I have an SSL certificate issued by https://letsencrypt.org/ . It will be expiring tomorrow and I am having trouble renewing it. I have spun up a fresh linux box, installed certbot (as per https://letsencrypt.org/getting-started/ ) . I have the following saved in a local directory:
cert.pem
chain.pem
fullchain.pem
privkey.pem
Within the directory that contains the certificate I then run
/path/to/certbot/certbot-auto renew --dry-run --force-renew
certbot appears to not find the certificates as it then says
No renewals were attempted.
I have also run
/path/to/certbot/certbot-auto renew --force-renew
and get the same response.
Is there a way to renew certificates that are not stored in the expected /letsencrypt/archive/... folder as is the case for a fresh installation on a fresh box?
Related
For reference, my MacBook Air is running version 10.14.1.
I've tried to download ghcup by running this command in the terminal:
curl --proto '=https' --tlsv1.2 -sSf https://get-ghcup.haskell.org | sh
However, when I run this command, I recveieve the following error:
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Could this error be caused by my MacBook running an old version?
I have a nodejs/express api on a AWS EC2 server with a ssl certificate that is generated with Let's encrypt every 3 months.
Auto renewal isn't on and we let it exipre before trying to renew but after renewing it we are getting an error saying:
Unable to verify the first certificate
or
UNABLE_TO_VERIFY_LEAF_SIGNATURE
depending on what we are testing with.
We are using Certbot for renewing with the following command (and not $ certbot renew) :
$ sudo certbot certonly --dns-route53 -d *.example.com -d example.com --server https://acme-v02.api.letsencrypt.org/directory
Certificates are generated as expected with an expiration date 3 months from now.
Any ideas on what's going on ? I've tried most of the things I could find on SO and elsewhere but nothing worked.
P.S. Servers and I don't go along very well :/ (I do mobile app dev) so assume that I don't know anything when replying :D
Solution was quite easy, just needed to use the fullchain.pem file (and reboot your server if applicable).
Sidenote:
If someone on your team tells you that they've tested a solution and that it didn't work, don't just blindly trust them but test it yourself if all other possible solutions didn't work...(have lost 1+ day because someone thought they did test with the fullchain.pem (or did it wrongly)
We are able to create azure api manager. it has default azure specific urls for management,portal, proxy,scm.
we want to change these URLs to different format.is it possible for someone provide steps for getting pfx file mainly from letsencrypt.
as per my understanding we need to use for getting certificates
sudo -H ./letsencrypt-auto certonly --standalone -d mycustomdomain.com
consider for example mycustomdomain.com is proxy url for which we need to generate certificate.
this url must be present as A name in some dns system. but since our url is not associated with any IP or other record we can not proceed in this case.
.
I can't help you with LetsEncrypt, but for APIM's custom domains you should not create A record in DNS, instead you create CNAME record for your custom domain that points to default APIM hostname, i.e. xxx.azure-api.net. You could go for A record and use APIM's IP address, but that would not be stable as IP may change if some disaster occurs, and will change if service deleted/undeleted, or joined/removed from vnet.
Here are steps to create pfx certificate with letsencrypt.
Problem statement
Azure API management service provide default url for accessing backend API.This url is known as proxy url and has format like .azure.api.net.
Azure also provide facility to create custom url by providing url name, pfx certificate and certificate password.
Steps to generate pfx file
install certbot on your ubantu box (you can check similar steps online for other OS)
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
retrieve txt record
certbot -d api.mycompanydomain.com --manual --preferred-challenges dns certonly
It will provide txt value to add in our azure dns zone. Please add same in dns zone as txt value. Once done click enter. It will generate certificates in /etc/letsencrypt/live/api.mycompanydomain.com
create pfx file
visit /etc/letsencrypt/live/api.mycompanydomain.com and run following command
sudo openssl pkcs12 -export -out api.mycompanydomain.com.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
it will create pfx file in current working directory which you can use while creating custom domains
map default proxy url to custom url as cname
once you configure this custom url you can map your custom url to default url in azure dns zone.
I was trying to install gitlab on my linux server following this guide and got stucked in the second setp that says
curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
any idea on how can I solve this?
ANSWER be sure to have http_proxy and https_proxy variables correctly set.
---- UPDATE ----
After setting the variables I got the following answer from curl
Detected operating system as Ubuntu/trusty.
Checking for curl...
Detected curl...
Running apt-get update... done.
Installing apt-transport-https... done.
Installing /etc/apt/sources.list.d/gitlab_gitlab-ce.list...curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Unable to run:
curl https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/config_file.list?os=Ubuntu&dist=trusty&source=script
Double check your curl installation and try again.
Tell curl to ignore SSL warnings with -k/--insecure. Documented in man curl.
Edit: also check your proxy settings, as the host you're trying to curl to does, in fact, have a valid SSL certificate. See the --proxy option of curl.
I'm facing an issue in installing SSL certificate in IIS and below are the step before I got the certificate from my CA.
Generated a private key file using OpenSSL with: "openssl genrsa -out key_name.key 2048" command.
Generated .csr file with: "openssl req -out CSR.csr -key key_name.key -new -sha256" command.
Once I generated the CSR file, I provided the same CSR file to CA to get me certificate.
I got the certificate in .p7b format, which I converted to .cer format.
Installed certificate using "Complete certificate request" option in IIS.
Now the problem is that newly installed certificate vanishes from IIS after a refresh. I Googled this issue and understood that, it's happening so because there is no private key associated with certificate. My question is where the private key has gone?? I had created the CSR using the private key in step 1. Secondly, how do I over come this issue, I have to install the certificate anyhow. Please help.
You did not generate the certificate request via IIS Manager. Thus, you should not use IIS to complete the request.
Instead, you need to use OpenSSL to generate a PFX file,
create a pfx file from a .cer and a .pem file
Then you can import it to IIS.
You might read this post for more details,
https://blog.lextudio.com/2015/06/the-whole-story-of-server-certificate-disappears-in-iis-77-588-510-0-after-installing-it-why/