Certbot cloudflare docker doesn't recognize "key type" argument

Context: I'm trying to provide my nas with a valid certificate for its domain name, which is not exposed to the internet, but does exist. I have the domain imported in cloudflare, so I can use the dns01 challenge.
So the way I went about doing this is:

  1. create a container based on certbot/dns-cloudflare:latest
  2. run the container to generate certificates and store them in a mounted share
  3. manually upload the certificate to the NAS

It goes wrong at point 3: the key is not accepted. After reading around, I can't find decent documentation stating explicitly which formats are accepted, but many outdated guides point to RSA (see for example this one).

The current private key is of the type

-----BEGIN PRIVATE KEY-----
yadablada
-----END PRIVATE KEY-----

and is just 241 bytes long

So then I thought using --key-type rsa would fix it hence I changed the command in the container to

'certonly' '--non-interactive' '--key-type rsa' '--dns-cloudflare' '--dns-cloudflare-credentials' '/opt/cloudflare/credentials' '--agree-tos' '--email' 'me@myself.com' '-d' 'mydomain.com'

And this one fails immediately with

  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.

certbot: error: unrecognized arguments: --key-type rsa

Here is where I'm stuck.

You need to split the flag and the flag argument into separate strings. Usually a shell does this for you, but with Docker or direct exec calls, you need to separate them yourself.

7 Likes

In case it isn't obvious to all readers what the flag and argument are, that is like

'--key-type' 'rsa'

in this context.

When a whitespace character is included in quotes, it becomes part of a literal argument to the command. For comparison:

$ cd /tmp
$ echo hello > foo
$ echo goodbye > bar
$ cat foo bar
hello
goodbye
$ cat 'foo bar'
cat: 'foo bar': No such file or directory

In this case cat got a single argument containing an actual space character, which it tried to interpret as a filename.

6 Likes
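The two answers above can be reproduced in a few lines. The script below is an added example, not code from the thread or from certbot: `shlex.split` mimics a POSIX shell's word splitting (quotes are removed, but whitespace inside quotes stays part of one token), and a small `argparse` parser stands in for certbot's real one (it knows only a handful of certbot's flags, but like the real parser it expects the value of `--key-type` in the next argv element). The hostname `nas.example.test` is a placeholder. Exec-form lists (a Dockerfile `CMD`/`ENTRYPOINT` JSON array or a compose `command:` list) are handed to the program verbatim, so every list element becomes one argv element with no shell splitting in between.

```python
import argparse
import shlex


def build_parser() -> argparse.ArgumentParser:
    """A tiny stand-in for certbot's option parser (constructed for this example).

    It only knows a few of certbot's real flags, but like the real parser it
    treats --key-type as a flag whose value is the *next* argv element.
    """
    p = argparse.ArgumentParser(prog="certbot", add_help=False)
    p.add_argument("subcommand")
    p.add_argument("--non-interactive", action="store_true")
    p.add_argument("--key-type", choices=["rsa", "ecdsa"], default="ecdsa")
    p.add_argument("-d", dest="domains", action="append", default=[])
    p.add_argument("--agree-tos", action="store_true")
    p.add_argument("--email")
    return p


def parse_argv(argv: list[str]) -> tuple[dict, list[str]]:
    """Parse an already-split argv; return (recognised options, unrecognised leftovers).

    parse_known_args is used instead of parse_args so the leftovers are returned
    rather than the process exiting the way the real certbot does.
    """
    ns, leftovers = build_parser().parse_known_args(argv)
    return vars(ns), leftovers


def parse_shell_line(line: str) -> tuple[dict, list[str]]:
    """Split a command line the way a POSIX shell would, then parse it.

    shlex.split drops the quote characters but keeps quoted whitespace inside
    the token, so '--key-type rsa' survives as ONE argv element.
    """
    return parse_argv(shlex.split(line))


# Exec-form lists are passed through verbatim: each element is one argv entry.
# These two lists mimic the poster's broken and fixed container commands.
BROKEN_ARGV = ["certonly", "--non-interactive", "--key-type rsa", "-d", "nas.example.test"]
FIXED_ARGV = ["certonly", "--non-interactive", "--key-type", "rsa", "-d", "nas.example.test"]

if __name__ == "__main__":
    for argv in (BROKEN_ARGV, FIXED_ARGV):
        opts, leftovers = parse_argv(argv)
        status = f"unrecognized arguments: {' '.join(leftovers)}" if leftovers else "ok"
        print(f"{argv!r}\n  key_type={opts['key_type']}  {status}")
```

With `BROKEN_ARGV` the token `--key-type rsa` contains a space, so argparse does not treat it as an option at all; it falls through as an unrecognised leftover while `key_type` silently keeps its default. That is the same failure mode as the `unrecognized arguments: --key-type rsa` error shown earlier in the thread.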

Thanks, I did miss that, super silly of me to not apply the single quote everywhere

1 Like

QNAP is still saying the key is not valid, so I ran a check and indeed it seems something is wrong?

❯ openssl rsa -noout -modulus -in privkey.pem | openssl md5
140581992658240:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:../crypto/evp/p_lib.c:469:
(stdin)= d41d8cd98f00b204e9800998ecf8427e
❯ openssl x509 -noout -modulus -in fullchain.pem | openssl md5
(stdin)= e30fbb5ba0cecaad7a2d0cb836584c05

Sounds like it's still an ECDSA key. I'd double check that you are reading the right files..

3 Likes
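A way to answer "how can I verify it's an ECDSA key?" without relying on `openssl rsa`, as an added example that is not part of the thread. Background facts: `openssl rsa` refuses anything that is not an RSA key, so the first command above produced no modulus at all, and the hash it printed, `d41d8cd98f00b204e9800998ecf8427e`, is simply the MD5 of empty input. Certbot 2.x defaults to ECDSA keys, and a P-256 key in PKCS#8 PEM form is exactly 241 bytes, which matches the file size reported earlier. The script reads the algorithm OID from the PKCS#8 `AlgorithmIdentifier` in pure Python (no `cryptography` package needed); the two sample keys at the bottom are constructed for the example, with real PKCS#8 framing around dummy key bytes, and are not usable keys.

```python
import base64
import re

# Algorithm OIDs found in a PKCS#8 AlgorithmIdentifier (standard values).
RSA_OID = "1.2.840.113549.1.1.1"      # rsaEncryption
EC_OID = "1.2.840.10045.2.1"          # id-ecPublicKey
PRIME256V1_OID = "1.2.840.10045.3.1.7"

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem: str) -> tuple[str, bytes]:
    """Return (label, DER bytes) of the first PEM block in the text."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content octets to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def private_key_algorithm(pem: str) -> str:
    """Return 'rsa', 'ec', or the raw OID for an unrecognised PKCS#8 algorithm."""
    label, der = pem_to_der(pem)
    if label == "RSA PRIVATE KEY":          # PKCS#1 ("traditional" OpenSSL format)
        return "rsa"
    if label == "EC PRIVATE KEY":           # SEC1 (legacy EC format)
        return "ec"
    if label != "PRIVATE KEY":
        raise ValueError(f"not a private key PEM: {label!r}")
    # PKCS#8 PrivateKeyInfo ::= SEQUENCE { version INTEGER,
    #     privateKeyAlgorithm AlgorithmIdentifier, privateKey OCTET STRING, ... }
    tag, info, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#8 key must start with a SEQUENCE")
    tag, _version, pos = _read_tlv(info, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag, alg_id, _ = _read_tlv(info, pos)
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    dotted = decode_oid(oid)
    return {RSA_OID: "rsa", EC_OID: "ec"}.get(dotted, dotted)


# --- Constructed sample input: PKCS#8 framing around dummy key bytes (not usable keys) ---

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, bytes(out))


def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_EC_PEM = _pem("PRIVATE KEY", _der(0x30,
    _der(0x02, b"\x00") + _der(0x30, _oid(EC_OID) + _oid(PRIME256V1_OID)) + _der(0x04, b"\x00" * 32)))
SAMPLE_RSA_PEM = _pem("PRIVATE KEY", _der(0x30,
    _der(0x02, b"\x00") + _der(0x30, _oid(RSA_OID) + _der(0x05, b"")) + _der(0x04, b"\x00" * 256)))

if __name__ == "__main__":
    for name, pem in (("ec sample", SAMPLE_EC_PEM), ("rsa sample", SAMPLE_RSA_PEM)):
        print(f"{name}: {private_key_algorithm(pem)}, {len(pem)} bytes of PEM")
```

On a real file, `private_key_algorithm(open("privkey.pem").read())` tells you which key type certbot actually wrote. The equivalent CLI check is `openssl pkey -in privkey.pem -noout -text`, which, unlike `openssl rsa`, accepts any key type. Knowing the algorithm does not by itself prove the key and certificate belong together; for that you still compare the public keys, which is what the RSA modulus comparison earlier in the thread does.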

@_az how can I verify it's an ecdsa key?

here is the full log of the last operation

2023-06-05 08:03:26,582:DEBUG:certbot._internal.main:certbot version: 2.6.0
2023-06-05 08:03:26,583:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2023-06-05 08:03:26,583:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--dns-cloudflare', '--dns-cloudflare-credentials', '/opt/cloudflare/credentials', '--agree-tos', '--email', 'me@myself.com', '-d', 'nas.mydomain.com', '--key-type', 'rsa', '--force-renew', '--cert-name', 'fullchain.pem']
2023-06-05 08:03:26,583:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-06-05 08:03:26,606:DEBUG:certbot._internal.log:Root logging level set at 30
2023-06-05 08:03:26,607:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-cloudflare and installer None
2023-06-05 08:03:26,613:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
Interfaces: Authenticator, Plugin
Entry point: dns-cloudflare = certbot_dns_cloudflare._internal.dns_cloudflare:Authenticator
Initialized: <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7f5d56dfe3e0>
Prep: True
2023-06-05 08:03:26,613:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7f5d56dfe3e0> and installer None
2023-06-05 08:03:26,613:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-cloudflare, Installer None
2023-06-05 08:03:26,699:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1142874567', new_authzr_uri=None, terms_of_service=None), 50f1ce36467088f974652ad9ab7231f3, Meta(creation_dt=datetime.datetime(2023, 6, 4, 19, 11, 11, tzinfo=<UTC>), creation_host='certbot-dns-cloudflare-1', register_to_eff=None))>
2023-06-05 08:03:26,720:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-06-05 08:03:26,724:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-06-05 08:03:27,184:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752
2023-06-05 08:03:27,184:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 05 Jun 2023 08:04:15 GMT
Content-Type: application/json
Content-Length: 752
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "itpkxGyJ6rs": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2023-06-05 08:03:27,215:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for nas.mydomain.com
2023-06-05 08:03:27,337:DEBUG:acme.client:Requesting fresh nonce
2023-06-05 08:03:27,338:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-06-05 08:03:27,479:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-06-05 08:03:27,480:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 05 Jun 2023 08:04:15 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 891FojPtRLfYjK_VzJyWR4X-JFlcBe7ZQiqHl_tl93uKQNY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2023-06-05 08:03:27,480:DEBUG:acme.client:Storing nonce: 891FojPtRLfYjK_VzJyWR4X-JFlcBe7ZQiqHl_tl93uKQNY
2023-06-05 08:03:27,480:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "nas.mydomain.com"\n    }\n  ]\n}'
2023-06-05 08:03:27,485:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE0Mjg3NDU2NyIsICJub25jZSI6ICI4OTFGb2pQdFJMZllqS19Wekp5V1I0WC1KRmxjQmU3WlFpcUhsX3RsOTN1S1FOWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "QcYMCxaTh1xxUJkjaX-tdg_YhUfwH8upGCZuoB2M-u_e1tE4Ba5tZ8b5HMzX8li4plf8INYC-KGMMMTdhTKB7gvhi91IRV5vSDU1YwWKP5TYkYnnZadYL0yNS2-T4ClxdEV2y6qvkXP0ch2K7tpDI1W9GOIVBdhdR7igGHCSlPXDfS1eV8DUXamS14JYs9aL8sFyAe3O3mGk30OEKvI6s3m5dt5v_o90l4amQmxcq5GPiaByvkO0-sD4SeaSh6AxpkQEeFcOt7XGHIuFAuqUIgFFY8p4B5QH1cvuapvpNPmL2NV_l6dp4qDluh48ahW4yike2aIClQtQxzHWSq2zTQ",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm5hcy5tZWNvLmNmZCIKICAgIH0KICBdCn0"
}
2023-06-05 08:03:27,809:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 336
2023-06-05 08:03:27,810:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 05 Jun 2023 08:04:15 GMT
Content-Type: application/json
Content-Length: 336
Connection: keep-alive
Boulder-Requester: 1142874567
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1142874567/186671238647
Replay-Nonce: 891FvIURbXSV52AKpgY5Lb6o7xtlkJbI-5uDzvo-0W1udXo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "ready",
  "expires": "2023-06-12T08:04:15Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "nas.mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/233935154287"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1142874567/186671238647"
}
2023-06-05 08:03:27,810:DEBUG:acme.client:Storing nonce: 891FvIURbXSV52AKpgY5Lb6o7xtlkJbI-5uDzvo-0W1udXo
2023-06-05 08:03:27,810:DEBUG:acme.client:JWS payload:
b''
2023-06-05 08:03:27,813:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/233935154287:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE0Mjg3NDU2NyIsICJub25jZSI6ICI4OTFGdklVUmJYU1Y1MkFLcGdZNUxiNm83eHRsa0piSS01dUR6dm8tMFcxdWRYbyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMjMzOTM1MTU0Mjg3In0",
  "signature": "A2xuPLF_H0kbjYdc9JOjbLk1o3LvYokwkGOZGZJPeIk9eSFCzt-5WwM6qzOemqy9-chNjJ3qcAwrMDuBTExn-NlW9RQw6lFG2kK3gky4Oi7pOAKwT4BQ_BbF6JFLbru9KckhC6EevurDgOIYggBYCsOUzuOcaDZpiFW8X_OQpmNJ6hqGxFitV0FcFRMOY4kd5w7ld98Z9IH8TjaZ4_SiidrOWAQ3yInIVdXB09rcesN_wcP6afT8d6p3KtctrfxOYt3lpOFN8006cH5tFd2xQRPjT9RNZ4PjQnqceOFWr82L-TXEu88ZfW6nw6HnRTVD-R1f3CHe7YpenzB823ZJvw",
  "payload": ""
}
2023-06-05 08:03:27,958:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/233935154287 HTTP/1.1" 200 499
2023-06-05 08:03:27,959:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 05 Jun 2023 08:04:15 GMT
Content-Type: application/json
Content-Length: 499
Connection: keep-alive
Boulder-Requester: 1142874567
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 371CjFuKhsVBGWir6MVImcZE6ZSazghUqyIIn-n9uGqB7HQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "nas.mydomain.com"
  },
  "status": "valid",
  "expires": "2023-07-04T19:12:07Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/233935154287/aYDjTA",
      "token": "token",
      "validationRecord": [
        {
          "hostname": "nas.mydomain.com"
        }
      ],
      "validated": "2023-06-04T19:12:07Z"
    }
  ]
}
2023-06-05 08:03:27,959:DEBUG:acme.client:Storing nonce: 371CjFuKhsVBGWir6MVImcZE6ZSazghUqyIIn-n9uGqB7HQ
2023-06-05 08:03:27,960:DEBUG:certbot._internal.client:CSR: CSR(file=None, data=b'-----BEGIN CERTIFICATE REQUEST-----\nMIICbzCCAVcCAQAwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJRv\nODL7DTOfte0qtRxAsa+OPOEfxqddZP14LMlYNPdyCc9qWJfRWlhMVYLfbH1zGV/G\nRNrGFuWXk1zmACdCbkCfEWR9AUWePoA2QpiSHOUT0N7zfyRb9Sn7fVk5LvO4E5O/\nFZtjRYU7Rrvlwf9p8JcpNqM2ubor5sEOfltp2ektXq9X2XaUFdOADVbtGHCHt3jt\nz427s0hZ6I9z5kZJQxBdjAGVs2UohXUZmqWEYJFsatMoU0KA9hOCQhcSHtKeQDUC\nyfLMsXjb7TFbpf+O3shB+NA9Z/VrxKHRD69YAl6EhbDmWcT6k66SyUjy+e6eE14P\nekd9GWrKVuJFF1UvKaECAwEAAaAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAw\nDoIMbmFzLm1lY28uY2ZkMA0GCSqGSIb3DQEBCwUAA4IBAQA7+U/SsHZATnaIlwNg\n0jw4CoOTSFt/AUsECecOcdLCNh2fwBqOBfgvVHXhJMGqB3l15d+oxmNI7SxwH/JJ\ncYTl+fc/tBTIWOCQyOvTIo5vJmcEwqGzBU+yreBgtXJHwDfVr3z1cEKuil5UzCop\npHRrOMRjSUab9QOMCZrNhby58MBRzFibRs/x4c0pnzRoETDvY2VzbhdhnKHQwVIh\nbKMlvyFmlMqMxKKyR1ennk+f5DAanM4qe4diK3n5wt9Y9zcf4W3xVo/mIqviTFzZ\nOLLhBKMg3VTHFU6DtscErb9DsM7lxzLjwNaO11fSe8brPOaIbvw2xcmV9C/HsKgK\n4Md1\n-----END CERTIFICATE REQUEST-----\n', form='pem')
2023-06-05 08:03:27,960:DEBUG:certbot._internal.client:Will poll for certificate issuance until 2023-06-05 08:04:57.960534
2023-06-05 08:03:27,961:DEBUG:acme.client:JWS payload:
b'{\n  "csr": "MIICbzCCAVcCAQAwADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJRvODL7DTOfte0qtRxAsa-OPOEfxqddZP14LMlYNPdyCc9qWJfRWlhMVYLfbH1zGV_GRNrGFuWXk1zmACdCbkCfEWR9AUWePoA2QpiSHOUT0N7zfyRb9Sn7fVk5LvO4E5O_FZtjRYU7Rrvlwf9p8JcpNqM2ubor5sEOfltp2ektXq9X2XaUFdOADVbtGHCHt3jtz427s0hZ6I9z5kZJQxBdjAGVs2UohXUZmqWEYJFsatMoU0KA9hOCQhcSHtKeQDUCyfLMsXjb7TFbpf-O3shB-NA9Z_VrxKHRD69YAl6EhbDmWcT6k66SyUjy-e6eE14Pekd9GWrKVuJFF1UvKaECAwEAAaAqMCgGCSqGSIb3DQEJDjEbMBkwFwYDVR0RBBAwDoIMbmFzLm1lY28uY2ZkMA0GCSqGSIb3DQEBCwUAA4IBAQA7-U_SsHZATnaIlwNg0jw4CoOTSFt_AUsECecOcdLCNh2fwBqOBfgvVHXhJMGqB3l15d-oxmNI7SxwH_JJcYTl-fc_tBTIWOCQyOvTIo5vJmcEwqGzBU-yreBgtXJHwDfVr3z1cEKuil5UzCoppHRrOMRjSUab9QOMCZrNhby58MBRzFibRs_x4c0pnzRoETDvY2VzbhdhnKHQwVIhbKMlvyFmlMqMxKKyR1ennk-f5DAanM4qe4diK3n5wt9Y9zcf4W3xVo_mIqviTFzZOLLhBKMg3VTHFU6DtscErb9DsM7lxzLjwNaO11fSe8brPOaIbvw2xcmV9C_HsKgK4Md1"\n}'
2023-06-05 08:03:27,963:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/finalize/1142874567/186671238647:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE0Mjg3NDU2NyIsICJub25jZSI6ICIzNzFDakZ1S2hzVkJHV2lyNk1WSW1jWkU2WlNhemdoVXF5SUluLW45dUdxQjdIUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvZmluYWxpemUvMTE0Mjg3NDU2Ny8xODY2NzEyMzg2NDcifQ",
  "signature": "hvqTmex3bMSy7qfTricvIooeMZzgTCLHCV5ZbOcPXI_sA5JX_8cRgFnGfiSencqbYRmWc5y1EXoNyyEafPrjmrjWlWW9oXiOJmyJc3yrSjzZ-kXykMp-HLLlrKQkZaHqUmaHw_RJ3unQ2QreVqEXzFmW-9GCAwbbwLtFarpEJ1dKn3H1ilSydJ6AedzJz8lJ1cTmNew5rTSXAeRfjUbwq7mdg9FOYjo3MrgcBoEp5FvuzrcOhZrj7RNtQN1Cp2S-aXEmeWQrup0umpV8wwnm99UBjgi66rwj8r9yNjyAivj1yrlr8SLdIVu-s90GtoM-64iJJFPXt6j714-k_By0wg",
  "payload": "..."
}
2023-06-05 08:03:29,165:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/finalize/1142874567/186671238647 HTTP/1.1" 200 440
2023-06-05 08:03:29,166:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 05 Jun 2023 08:04:16 GMT
Content-Type: application/json
Content-Length: 440
Connection: keep-alive
Boulder-Requester: 1142874567
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/1142874567/186671238647
Replay-Nonce: 371Cg-MSkJn41kwSdpD_5orTGAoLWiafWliFILqx4mXuMK0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "valid",
  "expires": "2023-06-12T08:04:15Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "nas.mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/233935154287"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1142874567/186671238647",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/04e72d6f15741bcdc4900512266c7c383a98"
}
2023-06-05 08:03:29,166:DEBUG:acme.client:Storing nonce: 371Cg-MSkJn41kwSdpD_5orTGAoLWiafWliFILqx4mXuMK0
2023-06-05 08:03:30,167:DEBUG:acme.client:JWS payload:
b''
2023-06-05 08:03:30,170:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/order/1142874567/186671238647:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE0Mjg3NDU2NyIsICJub25jZSI6ICIzNzFDZy1NU2tKbjQxa3dTZHBEXzVvclRHQW9MV2lhZldsaUZJTHF4NG1YdU1LMCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvb3JkZXIvMTE0Mjg3NDU2Ny8xODY2NzEyMzg2NDcifQ",
  "signature": "ZrFpc-1ObuP6b4Pasy4g2YhNDyTz0xCB72kgl-TA5JE1cPdrh3tfW9whBGFpr4l-vpNATubNCQK8gvFFLMwnWMG_C4Qu2XilTQUo3gAl5dY6puQ2Pi_8vJQAr1R4lWVpSFmnNHkeg-gcLDRlhHbGR7SxrI9c3hGr8_twkGV5R_PSQsunqCm1B2gmXENPJQE_VxXzTXUZC2zm1w9Kr-tA9_ova9CUvTIkuS8_S3d978Bw-5aNrTPVwmqnuMixIKeRpzLb79XRrk8IxjJirAkeUrHg97j8L_HV3uvVcau5PY1KcPWF1Tn9P62pUYv6nU9-PFLCo06a9FpynOJrXAlYMw",
  "payload": ""
}
2023-06-05 08:03:30,321:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/order/1142874567/186671238647 HTTP/1.1" 200 440
2023-06-05 08:03:30,322:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 05 Jun 2023 08:04:18 GMT
Content-Type: application/json
Content-Length: 440
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 371CJLkOMMYoXJT5NBWfWBa5CAdXNvZyVJj2w666j54Tyog
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "valid",
  "expires": "2023-06-12T08:04:15Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "nas.mydomain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/233935154287"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1142874567/186671238647",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/04e72d6f15741bcdc4900512266c7c383a98"
}
2023-06-05 08:03:30,322:DEBUG:acme.client:Storing nonce: 371CJLkOMMYoXJT5NBWfWBa5CAdXNvZyVJj2w666j54Tyog
2023-06-05 08:03:30,323:DEBUG:acme.client:JWS payload:
b''
2023-06-05 08:03:30,325:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/cert/04e72d6f15741bcdc4900512266c7c383a98:
{
  "protected": "yadablada",
  "signature": "yadablada",
  "payload": ""
}
2023-06-05 08:03:30,480:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/cert/04e72d6f15741bcdc4900512266c7c383a98 HTTP/1.1" 200 5585
2023-06-05 08:03:30,481:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 05 Jun 2023 08:04:18 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 5585
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/cert/04e72d6f15741bcdc4900512266c7c383a98/1>;rel="alternate"
Replay-Nonce: 371CB-SCVZR4G60MmA0aNdNf8GJ9TJOkzWHFLaD4vPYeLzc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

-----BEGIN CERTIFICATE-----
yadablada
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
yadablada
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
yadablada
-----END CERTIFICATE-----

2023-06-05 08:03:30,481:DEBUG:acme.client:Storing nonce: 371CB-SCVZR4G60MmA0aNdNf8GJ9TJOkzWHFLaD4vPYeLzc
2023-06-05 08:03:30,494:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/archive/fullchain.pem.
2023-06-05 08:03:30,495:DEBUG:certbot._internal.storage:Creating directory /etc/letsencrypt/live/fullchain.pem.
2023-06-05 08:03:30,496:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/live/fullchain.pem/cert.pem.
2023-06-05 08:03:30,496:DEBUG:certbot._internal.storage:Writing private key to /etc/letsencrypt/live/fullchain.pem/privkey.pem.
2023-06-05 08:03:30,497:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/live/fullchain.pem/chain.pem.
2023-06-05 08:03:30,497:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/live/fullchain.pem/fullchain.pem.
2023-06-05 08:03:30,498:DEBUG:certbot._internal.storage:Writing README to /etc/letsencrypt/live/fullchain.pem/README.
2023-06-05 08:03:30,575:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-cloudflare and installer <certbot._internal.cli.cli_utils._Default object at 0x7f5d5708e3b0>
2023-06-05 08:03:30,575:DEBUG:certbot._internal.cli:Var key_type=rsa (set by user).
2023-06-05 08:03:30,576:DEBUG:certbot._internal.cli:Var authenticator=dns-cloudflare (set by user).
2023-06-05 08:03:30,576:DEBUG:certbot._internal.cli:Var dns_cloudflare_credentials=/opt/cloudflare/credentials (set by user).
2023-06-05 08:03:30,577:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/fullchain.pem.conf.
2023-06-05 08:03:30,581:DEBUG:certbot._internal.display.obj:Notifying user: 
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/fullchain.pem/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/fullchain.pem/privkey.pem
This certificate expires on 2023-09-03.
These files will be updated when the certificate renews.
2023-06-05 08:03:30,582:DEBUG:certbot._internal.display.obj:Notifying user: NEXT STEPS:
2023-06-05 08:03:30,583:DEBUG:certbot._internal.display.obj:Notifying user: - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
2023-06-05 08:03:30,586:DEBUG:certbot._internal.display.obj:Notifying user: If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le

I just read through all the logs, and realized that

  • /etc/letsencrypt/live/fullchain.pem/ contains a key and cert
  • /etc/letsencrypt/live/nas.mydomain.com/ contains a key and cert

Both the key and cert are not the same. Why?
Using the ones from the fullchain.pem folder works

What happens if I want to use the same share to generate certificates for multiple services? do I need to manually copy the fullchain.pem folders and rename them to their domains?

I thought the domain folder was there just for this use case

/etc/letsencrypt/live/fullchain.pem/privkey.pem would be your RSA key, and /etc/letsencrypt/live/fullchain.pem/fullchain.pem would be your certificate chain

I've looked up your certificate in the public certificate logs and it's definitely using an RSA key.

What do you mean by share?

3 Likes

Thank you for the check @_az
I'm trying to understand how certbot works: when I have it installed in either local form or docker, I can run it for multiple domains.

So my thought was that certbot would generate all actual certificates in specific domain subfolders, but this doesn't seem to be true.

So what is the use of the live/domain folders?
and were I to generate a certificate for a different domain, it would again end up in live/fullchain.pem thus overwriting the previous one?

The default is for Certbot to place the certs in a folder named by one of the domains in the cert. But, you are overriding that default with the --cert-name option

Either leave that off or be more careful how you set that

See Certbot docs for details of --cert-name

4 Likes

Thank you so much, I've been stringing stuff I found online and this slipped my attention.

All solved

4 Likes

It ends up there with a sequence number added to the filename.

2 Likes
