Certbot does not create a CertificatePolicyId or other issues?

I have also used the certbot command in the following ways:

 - sudo certbot certonly --manual -d appstestjira.westeurope.cloudapp.azure.com
 - sudo certbot certonly --standalone --preferred-challenges http -d appstestjira.westeurope.cloudapp.azure.com

It generates 4 .PEM files, and I create and import them into a .PKCS12 and from that into the .JKS file.
From that .JKS I make a Docker image and create the Kubernetes pod and run it and in the end I always
I get "no Certificate uploaded". And I never get an error during creation, imports and so on
and I look at logs that seem to be perfectly fine.
One thing I have noticed though, is that in all my "bad .JKS" (as I compared it to a good .JKS) there is no section that:

 - CertificatePolicyId 

This is a previous sample, so such a part is missing:

[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 ..http://cps.let
0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org
]] ]

Is it possible that the certbot command requires some kind of command or some kind of configuration setting?
The interesting thing is that it used to be that everything was fine until January this year, then certbot was not used for a couple of months, but now
I deleted it and reinstalled it, but nothing has changed. I don't know what the problem is and I'm very frustrated, maybe
can you give me some tips on what the problem might be, what I should look for, or could this lack of CertificatePolicyId be the problem?
Thank you in advance for your replies!

1 Like

This is the announcement of the change where they are no longer including their policy ids in certificates:

I'm not clear on what problem you're having that you're trying to solve (maybe because I'm not that familiar with Kubernetes) but I'm pretty sure that it isn't related to the policy id change.

7 Likes

Also, that removal is completely outside of the influence of ACME clients such as Certbot: it's entirely configured at Let's Encrypts end.

3 Likes

I see, thanks for the info, then it's probably not the certbot that's the problem.

I want to renew the certificate by storing all the necessary data in a Java Keystore file.
So I thought to use Certbot, which will import the created Certificate and all the necessary data into a newly created Java Keystore (.JKS).

I would then create a Docker image using Dockerfile and store the created image in the Azure Container Registry. The Kubernetes cluster would then fetch the new image and run the pod to launch the application. When I roll back to a previous image, the site works correctly and I only need to reset the image name as the previous images are also stored in a container(which is inside the Kubernetes cluster). The previous configurations were set up much earlier, so I would expect that there is no problem with the Kubernetes environment. That said, at the moment I don't know the exact reason why the application is not working if the .JKS is correct and the Docker Image is created without errors. Thanks for the help, at least I have ruled out a problem in the CertificatePolicyId area.

1 Like

I wouldn't rule out the CertificatePolicyId being an issue. While it should not be an issue, it's possible your system is configured to require it on upload.

I suggest troubleshooting with verbose logging of the import/upload function on the Server and Client instances, and then SSHing into them and trying it interactively instead of automated. The error messages might be generated, but are not hitting the logs due to log levels or output destination.

Edit: Just to clarify, the lack of a CertificatePolicyId will not affect stock/basic browsers, servers, clients, libraries, etc. At some point, your systems may have been configured to require this field, or was configured to only replace/upgrade Certificates with an exact match including this field.

5 Likes

Update: It finally turned out that there was no problem with the .JKS, as I renewed the certificate for a site that did not require a docker image to be generated, so there was no problem with the certbot, and the lack of certificatePolicyId was not a problem. I went in a slightly more extreme direction instead of doing a simpler test. There's a problem with the Docker image that caused it to not work so far, I just thought I'd write it down for those of you who might be interested, but I'll have the solution from here. Thanks for the replies, extremely quick replies here and good ideas, which is a great thing!

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.