Certbot to get certificates manually not generating private key


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
retex.global
I ran this command:
sudo certbot certonly --manual --csr request_retex_global_prod_letsencrypt.csr --preferred-challenges http
It produced this output:
[ec2-user@dev ~]$ sudo certbot certonly --manual --csr request_retex_global_prod_letsencrypt.csr --preferred-challenges http
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Performing the following challenges:
http-01 challenge for retex.global

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

DyCDtEkeHUMQug4ShdpOsXGcXTfkHc6acLyItTupcyw.XCKy5btj1SgR87YkVlBbFDfPcpcIjdWGGZL3Ds7MuEY

And make it available on your web server at this URL:

http://retex.global/.well-known/acme-challenge/DyCDtEkeHUMQug4ShdpOsXGcXTfkHc6acLyItTupcyw

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /home/ec2-user/0002_cert.pem
Cert chain written to <fdopen>
Cert chain written to <fdopen>

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /home/ec2-user/0005_chain.pem
   Your cert will expire on 2019-06-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version):
nginx version: nginx/1.12.1

The operating system my web server runs on is (include version):
NAME=“Amazon Linux AMI”
VERSION=“2017.09”
ID=“amzn”
ID_LIKE=“rhel fedora”
VERSION_ID=“2017.09”
PRETTY_NAME=“Amazon Linux AMI 2017.09”
ANSI_COLOR=“0;33”
CPE_NAME=“cpe:/o:amazon:linux:2017.09:ga”
HOME_URL=“http://aws.amazon.com/amazon-linux-ami/
Amazon Linux AMI release 2017.09

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.27.1

This is how I assign certificates to nginx
ssl_certificate /home/ec2-user/0005_chain.pem;
ssl_certificate_key /home/ec2-user/0002_cert.pem;

but I am getting the error message below
[ec2-user@mail ~]$ sudo nginx -t &&
sudo nginx -s reload

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/home/ec2-user/0002_cert.pem") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)

nginx: configuration file /etc/nginx/nginx.conf test failed

Please advise


#2

Hi @Masber

you use an own Certificate signing request.

So you have alread a private key, so this

not generating private key

is the result. Contains

0002_cert.pem

your private key?


#3

That would be highly unlikely, as the key isn’t generated by certbot.

@Masber When you generated the CSR, you had to use a private key to sign that CSR. That key is also the key which you’d have to use for the certificate.


#4

ok, sorry I am not familiar with this topic… so I created the csr through java keystore so I guess my private key is within the keystore? if that is the case, the I will need to export the key in to a file and give it to nginx. Is that right?

thank you


#5

Yes, that looks good. But I don’t know what that java keystore is doing.

Or certbot creates the key and the CSR, then you import the key in your java keystore.


#6

ok, and I guess I will have to export it to PKCS #12 format?


#7

Did you use a guide or how-to to do this? How does Java relate to Java?


#8

Yes, but why did you do this? Are you using some other tools that require a Java keystore?


#9

Ugh, can’t edit my post any longer. I meant how does Java relate to the certificate/CSR/private key.


closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.