Expired Cert - Cannot Get New Cert For Specific Server


My domain is https://citrix-sf.inside.i3microsystems.com

I have a system that I inherited. Not very familiar with Let's Encrypt. I have a server that the cert expired on last night. I ran the scripts that are in a set of instructions that I found. I was able to download a cert but it was for the wrong server. How do I download a cert for a server whose cert has expired?


I ran this command to export the certificate to my local server:
sudo openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -name Citrix-SF_2022-05-05
A certificate file exported, but for the wrong server, and the script/command does not seem to give the cert the name I specified.

How did you produce cert.pem and chain.pem?


Frankly I am not sure since I am just following commands in a Word file that was left behind by my predecessor, whom I never met. My best guess is this:
--I am using SSH to log in to a local server.
--Once logged into that server, I run ./ssl-cert-check -f ssldomains, which returns a screen with a list of servers of the form servername.inside.mycompanydomain.com and their certificate status and expiration date.
--Next the instructions tell me to check export of CF_DNS_SERVERS='', though I am not sure how to do this or what it does.
--I then cd into a directory called "dehydrated".
--Now I run sudo ./dehydrated -c -d localservername -t dns-01 -k 'hooks/cloudflare/hook.py'
--I am then prompted to input the password twice for a specific account.
--After inputting the password twice I see a screen go by that seems to be checking domain names for existing certs and creating new certs.
--After that I change to a specified certificate directory and run sudo openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -name ChosenFilename
--The new certs then show up in a directory.
--I copy the certs to the server the cert belongs to and import the cert and bind it to the server on port 443.

I hope this explanation is not overly detailed.


The output filename is in -out certificate.pfx, not -name ChosenFilename.

I think the -d localservername is the fully qualified domain name of your server, is it? The certificate will be for that name.
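The answer above points at the root cause: the exported PFX is whatever cert.pem happens to be in the current directory, and -name only sets the PKCS#12 friendly name shown by the importer, not the output file or the hostname. The script below is an added example written for this thread (not code from the original posts, from dehydrated or from the Cloudflare hook) that inspects cert.pem before exporting it: it prints the DNS names in the certificate's subjectAltName, refuses to export unless the expected FQDN is among them, and refuses if the certificate has already expired. The file names cert.pem, privkey.pem and chain.pem match the thread; the function names, the password handling and the self-signed test certificate helper are assumptions made for the example. It needs OpenSSL 1.1.1 or newer for the -ext and -addext options.

```shell
#!/bin/sh
# Added example for this thread: verify which host a PEM certificate was issued
# for, and that it is still valid, before exporting it to PFX, so a certificate
# for the wrong server is never imported and bound to port 443.

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Succeed only if CERT lists FQDN as a SAN DNS entry (exact, whole-line match).
cert_covers_name() {
  cert_dns_names "$1" | grep -Fxq "$2"
}

# Succeed only if CERT has not expired yet (-checkend 0 asks "expires within 0 s?").
cert_is_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Export CERT and KEY (plus CHAIN when that file exists) to PFX, but only after
# the two checks above pass. -name is the PKCS#12 friendlyName, not a file name.
# Usage: export_pfx_for cert.pem privkey.pem chain.pem host.example.com out.pfx PASSWORD
export_pfx_for() {
  cert="$1"; key="$2"; chain="$3"; fqdn="$4"; out="$5"; pass="$6"
  if ! cert_covers_name "$cert" "$fqdn"; then
    echo "refusing: $cert is not issued for $fqdn (it covers: $(cert_dns_names "$cert" | tr '\n' ' '))" >&2
    return 1
  fi
  if ! cert_is_valid_now "$cert"; then
    echo "refusing: $cert has already expired" >&2
    return 1
  fi
  set -- -export -out "$out" -inkey "$key" -in "$cert" -name "$fqdn" -passout "pass:$pass"
  if [ -f "$chain" ]; then
    set -- "$@" -certfile "$chain"
  fi
  openssl pkcs12 "$@"
}

# Constructed test material only (assumption, not part of the thread): a
# throwaway self-signed certificate for FQDN written to DIR/privkey.pem and DIR/cert.pem.
make_test_cert() {
  dir="$1"; fqdn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/privkey.pem" -out "$dir/cert.pem" \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
}

# Stand-alone use: ./check_and_export.sh cert.pem privkey.pem chain.pem host.example.com out.pfx PASSWORD
if [ "$#" -eq 6 ]; then
  export_pfx_for "$@"
fi
```

Run it from the dehydrated certificate directory with the FQDN that was passed to -d; if it refuses, the printed SAN list tells you which server the cert.pem in that directory actually belongs to, which is the quickest way to spot that the wrong certs/ subdirectory was used. The export password is passed on the command line only to keep the example self-contained; in practice prefer `-passout file:` or an interactive prompt so it does not land in shell history.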

