Expired Cert - Cannot Get New Cert For Specific Server

reockey · May 5, 2022, 3:26pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is https://citrix-sf.inside.i3microsystems.com

I have a system that I inherited. Not very familiar with Let's Encrypt. I have a server that the cert expired on last night. I ran the scripts that are in a set of instructions that I found. I was able to download a cert but it was for the wrong server. How do I download a cert for a server whose cert has expired?

reockey · May 5, 2022, 3:35pm

I ran this command to export the certificate to my local server;
sudo openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -name Citrix-SF_2022-05-05"
A certificate file exported but for the wrong server and the script/command does not seem to give the cert the name I specified.

9peppe · May 5, 2022, 5:17pm

How did you produce cert.pem and chain.pem?

reockey · May 5, 2022, 5:56pm

Frankly I am not sure since I am just following commands in a Word file that was left behind by my predecessor who I never met. My best guess is this;
--I am using SSH to attach to login to a local server.
--Once logged into that server, I run ./ssl-cert-check -f ssldomains which returns a screen with a list of servers of the form servername.inside.mycompanydomain.com and their certificate status and expiration date.
--next the instructions tell me to Check export of CF_DNS_SERVERS=’8.8.8.8 8.8.4.4’ though I am not sure how to do this or what it does.
--I then cd a directory called "dehydrated"
--Now I run sudo ./dehydrated -c -d localservername -t dns-01 -k 'hooks/cloudflare/hook.py'
--I am then prompted to input the password twice for a specific account.
--After inputting the password twice I see a screen go by the seems to be checking domain names for existing certs and creating new certs.
After that I change to a specified certificate directory and run sudo openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -name ChosenFilename
--The new certs then show up in a directory.
--I copy the certs to the server the cert belongs to and import the cert and bind it to the server on port 443.

I hope this explanation is not overly detailed.

9peppe · May 5, 2022, 6:13pm

The output filename is in -out certificate.pfx, not -name ChosenFilename.

I think the -d localservername is the fully qualified domain name of your server, is it? The certificate will be for that name.

system · June 4, 2022, 6:13pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.