Fake LE Intermediate X1: invalid certificate created by certbot

#1

Hi guys. I’ve created certificates with certbot, but they are not valid for some reason.
Could you please suggest what is wrong here?
I’ve provided all the needed information below. If you need more details, please feel free to ask.

My domain is: stage.timebarter.co

I ran this command:
docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot --staging --email pavlo@timebarter.co -d stage.timebarter.co -d www.stage.timebarter.co --rsa-key-size 4096 --agree-tos --force-renewal" certbot

It produced this output:
WARNING: Dependency conflict: an older version of the 'docker-py' package may be polluting the namespace. If you're experiencing crashes, run the following command to remedy the issue:
pip uninstall docker-py; pip uninstall docker; pip install docker
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for stage.timebarter.co
http-01 challenge for www.stage.timebarter.co
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/stage.timebarter.co/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/stage.timebarter.co/privkey.pem
   Your cert will expire on 2019-05-16. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

My web server is (include version): nginx version: nginx/1.13.12

The operating system my web server runs on is (include version): Debian GNU/Linux 9

I can login to a root shell on my machine (yes or no, or I don’t know): I can

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

#2

Hi @pivanchy

You have installed the test certificate from the stage system. This is signed by Fake LE.

So create a certificate from the productive system and use that.

2 Likes
#3

The "--staging" part of this command is what’s causing your cert to come from the test CA. Remove that and you should be good to go.

2 Likes
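
A pre-deployment check for the problem diagnosed in this thread, as an added example that is not part of any post: it flags a certbot command line, a renewal config, or a certificate issuer string that points at the Let's Encrypt staging CA. The `--test-cert` alias, the `acme-staging` URL substring, the `(STAGING)` issuer prefix and the sample renewal config are assumptions not taken from the thread.

```python
import re
import shlex

# Assumptions (not from the thread): certbot accepts --test-cert as an alias for
# --staging, Let's Encrypt staging ACME URLs contain "acme-staging", and newer
# staging issuers are named "(STAGING) ..." rather than "Fake LE ...".
STAGING_FLAGS = {"--staging", "--test-cert"}
STAGING_HOST = "acme-staging"
STAGING_ISSUER_MARKERS = ("Fake LE", "(STAGING)")


def command_uses_staging(command):
    """True if a certbot command line (optionally wrapped, e.g. in a quoted
    docker-compose --entrypoint string) asks for the staging CA."""
    # Split again on whitespace so a quoted inner command yields its own words.
    words = [w for part in shlex.split(command) for w in part.split()]
    if STAGING_FLAGS.intersection(words):
        return True
    for i, word in enumerate(words):
        if word.startswith("--server="):
            target = word.split("=", 1)[1]
        elif word == "--server" and i + 1 < len(words):
            target = words[i + 1]
        else:
            continue
        if STAGING_HOST in target:
            return True
    return False


def renewal_conf_uses_staging(conf_text):
    """True if a renewal config's 'server = URL' line points at staging."""
    match = re.search(r"^\s*server\s*=\s*(\S+)", conf_text, re.MULTILINE)
    return bool(match) and STAGING_HOST in match.group(1)


def issuer_is_staging(issuer):
    """True if an issuer string (e.g. from 'openssl x509 -noout -issuer')
    names a staging CA."""
    return any(marker in issuer for marker in STAGING_ISSUER_MARKERS)


# Constructed samples: a shortened form of the first post's command and a
# minimal renewal config (hypothetical content).
SAMPLE_COMMAND = ('docker-compose run --rm --entrypoint "certbot certonly --webroot '
                  '-w /var/www/certbot --staging -d stage.timebarter.co" certbot')
SAMPLE_CONF = ("[renewalparams]\nauthenticator = webroot\n"
               "server = https://acme-staging-v02.api.letsencrypt.org/directory\n")
```
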