Getssl: your version of curl needs updating, it does not support SNI (multiple SSL domains on a single IP)

i removed the “strong text” and it was added by this forum software.

I’ve recreated (as much as I can) your config, and it works creating the ca-bundle …

If you uncomment the lines, one at a time, and re-run, can you narrow down exactly which line gives the error?

oh dear, now i can’t reproduce the error since i copied the recent live files back into the .getssl/forum* directories.

let’s wait until i do a non-testing forced update tomorrow.

thanks for your help.

OK, You’re Welcome :slight_smile:

actually, i couldn’t resist trying it again BUT i lost https integrity, note the csr lines:

[root@forum ~]# ./getssl forum.drugs-and-users.org -f
existing csr at /root/.getssl/forum.drugs-and-users.org/forum.drugs-and-users.org.csr does not have the same domains as the config - re-create-csr
creating domain csr - /root/.getssl/forum.drugs-and-users.org/forum.drugs-and-users.org.csr
Registering account
Verify each domain
Verifying forum.drugs-and-users.org
forum.drugs-and-users.org is already validated
Verification completed, obtaining certificate.
Certificate saved in /root/.getssl/forum.drugs-and-users.org/forum.drugs-and-users.org.crt
The intermediate CA cert is in /root/.getssl/forum.drugs-and-users.org/chain.crt
copying domain certificate to /etc/pki/tls/certs/forum.drugs-and-users.org.crt
copying private key to /etc/pki/tls/private/forum.drugs-and-users.org.key
copying CA certificate to /etc/pki/tls/certs/chain.crt
copying private key and domain cert pem to /etc/webmin/miniserv.pem
copying full key, cert and chain pem to /etc/pki/tls/certs/ca_bundle.crt
getssl: forum.drugs-and-users.org - certificate obtained but certificate on server is different from the new certificate

Asking the obvious question. Does the old CSR contain different domains to those in the config ?

how could i tell ? should i just recreate the entire directory (after renaming it) ?

the file is not human readable.

the script is running ok with or without the comments but now the integrity loss confuses me (?)

You can check the contents of an existing csr using

openssl req -in "filename_of_csr" -noout -text

if it's been deleted and overwritten though it's tricky to tell :wink:
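The CSR check suggested above can be scripted to answer the "does not have the same domains as the config" message directly. This is an added example, not part of the original thread and not getssl's own code. The function names, the example.org domains and the generated sample CSR are constructed for illustration, and `make_sample_csr` assumes OpenSSL 1.1.1 or later (for `-addext`).

```sh
#!/bin/sh
# Added example: compare the DNS names inside a CSR with the names you expect.

# Print every DNS name the CSR requests (subject CN + subjectAltName), one per line.
csr_domains() {
    cd_text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    {
        # Subject is printed as "CN=x" or "CN = x" depending on the OpenSSL version
        printf '%s\n' "$cd_text" | sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p'
        # SAN entries are printed as "DNS:a.example, DNS:b.example"
        printf '%s\n' "$cd_text" | tr ',' '\n' | sed -n 's/^ *DNS: *\([^ ]*\).*/\1/p'
    } | tr 'A-Z' 'a-z' | sort -u
}

# csr_diff CSR "name1,name2 ..."  ->  0 = same names, 1 = mismatch, 2 = unreadable CSR
csr_diff() {
    df_want=$(printf '%s\n' "$2" | tr ', ' '\n\n' | tr 'A-Z' 'a-z' | sed '/^$/d' | sort -u)
    df_have=$(csr_domains "$1") || return 2
    df_out=$(
        printf '%s\n' "$df_have" | while read -r d; do
            [ -n "$d" ] || continue
            printf '%s\n' "$df_want" | grep -Fxq -- "$d" || echo "csr-only: $d"
        done
        printf '%s\n' "$df_want" | while read -r d; do
            [ -n "$d" ] || continue
            printf '%s\n' "$df_have" | grep -Fxq -- "$d" || echo "config-only: $d"
        done
    )
    if [ -z "$df_out" ]; then return 0; fi
    printf '%s\n' "$df_out"
    return 1
}

# Build a throwaway CSR (constructed sample data) so the check can be tried offline.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=forum.example.org" \
        -addext "subjectAltName=DNS:forum.example.org,DNS:www.example.org" \
        >/dev/null 2>&1
}

# Usage: ./csr_check.sh path/to/domain.csr "domain.example,www.domain.example"
if [ "$#" -ge 2 ]; then csr_diff "$1" "$2"; fi
```

A `csr-only:` line means the CSR still asks for a name that was dropped from the config; a `config-only:` line means a name was added to the config after the CSR was made.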

i re-ran the forced update but it's identical. did a "diff" and i can't understand where i screwed up, i'd say it's my fault. what bothers me is that i can't run with the https if i do this.

Why can’t you run https ? you have backups of all existing certs etc. And these are only test certs you are getting from the staging server now.

oh shit, SORRY ! I was still pointing to the staging server. i did a “openssl x509 -in “my cert” -text” against the one that worked and the one that didn’t !

sorry. trying the live one now …

ok, i truly will try this again at a later stage.

i think it’s going to be ok.

sorry to waste your time yet again but i have been learning how to inspect the certificates, at least.

I think it will work this time and i have called the ca-bundle a totally new name (testing with the staging server and it works).

I think we can close this and thanks again for your patience, understanding and assistance.
