Getting a CSR from already existing certificates


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
meproduction.org
I ran this command:
?
It produced this output:
?
My web server is (include version):
NGINX - Unknown version
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know):
YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.30.2

Okay, so my question
I already have my certificate for my website. I really don’t want to regenerate it, because that would mean ensuring I generate the certificate for my domains, and it’s 20+ subdomains. Along with that, one of the subdomains is hosted on a separate server, which means sending over the certificate, ensuring I have the system using the new certificate, and running tests on everything, and ensuring nothing starts throwing errors.

However, CloudFlare doesn’t like my certificate. I don’t use theirs, because if I disable CloudFlare, it then throws errors. That’s why I use LetsEncrypt. However, now if I do enable it, I can’t access my site. I’m assuming it’s because CloudFlare doesn’t have my encryption info. However, on the control panel, to add it, it asks for a CSR. I frankly have no clue what a CSR is. However, I do know I need to somehow get one, but I can’t have it replace my already existing certificates.

Just in case this is helpful, I don’t use LetsEncrypt’s CLI tool to generate the profile for NGINX. I select “None of the Above” for my web software. I don’t want it messing up my many NGINX config files. I have a specific location I store my system’s keys, so I copy the keys from wherever LetsEncrypt puts them to that location. Then my webserver and email server (already knowing that location) easily switch over.

Sorry if I’m missing something. I saw topics talking about generating new certificates to get a CSR, but that means replacing all of my certificates, updating everything, ensuring everything took effect, and making sure some of the more panicky browsers don’t have a hissy fit (like Safari did when I updated my certificate before it expired).

Thanks in advance!


#2

It’s not clear from your story what you are actually trying to achieve.

Do you want Cloudflare to terminate SSL for you, or will you use your own server?

Sounds like you are trying to use the Origin CA feature of Cloudflare.

The purpose of that feature is to secure the leg from Cloudflare’s edges to your server, without requiring you to use a publicly trusted certificate (e.g. Let’s Encrypt).

In that scenario, browsers would always be using Cloudflare’s automatically generated Comodo certificates (Universal SSL) for your domains, not Let’s Encrypt.

I think you need to think about, in basic terms, what your end goal is:

  • Are you going to use the CDN feature of Cloudflare? Yes or no?
  • If yes, do you want to secure your origin server with Let’s Encrypt or the Cloudflare Origin CA?

#3

If you’d like help understanding this, it would be important to know what these exact errors are.


#4

Hello. In response to what errors there are, usually just a redirect error. I have enabled the CloudFlare CDN for my domain now. It may take a little while to activate, and let me give you the exact error. The usual error is too many redirects, ONLY if I have CloudFlare’s CDN enabled.

Before I started using LetsEncrypt, I used the CloudFlare SSL certificate they provided, so of course I could ONLY access my site securely while I had the CloudFlare CDN enabled; otherwise it’d prevent me from accessing my site. If I recall correctly, it was saying the certificate was invalid or something.

Now that I do use LetsEncrypt, everything works perfectly fine without CloudFlare, but trying to enable it causes issues - sometimes. It sometimes likes to be nice and work for a while. However, I am thinking about trying to enable features like HSTS, and I’d assume CloudFlare would need to know what my certificate is.


#5

In some cases, yes, I am thinking of enabling the CDN feature of CloudFlare. Really, the only subdomain that would be exposed is the mail domain, since, well, I can’t have that running through CloudFlare, since I need to have the URL pointing to a static IP.

I am using the LetsEncrypt SSL key to secure my origin server (I think - if the origin server is my VPS). For a large part, because if I disable CloudFlare’s CDN feature, I want my server to still be accessible via HTTPS, something not available when using certificates from CloudFlare.


#6

If you can reproduce any of these errors, it would be great to know the exact word-for-word error message in question. You could also do a test with @JuergenAuer’s tool, which diagnoses various kinds of redirect errors and helps get closer to understanding where they’re coming from. Note that redirect errors are basically always caused by some kind of configuration (in the web server or CDN, for example), but not by the certificate itself.


#7

I ran the check, but I’m not sure what information is relevant from there. I took two screenshots, and hopefully that contains relevant information to this. It says it’s in an infinite loop, now that the CloudFlare CDN has been enabled and taken time to have the changes be applied.

Not sure what information is/isn’t relevant here, but as my original post says, my domain is “meproduction.org”, so you can pull whatever information is/isn’t important. I frankly have no clue what really anything on that site means.


#8

Hi @coderboy14

You have a two-step loop. Load

http://meproduction.org/

in your browser, Chrome says:

ERR_TOO_MANY_REDIRECTS

http://meproduction.org/ redirects to https://meproduction.org/ redirects to http://meproduction.org/

So it’s impossible to see the site.

I see, there are too many rows, will fix it later (in Germany, it’s late).


#9

Interesting, currently http://meproduction.org/ redirects to https://meproduction.org/ but https://meproduction.org/ redirects to http://meproduction.org/. Potentially one of these is generated by Cloudflare and the other is generated by your server and passed through by Cloudflare.

Can you look in your Cloudflare settings and in your own web server configuration to see if you can find any reason that either would be generating the HTTPS → HTTP redirect? That’s probably the reason for the redirect loop problem.


#10

Thank you for the help. That’s quite odd. I do know on my VPS, the NGINX server is told to redirect all HTTP requests to HTTPS for security, and that works … until I add CloudFlare’s CDN feature. Sigh, silly computers.


#11

I’m not sure where I’d look in CloudFlare, but yes, on my VPS, I do have NGINX setup to redirect all HTTP requests to HTTPS for security. This works perfectly fine, until I enabled CloudFlare’s CDN feature. I’ll try and dig through the control panel, see if anything seems like it might relate to this. Haha. The HTTPS -> HTTP is confusing though, as that isn’t setup on my server, and doesn’t occur unless CloudFlare’s CDN is enabled.

Okay, so I think I found something that MIGHT be useful to know. Under “Crypto”, SSL is disabled. This is because I’m not using CloudFlare’s cryptography certificates, and it had seemed to be causing issues, so I disabled it.

Maybe that’s it, I can try enabling it, but what should I enable it to? I have no SSL certificates available on their panel, as my original post said, I was trying to add it, but I need a CSR for that.


#12

PS: There is a Grade F - Redirect https -> http:

https://meproduction.org/
2606:4700:30::681b:a843
301
http://meproduction.org/
1.084
F

This is always bad. In combination with the normal redirect it’s a loop.


#13

It’s not intentional. Nowhere on my server does it do that. It’s only once I add CloudFlare’s CDN that that issue starts happening. My server only redirects HTTP to HTTPS, not the other way around (except for rare cases, for small development projects where HTTPS isn’t supported, because I don’t want to generate the LetsEncrypt certificates for the subdomain just for a project that I’ll be done testing in under 30 mins).


#14

Well, it takes two to tango!
Inadvertently you are part of the problem.
You redirect to somewhere that redirects back to you.
So, until you can stop the redirection back to you, you should stop all redirections.
[So that at least some version of your site will be visible.]

That said, if it is not you then it can only be CloudFlare (But that happens to also be you - since you are the one who controls what CF does).


#15

I suppose. Sorry for the long delay. I’m trying to fix the issue on CloudFlare. I can’t seem to understand why it’s doing this. That’s why my original question was, how TF do I get a “Certificate Signing Request”. When I go on Cloudflare, and click “Create Certificate” under “Origin Certificate”, it says I need a CSR to use my existing RSA keys. I DO want to use my existing LetsEncrypt keys. Mostly because if I need to disable CloudFlare’s CDN or something, I don’t want my SSL to automatically fail. I want to keep Cloudflare, because while getting info for this post, I enabled the CDN and forgot to disable it. On a day when neither I nor my partner (the only two people who actually use the server) were around, we received something around forty thousand requests, from about sixty sources. Yikes! So, if I can keep CloudFlare, that’d be great! It might explain the occasional massive spikes in memory and CPU usage our server experiences, which lead to very low performance for all other important tasks (such as managing the server via SSH, or delivering web content to legitimate users).


#16

It seems that you may have a misconception/misunderstanding here.
Most CDN sites let the CDN create the cert the client sees.
Unless there are other factors you have not mentioned, the CDN can have a separate valid cert for your site. And when you remove them from the path, the client connects to your site and uses your valid cert.
[two similar but independent certs]


#17

Ah, so that’s what is generating this infinite loop? Well, that means I’m stuck between a rock and a hard place. The CloudFlare certificate works for some situations, but any time I need to perform specific work on the server, it always loved to give issues. It’s ultimately why I switched to LetsEncrypt, because the CloudFlare certificate wasn’t meeting my needs.

So basically, if I understand correctly, the only way I can use the CloudFlare CDN is if I use their certificates, or allow HTTP connections? Ultimately, to me, that leaves only one option. Don’t use CloudFlare, and find some other way to deal with these high-traffic connections (which shouldn’t be there).


#18

A common mistake when using a CDN like Cloudflare is to allow the CDN to connect to your origin server only over HTTP. If you do this, obviously the backend connection is insecure, which is bad, but if you also configure your server to redirect HTTP to HTTPS, it’s even worse because your server will send a response that tells the browser to redirect to HTTPS, then the browser connects over HTTPS to Cloudflare, Cloudflare connects to your origin server again over HTTP, your origin again sends a redirect to HTTPS, and so on ad infinitum (or at least until the browser gives up and throws an error).

If this is the problem, one fix is to configure Cloudflare to always connect to your origin server over HTTPS, and set up the redirect in Cloudflare rather than on your origin server. To do this, go to the “Crypto” tab in Cloudflare and set SSL to “Full (strict)”, and “Always use HTTPS” to “On”.

When you use Cloudflare’s CDN, they automatically generate a certificate to use on the CDN. You also need a certificate on your server, but you do not need an “origin certificate” from Cloudflare if you already have a valid Let’s Encrypt certificate on your server.
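The two-step loop reported in #8/#12 and the mechanism explained in #18, as an added simulation (not code from the thread or from Cloudflare): a browser follows redirects through a modelled edge whose behaviour depends on its SSL mode, in front of an origin nginx that redirects HTTP to HTTPS. The mode names and the edge behaviour per mode are modelling assumptions, chosen to reproduce what the thread observed.

```python
# Added simulation of the Cloudflare <-> origin redirect loop discussed in this thread.
# Three parties: a browser that follows redirects, a Cloudflare-style edge whose
# behaviour depends on its SSL mode, and an origin nginx that 301s HTTP to HTTPS.
# Mode names and edge behaviour are modelling assumptions, not Cloudflare's code.

def _swap_scheme(url, scheme):
    return scheme + "://" + url.split("://", 1)[1]

def origin_nginx(url):
    """Origin server as the OP describes it: every http:// request gets a 301 to https://."""
    if url.startswith("http://"):
        return 301, _swap_scheme(url, "https")
    return 200, None

def edge(url, ssl_mode, always_use_https=False):
    """One request from the browser to the edge. Assumed mode names:
      "off"         - edge serves no HTTPS and 301s https:// back to http://
                      (the https -> http 301 the tool reported from a Cloudflare IP)
      "http_origin" - edge accepts https:// but fetches from the origin over plain http
                      (the scenario post #18 describes)
      "full_strict" - edge fetches from the origin over https
    """
    if always_use_https and url.startswith("http://"):
        return 301, _swap_scheme(url, "https")      # redirect done at the edge
    if ssl_mode == "off":
        if url.startswith("https://"):
            return 301, _swap_scheme(url, "http")
        return origin_nginx(url)
    origin_url = _swap_scheme(url, "http" if ssl_mode == "http_origin" else "https")
    return origin_nginx(origin_url)

def browse(start_url, ssl_mode, always_use_https=False, max_hops=20):
    """Follow redirects like a browser; returns ("ok" | "loop", chain of URLs visited)."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        status, location = edge(url, ssl_mode, always_use_https)
        if status == 200:
            return "ok", chain
        url = location
        chain.append(url)
        if url in seen:              # revisiting a URL is ERR_TOO_MANY_REDIRECTS
            return "loop", chain
        seen.add(url)
    return "loop", chain

if __name__ == "__main__":
    for mode, ah in [("off", False), ("http_origin", False), ("full_strict", True)]:
        print(mode, "always_use_https=%s" % ah, browse("http://meproduction.org/", mode, ah))
```

With "full_strict" but without "Always use HTTPS" the edge never redirects at all, which is why #18 says the redirect has to be set up in Cloudflare once the origin-side one is no longer the only one in play.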


#19

Thank you! So far, everything appears like it’s working as planned. I’ll try to respond within the next 24 hours to say if everything continues to go smoothly, but what you suggested does seem to have fixed it.