Getting a fake acme certificate

manojit123 · March 18, 2023, 2:41am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:carbonhub.in

I ran this command:kubectl get cert

It produced this output:
NAME READY SECRET AGE
example-app True example-app-tls 14m
My web server is (include version):

The operating system my web server runs on is (include version):nginx latest

My hosting provider, if applicable, is: go daddy

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):using cert manager in AKS

manojit123 · March 18, 2023, 2:48am

What should I follow to get a valid Certificate using cert-manage for acme.

griffin · March 18, 2023, 2:54am

You are probably using the Let's Encrypt staging endpoint instead of the production one.

Change this:

https://acme-staging-v02.api.letsencrypt.org/directory

to this:

https://acme-v02.api.letsencrypt.org/directory

rg305 · March 18, 2023, 3:04am

Hi @manojit123, and welcome to the LE community forum

A cert was issued:
crt.sh | carbonhub.in

But the site is not using that cert.
It showed a cert for "ingress.local".

Does cert-manager have a support channel?

rg305 · March 18, 2023, 3:11am

Seems like the site has gone silent:
[even the HTTP site is gone]

curl -Ii carbonhub.in
HTTP/1.1 404 Not Found
Date: Sat, 18 Mar 2023 03:07:33 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive

Also, note that the issued cert does NOT contain the "www".

Name:    carbonhub.in
Address: 20.219.183.254

Name:    carbonhub.in
Address: 20.219.183.254
Aliases: www.carbonhub.in

Name:    *.carbonhub.in
Address: 20.219.183.254

griffin · March 18, 2023, 3:55am

manojit123 · March 18, 2023, 4:21am

You are correct on your findings rg305. I am able see a proper certificate and TLS secret in Kubernetes but some how the site is taking only ingress.local cert. Can you guide what I am missing with..

manojit123 · March 18, 2023, 4:27am

curl -Li hello-world-ingress.carbonhub.in

HTTP/1.1 200 OK

Date: Sat, 18 Mar 2023 04:26:54 GMT

Content-Type: text/html; charset=utf-8

Content-Length: 611

Connection: keep-alive

manojit123 · March 18, 2023, 4:34am

I am using https://acme-v02.api.letsencrypt.org/directory

manojit123 · March 18, 2023, 4:36am

Do we need to add "www" in the common name of cert? is it mandatory requirement? Pls suggest

manojit123 · March 18, 2023, 4:39am

carbonhub.in is a go daddy domain name.. There is not server with that name. I have deployed a ingress with hostname as https://hello-world-ingress.carbonhub.in/

manojit123 · March 18, 2023, 4:59am

I could fix the problem like changing the ingress hostname as carbonhub.in.. Now it is working as expected.

system · April 17, 2023, 4:59am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Create certificate by acme.sh / certbot Help	8	1392	January 13, 2020
Acme cert renewal no luck even after following the blog Help	5	513	September 2, 2020
Cisco Exressway as ACME client Help	7	1663	May 20, 2020
Error while getting certificates Help	4	3859	July 8, 2018
When I had try to generate SSL through acme2 Help	13	1089	May 16, 2021

Getting a fake acme certificate

Related topics