Help automatically renew certs with SSLVerifyClient require


#1

Hello,

I tried to renew certificates but the challenge verification failed. The reason is that a self-signed certificate is required to connect to the website (SSLVerifyClient set to require in the apache2 conf).

As a workaround I temporarily disabled the client authentication, but I would like to know if it’s possible to provide the client certificate to Let’s Encrypt to be able to connect and pass the verification challenge.

Otherwise, how can I automatically renew certs in my case? Or is there any way to expand the 99-day lifetimes for certificates?

Thank you for your help.
Nicolas.


#2

In that environment it won’t be possible to use the http challenge; you’ll have to use either the tls-sni or dns challenge. If you’re using Certbot you should use the apache plugin instead of webroot.


#3

If your website requires client certificate authentication to connect, one option is (as @cool110 suggested) to use a different validator, though each of those carries its own requirements. Another option is to disable the authentication requirement for the /.well-known/acme-challenge path, leaving it intact for the remainder of your site. But no, there’s no way to extend the 90-day (not 99-day) certificate lifetime. And no, there’s no way to provide a client certificate to Let’s Encrypt so their servers will use it to connect.
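
The per-path exception described in the reply above, sketched as an Apache configuration. This is an added example, not part of the original thread; the hostname, document root and client CA path are assumed placeholders.

```apache
# Constructed example: ServerName, DocumentRoot and file paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem

    # Certificate(s) used to verify client certificates (assumed path).
    SSLCACertificateFile /etc/apache2/ssl/client-ca.pem

    # Server-wide default: do not demand a client certificate in the
    # initial handshake. The URL is not known at that point, so a
    # server-level "require" would reject the validation request before
    # any per-path exception could apply.
    SSLVerifyClient none

    # Require a client certificate for every path except the ACME
    # challenge directory (negative lookahead on the request path).
    <LocationMatch "^/(?!\.well-known/acme-challenge/)">
        SSLVerifyClient require
    </LocationMatch>

    # The challenge directory serves token files only.
    <Directory "/var/www/example/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

With the requirement moved to a per-location block, Apache asks for the client certificate after reading the request (TLS renegotiation, or post-handshake authentication under TLS 1.3), which some clients do not support, so test with the clients that actually use the site. Run `apachectl configtest` before reloading.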

