Help with renewing SSL certificates

I run my server in Amazon EC2, and I am using the SSL key provided by LetsEncrypt.
The clients are android and iOS apps.

I am using network security config in android and Certificate pinning in iOS.

When certificate renewal happens (30 days prior to certificate expiry date), the old certificate is moved to the archive folder, and the apps stop working. I have to submit the apps with the new certificate to app stores to make it work.

Is there any possibility that I can utilize both the old and new keys? Or is there any way around? Kindly help with this issue.

In theory: yes. Unfortunately, you’re not giving us enough information to determine if this is also the case in practice. Information on HOW you get your certificates in the first place (through a command line interface with root access? Or with some sort of panel such as cPanel?). We need to know the client used et cetera.

That’s why there was a complete questionnaire in this Help section of the forum, but you either removed that or didn’t get it in the first place:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

My domain is: ####.com

I ran this command: sudo certbot certonly --standalone for installing

It produced this output:

My web server is (include version): Node JS v10.18.0

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Since version 0.25.0 certbot has the --reuse-key option.

From certbot --help all:

  --reuse-key           When renewing, use the same private key as the
                        existing certificate. (default: False)

This is an answer to your key-use-question. I’m not sure if it’s the answer when using “certificate pinning” in iOS. I’m not familiair with that. Perhaps it also allows public key pinning?

Also, I’m reading a few articles about certificate pinning in iOS and I’m not sure if that’s even necessary. One article claimed a Man-in-the-Middle-attack was feasable, because an attacker could use a self-signed certificate? I’m assuming and hoping iOS doesn’t allow self-signed certificates as valid certs? Another article claims ARP cache poisoning and DNS spoofing are possible attack vectors which mandate certificate pinning, because an attacker could redirect the connection to the hackers IP address? That may be so, but even if that happens, a normal TLS certificate would be protecting your connection because a hacker can not get a valid certificate for your hostname. The IP address doesn’t matter. That’s why SSl/TLS exists in the first place, to counter this types of MitM. Certificate pinning doesn’t give you a lot of extra security IMHO.

2 Likes

Just a minor doubt. --resuse-key option will generate the same public key at every renewal?

Not “generate”. There’s nothing to generate if the key already exists. It just reuses the public/private keypair, like the option says. So the new certificate will contain the same public key as the previous did.

2 Likes

Your solutions helped me. Thanks for your help.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.