So in order to get a valid cert on my cisco cimc (think of a hp proliant ilo), I have to generate a CSR from the cimc (which I have done). Im trying to get the certbot-auto to use this CSR to generate a cert for it.
Please fill out the fields below so we can help you better.
I ran this command: ./certbot-auto certonly --csr csr.txt
It produced this output: Domain: newrock-ilo.monsterjam.org
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
2ac5287d190b3beb82fa8b2a6b50648f.d9aaeb705062c2b12987d984ba7de117.acme.invalid
from 64.132.134.54:443. Received certificate containing ‘’
My operating system is (include version): linux
My web server is (include version): NA
My hosting provider, if applicable, is: NA
I can login to a root shell on my machine (yes or no, or I don’t know): not on cimc
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): nope
I’m guessing you’re not running certbot on the Cisco? Because the Let’s Encrypt validator is connecting to your Cisco, probably not the host you’re running certbot on.
well, actually I forgot to mention that I was able to get the DNS-01 challenge to work, and I was able to get the private key and certs generated, but there is no way for me to put the private key on the CIMC. It has its own private key that it stores somewhere that I cannot change.
So the cert i generated is pretty much useless.
OK, seems like you need to merge the two things you tried. Use DNS challenges, because you can pass those, but with CSR mode so the certificates work with your Cisco’s private key.
If you got the private key / CSR of the CIMC, then used that CSR with the DNS-01 challenge to obtain the certificate … that certificate should match the CSR / private key and hence work fine on the CIMC.
Which part of the above didn’t you do ? or which part did it give an error with ?
Maybe a terminological explanation helps here a tiny bit. In asymmetric cryptography keys come in pairs. Let’s Encrypt needs one half of the pair, the public key because that is baked into the certificate they’ll sign. They don’t need (indeed nobody but you/ the device should ever see) the private key, but as a high quality CA they demand proof that you do have control of it. A CSR embodies such proof. Like the certificate it is a signed document, but in this case signed by the key holder, proving they requested this certificate.
In CSR mode Certbot doesn’t make any keys, it will just arrange (once you have passed ownership challenges for the FQDNs requested) for the CSR to go to Let’s Encrypt and get you the corresponding certificate.
this is similar to your situation where in microsoft stores the private key and just produces a CSR.
Once you have a CSR you need to use a client such as cerbot and a Private Key for LetsEncrypt. Unlike the private key that CIMC generates the purpose of the LetsEncrypt private key is to identify you as a user and to sign validation requests.
You can use the CSR that CIMC gave you with Certbot by using the --csr Command
–csr CSR Path to a Certificate Signing Request (CSR) in DER or
PEM format. Currently --csr only works with the
’certonly’ subcommand. (default: None)
As suggested previously DNS validation is your best option as you may not be able to put custom files needed for the HTTP authentication.
