How to go from the CSR file to SSL certificate?


#1

My apologies if this is a primitive question, I am quite new to the world of SSL. I’ve run

sudo certbot certonly --standalone -d my.domain.com

to obtain a certificate for RStudio Shiny Pro server. My port 80 was already assigned to the said server, so from what I can gather the installer could not complete (there is no /etc/letsencrypt/live folder, for example). On the other hand, I have a .CSR file, which I understand is a preliminary step towards obtaining a certificate. Unfortunately I cannot figure out how to go from CSR to SSL with Letsencrypt. Any suggestions? Thanks.


#2

Usually, you don’t use a CSR you made yourself with Let’s Encrypt if you’re using Certbot, as Certbot generates its own CSR to use. It is possible to use your own, but strongly discouraged as this breaks a lot of other Certbot functionality regarding certificate management.

Could you please fill out the full questionnaire (reproduced below), especially the part about the output from the command you entered? My guess is that this command failed, if you already had a server running on that port. Standalone mode attempts to spin up its own web server, but it can’t if the port is in use already.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
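A preflight check for the port conflict described in this reply, added here as an example; it is not code from the post, from Certbot or from RStudio. Standalone mode has to bind the challenge port itself, so the script parses ss -ltnp style output (the sample embedded below is constructed, not real output) and reports which process is holding a port before certbot --standalone is retried.

```shell
#!/bin/sh
# Added example: find what is listening on a port before trying certbot --standalone.
# Reads `ss -ltnp`-style lines on stdin. SAMPLE_SS is constructed data, not real output.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("shiny-server",pid=1234,fd=12))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN 0      128    [::]:8080           [::]:*            users:(("java",pid=2000,fd=40))'

# listener_on_port PORT  - prints the Process column of every LISTEN socket bound to PORT
# on any address, reading ss output from stdin. Prints nothing if the port is free.
# The regex anchors ":PORT" to the end of the Local Address:Port field, so port 80
# does not match a listener on 8080.
listener_on_port() {
    port=$1
    awk -v p=":$port" '$1 == "LISTEN" && $4 ~ (p "$") { print $6 }'
}

# standalone_port_free PORT  - exit status 0 if nothing listens on PORT, 1 otherwise.
standalone_port_free() {
    [ -z "$(listener_on_port "$1")" ]
}

# Stand-alone run against the constructed sample; on a real host pipe `ss -ltnp` instead.
if printf '%s\n' "$SAMPLE_SS" | standalone_port_free 80; then
    echo "port 80 is free: certbot --standalone can bind it"
else
    echo "port 80 is held by: $(printf '%s\n' "$SAMPLE_SS" | listener_on_port 80)"
fi
```

On a real machine the input comes from ss -ltnp (root is needed to see process names). If the holder is the web application itself, Certbot's --pre-hook and --post-hook options can stop and restart it around the standalone run, or the webroot authenticator can be used so the running server stays up.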


#3

Hi @autarkie,

Did you mean that Certbot created this CSR, or that RStudio Shiny Pro created it?

In the former case, the existence of the CSR (in /etc/letsencrypt/csr) is unimportant and it was indeed just an intermediate step in a failed attempt to get you a certificate.

In the latter case, @jared.m’s concern about the limitations of using externally-provided CSRs applies.


#4

Hi @schoen,

It is the former case: Certbot created the CSR, but failed to proceed further since the port (80) was occupied by Shiny Server Pro. Having realized this, I shut the Shiny Server down, but now I am bumping against the limits (domain name edited for privacy reasons):

ubuntu> sudo certbot certonly --standalone -d my.domain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my.domain.com
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for: domain.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

I was hoping I could take one of the existing CSRs and proceed from where Certbot stopped due to port conflicts. Or is the only option just to wait until the limits reset? Thanks!


#5

No, the rate limits are due to the resources consumed as a part of signing the certificate. You’ll just have to wait it out. If you’d already issued this certificate, you would get through under the renewal exemption, but that doesn’t seem to be the case here.


#6

This is confusing because the rate limit indicates that certificates were successfully issued recently! @autarkie, do you have some other certificates or some other users of your domain who are issuing certificates for subdomains?


#7

@schoen This actually might be the case, as the second-level domain belongs to a public DNS service, whereas the subdomain is unique.


#8

That’s probably the trouble—the rate limits also apply to public DNS services, unless they list themselves on the Public Suffix List.

https://www.publicsuffix.org/

Some of these services have done so, but others haven’t, so their users may be significantly affected by Let’s Encrypt rate limits.
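To make the Public Suffix List point concrete, here is an added example (not code from this post or from Let's Encrypt) that computes the registered domain a hostname is grouped under: the longest public suffix plus one more label. This is the name the "too many certificates already issued for: domain.com" message in post #4 refers to. The rule sets embedded below are constructed subsets of the list, not the real file, and wildcard and exception rules are omitted.

```shell
#!/bin/sh
# Added example: which name does the per-domain rate limit count against?
# Certificates are grouped by registered domain (public suffix + one label), so
# my.domain.com and other.domain.com both count against domain.com unless domain.com
# itself is a public suffix. RULES are constructed subsets of the Public Suffix List.

PSL_DEFAULT='com
co.uk'

# Same rules, but with the DNS provider's domain listed as a public suffix.
PSL_WITH_PROVIDER='com
co.uk
domain.com'

# registered_domain FQDN RULES  - prints the registered domain of FQDN under RULES
# (newline-separated public suffixes). Returns 1 and prints nothing if no rule
# matches or if FQDN is itself a public suffix.
registered_domain() {
    fqdn=$1; rules=$2
    # Walk from the full name towards the TLD; the first hit is the longest public suffix.
    suffix=""; d=$fqdn
    while [ -n "$d" ]; do
        if printf '%s\n' "$rules" | grep -qxF -- "$d"; then
            suffix=$d; break
        fi
        case $d in
            *.*) d=${d#*.} ;;
            *)   d="" ;;
        esac
    done
    [ -n "$suffix" ] || return 1          # no rule matched: cannot decide
    [ "$suffix" != "$fqdn" ] || return 1  # the name is a public suffix itself
    prefix=${fqdn%".$suffix"}             # everything left of the suffix
    printf '%s.%s\n' "${prefix##*.}" "$suffix"
}

# Stand-alone run showing the difference listing makes for a provider's subdomains.
echo "provider not listed: my.domain.com counts against $(registered_domain my.domain.com "$PSL_DEFAULT")"
echo "provider listed:     my.domain.com counts against $(registered_domain my.domain.com "$PSL_WITH_PROVIDER")"
```

With the provider absent from the list, every customer subdomain shares one bucket, which is how an unrelated user of the same public DNS service can exhaust the limit for everyone. Once the provider is listed, each customer's own subdomain becomes the registered domain and is limited independently. The real list is at the URL above; a production check would also handle its *.example wildcard and !exception lines.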


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.