I cannot get SSL cert Certbot: error: unrecognized arguments: prefered-challenges=dns

How did they become identical?

They're not supposed to be.

1 Like

Another question:

I got a cert for dsrlearn.com and *.dsrlearn.com wildcard with SAN.

If I use DNS CAA issuewild, then will it cover dsrlearn.com?
If I want to provide an email, should I add another record of iodef along with issuewild?

Just add issue.

It will cover issuewild as well. Iodef is pretty much ignored.

1 Like

openssl x509 -noout -modulus -in 0001_chain.pem | openssl md5
openssl rsa -noout -modulus -in private.pem | openssl md5

I performed these and I got the same value. Is anything wrong?

I don't know those commands. How many certificates are in that chain file? There should be three. If not, run

cat cert.pem chain.pem > newfile.pem

And then use the newfile.pem as certificate.

1 Like

There are 3 certs in the full chain.

And yet there is a mismatch. I don't know. Let's wait for someone else.

1 Like

Do you think there is any problem with the order?

In the SSL Labs test:

1 Sent by server

2 Extra download -> this is the error; it's in yellow

3 In trust store - fine

Leaf, then intermediate, then "root"

1 Like

In the SSL Labs test:

1 Sent by server

2 Extra download -> this is the error; it's in yellow

3 In trust store - fine

So you have a missing or wrong intermediate? Where does it come from?

1 Like

I don't know. How can I solve this?

If you are sending the certificate by itself it's normal to have that issue. You need to send fullchain to solve it.

The issue is... Why is your fullchain not working?

1 Like

That's the issue. It's not working.

I checked again with every file. I found that the hash of 0000_chain does not match the key. The hashes of the CSR, full chain, and cert match the private key hash.

What should I do?

Show that file here.
[make sure it doesn't contain the word "PRIVATE"]

I suppose it's the LE "long" chain.
Perhaps you would do better by using the "short" chain.

1 Like

Please show the command used.

1 Like

openssl x509 -pubkey -in 0000_chain.pem -noout | openssl sha256

SSL Labs says chain issues.

You are drawing at straws.
SSL Labs will always show an "issue" (with the "long" chain - its root is expired).
But also shows no issue with at least one path (more than enough to validate).

And what are you comparing that output to?

1 Like
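The public-key comparison attempted in the posts above, as an added example that is not from anyone in the thread: `openssl x509` reads only the first certificate in a PEM file, so this script splits each bundle and reports which position, if any, holds the certificate that matches the private key. The function names and the two-certificate sample (a throwaway issuer standing in for the intermediate, plus a leaf) are constructed for illustration; only the file names cert.pem, chain.pem and private.pem echo the thread.

```shell
#!/bin/sh
# SHA-256 of the public key in the FIRST certificate of a PEM file.
# openssl x509 reads only the first certificate, even in a multi-cert bundle.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }

# SHA-256 of the public key that belongs to a private key file.
key_pubkey_hash() { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# Split a PEM bundle into DIR/cert-1.pem, DIR/cert-2.pem, ... and print the count.
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert-" n ".pem") }
        END { print n + 0 }' "$1"
}

# Print the 1-based position of the certificate in BUNDLE that matches KEY (0 = none).
matching_position() {
    key_hash=$(key_pubkey_hash "$1"); work=$(mktemp -d); found=0
    count=$(split_bundle "$2" "$work"); i=1
    while [ "$i" -le "$count" ]; do
        [ "$(cert_pubkey_hash "$work/cert-$i.pem")" = "$key_hash" ] && found=$i && break
        i=$((i + 1))
    done
    rm -rf "$work"; echo "$found"
}

# Constructed sample: throwaway issuer (stand-in for the intermediate) plus a leaf.
make_sample() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out chain.pem \
          -subj "/CN=Constructed Intermediate" -days 1 &&
      openssl req -newkey rsa:2048 -nodes -keyout private.pem -out leaf.csr \
          -subj "/CN=leaf.example.test" &&
      openssl x509 -req -in leaf.csr -CA chain.pem -CAkey ca.key -CAcreateserial \
          -out cert.pem -days 1 &&
      cat cert.pem chain.pem > fullchain.pem ) >/dev/null 2>&1
}

demo=$(mktemp -d); make_sample "$demo"
for f in cert.pem chain.pem fullchain.pem; do
    echo "$f: key matches certificate #$(matching_position "$demo/private.pem" "$demo/$f")"
done
```

A result of 0 for a file that holds only issuer certificates is expected, because the private key pairs with the leaf and not with anything above it.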