I need help applying for a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nightstar.top

I ran this command: none

It produced this output: I can’t apply for a digital certificate.

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: www.hanming.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I don’t know

I am the owner of this domain name and the website it resolves to. When I apply for an SSL certificate with an ACME client called WACS, it reminds me that certificates have already been applied for this domain name many times, but I didn’t do that.

If you can, I hope you can revoke the SSL certificate of the domain name and reissue it for me. If necessary, I can provide you domain name certificate or information you need.

Thank you.

(nightstar.top and *.nightstar.top)

Then someone else did, because in the last week five identical certificates for *.nightstar.top, nightstar.top have been issued. Let's Debug Toolkit

You should use one of those five, or wait some days (2~7).

That’s why I need help. Because I didn’t apply for these certificates at all, I didn’t have the public key and private key of these certificates, and I couldn’t use them, so I need to ask you to revoke these certificates and reissue them to my legal and correct domain name and website owner. Thank you.

Revoking certificates will not help you get new ones issued.

And to revoke them yourself you need the private key.

What? However, I do not have a private key, and these certificates were not applied for by me.

You need to ask whoever has access to your dns management interface (dnspod.net?) if they did.

Hi @An_ye

checking your domain there are 5 Letsencrypt certificates - and a new Buypass certificate - https://check-your-website.server-daten.de/?q=nightstar.top#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Buypass Class 2 CA 5 | 2020-03-28 | 2020-09-24 | nightstar.top - 1 entries | | |
| Let's Encrypt Authority X3 | 2020-03-28 | 2020-06-26 | *.nightstar.top, nightstar.top - 2 entries | duplicate nr. 5 | next Letsencrypt certificate: 2020-04-04 07:41:09 |
| Let's Encrypt Authority X3 | 2020-03-28 | 2020-06-26 | *.nightstar.top, nightstar.top - 2 entries | duplicate nr. 4 | |
| Let's Encrypt Authority X3 | 2020-03-28 | 2020-06-26 | *.nightstar.top, nightstar.top - 2 entries | duplicate nr. 3 | |
| Let's Encrypt Authority X3 | 2020-03-28 | 2020-06-26 | *.nightstar.top, nightstar.top - 2 entries | duplicate nr. 2 | |
| Let's Encrypt Authority X3 | 2020-03-28 | 2020-06-26 | *.nightstar.top, nightstar.top - 2 entries | duplicate nr. 1 | |

The Buypass is installed and used:

CN=nightstar.top | 28.03.2020 | 24.09.2020 | expires in 175 days | nightstar.top - 1 entry

Wildcard certificates require dns validation.

I'd never tried those but something looks off. My Firefox (74) cries SEC_ERROR_UNKNOWN_ISSUER while:
[image]

@An_ye you have an incomplete chain (and a pretty unsafe configuration): SSL Server Test: nightstar.top (Powered by Qualys SSL Labs)

You need to tell apache to send the fullchain, or the cert and chain.

Oh, interesting.

Yep, my Firefox (74) cries too, but Edge (MS) and Chrome are happy. Looks like Firefox doesn't know / accept the Buypass certificate.

It looks more like it won’t download the intermediate on its own.

I applied for Buypass’s digital certificate, because I can’t apply for a digital certificate issued by Let’s Encrypt.
But actually I want to use a certificate issued by Let’s Encrypt.
So I really need help.
On the other hand, if I don’t need an SSL certificate, can’t I ask the CA to revoke the certificate that was maliciously issued for my domain name?
Of course, it’s just a discussion from another angle. I still need an SSL certificate now.

Please read the output I have shared:

next Letsencrypt certificate: 2020-04-04 07:41:09

If you didn't create that certificate, who did?

Please read

Revoking certificates doesn't reset the rate limit you have hit.

Looks like you have created these certificates.

Ok, but you need to configure apache to use it properly. I think you should keep using the Buypass certificate for now.

You need to add a SSLCACertificateFile directive in your apache configuration or to change your SSLCertificateFile one. Read more here: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

(also: you can revoke a certificate without the private key, but don’t do so unless you are SURE the private key is compromised and you have full control over your accounts, dns and servers)

In fact, I applied with an acme client.

The first time, I filled in the information and options, and passed the domain name verification of the CA. However, instead of outputting the corresponding private key and file, an error message popped up.

(there is also a retry option) I tried again 3 times, but failed, so I had to give up.

The second time I tried again, the acme client exited directly when the domain name was verified, without any prompt. Then I went to a website to apply for a certificate, and the website told me that my domain name had been applied for and issued many SSL certificates recently.

So I have to use buypass’s certificate temporarily and ask you for help.
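The "duplicate nr. 5" count and the "next Letsencrypt certificate" time quoted earlier in the thread can be recomputed from Certificate Transparency data. The following is an added example, not part of the original thread or of any tool mentioned in it; it assumes the duplicate limit of 5 certificates per identical name set per 7 days, and the sample entries are constructed (issuers, dates and names follow the table above, the times of day are invented).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the Duplicate Certificate limit discussed in the thread,
# 5 certificates per identical set of names per 7 days.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)
LE = "Let's Encrypt Authority X3"
WILDCARD_PAIR = ["*.nightstar.top", "nightstar.top"]

# Constructed CT-log sample: (issuer, issued_at, names). Issuers, dates and
# names follow the table in the thread; the times of day are invented.
SAMPLE_CT_ENTRIES = [
    ("Buypass Class 2 CA 5", "2020-03-28 12:30:00", ["nightstar.top"]),
    (LE, "2020-03-28 07:41:09", WILDCARD_PAIR),
    (LE, "2020-03-28 08:02:10", WILDCARD_PAIR),
    (LE, "2020-03-28 08:15:00", WILDCARD_PAIR),
    (LE, "2020-03-28 09:30:00", WILDCARD_PAIR),
    (LE, "2020-03-28 10:05:00", WILDCARD_PAIR),
]


def name_set(names):
    """Two certificates are duplicates when their name sets match exactly."""
    return frozenset(n.lower().rstrip(".") for n in names)


def duplicate_report(entries, now, issuer_prefix="Let's Encrypt"):
    """Per name set: certificates in the window, blocked or not, next free slot."""
    groups = defaultdict(list)
    for issuer, issued_at, names in entries:
        if issuer.startswith(issuer_prefix):
            ts = datetime.strptime(issued_at, "%Y-%m-%d %H:%M:%S")
            groups[name_set(names)].append(ts)
    report = {}
    for names, times in groups.items():
        recent = sorted(t for t in times if now - WINDOW < t <= now)
        blocked = len(recent) >= DUPLICATE_LIMIT
        # A slot frees once the 5th-most-recent certificate leaves the window.
        next_allowed = recent[-DUPLICATE_LIMIT] + WINDOW if blocked else now
        report[names] = {"count": len(recent), "blocked": blocked,
                         "next_allowed": next_allowed}
    return report


if __name__ == "__main__":
    for names, row in duplicate_report(SAMPLE_CT_ENTRIES, datetime(2020, 3, 29)).items():
        print(sorted(names), row["count"], row["blocked"], row["next_allowed"])
```

A count that cannot be matched to your own client runs is the signal to check who else can complete DNS validation for the zone.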
