Live test and development


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: my.brownhanky.com

I ran this command:

It produced this output:

My web server is (include version): nginx open-resty 1.2

The operating system my web server runs on is (include version): Ubuntu 14.4

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): none

When I test and develop, I set change my local copy of /etc/hosts to point my domain to a different server.
Ever since we started using Let’s Encrypt, this strategy fails. I have to hammer my way through browser warnings.

I call this “staging” but it’s not clear to me you mean the same thing when you talk of staging.

How can I have a valid cert for a domain which really is in production but also for my own (live on the net) test/dev?

Thanks fro any advice…


#2

The same exact cert?
Copy it from one server to the other.

A cert covering a similarly name?
Certs are normally issued to the system at the IP of that name.
Since two systems are (should be) at two different IPs, that is not possible with ordinary authentication.
You would have to use DNS authentication - which does not validate your against any specific IP.

Two different names (like: domain.com & dev.domain.com)?
Is simple, as the names are unrelated.
You can issue each cert in the same way and independent of the other.
One name goes to one IP/system, while the other name goes to the other IP/system.


#3

Thank you for the prompt reply.

Exact same. I did copy
/etc/ssl/dhparams.pem;
and
brownhanky@tallone:~$ ls -lst /home/brownhanky/.acme.sh/my.brownhanky.com/
total 28
4 -rw-rw-r-- 1 brownhanky brownhanky 559 Sep 20 00:21 my.brownhanky.com.conf
4 -rw-rw-r-- 1 brownhanky brownhanky 2159 Sep 20 00:21 fullchain.cer
4 -rw-rw-r-- 1 brownhanky brownhanky 2159 Sep 20 00:21 my.brownhanky.com.cer
4 -rw-rw-r-- 1 brownhanky brownhanky 985 Sep 20 00:21 my.brownhanky.com.csr
4 -rw-rw-r-- 1 brownhanky brownhanky 212 Sep 20 00:21 my.brownhanky.com.csr.conf
4 -rw-rw-r-- 1 brownhanky brownhanky 1647 Jul 18 14:14 ca.cer
4 -rw-rw-r-- 1 brownhanky brownhanky 1675 Jul 18 14:14 my.brownhanky.com.key

from
total 28
4 -rw-rw-r-- 1 brownhanky brownhanky 559 Sep 20 00:21 my.brownhanky.com.conf
4 -rw-rw-r-- 1 brownhanky brownhanky 2159 Sep 20 00:21 fullchain.cer
4 -rw-rw-r-- 1 brownhanky brownhanky 2159 Sep 20 00:21 my.brownhanky.com.cer
4 -rw-rw-r-- 1 brownhanky brownhanky 985 Sep 20 00:21 my.brownhanky.com.csr
4 -rw-rw-r-- 1 brownhanky brownhanky 212 Sep 20 00:21 my.brownhanky.com.csr.conf
4 -rw-rw-r-- 1 brownhanky brownhanky 1647 Jul 18 14:14 ca.cer
4 -rw-rw-r-- 1 brownhanky brownhanky 1675 Jul 18 14:14 my.brownhanky.com.key
…but that fails (“Cert expired”).

But the two exact-same-sites are at different IPs.

Should this work? I have something else in the way? I think you are saying it should work, so I have some other issue.

But I cannot be certain of your answer. “Copy it from one server to another” is what I would like but fails.

DNS auth - my reading says chrome won’t allow it anyways.
Different (sub) domains names would work of course but this is legacy code.

The pem file is the same on both servers. Right or wrong?
Otherwise everything is the same except the IP.
It should work?


#4

Please show file:
fullchain.cer

YES. It should have worked.


#5

My problem with the rsync (copy) command. Thank you for your prompt and helpful confirmation.


#6

Here we are again. It works one day, it’s gone the next. The folder contents on both servers are identical.
You asked too see fullchain.cer. Here is it:
brownhanky@tallone:~/.acme.sh/my.brownhanky.com$ cat fullchain.cer
-----BEGIN CERTIFICATE-----
MIIGDjCCBPagAwIBAgISBMu7vGcMIDGpRTm0eVC9AvawMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA5MjAwNjIxMDhaFw0x
ODEyMTkwNjIxMDhaMBwxGjAYBgNVBAMTEW15LmJyb3duaGFua3kuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6Qp5bNLbiySY+sINhl8o5KxEFdhc
b612JZsVRaNqk4mdg/lv31ENJfCnRY+aKa1Dik+QCMcameGHoBV2M5rUCXXV1yev
1W+fkE5EzQ3N+9nE32UDYUh8dOU912wi0uggiVIpizDd2pnh0+FcOa/1ACAJih40
GSLlcZKPqmVoEG6tDOeJCTMfRDK+Tg0DK7wuRYogPWGMnoxGrErxVpgzm1NrXvE/
GcgpzeNFaf/AX8lCLBg4CypxCDqTS0TZlU6RbuL3jwPSYfAJzo6QvOI1UMsS1LFc
rmEKN4hi+oXOq+trQfVA2wIR1wmHEvotlglunfNOaMxTPtkwGAmtnpP9EQIDAQAB
o4IDGjCCAxYwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQfTbbBM+wDBq39rBNmSIAL
tkYvnjAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB
AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMBwGA1UdEQQVMBOCEW15LmJyb3duaGFua3kuY29tMIH+BgNVHSAEgfYw
gfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0
cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBD
ZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBh
cnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0
ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3Np
dG9yeS8wggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwDbdK/uyynssf7KPnFtLOW5
qrs294Rxg8ddnU83th+/ZAAAAWX12pdpAAAEAwBIMEYCIQDoG9zc0kzN8Szvn+jP
APdrm9gAEG8U2ADcfsm05Ns4+AIhAKE3JB6iiE57yHxhrpEOBdAvIfBl/yPORB4f
xZ+6cVetAHYAKTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9HgAAAFl9dqZ
qQAABAMARzBFAiEA2c4jB0o/Iifde2YEOESqUeX5ku4RRjOztbzHNQaTYfICIBmO
Ty9b357ZSrVDb+XUC6+tDCPH7KH7sugN2gTCAP9yMA0GCSqGSIb3DQEBCwUAA4IB
AQCU5V032B1yE1ozkn5uMxxW2x5wJUhDtmtDLeg7CaFJU4WFxpaI+pXuDEscuI/d
2bTl42Xzyl8rrIzVtTIkfIoYc54DnBMOJhYHFuO1RzekJP0Ae8auS6egooSbWam7
ikOdERmuwfaH/HSrGM21D/g6oX4/AFouyqD6tC1rfr/ZaRgUeYCMsVFgTFATzBrr
PtHsJtR/6roxJxfghUrWzwNSu/33jt0PFSXAcvhtSGgdg1pJ8640TDbCsv0JUks8
ZEoLnFbfOXmgzjUsKww8Pye5dbruCT2KoMLDvUnlPqD0jhFmsB6lcWYEXpool6M7
twaJcYnwZ4b39TYfa+a7K++J
-----END CERTIFICATE-----
brownhanky@tallone:~/.acme.sh/my.brownhanky.com$


#7

Hi @HankBrown

this is a valide Letsencrypt certificate with

CN = my.brownhanky.com

as domain name, you can use it 2018-12-19. Did you copy the private key? To use one certificate with different servers / code, this isn’t a problem. Copy and use it.

PS: Save the text in Windows as .crt - file.


#8

Did you copy the private key? I don’t know. What is your extension for that file?
Save in Windows?

I’m a linux guy. I’ve never had to deal with certs before.
(I used to have a wildcard, worked everywhere)
Where is the private key?

brownhanky@tallone:~/.acme.sh/my.brownhanky.com$ ls -ls
total 28
4 -rw-rw-r-- 1 brownhanky brownhanky 1647 Jul 18 14:14 ca.cer
4 -rw-rw-r-- 1 brownhanky brownhanky 2159 Sep 20 00:21 fullchain.cer
4 -rw-rw-r-- 1 brownhanky brownhanky 2159 Sep 20 00:21 my.brownhanky.com.cer
4 -rw-rw-r-- 1 brownhanky brownhanky 559 Sep 20 00:21 my.brownhanky.com.conf
4 -rw-rw-r-- 1 brownhanky brownhanky 985 Sep 20 00:21 my.brownhanky.com.csr
4 -rw-rw-r-- 1 brownhanky brownhanky 212 Sep 20 00:21 my.brownhanky.com.csr.conf
4 -rw-rw-r-- 1 brownhanky brownhanky 1675 Jul 18 14:14 my.brownhanky.com.key
brownhanky@tallone:~/.acme.sh/my.brownhanky.com$


#9

There is your key :wink:


#10

A certificate has always a public and a private key. These are created before the Certificate signing request is created and send to the CA.

The CA signes the Certificate signing request (public key and the other informations) with it’s own key.

This is one file.

The other file is the file with the private key. If you have both, you can use the certificate where you want.


#11
    # dsm 19 sep 18 : copy from 321 iinstead
    # rsync -avPe 'ssh -p2332'  brownhanky@dex321.exmasters.com:/home/brownhanky/.acme.sh/my.brownhanky.com /home/brownhanky/.acme.sh/
    ssl_certificate /home/brownhanky/.acme.sh/my.brownhanky.com/my.brownhanky.com.cer;
    ssl_certificate_key /home/brownhanky/.acme.sh/my.brownhanky.com/my.brownhanky.com.key;

    ssl_prefer_server_ciphers on;
    ssl_dhparam  /etc/ssl/dhparams.pem;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

    location ^~ /.well-known/acme-challenge/ {
       allow all;
    }

Am I not referencing this key in the config above?


#12

Looks ok (I am not a Linux guy). If it doesn’t help (reload/restart required), perhaps it’s the wrong vHost.


#13

Something is NOT right with that picture!
The CERT and FULLCHAIN should NOT be the same size:
The CERT should be only one cert.
While the FULLCHAIN should be that CERT plus at least one intermediate CHAIN cert.

Here is an example of what I mean:
-rw-r--r-- 1 root root 2159 Sep 13 02:20 cert1.pem
-rw-r--r-- 1 root root 1647 Sep 13 02:20 chain1.pem
-rw-r--r-- 1 root root 3806 Sep 13 02:20 fullchain1.pem
-rw-r--r-- 1 root root 1704 Sep 13 02:20 privkey1.pem

The cert size is 2159
And the fullchain size is 3806 (2159+1647) [cert + chain]