Multiple Stupid Mistakes when requesting certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

mdbdev.io

I ran this command:

I used NGINX to issue a new certificate.

It produced this output:

Internal Error

My web server is (include version):

OMV 5 on Raspberry Pi 4

The operating system my web server runs on is (include version):

Buster

My hosting provider, if applicable, is:

N/A

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

As it is run through nginx I can’t seem to get any output from CLI

So I kind of made a couple of stupid mistakes.

I initially had a server that was working fine, but decided I’d rather use docker with traefik. However this didn’t go well, as I am new to this and the guide was overly complex.

  • This was my first mistake as I did manage to get certificates issued but I didn’t revoke them before my second stupid mistake.

My second mistake was that due to my frustration with the above situation I decided to just do a fresh install of raspbian/omv and take the nginx route as it is much more user friendly. It was all going fine until I tried to get a certificate for my subdomain.

I was then met with an internal error. I checked the certificates my domain has and they are there. But I am unsure of the following:

  • Can I reinstate them for this fresh install? I am on a new ip address on my internal network.
  • Or do I have to try and revoke the existing certificates and have them re-issued?

Apologies in advance for my stupidity and thanks for any help you can offer.

Everything has gone fine

2 Likes

Revoking a certificate doesn’t really help you in any way. It’s there in the case of a stolen private key, or if an unauthorized third party issued a certificate. That’s it. Creating multiple certificates is a perfectly OK thing to do, as long as it’s within your rate limits.

Your current “internal error” appears to be because Cloudflare can’t connect to your server. For the time being, it may be simpler to disable the Cloudflare proxy and get things running without it. It’s an extra moving part which makes it harder to understand what’s happening.

2 Likes

Hey @_az thanks for your response and for clearing things up.

Even just disabling cloudflare and having it set to only DNS still gives me the error. Or do you mean, switch completely out of cloudflare? And revert to having my dns managed by registrar?

Or could it be something else?

2 Likes

I also did a test here - https://check-your-website.server-daten.de/?i=c9debeb0-ba1f-4e81-8e9f-f648c686defe

I am unsure of how to read the outcome, other than I got a t rating which refers to timeout.

However someone more competent may understand what is going on.

Edit - Updated link to permalink.

2 Likes

You absolutely can (and probably should) reinstate/reinstall your existing certificates. Hopefully their corresponding private keys are still there too. I concur with @_az that revoking the certificates will accomplish nothing unless you've exposed your private keys. Simply deleting certificates and their private keys when they're not needed is better than revoking them as revocation takes resources. As for the error, I defer to @_az who is FAR more knowledgeable than I.

Looking at crt.sh | mdbdev.io, it looks like you have a variety of valid certificates around.

1 Like

Hi @Mdbserver

please start with some basics:

If you want to use http validation, a running webserver is required.

Timeout -> there is no running webserver, so you can't use http validation.

But

| Issuer | not before | not after | Domain names | LE-Duplicate next LE |
|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-08-22 | 2020-11-20 | mdbdev.io - 1 entries | duplicate nr. 1 |
| Let's Encrypt Authority X3 | 2020-08-20 | 2020-11-18 | *.mdbdev.io, mdbdev.io - 2 entries | duplicate nr. 1 |

you have created two certificates, one is a wildcard, that requires dns validation.

So you have already a certificate, use it.

3 Likes
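The two replies above both point the same way: reinstall the certificate you already have (if its private key survived) rather than revoking or re-issuing, and note that the wildcard already covers the subdomain. The following script is an added example, not something posted in the thread; it checks that a leftover key and certificate belong together, that the certificate has time left, and that its names cover the host you want. The file names (fullchain.pem, privkey.pem) are assumptions, and the certificate it builds is a constructed self-signed stand-in with the same names the crt.sh listing shows.

```shell
# Added example, not from the thread. Before requesting another certificate,
# check whether the certificate and key left over from the earlier setup
# (assumed Certbot-style fullchain.pem / privkey.pem) can simply be reinstalled.
set -eu
set -f   # no globbing: SANs such as *.mdbdev.io must stay literal

# 0 if the private key in $2 is the one behind the certificate in $1.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if certificate $1 expires no earlier than $2 seconds from now (default 0).
cert_still_valid() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# 0 if hostname $2 is listed in the SANs of certificate $1, directly or via a
# one-label wildcard (*.mdbdev.io covers sub.mdbdev.io, not mdbdev.io or a.b.mdbdev.io).
cert_covers_name() {
  sans=$(openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' ' | tr ',' '\n' \
        | sed -n 's/^DNS://p')
  host=$2; parent=${host#*.}
  for san in $sans; do
    [ "$san" = "$host" ] && return 0
    case $san in
      \*.*) [ "$parent" != "$host" ] && [ "${san#\*.}" = "$parent" ] && return 0 ;;
    esac
  done
  return 1
}

# Constructed stand-in for the leftover files: self-signed, same names as the crt.sh listing.
make_demo_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mdbdev.io" \
    -addext "subjectAltName=DNS:*.mdbdev.io,DNS:mdbdev.io" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" 2>/dev/null
  echo "$dir"
}

demo() {   # run the three checks against the constructed files for one subdomain
  d=$(make_demo_cert)
  key_matches_cert "$d/fullchain.pem" "$d/privkey.pem" && echo "key matches certificate"
  cert_still_valid "$d/fullchain.pem" 86400 && echo "still valid for at least a day"
  cert_covers_name "$d/fullchain.pem" sub.mdbdev.io && echo "sub.mdbdev.io is covered by the wildcard"
  rm -rf "$d"
}
demo
```

Point the three functions at your real fullchain.pem and privkey.pem instead of make_demo_cert; if all three succeed for the subdomain, the existing certificate can be configured on it as-is.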

@JuergenAuer

I think you’re psychic sometimes. :slightly_smiling_face: I was just preparing to reference you to ask for your help here.

1 Like

Yes, I mean just disabling the CDN.

It's not going to fix your problem, but it allows you to distinguish between problems which are related to your webserver and its certificate, and issues which are related to Cloudflare.

Once you are connecting directly to OpenResty (rather than through Cloudflare), try installing the existing certificate onto the subdomain.

Get that working before turning the CDN back on.

If you are dead set on figuring out your Cloudflare origin errors, https://community.cloudflare.com.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.