New certificate not valid

My domain is: hogwarts.zone
My web server is nginx/1.17.8
Using certbot 1.2.0
Running on a fully updated Arch Linux server.
I can login to a root shell on my machine.
I’m not using a control panel to manage my site.

So I got an email telling me to renew my certificates. I deleted everything in /etc/letsencrypt/live/hogwarts.zone and generated new certificates without any errors or problems with the command:
certbot certonly --agree-tos --email secret@hogwarts.zone --webroot -w /var/www/_letsencrypt -d hogwarts.zone --force-renewal --rsa-key-size 4096 --staple-ocsp --must-staple

Now everything is working and I’m getting a good score on Qualys SSL Test:
https://www.ssllabs.com/ssltest/analyze.html?d=hogwarts.zone

However, I got a big warning that my certificate is not trusted when running a security test on:
https://www.immuniweb.com/ssl/?id=Xb3yk3Yw

How do I resolve this error? Also it says that OCSP isn’t properly configured…

This implies your certificate is fine but you have specified OCSP staple and your actual web server is not configured for that: https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx


Normally you can renew your certificate with a simple certbot renew. You don’t need to delete your old certificate first!

I’m curious where you found all of these options—is there a particular recipe or tutorial you followed? As @webprofusion mentioned, this requests a certificate with the “must-staple” option, which then expects your web server to be configured to support must-staple.

Hi, I know you can renew with certbot renew, but I didn’t have OCSP Stapling before and wanted that this time, so just to be sure I started over using this guide:

But added the following options to get a higher score on Qualys SSL Test:
--rsa-key-size 4096 --staple-ocsp --must-staple

I also changed the web root to --webroot -w /var/www/_letsencrypt because my site is stored in /var/www/hogwarts.zone

Hi @Sebbo

that’s the wrong order.

First step: Add the OCSP-stapling of your server.

If that works, then create a certificate with --must-staple.

--must-staple certificates are rare. But they require a working OCSP-stapling server.
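The order this post describes (working stapling first, --must-staple second) can be checked with the following added shell example, which is not code from the thread or from certbot: the first function inspects a certificate for the must-staple extension, the second asks a live server whether it actually staples, and make_test_cert builds a constructed self-signed certificate so the offline check can be exercised. It assumes the openssl CLI (1.1.1 or newer) is on PATH; host names and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot. Assumes the openssl
# CLI (1.1.1+ for -addext) is installed; hosts and paths are placeholders.

# Returns 0 if the PEM certificate at $1 carries the must-staple extension
# (printed by openssl as "X509v3 TLS Feature: status_request"), 1 otherwise.
cert_has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Feature'
}

# Returns 0 if the server $1 (port 443) sends a stapled OCSP response in the
# handshake, 1 otherwise. Needs network access. The staple travels inside the
# TLS handshake, so the check is the same for TLS 1.2 and TLS 1.3.
server_staples_ocsp() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Combines both checks for certificate $1 deployed on host $2 and prints:
#   plain   - certificate has no must-staple extension (server stapling optional)
#   ok      - must-staple certificate and the server staples
#   broken  - must-staple certificate but no staple: clients hard-fail the handshake
check_deployment() {
    if ! cert_has_must_staple "$1"; then
        echo plain
    elif server_staples_ocsp "$2"; then
        echo ok
    else
        echo broken
    fi
}

# Builds a constructed self-signed test certificate at $1 (key next to it);
# pass "yes" as $2 to add the must-staple extension certbot's --must-staple requests.
make_test_cert() {
    _ext=""
    [ "$2" = "yes" ] && _ext="-addext tlsfeature=status_request"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=test.invalid' \
        -keyout "$1.key" -out "$1" $_ext 2>/dev/null
}
```

Run check_deployment against the deployed cert.pem under /etc/letsencrypt/live/<domain>/ and the host name; "broken" is exactly the state this thread describes, and the fix is either enabling stapling in nginx or reissuing without --must-staple.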

Thank you, is there a way to force renew my certificates with the same options but without the --must-staple option? Or do I have to remove the certificates again and create new ones?

You can create new ones without removing the old ones.

Remove the --must-staple option or check your config file if there is the option defined.

Never remove certificates if the private key is safe. There is a rate limit.

PS: Your server allows only TLS 1.3. That’s wrong. TLS 1.2 isn’t deprecated, a working TLS 1.2 is required.

That’s… unusual.

@Sebbo: look here:

Okay, so that could be it! Will try again this weekend. Is there a reason why OCSP Stapling can’t work on a TLS 1.3 only web server? I thought it could be fun to try a 1.3 only web server, and the Mozilla config generator allowed combining OCSP Stapling with their “Mozilla Modern” preset.

Nobody wrote that. TLS 1.2 is the standard, so a publicly visible

isn’t a good idea. But OCSP uses http, so the TLS protocol isn’t relevant.
