New Invalid certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: infov5.dcorpsystems.ca

I ran this command:
# Assumes $CFAPITokenSecure (SecureString API token), $EmailContact and
# $Credential were set earlier in the session.
$PluginName = 'Cloudflare'
$CN = 'infov5.dcorpsystems.ca'
$CNwww = 'www.infov5.dcorpsystems.ca'

$certParams = @{
    Domain     = $CN, $CNwww
    Plugin     = $PluginName
    PluginArgs = @{ CFToken = $CFAPITokenSecure }
    AcceptTOS  = $true
    Contact    = $EmailContact
    #PreferredChain = 'ISRG Root X1'
    PfxPass    = $Credential.GetNetworkCredential().Password
}
New-PACertificate @certParams

It produced this output: Created the certificate and installed it on the certificate store, then I configured IIS to use the certificate
Although I own my domain, I am not publishing the site on the internet, I am testing the process
I am validating the domain
Issuing the certificate
Installing the certificate on the internal web server for testing
My internal DNS is configured with the CN

I am new to Let's Encrypt, so I do not know if I am doing something wrong.
The curl command gives me this error:

  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * TLSv1.3 (IN), TLS handshake, Server hello (2):
  * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  * TLSv1.3 (IN), TLS handshake, Certificate (11):
  * TLSv1.3 (OUT), TLS alert, unknown CA (560):
  * SSL certificate problem: unable to get local issuer certificate
  * Closing connection 0
  curl: (60) SSL certificate problem: unable to get local issuer certificate
  More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My web server is (include version):

The operating system my web server runs on is (include version): Windows Server 2022

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I am using Posh-ACME

I am investigating Let's Encrypt and creating a proof of concept for my company to eventually adopt it, but I am getting this error in the browser

Your connection isn't private

Attackers might be trying to steal your information from infov5.dcorpsystems.ca (for example, passwords, messages, or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID

I'm not entirely sure.

While certificate transparency log aggregators often have a backlog of certificates yet to be indexed, it's often not that bad. And I don't see any certificate issued for infov5.dcorpsystems.ca using crt.sh (crt.sh | infov5.dcorpsystems.ca) nor Entrust Certificate Search - Entrust, Inc.

Perhaps your ACME client used the staging environment? Can you view the certificate in your browser and check the issuer?

4 Likes

@Osiris has guessed right that you are getting certs from the Let's Encrypt staging system

You will need to configure posh-acme to request certs from the production LE system

5 Likes
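Putting that advice into a script, as an added example (not code from this thread or from the Posh-ACME project): it selects the production directory, issues with the same parameters as the original post, and then checks the issuer both of the certificate file Posh-ACME wrote and of the certificate the web server actually serves. It assumes the same session variables as the original post ($CFAPITokenSecure, $EmailContact, $Credential) and that the object returned by New-PACertificate exposes a CertFile path.

```powershell
# Added example; assumes Posh-ACME is installed and that $CFAPITokenSecure,
# $EmailContact and $Credential are already set as in the original post.
Import-Module Posh-ACME

# Posh-ACME keeps per-server state, so selecting the production directory
# (shortcut LE_PROD; LE_STAGE is the staging one) is enough to switch.
# Staging certificates chain to "(STAGING)" intermediates that no browser
# trusts, which is what ERR_CERT_AUTHORITY_INVALID / "unknown CA" reported.
Set-PAServer LE_PROD

$certParams = @{
    Domain     = 'infov5.dcorpsystems.ca', 'www.infov5.dcorpsystems.ca'
    Plugin     = 'Cloudflare'
    PluginArgs = @{ CFToken = $CFAPITokenSecure }
    AcceptTOS  = $true
    Contact    = $EmailContact
    PfxPass    = $Credential.GetNetworkCredential().Password
}
$cert = New-PACertificate @certParams

# Check what was actually issued: staging intermediates carry "(STAGING)"
# in their name, production ones do not. CertFile is assumed to be the
# path of the issued leaf certificate.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert.CertFile)
if ($x509.Issuer -match 'STAGING') {
    Write-Warning "Still a staging certificate, issuer: $($x509.Issuer)"
} else {
    Write-Host "Production certificate, issuer: $($x509.Issuer)"
}

# After IIS is rebound, confirm the served chain from a client's point of
# view rather than trusting the file on disk. The callback accepts any
# chain because the goal is to read the issuer, not to validate it.
function Get-ServedIssuer {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        return $ssl.RemoteCertificate.Issuer
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}
Get-ServedIssuer -HostName 'infov5.dcorpsystems.ca'
```

If the served issuer still contains "(STAGING)" after the switch, IIS is still bound to the old certificate rather than the newly issued one.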

Please note that it's fine to issue a lot of certificates from the staging environment, but that there are strict rate limits for the production environment. (Looking at the number of certs issued quite fast after each other.)

3 Likes

This is all I find for Domain Names; no A, AAAA, or CNAME

$ nslookup -q=any www.infov5.dcorpsystems.ca aisha.ns.cloudflare.com.
Server:         aisha.ns.cloudflare.com.
Address:        162.159.38.186#53

www.infov5.dcorpsystems.ca      hinfo = "RFC8482" ""
$ nslookup -q=any infov5.dcorpsystems.ca aisha.ns.cloudflare.com.
Server:         aisha.ns.cloudflare.com.
Address:        162.159.38.186#53

infov5.dcorpsystems.ca  hinfo = "RFC8482" ""
1 Like

It is normal not to see those with DNS Challenge for internal network use.

5 Likes

Correct, I just didn't see which of the Challenge Types - Let's Encrypt was being used.

1 Like

It wasn't mentioned explicitly, but was implied by using the Cloudflare plugin.

2 Likes

Thanks @Osiris :slight_smile:

1 Like

Hello,

Thank you all so much for your response, I was using stage instead of prod. I modified the code to use PROD and the certificate works like a charm, with no issues whatsoever.

Once again thank you for your answers and pointing me in the right direction.

4 Likes
