Renewal does not include intermediate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: clientzone.budsfx.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hi,
after exporting a PFX that includes the fullchain, the intermediate information is no longer included after renewal, and this causes me trouble. Is there a way to make the auto-renewal process include the intermediate?

thanks

This depends on your acme client. What is your acme client?

I'm using an ACME PowerShell script run from Azure Automation:

#######################################################################################
#
# Script that renews a Let's Encrypt certificate for an Azure Application Gateway
#
# Pre-requirements:
# - Have a storage account in which the folder path has been created:
#   '/.well-known/acme-challenge/', to put here the Let's Encrypt HTTP-01 challenge files
# - Add a "Path-based" rule in the Application Gateway with this configuration:
#   - Path: '/.well-known/acme-challenge/*'
#   - Check the configure redirection option
#   - Choose redirection type: permanent
#   - Choose redirection target: External site
#   - Target URL:
#     - Example: 'https://test.blob.core.windows.net/public'
# - For execution on Azure Automation: import the 'AzureRM.profile', 'AzureRM.Network',
#   'AzureRM.Storage' and 'Azure.Storage' modules (the storage cmdlets below need the
#   last two) and the ACME module into the Automation account
#
# UPDATE 2019-11-27
# - Due to deprecation of ACMEv1, a new script is required to use ACMEv2.
#   The module to use is called ACME-PS (replaces ACMESharp).
#
#######################################################################################

Param(
    [string]$domain,
    [string]$EmailAddress,
    [string]$STResourceGroupName,
    [string]$storageName,
    [string]$AGResourceGroupName,
    [string]$AGName,
    [string]$AGOldCertName
)

# Azure Login
# If Runbook for Azure Automation
$connection = Get-AutomationConnection -Name AzureRunAsConnection
Login-AzureRmAccount -ServicePrincipal -Tenant $connection.TenantID -ApplicationID $connection.ApplicationID -CertificateThumbprint $connection.CertificateThumbprint

# Create a state object and save it to the harddrive
$state = New-ACMEState -Path $env:TEMP
$serviceName = 'LetsEncrypt'

# Fetch the service directory and save it in the state
Get-ACMEServiceDirectory $state -ServiceName $serviceName -PassThru;

# Get the first anti-replay nonce
New-ACMENonce $state;

# Create an account key. The state will make sure it's stored.
# (Run this and New-ACMEAccount once; on later runs the key is reloaded from the state.)
New-ACMEAccountKey $state -PassThru;

# Register the account key with the ACME service. The account key will automatically be read from the state
New-ACMEAccount $state -EmailAddresses $EmailAddress -AcceptTOS;

# Load a state object to have service directory and account keys available
$state = Get-ACMEState -Path $env:TEMP;

# It might be necessary to acquire a new nonce, so we'll just do it for the sake of the example.
New-ACMENonce $state -PassThru;

# Create the identifier for the DNS name
$identifier = New-ACMEIdentifier $domain;

# Create the order object at the ACME service.
$order = New-ACMEOrder $state -Identifiers $identifier;

# Fetch the authorizations for that order
$authZ = Get-ACMEAuthorization -State $state -Order $order;

# Select a challenge to fulfill
$challenge = Get-ACMEChallenge $state $authZ "http-01";

# Inspect the challenge data
$challenge.Data;

# Create the file requested by the challenge
$fileName = $env:TMP + '\' + $challenge.Token;
Set-Content -Path $fileName -Value $challenge.Data.Content -NoNewline;

# Publish the key authorization in the blob container the gateway redirects to
$blobName = ".well-known/acme-challenge/" + $challenge.Token
$storageAccount = Get-AzureRmStorageAccount -ResourceGroupName $STResourceGroupName -Name $storageName
$ctx = $storageAccount.Context
Set-AzureStorageBlobContent -File $fileName -Container "public" -Context $ctx -Blob $blobName

# Signal the ACME server that the challenge is ready
$challenge | Complete-ACMEChallenge $state;

# Wait a little bit and update the order, until we see the states
while($order.Status -notin ("ready","invalid")) {
    Start-Sleep -Seconds 10;
    $order | Update-ACMEOrder $state -PassThru;
}

# Stop here if validation failed instead of continuing with a broken order
if ($order.Status -eq "invalid") {
    Remove-AzureStorageBlob -Container "public" -Context $ctx -Blob $blobName
    throw "ACME order for $domain became invalid; check the challenge file is reachable via the gateway redirect"
}

# We should have a valid order now and should be able to complete it
# Therefore we need a certificate key
$certKey = New-ACMECertificateKey -Path "$env:TEMP\$domain.key.xml";

# Complete the order - this will issue a certificate signing request
Complete-ACMEOrder $state -Order $order -CertificateKey $certKey;

# Now we wait until the ACME service provides the certificate url
while(-not $order.CertificateUrl) {
    Start-Sleep -Seconds 15
    $order | Update-ACMEOrder $state -PassThru
}

# As soon as the url shows up we can create the PFX
# (Hard-coded PFX password kept from the posted script; in a runbook read it from an
# encrypted Automation variable or Key Vault instead of embedding it in source.)
$password = ConvertTo-SecureString -String "Passw@rd123***" -Force -AsPlainText
Export-ACMECertificate $state -Order $order -CertificateKey $certKey -Path "$env:TEMP\$domain.pfx" -Password $password;

# Delete the challenge blob now that validation is complete
Remove-AzureStorageBlob -Container "public" -Context $ctx -Blob $blobName

# RENEW APPLICATION GATEWAY CERTIFICATE
$appgw = Get-AzureRmApplicationGateway -ResourceGroupName $AGResourceGroupName -Name $AGName
Set-AzureRmApplicationGatewaySSLCertificate -Name $AGOldCertName -ApplicationGateway $appgw -CertificateFile "$env:TEMP\$domain.pfx" -Password $password
Set-AzureRmApplicationGateway -ApplicationGateway $appgw

Hi @gamliel

there are older topics with the same domain name - Unable to renew certificate with redirect cpanel and application gateway - looks like you have changed your user name.

That’s bad because the history is missing.

And checking your domain - https://check-your-website.server-daten.de/?q=clientzone.budsfx.com - there is the intermediate certificate sent.

Chain (complete)
1 CN=clientzone.budsfx.com
2 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

But there is a redirect to https://clientzone.easyfx.eu/, and there the chain is incomplete:

Chain - incomplete
1 CN=clientzone.easyfx.eu

But there is an Apache, so normally you don’t use a .pfx file.


Yes, I exported the fullchain from Certbot and then it worked, but when the renewal happens I lose the intermediate.

Hi,
when I log in to the website I'm not getting any redirect to easyfx. Do you have any solution that can help me?

Maybe you also see easyfx because I have multiple websites on the same server and IP.

Please help, I really don't know what to do.


I'll try to rephrase the question.

I have exported the fullchain from Certbot to a PFX file and configured it on Azure Application Gateway.
But when the ACME challenge auto-renewal script runs it removes the intermediate data, although the certificate renews.
Is it possible for the renewal process with ACME http-01 to include the intermediate?
Because I have grade B and an incomplete chain after the renewal.

The fullchain.pem generated by Certbot always includes the intermediate, as the second certificate in the chain.

If you want them separately, it’s cert.pem and chain.pem.

If it’s missing from your PFX, it’s an issue with the way you are creating the PFX.

I know that when I exported from Certbot with the fullchain the cert was OK, but I have the script I attached for auto-renewal with acme-challenge, and when it renews the cert it's missing the intermediate.

Well, looking at the PS library you are using (https://github.com/PKISharp/ACMESharpCore-PowerShell), it seems that it doesn’t support exporting the intermediate with Export-ACMECertificate. Which is … a problem for you.

The certificate chain is not part of the issued certificate. To get a correct certificate chain, you'll need to import the intermediate certificates from your ACME service. For Let's Encrypt you can obtain them via https://letsencrypt.org/certificates/.

I guess you would have to manually import the intermediate from the website into the PFX, as part of your PS automation. This comment appears to have a workaround for what you want: https://github.com/PKISharp/ACMESharpCore-PowerShell/issues/57#issuecomment-584522249 . This seems like an odd design for an ACME client. The certificate chain is sent from the CA server and shouldn’t be managed manually by end-users.

I can't offer you a solution for this PS library, but I know of a different one that gives you the intermediate: https://github.com/rmbolger/Posh-ACME .

From https://github.com/rmbolger/Posh-ACME/blob/master/Tutorial.md#your-first-certificate :

Then if the ACME server is able to properly validate the TXT record, the final certificate files are generated and the command should output the details of your new certificate. Only a subset of the details are displayed by default. To see them all, run Get-PACertificate | fl . The files generated in the output folder should contain the following:

  • cert.cer (Base64 encoded PEM certificate)
  • cert.key (Base64 encoded PEM private key)
  • cert.pfx (PKCS12 container with cert+key)
  • chain.cer (Base64 encoded PEM with the issuing CA certificate chain)
  • fullchain.cer (Base64 encoded PEM with cert+chain)
  • fullchain.pfx (PKCS12 container with cert+key+chain)
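The manual workaround suggested above (import the CA's intermediate into the PFX as part of the automation) can be done without any ACME-client support, using only the .NET X.509 classes that Windows PowerShell already has. The function below is an added example for this thread; it is not code from the original posts, from ACME-PS or from Posh-ACME. It takes the leaf-only PFX that Export-ACMECertificate wrote plus the intermediate file downloaded from https://letsencrypt.org/certificates/, checks that the leaf was actually issued by that intermediate, refuses self-signed roots, and writes a PFX containing key + leaf + chain that Set-AzureRmApplicationGatewaySSLCertificate can consume. The function and parameter names, and the file paths in the usage comment, are assumptions.

```powershell
# Added example: rebuild a leaf-only PFX into a full-chain PFX for Application Gateway.
# Not part of the original thread or of the ACME-PS module. Names/paths are assumptions.
using namespace System.Security.Cryptography.X509Certificates

function New-FullChainPfx {
    [CmdletBinding()]
    param(
        # PFX produced by Export-ACMECertificate: leaf certificate + private key, no chain
        [Parameter(Mandatory)] [string]       $LeafPfxPath,
        # Intermediate certificate file(s) from the CA (PEM or DER), e.g. the Let's Encrypt
        # intermediate downloaded from https://letsencrypt.org/certificates/
        [Parameter(Mandatory)] [string[]]     $IntermediatePath,
        [Parameter(Mandatory)] [string]       $OutputPfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )

    # The .NET PFX APIs take the password as a plain string
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password

    # Exportable: otherwise the private key cannot be written into the new PFX
    $leaf = [X509Certificate2]::new($LeafPfxPath, $plain, [X509KeyStorageFlags]::Exportable)
    if (-not $leaf.HasPrivateKey) { throw "$LeafPfxPath contains no private key" }

    $chain = [X509Certificate2Collection]::new()
    [void]$chain.Add($leaf)

    foreach ($path in $IntermediatePath) {
        $ca = [X509Certificate2]::new($path)
        # A self-signed certificate is a root, not an intermediate. Roots belong in the
        # client's trust store, not in the served chain, so refuse to embed one.
        if ($ca.Subject -eq $ca.Issuer) {
            throw "$path is self-signed (a root certificate); supply only intermediates"
        }
        [void]$chain.Add($ca)
    }

    # The leaf must actually be issued by one of the supplied intermediates; otherwise the
    # PFX is larger but clients still cannot build a path to a trusted root.
    $issuerFound = $false
    foreach ($c in $chain) {
        if ($c.Thumbprint -ne $leaf.Thumbprint -and $c.Subject -eq $leaf.Issuer) { $issuerFound = $true }
    }
    if (-not $issuerFound) {
        throw "No supplied intermediate has Subject '$($leaf.Issuer)' (the leaf's Issuer)"
    }

    # Export key + leaf + intermediates as one PKCS#12 container
    $bytes = $chain.Export([X509ContentType]::Pfx, $plain)
    [System.IO.File]::WriteAllBytes($OutputPfxPath, $bytes)
    return Get-Item -LiteralPath $OutputPfxPath
}

# Usage in the renewal runbook, right after Export-ACMECertificate (paths are assumptions):
# New-FullChainPfx -LeafPfxPath "$env:TEMP\$domain.pfx" `
#                  -IntermediatePath "$env:TEMP\lets-encrypt-intermediate.pem" `
#                  -OutputPfxPath "$env:TEMP\$domain.fullchain.pfx" `
#                  -Password $password
# Then pass "$env:TEMP\$domain.fullchain.pfx" to Set-AzureRmApplicationGatewaySSLCertificate.
```

The intermediate file still has to be kept current by hand with this approach, which is the design weakness the reply above points out: when the CA rotates its intermediate, the Subject/Issuer check in the function fails loudly rather than silently shipping a chain that no longer matches the leaf, so the runbook stops instead of deploying an incomplete chain.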

Thanks, I was able to export, but now I have another message:

One of the certificates is signed with a SHA1 signature. We recommend that you reissue or replace this certificate with one that uses a SHA-2 signature. Contact your SSL provider about how to do this. Read more about the SHA-1 deprecation here.

Where is that message coming from?

It is true that the “DST Root CA X3” sports a SHA-1 signature, but it doesn’t matter, because it’s a trust anchor - it’s self-signed. Browsers don’t care about it and there’s no negative security consequence.

If the warning is not about the root certificate, then please share the link or screenshot where you see that message.

See there

Chain - too much certificates, don't send root certificates
1 CN=fxpackage.com
2 CN=DST Root CA X3, O=Digital Signature Trust Co.
3 CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

The root certificate is sent as the second certificate.

Looks like sslshopper doesn't re-sort the certificates. So the error message is buggy.
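Both findings in this part of the thread (a root certificate bundled into the served chain, and a SHA-1 warning that only concerns the self-signed root) can be caught before the PFX is uploaded to the gateway. The audit below is an added example written for this thread, not code from the original posts or from any of the ACME clients mentioned; it lists every certificate in a PFX with its role and signature algorithm, flags an included root and a missing intermediate as problems, and treats SHA-1 on a self-signed root as harmless, since a trust anchor's signature is never verified. The function names are assumptions.

```powershell
# Added example: audit the certificate chain inside a PFX before deploying it.
# Not part of the original thread. Function names are assumptions.
using namespace System.Security.Cryptography.X509Certificates

function Get-PfxChainReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $certs = [X509Certificate2Collection]::new()
    $certs.Import($PfxPath, $plain, [X509KeyStorageFlags]::DefaultKeySet)

    $subjects = @($certs | ForEach-Object { $_.Subject })

    foreach ($c in $certs) {
        $selfSigned = ($c.Subject -eq $c.Issuer)
        # In a PFX the end-entity certificate is the one carrying the private key
        $role = if ($c.HasPrivateKey) { 'leaf' } elseif ($selfSigned) { 'root' } else { 'intermediate' }
        $sigAlg = $c.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha1RSA
        $problems = @()

        if ($role -eq 'leaf' -and $c.Issuer -notin $subjects) {
            $problems += 'intermediate missing: clients cannot build the chain'
        }
        if ($role -eq 'root') {
            $problems += 'self-signed root included: remove it, clients already trust it locally'
        }
        # SHA-1 on a self-signed root is irrelevant (a trust anchor's own signature is never
        # verified). SHA-1 on a leaf or intermediate is a real finding.
        if ($sigAlg -like 'sha1*' -and $role -ne 'root') {
            $problems += 'SHA-1 signature on a non-root certificate'
        }

        [pscustomobject]@{
            Role               = $role
            Subject            = $c.Subject
            Issuer             = $c.Issuer
            SignatureAlgorithm = $sigAlg
            NotAfter           = $c.NotAfter
            Problems           = ($problems -join '; ')
        }
    }
}

function Test-PfxChain {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $report = Get-PfxChainReport -PfxPath $PfxPath -Password $Password
    $report | Format-Table Role, Subject, SignatureAlgorithm, Problems -AutoSize | Out-String | Write-Verbose
    # $true only when no certificate in the PFX has a problem
    return -not ($report | Where-Object { $_.Problems })
}

# Usage in the runbook before Set-AzureRmApplicationGatewaySSLCertificate (path is an assumption):
# if (-not (Test-PfxChain -PfxPath "$env:TEMP\$domain.fullchain.pfx" -Password $password -Verbose)) {
#     throw "Refusing to deploy $domain: chain problems, see verbose output"
# }
```

On the chain quoted from sslshopper above, this report would show DST Root CA X3 as `root` with `sha1RSA` and the single problem "self-signed root included", and nothing against the leaf or the Let's Encrypt Authority X3 intermediate, which matches the explanation that the SHA-1 warning is about the trust anchor and the only fix needed is to drop the root from the bundle.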


Thanks for the info, you're amazing.

Thanks for everything, you saved me. I appreciate it all.

