I ran this command:
C:\Apache\letsencrypt-simple\letsencrypt.exe --verbose --manualhost=www.tsaswimteam.com --webroot=C:\Apache\Tomcat\webapps\swimteam --emailaddress=tsaswimteam@gmail.com --accepttos=yes --plugin=manual --centralsslstore=C:\Apache\certs
It failed, but the window closed automatically so I could not see what was wrong. I tried a few more times and then exceeded the limits so I could not renew anymore. I actually still have 1.5 months before the cert expires. However, this failed command caused the chain.pem and key.pem files to get out of sync (one was updated and one wasn't) so I was left with a non-working system. I urgently need a working pair of pem files. What can I do now?
I should have backed up these files before requesting new certs so at least I could recover using the old files if anything fails. These mismatched files caused the Apache server to fail to start, saying configuration error.
Thank you so much for your quick response. The problem was that the domain.chain.pem and the domain.key.pem files were not created at the same time. The working ones got overwritten. So I don’t have a working pair. I had to use the test certificate/key because I need the site up. Is there a way for me to retrieve a valid cert/key without creating a new one?
From your info, it seems I can only create a cert again one week later on 4/6 :-(.
Thanks. How do I create a cert for multiple domains? I am on Windows and use the letsencrypt-simple client. This exe file launches its own window, and closes it upon exit. I googled how to stop command windows from closing, but this command window doesn't work with all the options I tried.
I tried to use --help for the command, but still didn't know the command for a multi-domain cert. This is the command I am currently using. Should I somehow append more domains into the --manualhost option?
C:\Apache\letsencrypt-simple\letsencrypt.exe --verbose --manualhost=www.tsaswimteam.com --webroot=C:\Apache\Tomcat\webapps\swimteam --emailaddress=tsaswimteam@gmail.com --closeonfinish --accepttos=yes --plugin=manual --centralsslstore=C:\Apache\certs
No, the design of the web PKI is that your private key only exists on your server and isn't known to anyone else or stored anywhere else. So if you don't have it, there's no other copy available.
If you need a certificate and key just to make your configuration temporarily valid, you could use a self-signed certificate, which you can create using some openssl commands that I don't remember offhand, or perhaps with another tool like
which generates one in your browser. This certificate would not be accepted by browsers, but it can be used by server software and gives you a key and certificate that match. If the problem is just getting a service to start so that you can proceed with other steps, that could be a useful solution.
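
The temporary self-signed pair mentioned in the reply above, together with a check that a certificate and key belong together and a backup step to run before a renewal, as an added example that is not part of the thread. It is POSIX shell around the openssl CLI (the openssl invocations are the same on Windows); the function names, file names and host name are assumptions, and the check reads only the first certificate in a file.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are hypothetical.

# Create a throwaway self-signed certificate and an unencrypted private key.
# Browsers will not trust it; it only gives the server a matching pair.
# $1 = key file to write, $2 = certificate file to write, $3 = host name
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null
}

# Succeed only when the certificate and the private key belong together,
# by comparing the public key in the certificate with the one derived
# from the private key. Unreadable or missing files count as a failure.
# $1 = certificate file, $2 = key file
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Copy a pair aside before a renewal, but only if it is a working pair.
# The backup directory holds a private key, so it is restricted to the owner.
# $1 = certificate file, $2 = key file, $3 = backup directory
backup_pair() {
    if ! pair_matches "$1" "$2"; then
        echo "refusing to back up a mismatched pair: $1 / $2" >&2
        return 1
    fi
    mkdir -p "$3" && chmod 700 "$3" && cp -p "$1" "$2" "$3"/
}

# Typical use (constructed paths):
#   backup_pair site.crt site.key ./certs-backup   # before renewing
#   pair_matches site.crt site.key || echo "restore from ./certs-backup"
#   make_selfsigned temp.key temp.crt www.example.test
```

Running `pair_matches` after every renewal attempt, and before restarting the web server, catches a half-updated pair while the backup copy is still available.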