Renewing certs using CertSage

With the help of Jonathan Griffin and his CertSage at griffin.software/certsage.php I was able (in January) to get SSL certs for my two sites hermetic-systems-com and fractal-timewave.com. (Both these sites run with Windows.) This month I have successfully renewed certs for the former and partially for the latter.

After CertSage generates the files needed (namely, certificate.crt and certificate.key) I send them to my ISP to install, and they kindly do this.

The problem I now have with fractal-timewave.com is that when I view the cert (via the padlock in my Firefox browser) it shows that the cert is only for fractal-timewave.com, but not also for www.fractal-timewave.com (unlike the cert for hermetic.systems.com, which covers both).

IIRC when I got the certs earlier, I had created a folder called CertSage which is one level above the website root folder. In that folder I have a folder called .well-known, and in that folder is a folder called acme-challenge.

I then bring up CertSage and tell it I want to acquire a production certificate. As I recall, I then enter both the www and non-www variants, fractal-timewave.com and www.fractal-timewave.com, and click on the 'Acquire production certificate' button. I get the reply:

Trouble...

urn:ietf:params:acme:error:unauthorized
129.146.99.71: Invalid response from https://fractal-timewave.com/.well-known/acme-challenge/uhf4g ... 404

This looks like I should have put something in the /.well-known/acme-challenge folder and that's missing. If so, I don't know what that is or how to get it.

Would the Griffin kindly enlighten me?

Regards,
Peter

1 Like

When communicating directly with other members, you must tag them with the @ symbol.
Like:
@griffin
not
Griffin
nor
griffin

2 Likes

Thanks for the advice.

So would the @griffin kindly enlighten me?

1 Like

That FQDN seems to be misspelled.

2 Likes

A typo. hermetic-systems.com

1 Like

Was there a specific reason for using certsage ?

2 Likes

I tried CertBot, which seemed (to me at least) to want to be used with Linux and Python. I am familiar with neither of them, and was unable to use CertBot.

I use Windows and PHP, and my ISP runs Apache. When I finally got CertSage working (in January and this month) it was easy and it gave me what I needed (to pass on to my ISP). It's only when attempting to renew the certs for FTW that I've forgotten how I did it before (I'm not a Linux person) and needed reminding. @griffin has been very helpful.

2 Likes

Who is your ISP? LuxSci?

Can't they just get a certificate on your behalf?

1 Like

It might be possible to set up the server to automatically get and renew your certs.
CertSage is geared more towards shared hosting scenarios where certs must be managed manually.

3 Likes

I'm just a humble software developer trying (without much success) to eke out a living by publishing my software. I know almost nothing about servers and operating systems. LuxSci manages my sites and I'm not even clear about who actually hosts them, but I believe whoever does it does it using Apache. That's all I know, except how to use tools such as FileZilla, Visual Basic, C, PHP, Firefox, etc. I'm hoping @griffin can remind me of how to get the certs I need so I can get back to doing something I know how to do.

1 Like

@PMeyer Perhaps reviewing your history on this forum will refresh your memory? You can click any of your comments to see the full thread where griffin helped earlier.

3 Likes

What I've been overlooking so far in this thread is the error message that CertSage is giving me after I request a production certificate, namely:

urn:ietf:params:acme:error:unauthorized
129.146.99.71: Invalid response from https://fractal-timewave.com/.well-known/acme-challenge/j5gaIqJrjCtZTbC8A...[omitted]: 404

I don't recall seeing this before, and if you do a web search on "urn:ietf:params:acme:error:unauthorized" it turns out that this error message has been presented to other users of Let's Encrypt, with various arcane (to me) explanations.

I'll keep looking, but this error message probably is the primary clue to why the cert is not being generated. @griffin would know.

1 Like

The CertSage folder should automatically be created by CertSage itself when you run it (if it doesn't exist already) in the location you have described. The /.well-known/acme-challenge/ folders are automatically created by CertSage as well in the website root folder. Those folders should not be in the CertSage folder. Are you running CertSage from https://fractal-timewave.com/certsage.php ? You must run it from your own domain name, not directly from the griffin.software domain name. If you look at your certificate in a browser, you're typically only seeing the common name (CN) field, which is the first domain name you entered into CertSage when creating your certificate. All of the covered domain names are listed as subject alternative names (SANs) in the certificate. You can see those by looking at your certificate with a tool like this: SSL Checker

In this case, it does appear that you didn't enter both fractal-timewave.com and www.fractal-timewave.com into CertSage when you acquired your certificate.

2 Likes
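The "Invalid response ... 404" line in the thread is the CA's HTTP-01 validator reporting that it fetched /.well-known/acme-challenge/&lt;token&gt; from the site and got nothing back. The script below is an added example, not part of CertSage or of any post in this thread: it stands up a throwaway HTTP server on localhost serving a constructed document root, then requests the challenge URL the same way the validator does, once with the challenge file written next to the CertSage folder (outside the document root, as the original post described) and once with it under the document root. The token and key authorization values are constructed placeholders; a real validator fetches over port 80 of the actual domain name.

```python
"""Local dry run of the HTTP-01 challenge lookup behind an ACME 'unauthorized ... 404'.

Added example (not CertSage code). A throwaway local HTTP server stands in for
the real web host; the token and key authorization below are constructed.
"""
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

TOKEN = "constructed-token-uhf4g"              # placeholder, not a real ACME token
KEY_AUTH = TOKEN + ".constructed-thumbprint"   # placeholder key authorization


def serve_webroot(webroot):
    """Start a background HTTP server rooted at `webroot`; return (server, base_url)."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    return server, f"http://{host}:{port}"


def fetch_challenge(base_url, token):
    """Return (status, body) for the challenge URL, mirroring what the CA sees."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_http01(webroot, token, key_auth):
    """Serve `webroot` and report whether the HTTP-01 lookup would pass."""
    server, base_url = serve_webroot(webroot)
    try:
        status, body = fetch_challenge(base_url, token)
    finally:
        server.shutdown()
        server.server_close()
    if status == 404:
        return "404: challenge file missing under the served document root"
    if status == 200 and body.strip() == key_auth:
        return "ok"
    return f"{status}: unexpected body"


def place_challenge(root, token, key_auth):
    """Write the challenge file at root/.well-known/acme-challenge/<token>."""
    chal_dir = os.path.join(root, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    with open(os.path.join(chal_dir, token), "w") as fh:
        fh.write(key_auth)


def demo():
    """Run the wrong and the right layout; return the two verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as site:
        webroot = os.path.join(site, "public_html")    # served document root
        certsage_dir = os.path.join(site, "CertSage")  # one level above webroot
        os.makedirs(webroot)
        # Wrong: challenge folders created beside CertSage, outside the document root
        place_challenge(certsage_dir, TOKEN, KEY_AUTH)
        results["outside_webroot"] = check_http01(webroot, TOKEN, KEY_AUTH)
        # Right: challenge folders directly under the document root
        place_challenge(webroot, TOKEN, KEY_AUTH)
        results["in_webroot"] = check_http01(webroot, TOKEN, KEY_AUTH)
    return results


if __name__ == "__main__":
    for layout, verdict in demo().items():
        print(f"{layout}: {verdict}")
```

Running it prints a 404 verdict for the first layout and "ok" for the second, which is the same difference the CA sees between a challenge file placed in the CertSage folder and one placed under the site's document root.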
In this case, it does appear that you didn't enter both fractal-timewave.com
and www.fractal-timewave.com into CertSage when you acquired
your certificate.

I think that is so (I was testing). And maybe the problem is that I have not removed that certificate in order to make a new one using both www- and non-www- domain names. But maybe not.

You must run it [CertSage] from your own domain name,
not directly from the griffin.software domain name.

I was doing the latter.

I'll now try to do it right.

1 Like

Success!

I just had to make sure that the CertSage folder had the correct permissions setting to allow the certs to be written.

Many thanks! Again!

Kind regards,
Peter

3 Likes

:partying_face:

You're quite welcome, my friend! :slightly_smiling_face:

2 Likes
