Thanks for the links/pointers. I have already posted there to no avail.
The funny thing is: the show cert command works on a different certificate which I obtained via certbot formerly. That is RSA2048 type. The questionable one is supposedly an ECC certificate (?)
How can I analyze the certificate using a local command, e.g. openssl ... (the file contains a private key which I don't want to expose to public cert testing sites)?
"Revoking, removing, erasing certs obtained using acme.sh"
Why do you need to revoke a cert?
You can "remove"/"erase" a cert by deleting [all copies of] it.
What do you mean by "analyze"?
If you only want to see if it is RSA or ECC, you can tell quickly by the size of the key file.
[How big is the key file?]
If you want to know more details, you can simply show us [just] the public cert file here.
[never show anyone your private key files]
Revoke was wrong here. I just meant remove. Yes, thanks. I found it and removed it.
I'm still chasing for the reason why haproxy isn't accepting the cert file. Haproxy requires to paste the private key into the fullchain.cert.
I did so manually for the certbot-obtained cert file, and haproxy works on this while it doesn't on the acme.sh-obtained cert.
The acme.sh --issue command says that the domain I'm requesting has an ECC certificate already. It says this on creation (--issue) as well as on removal:
acme@mail:~$ acme.sh --remove -d www.mydomain.org
[Sat Nov 11 10:34:10 AM CET 2023] The domain 'www.mydomain.org' seems to have a ECC cert already, lets use ecc cert.
[Sat Nov 11 10:34:10 AM CET 2023] www.mydomain.org is removed, the key and cert files are in /var/lib/acme/.acme.sh/www.mydomain.org_ecc
[Sat Nov 11 10:34:10 AM CET 2023] You can remove them by yourself.
Perhaps your HAProxy doesn't like ECC certs...?
I would try feeding it an RSA cert.
Then, if you don't need an ECC cert and it does like the RSA cert, you can switch to using RSA.
If it doesn't like that RSA cert either, then you might be doing something wrong.
If it does like the RSA cert BUT you do need to use an ECC cert...
Then you may need to dig deeper into how you created that ECC cert OR visit an HAProxy support channel [I'm not sure this is the best place to get help with that kind of problem].
You should be able to specify the cert type you desire from acme.sh.
I don't use HAProxy, so I can't be certain how they work together.
But I have used acme.sh and have asked it to provide both types of certs for the same domain name without any issues.
Now you can review the certs in the system - something like: "acme.sh --list"
Then you can remove/delete whichever certs are no longer needed and no longer being used.
Thanks. I see two certificates listed by the acme.sh --list command.
Actually, I don't want to keep the ec256 certificate. What is the difference between "removing" and "revoking" the certificate? Do I have to do both in sequence?
Now that I have the multidomain cert obtained by the acme.sh challenge, I seem to not need the certbot-generated certificate anymore, do I? Even more, would they interfere with the new cert?
The acme certs are in /var/lib/acme/.acme.sh
The certbot ones in /etc/letsencrypt/.
What mechanism now takes care for the automatic renewals?
In acme.sh, "removing" only deletes the certificate from its maintenance.
You must physically update anything that may still be using it, and you must also delete the files on disk [if you want to - when you no longer need them].
In all cases, "revoking" tells the CA that the cert has [possibly] been compromised and it should be defined as "untrusted". This process is very resource consuming and should NOT be taken lightly.
The two things are NOT interchangeable, nor equal.
If you simply don't need a cert anymore, just remove it.
Certs don't interfere with each other.
If you no longer need the certs in certbot, run certbot delete and follow the prompts.
ACME clients normally install a line in cron or systemd that takes care of renewing managed certs.
So, you should NOT need to do anything for them to renew.
Thanks, very helpful, your remarks.
Just a few questions on further understanding:
With certbot I had these symlinks from /etc/letsencrypt/live/domain/ to /etc/letsencrypt/archive/domain, allowing me to always use the symlink and have the correct valid cert behind it.
How does this work with acme.sh? There are these deploy scripts. Where can I read about how they are used?
I cannot find any traces of acme in /etc/*. (grep -r acme /etc/* doesn't yield anything meaningful).
Maybe despite:
In acme.sh, I believe by default the certs are located within /root/.acme.sh/ and the renewals overwrite the existing files - so, you only need to point the web server to it once.
Try these:
sudo find / -name fullchain.cer
sudo locate fullchain.cer
I did the revoking/removing a minute before and let me --issue new certs with --keylength 2048 and they're all in ~acme/.acme.sh.
They are sitting there but nothing has been deployed to the webserver so far.
I wonder how this mechanism works in haproxy (will ask this in their forum).
HAProxy may be set to require the cert and key in one single file.
To do that you may need to include a "deploy-hook" - which would combine them and place that file wherever needed.
That said, there may be a way to get HAProxy to use the cert and key files separately.
I don't use HAProxy, so I can't be sure about that - worth looking into though.
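An added example, not code from the thread or from acme.sh/HAProxy, covering the two practical points raised above: checking the cert and key locally instead of pasting them into a public site, and building the single cert+key file HAProxy wants (what a deploy hook would do). The file names and the PEM bodies in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: check a PEM bundle locally and
# build the single "cert + key" file HAProxy expects. Nothing is uploaded.
set -eu

# Classify the private key by its PEM header: EC, RSA, PKCS8 or NONE.
# acme.sh's ECC keys show "BEGIN EC PRIVATE KEY"; a PKCS#8 "BEGIN PRIVATE KEY"
# block hides the algorithm, so fall back to openssl for those.
pem_key_type() {
  if grep -q -- '-----BEGIN EC PRIVATE KEY-----' "$1"; then echo EC
  elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then echo RSA
  elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then echo PKCS8
  else echo NONE; fi
}

# Number of certificate blocks (leaf plus intermediates in a fullchain file).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# HAProxy-style bundle: fullchain first, private key appended, mode 0600.
# Refuses to write a file that is missing either the chain or the key.
build_haproxy_bundle() {
  chain=$1; key=$2; out=$3
  [ "$(pem_cert_count "$chain")" -gt 0 ] || { echo "no certificate in $chain" >&2; return 1; }
  [ "$(pem_key_type "$key")" != NONE ] || { echo "no private key in $key" >&2; return 1; }
  ( umask 077; cat "$chain" "$key" > "$out" )   # key material never world-readable
}

# Local inspection with openssl; -noout prints details without re-emitting the PEM.
# openssl skips non-matching PEM blocks, so both commands work on the combined file.
inspect_bundle() {
  command -v openssl >/dev/null || { echo "openssl not installed" >&2; return 0; }
  openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
  openssl pkey -in "$1" -noout -text_pub | head -n 2   # e.g. "Public-Key: (256 bit)"
}

# Constructed sample input (fake PEM bodies, not real key material) to show the flow.
demo() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' MIIBfake '-----END CERTIFICATE-----' \
                '-----BEGIN CERTIFICATE-----' MIIBfake '-----END CERTIFICATE-----' > "$d/fullchain.cer"
  printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' MHcCfake '-----END EC PRIVATE KEY-----' > "$d/key.pem"
  echo "key type: $(pem_key_type "$d/key.pem"), certs in chain: $(pem_cert_count "$d/fullchain.cer")"
  build_haproxy_bundle "$d/fullchain.cer" "$d/key.pem" "$d/haproxy.pem"
  ls -l "$d/haproxy.pem"
  rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run `sh script.sh demo` for the constructed walkthrough, or call `inspect_bundle /path/to/haproxy.pem` on a real bundle to see the key size and SANs without the key leaving the host.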