SSL certificate Pardot

AgatheLhenry · March 4, 2020, 11:14am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://go.airliquide.com

I ran this command: Pardot (Salesforce) wants to renew the SSL certificate of my CNAME go.airliquide.com but it doesn’t work. Pardot asked me to ask you directly. The problem might come from the fact that our DNS Certification Authority supplier Digicert don’t want you (LetsEnscrypt) to generate an SSL certificate for our domains. The solution would be:

give me a CSR (Certificat Signing Request) so that our supplier Digicert can create a specific SSL certificate with this CSR for my domain name go.airliquide.com
allow on your side the SSL certificate created by Digicert instead of using your own certificate

It produced this output: The SSL certificate can’t renew

My web server is (include version): i don’t know, this is managed by Pardot (Salesforce)

The operating system my web server runs on is (include version): i don’t know, this is managed by Pardot (Salesforce)

My hosting provider, if applicable, is: i don’t know, this is managed by Pardot (Salesforce)

I can login to a root shell on my machine (yes or no, or I don’t know): i don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): i don’t know what is a control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): i don’t know

mnordhoff · March 4, 2020, 11:54am

Did they say why it "doesn't work"? If they tried to issue a certificate and it failed, Let's Encrypt would return an error message that would hopefully explain what was wrong.

Another CA can't physically stop you from getting a certificate.

According to my DNS resolver, your domain doesn't have any CAA records preventing Let's Encrypt or any other CA from issuing certificates.

If there's a contract between you and a company where you promise not to get Let's Encrypt certificates, Let's Encrypt wouldn't know about it and would have no way to technically enforce it. (And I don't think DigiCert would do anything that shady.)

AgatheLhenry · March 4, 2020, 1:22pm

They said they receive the following error:

“Error: DNS problem: SERVFAIL looking up A for go.airliquide.com - the domain’s nameservers may be malfunctioning”

After looking further into this issue they saw that the nameserver [ns03.airliquide.com] was not responding and said it was this issue that prevented you to provide a new certificate.

However, we’ve now solved the problem of this server, Pardot tried again to renew the certificate, and it’s still not working. They didn’t tell me what’s the error they get now, whether it’s the same or a new one.

If there’s indeed a contract between Air Liquide and Digicert where we promise not to get Let’s Encrypt certificates, would the solution I was talking about (giving me a CSR so that Digicert create their own certificates and then we use this certificate instead of LetsEnscrypt’s one) solve the problem?

system · April 3, 2020, 1:22pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.