SSL request: Shows up multiple times on the transparency report

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
riskmgr.nl

I ran this command:
le64 --key account.key --email "adam@72media.nl" --csr "riskmgr-letsencrypt-wildcard-auto.csr" --handle-as dns --api 2 --csr-key "private-riskmgr-20190712.pem" --domains "*.riskmgr.nl,riskmgr.nl" --generate-missing -crt riskmgr-letsencrypt-wildcard.crt --live

It produced this output:
I don’t have the output any more, but there was a failure to verify and a success

My web server is (include version):
IIS 8.5

The operating system my web server runs on is (include version):
Windows Server 2012 R2

My hosting provider, if applicable, is:
Transip

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): ZeroSSL Crypt::LE client V0.31


I have been trying to renew my wildcard SSL cert. After a few attempts I was successful. However, I couldn’t unpack the crt to a *.pfx file. The *.pem key didn’t match up? So I retried renewing again, and I got another SSL cert. But it failed again due to the key issue. So before I hit the rate limit I tried a completely new account key, which this time did hit the rate limit. What am I doing wrong? Which procedures should I have taken?

My ssl requests

I checked the site and saw that I had multiple SSL certs, whereas I just needed 1. Any help to improve my process and to avoid hitting the limit would be appreciated. Thanks.

Here is my full command :
openssl genrsa -des3 -out private-riskmgr-20190712.pem 2048
le64 --key account.key --email "adam@72media.nl" --csr "riskmgr-letsencrypt-wildcard-auto.csr" --handle-as dns --api 2 --csr-key "private-riskmgr-20190712.pem" --domains "*.riskmgr.nl,riskmgr.nl" --generate-missing -crt riskmgr-letsencrypt-wildcard.crt --live

openssl pkcs12 -inkey private-riskmgr-20190712.pem -in riskmgr-letsencrypt-wildcard.crt -export -out riskmgr-letsencrypt-wildcard.pfx <======= produced "No certificate matches private key"

Hi @jose

you have created 5 identical certificates today - https://check-your-website.server-daten.de/?q=riskmgr.nl#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-07-12 | 2019-10-10 | *.riskmgr.nl, riskmgr.nl - 2 entries | duplicate nr. 5 | next Letsencrypt certificate: 2019-07-19 08:20:19 |
| Let’s Encrypt Authority X3 | 2019-07-12 | 2019-10-10 | *.riskmgr.nl, riskmgr.nl - 2 entries | duplicate nr. 4 | |
| Let’s Encrypt Authority X3 | 2019-07-12 | 2019-10-10 | *.riskmgr.nl, riskmgr.nl - 2 entries | duplicate nr. 3 | |
| Let’s Encrypt Authority X3 | 2019-07-12 | 2019-10-10 | *.riskmgr.nl, riskmgr.nl - 2 entries | duplicate nr. 2 | |
| Let’s Encrypt Authority X3 | 2019-07-12 | 2019-10-10 | *.riskmgr.nl, riskmgr.nl - 2 entries | duplicate nr. 1 | |

That’s not a failure, there are enough certificates.

Your domain is invisible, only timeouts.

Looks like you use the wrong combination of private and public key.

Check date / time of your private keys and certificates to find the correct private key.
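
The key/certificate check suggested above can also be done by comparing public keys instead of file dates. This is an added example, not part of the original posts and not part of the le64 client; the function names and the `KEY_PASSIN` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick the private key that belongs to a certificate by
# comparing public keys. Function names and KEY_PASSIN are made up here.

# Public key (PEM) of the first certificate in a file. openssl x509 reads only
# the first PEM block, so a .crt that also holds the intermediate certificate
# still yields the domain certificate's key.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key (PEM) derived from a private key file. For a key encrypted with
# a pass phrase (e.g. created with -des3) set KEY_PASSIN to an openssl
# pass phrase source such as "file:pass.txt"; the default empty pass phrase
# makes openssl fail instead of prompting.
key_pubkey() {
    openssl pkey -in "$1" -passin "${KEY_PASSIN:-pass:}" -pubout 2>/dev/null
}

# Succeeds only if both files parse and carry the same public key.
key_matches_cert() {    # usage: key_matches_cert KEY CERT
    k=$(key_pubkey "$1") || return 1
    c=$(cert_pubkey "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the first KEY that matches CERT; returns 1 if none does.
find_matching_key() {   # usage: find_matching_key CERT KEY...
    cert=$1; shift
    for key in "$@"; do
        if key_matches_cert "$key" "$cert"; then
            printf '%s\n' "$key"
            return 0
        fi
    done
    return 1
}

# Command-line use: sh script.sh CERT KEY...
if [ "$#" -ge 2 ]; then
    find_matching_key "$@" || { echo "no key matches $1" >&2; exit 1; }
fi
```

Running it with the certificate file first and every candidate `.pem` after it prints the key to pass to `openssl pkcs12 -inkey`.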

Thanks for the quick reply.

I don’t know how I made duplicates, besides retrying with the same command. Is there a different command for renewing (*)certificates?

I’ll try the keys again; I think it is likely that I messed up and can’t find the correct key anymore. How do I not create 5 duplicates?

Thanks in advance.

That creates duplicates.

One time is enough. It’s an installation problem, not a certificate creation problem.

Then you have to wait - 2019-07-19.

That’s unfortunate.

I just retried the combination of key / certificates. I found one that works. Thanks for your advice. I’ll try and see if there is a simpler way to do this. If you have any recommendation I would love to hear it. Have a nice weekend and thanks for your help :smile:

By default the produced crt file would contain 2 certificates - the one of your domain and an intermediate one. If you need to produce a pfx version of the certificate, you can either remove that additional intermediate certificate from crt before the conversion, or (which is a better option) just use the native option of the client to produce a pfx along with crt - see --export-pfx option description.

Thank you! I’ll look this information up. This should improve some error-prone mistakes.