Third-party certificates with certbot

My domain is: nha-api.page.works

I ran this command: n/a

It produced this output: n/a

My web server is (include version): Apache/2.4.54

The operating system my web server runs on is (include version): CentOS RHEL Fedora

My hosting provider, if applicable, is: EC2 on AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

Hello, I'm trying to follow Oracle's documentation so that my server can receive "punchout" requests (see image).

My server is an EC2 on AWS, running a LAMP stack, and using certbot w/ cron to provide SSL. I have the OSN certificates downloaded; but how should I go about configuring certbot to include these certificates? Or do I edit the Apache config to include these certificates separately? Thanks!

Hi @nickworks, and welcome to the LE community forum

Certbot is an ACME client used to get certificates and manage certificate renewals.
So, I'm confused about that question.

Generally, that is where certificates are "used".
But, I'm not yet certain what you mean by "these certificates".
So, proceed with caution OR continue asking questions until you understand what you are doing.

Please explain this part in more detail.

2 Likes

You will almost definitely have to contact Oracle for help with this, because all of Oracle's relevant documentation is locked behind a paywall that requires active customer accounts.

Generally speaking... it reads like the Punchout system is essentially their version of a server/client configuration, and the OSN certificates are functioning sort of like Cloudflare's Origin certificates. I think at some point PayPal also required their certificates to be installed for certain services/routes.

If that is the case, what probably happens is that you have Certbot procure/install/manage the Certificates for your public facing websites, but the virtual hosts or services for Oracle are configured to use their Certificates. In that scenario, your public site would rely on publicly trusted certificates while the Oracle services would rely on the Oracle Certificates.

Your screenshot/post could also be interpreted as these being a root bundle of certificates that need to be installed into the OS or some app library - but I think they are functioning closer to the Cloudflare model.

4 Likes

I'm trying to receive punchout requests from Oracle. When I test the endpoint from my Oracle interface I get a message "SSL init errors". The documentation indicates that I should install OSN's certificates on my server, but that's not something I've done before.

My questions are: where do I put the OSN certificates (is it /etc/pki/tls/certs)? And since I'm using certbot, is there anything I have to configure so that these certificates don't interfere with one another?

That depends on what they contain.
If they contain a private key, then they are likely to be handled by the web service.
If they are some sort of trusted root cert(s), then they should likely be installed into the O/S.
In any case, I doubt certbot can do anything with them; nor would their existence in your system cause any conflict with your use of certbot.
Again, certbot is only there to get you certificates and handle their renewals.
But those certificates have nothing to do with whatever was provided to you by Oracle.

4 Likes

Thank you!

I think the files are public keys. I have three .cer files, and they contain --BEGIN CERTIFICATE-- ... --END CERTIFICATE--

I followed this part from another Oracle article to download the keys.

1 Like

To me, that instruction doesn't sound like it will provide any keys - just public cert files.

2 Likes
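Added example, not part of any post in this thread: the replies above turn on whether the downloaded files hold a private key or only public certificates, and this sketch makes that check by reading the PEM block labels and confirming each body decodes to a DER SEQUENCE. It assumes PEM-encoded input (as the `.cer` files here are described); the function names and the sample data are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def is_der_sequence(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) of consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_blocks(text):
    """Yield (label, well_formed) for each PEM block found in text."""
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            yield label, False
            continue
        yield label, is_der_sequence(der)

def classify(text):
    """Return 'private-key', 'certs-only' or 'unknown' for one file's contents."""
    blocks = list(pem_blocks(text))
    if any(label.endswith("PRIVATE KEY") for label, _ in blocks):
        return "private-key"               # secret material is present
    if blocks and all(l == "CERTIFICATE" and ok for l, ok in blocks):
        return "certs-only"                # public certificates, no key
    return "unknown"

def make_sample(label, payload=b"constructed"):
    """Constructed test data: a tiny DER SEQUENCE, not a real cert or key."""
    der = bytes([0x30, len(payload)]) + payload
    return (f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n"
            f"-----END {label}-----\n")

CERT_BUNDLE = make_sample("CERTIFICATE") * 3       # like three .cer files joined
CERT_WITH_KEY = make_sample("CERTIFICATE") + make_sample("PRIVATE KEY")

if __name__ == "__main__":
    print(classify(CERT_BUNDLE), classify(CERT_WITH_KEY))
```

A `certs-only` result matches the last reply's reading of the files: public certificates with no key material in them.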
