Wacs.exe generates only 2 out of 3 pem files

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: syncpilot-test.xitrust.com

I ran this command:

  • I open wacs.exe
  • I choose “Create new certificate with advanced options”
  • I choose “Manually input host names”
  • Enter comma-separated list of host names, starting with the common name: syncpilot-test.xitrust.com
  • [INFO] Target generated using plugin Manual: syncpilot-test.xitrust.com
    Suggested FriendlyName is ‘[Manual] syncpilot-test.xitrust.com’, press enter to accept or type an alternative:
  • I press Enter
  • Next i choose: " 5: [http-01] Save file on local or network path"
  • Path to the root of the site that will handle authentication: C:\XiTrust\Apache24\htdocs.well-known\acme-challenge
  • “Copy default web.config before validation? (y/n*)”
  • I choose YES
  • Next i choose “2: Standard RSA key pair”
  • "What kind of CSR would you like to create?:
  • I choose " 3: Write .pem files to folder (Apache, ngnix, etc.)"
  • " Path to folder where .pem files are stored:"
  • I choose: C:\certificates (same path as in apache httpd-vhosts.config)
  • " Which installer should run for the certificate?:"
  • i choose: “1: Do not run any installation steps”

It produced this output:

[WARN] Overwriting previously created renewal
[INFO] Authorize identifier: syncpilot-test.xitrust.com
[INFO] Cached authorization result: valid
[INFO] Requesting certificate [Manual] syncpilot-test.xitrust.com
[INFO] Exporting .pem files to C:\certificates
[INFO] Installing with None…
[INFO] Next renewal scheduled at 2019/7/23 15:18:31

My web server is (include version): apache2.4

The operating system my web server runs on is (include version): Windows Server 2016 Standard

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


My Problem is now that lets encrypt generates only two files:
syncpilot-test.xitrust.com-chain.pem
syncpilot-test.xitrust.com-key.pem

So no …crt.pem

I don’t know why. I configured Apache as i should, like adding to apache:

ProxyPass /.well-known/acme-challenge ! Alias /.well-known/acme-challenge C:/XiTrust/Apache24/htdocs/.well-known/acme-challenge

and included the necessary modules.
Is my “Path to the root of the site that will handle authentication:” right? (see above).
what i did to try, just to see if it works, i copied the certificate from https://crt.sh/ and put it into my
syncpilot-test.xitrust.com-crt.pem file

I have no clue at the moment. Thank you

Hi @odavid

that may be not required.

Open your chain.pem. If there are two

— Begin Certificate —

the file has both certificates - the cert and the intermediate Letsencrypt certificate.

But there is a problem.

You have created three certificates ( https://check-your-website.server-daten.de/?q=syncpilot-test.xitrust.com ):

CertSpotter-Id Issuer not before not after Domain names LE-Duplicate next LE
937520815 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-29 12:18:30 2019-08-27 12:18:30 syncpilot-test.xitrust.com - 1 entries duplicate nr. 3
935674329 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-28 10:19:42 2019-08-26 10:19:42 syncpilot-test.xitrust.com - 1 entries duplicate nr. 2
927443267 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-05-23 11:19:08 2019-08-21 11:19:08 syncpilot-test.xitrust.com - 1 entries duplicate nr. 1

One is installed:

CN=syncpilot-test.xitrust.com
	28.05.2019
	26.08.2019
expires in 89 days	syncpilot-test.xitrust.com - 1 entry

But with two errors:

HasNotSupportedCriticalExtension: A certificate contains an unknown extension that is marked ‘critical’.
InvalidExtension: Unknown error.

Looks like you have added a non-standard extension (I must check that).

And the chain is wrong - duplicated cert:

Chain - duplicate certificates	
	1	CN=syncpilot-test.xitrust.com
	2	CN=syncpilot-test.xitrust.com
	3	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

The problem is that you copied a precertificate, not a final certificate. Because of Certificate Transparency requirements enforced by current browsers, CAs currently issue certificates in multiple stages:

  1. First the CA generates and signs a precertificate, which contains a “CT Precertificate Poison” extension marked critical. This extension intentionally makes the precertificate unusable.

  2. The CA submits the precertificate to several CT logs (currently the minimum requirements are 1 Google log and 1 non-Google log) and obtains Signed Certificate Timestamps (SCTs) from those logs.

  3. The CA generates and signs the final certificate, which contains the non-critical “CT Precertificate SCTs” extension instead of the critical “CT Precertificate Poison” extension. This certificate can be used for the intended purpose, unlike the precertificate.

  4. Finally, the CA may submit the final certificate to CT logs (technically this is not required, because the precertificate is already there, but good CAs usually do this).

To solve your problem, you need to remove the syncpilot-test.xitrust.com-crt.pem file (which actually contains a precertificate) from your web server configuration, and just use syncpilot-test.xitrust.com-chain.pem (this file contains both the server certificate and the required intermediate certificate). With Apache 2.4 you need to use

SSLCertificateFile /path/to/syncpilot-test.xitrust.com-chain.pem
SSLCertificateKeyFile /path/to/syncpilot-test.xitrust.com-key.pem

and omit SSLCertificateChainFile (which is documented as obsolete).

1 Like

Yep, checked that saved certificate. That has really the extension with the OID 1.3.6.1.4.1.11129.2.4.3 - and this is the precertificate extension:

https://tools.ietf.org/html/rfc6962#section-3.1

Added a new line in the output:

Fatal: Certificate is Pre-Certificate, not a Leaf certificate.

Thank you so much you two, sigprof and JuergenAuer! Now it works. I just copied the first cert from the cian.pem file into the crt.pem file. And thank you for the additional information!!

Unfortunately there is another thing. I have two domains, syncpilot.xitrust.com (i immigrated that from an old server) and syncpilot-test.xitrust.com. When i made the certificate, i chose “[http-01] Save file on local or network path”.
And the “Path to the root of the site that will handle authentication: C:\XiTrust\Apache24\htdocs.well-known\acme-challenge” (i did this for both domains)

The problem is that there is just one of the files (with the longer key in it) in the “acme.challange” file.
And this is the one from the old server. Shouldn’t there be two? one for each domain?

BUT the main Problem is: I can’t use the automatic renewal because now every time (every three month - and for our other domains too) i have to copy the cert from the cain.pem to the cert.pem and i can’t just deactivate the cert.pem in apache because apache won’t start then.

No, it doesn’t work.

Checking https://check-your-website.server-daten.de/?q=syncpilot-test.xitrust.com there is the wrong certificate:

Domainname Http-Status redirect Sec. G
http://syncpilot-test.xitrust.com/
149.154.101.47 200 0.046 H
https://syncpilot-test.xitrust.com/
149.154.101.47 200 0.366 N
Certificate error: RemoteCertificateNameMismatch

There is the

CN=syncpilot.xitrust.com
	31.05.2019
	29.08.2019
expires in 90 days	syncpilot.xitrust.com - 1 entry

installed from your main domain.

And your chain sends your certificate two times:

Chain - duplicate certificates	
	1	CN=syncpilot.xitrust.com
	2	CN=syncpilot.xitrust.com
	3	CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

Your main domain has the same - now correct - certificate - https://check-your-website.server-daten.de/?q=syncpilot.xitrust.com

Domainname Http-Status redirect Sec. G
http://syncpilot.xitrust.com/
149.154.101.47 301 https://syncpilot.xitrust.com/ 0.077 A
https://syncpilot.xitrust.com/
149.154.101.47 200 0.486 B

But the chain has the same error.

You have created 3 certificates with the test-name (2019-05-28 - 31) and two with the other name.

Where are these certificates?

Thank you for the fast reply.

The certificates are in folders:
C:\XiTrust\Zertifiakte\MOXIS_apache\TU (syncpilot-test)
C:\XiTrust\Zertifiakte\MOXIS_apache\PU (syncpilot)

I think one of the Problems (because “check-your-webserver” says Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.) is that when creating the certificate (i created it serveral times new), i chose

“[http-01] Save file on local or network path”.

And the “Path to the root of the site that will handle authentication:

C:\XiTrust\Apache24\htdocs.well-known\acme-challenge”

I am not sure if this is the correct path there, is this is the root path.
As i said, there should be two files in acme-challenge folder, i guess.
Furthermore i have no Idea why the common name at syncpilot-test is “syncpilot.xitrust.com” and why there is even a syncpilot.xitrust.com entry in my syncpilot-test.xitrust.com certificate. I will have to look further.

Maybe it would best to create new ones? As i said, i immigrated one certificate from an old server.
To make new ones, i just have to overide the others yes? No revoke and then new ones.

This

isn’t an error. It’s a normal http status 404 - Not Found, marked with a green A. It’s a check if port 80 is open, if there is a webserver and if there is a - perhaps wrong - redirect.

I have no information about your configuration and I don’t know what that tool is doing.

Don’t revoke certificates if the private key is save.

Looks like you have only one vHost that answers. Is there a ServerName / ServerAlias defined?

One vHost -> one certificate. So if you have only one vHost and the certificate has only one domain name, the other domain name doesn’t work.

So you have two options:

  • two vHosts with two different certificates
  • one vHost and a certificate with two domain names

These are things you must do before you use a Letsencrypt client.

I have two domains in my apache config. It is one file yes but thats the case in windows.
So i have a ServerName “syncpilot.xitrust.com” and a ServerName “syncpilot-test.xitrust.com” and they are seperated. nslookup also dessolves it as two seperated domains.

I will look into it, and write if i find out more, thank you for your help till now! At least the browsers accept the certificates, so the sides can be used.

1 Like

Now the “RemoteCertificateNameMismatch” is gone, but still:

  • The “Chain - duplicate certificates” problem: I manually deleted the first certificate from the chain.pem file (the first one is the same as in the cert.pem file) and now the error is gone. But i fear next time i renew it will be the same.

  • Still the “Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.”

  • I fear that next time wacs tries to automacticly updates the certitifactes, it will again be only the key.pem and chain.pem file, therefore i have to do cut the first cert from the chain.pem file and insert it in crt.pem file again.

All the problems would go away if apache2.4 would start without the crt.pem file, as SIGPROF suggested.

1 Like

I know configured my Apache2.4 so that the SSLCertificateFile points to chain.pem file, now my apache starts

SSLEngine on
SSLCertificateFile “C:/Zertifkate/syncpilot-test.xitrust.com-chain.pem”
SSLCertificateChainFile “C:/Zertifkate/syncpilot-test.xitrust.com-chain.pem”
SSLCertificateKeyFile “C:Zertifkate//syncpilot-test.xitrust.com-key.pem”

The remaining thing is the problem with the file in the \Apache24\htdocs.well-known\acme-challenge folder. I thought the server checks for a file (i have to set the path in the wacs.exe config when i make the certificate). I wonder why it works even if the file is not there.

And of course if the automatic update will function as hoped.

1 Like

That’s

not a problem. The result http status 404 - Not Found - has a green A.

It’s a check if port 80 is open and if a http server answers.

Yes, you have to do that again if you don’t want to have a chain error. But a duplicated certificate is better then a missing intermediate certificate.

I renewed it and i didn’t had tu cut anything, it is working this way, so no chain error.

Thank you again a thousend times for your help!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.