I would agree it is starting to look sort of weird.
I've set up Let's Encrypt certs for two other web servers I'm helping with via ZeroSSL around the same time as certbot's first request.
So, it's most probably a mix-up with the ZeroSSL process or another one, as Juergen suspected.
But what I (think I) remember of it is that I was asked a few questions, like names, email address, website name, password, etc., before the certificate was issued.
Why I seem convinced there is a password now is because (for example) while trying to get the Pentaho server (Tomcat) to use the Certbot certificate I ran
into a request for a password for the cert to be imported. While it seemed like keytool would accept the same password (certbot) for the key as for the keystore, it threw an error
asking for the password, and when any other password was used it complained that it was not the correct password. I followed this tutorial
These are things typically asked when creating a certificate signing request (CSR). Most CAs ask you to submit a CSR in order to get a certificate. There is a passphrase that can be specified as well (though it is useless if an attacker can access the CSR, since it is encoded as plain text). Certbot actually generates the CSR for you. The reason you aren't asked for all of the other information by certbot is because Let's Encrypt just throws away anything it can't verify automatically. Hence there's no subject organization, country, or city in a Let's Encrypt certificate. If you generate your own CSR with such information and submit it to Let's Encrypt (via an ACME client), you will see the truth of what I say.
I think I've figured out where your password concerns originate.
To create a new JKS keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:
snip
After executing this command, you will first be prompted for the keystore password. The default password used by Tomcat is "changeit" (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file, as described later.
Next, you will be prompted for general information about this Certificate, such as company, contact name, and so on. This information will be displayed to users who attempt to access a secure page in your application, so make sure that the information provided here matches what they will expect.
Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). The keytool prompt will tell you that pressing the ENTER key automatically uses the same password for the key as the keystore. You are free to use the same password or to select a custom one. If you select a different password to the keystore password, you will also need to specify the custom password in the server.xml configuration file.
If everything was successful, you now have a keystore file with a Certificate that can be used by your server.
In order to generate a CSR that will be submitted to a CA (e.g. Let's Encrypt), Tomcat first has you generate a self-signed certificate. The private key for this self-signed certificate, which will eventually become the private key for the real certificate, is stored in your keystore, which requires entering a password. Tomcat then uses the information from that self-signed certificate to generate the CSR.
To use your own CSR file with certbot, you need to use the --csr *path to CSR* parameter (and must be using certonly). This prevents certbot from generating the CSR (and its private key) for you.
So I gave it a go!
I raised an OpenSSL certificate with a password (stored in the keystore). Then I raised a CSR using the keystore. I then used the CSR to request a new certbot certificate like:
It's the space after the comma between the domain names that caused certbot to fail. There should not be any spaces. Ideally there should also be quotes (to protect against wildcard expansion in bash). You can't use an installer (-i apache) with certonly.
Those are local to the system with that host file.
I think they meant that since they used it there with a space, they remembered that and used a similar syntax with certbot - which did not work as expected.
As for the really long command...
I'm confused about why you used certonly and then added -a and -i.
I will go and give your last amended command line a try and see how it goes:
sudo certbot certonly --cert-name smoothgift.com --csr /home/richard/pentaho-ssl/certreq.csr --webroot -w /srv/www/htdocs -d "www.smoothgift.com,smoothgift.com"
Oh no! The private IP address stays correctly defined in the hosts (otherwise it will be trouble everywhere!)
Giving it here as 192.168.-.- is just me being paranoid, feeling like I'm putting everything out there: hosts, cli.ini, http.conf, etc. Makes one feel a bit naked out there in a cold world.
The question that came to mind is:
Where is Certbot getting this changing last line "From command line/config: smoothgift.com, www.smoothgift.com" from?
When you specify --cert-name, certbot gets the domain names from the existing certificate. When you specify -d, certbot uses the domain names you specify. It should also be able to extract the domain names directly from the CSR.
Thanks for your reply.
I got pretty much the same error back:
sudo certbot certonly --csr /home/richard/pentaho-ssl/certreq.csr --webroot -w /srv/www/htdocs
Inconsistent domain requests:
From the CSR: smoothgift.com,www.smoothgift.com
From command line/config: smoothgift.com, www.smoothgift.com
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /home/richard/pentaho-ssl/keystore -destkeystore /home/richard/pentaho-ssl/keystore -deststoretype pkcs12".
And here is the OpenSSL cert and keystore:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /home/richard/pentaho-ssl/keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: smoothgift.com,www.smoothgift.com
What is the name of your organizational unit?
[Unknown]: smoothgift
What is the name of your organization?
[Unknown]: Smoothgift
What is the name of your City or Locality?
[Unknown]: Amsterdam
What is the name of your State or Province?
[Unknown]: Amsterdam
What is the two-letter country code for this unit?
[Unknown]: NL
Is CN="smoothgift.com,www.smoothgift.com", OU=smoothgift, O=Smoothgift, L=Amsterdam, ST=Amsterdam, C=NL correct?
[no]: yes
Enter key password for
(RETURN if same as keystore password):
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /home/richard/pentaho-ssl/keystore -destkeystore /home/richard/pentaho-ssl/keystore -deststoretype pkcs12".
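The "Inconsistent domain requests" error above comes from certbot comparing the names it reads from the CSR with the ones from the command line or cli.ini. The following is an added example, not certbot's code: it takes a name list already extracted from a CSR (it does not parse DER; the list is an assumed input) and a -d value, validates every entry as a DNS hostname, and reports the mismatch. On the values in this thread it flags both the CN that holds two names joined by a comma and the space after the comma in the config value.

```python
import re

# Hostname label rule (RFC 1123 style): 1-63 letters, digits or hyphens,
# not starting or ending with a hyphen. A comma or a space never passes this.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name: str) -> bool:
    """True if `name` is a syntactically valid DNS hostname."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def parse_domain_arg(arg: str) -> tuple[list[str], list[str]]:
    """Split a certbot -d / cli.ini value on commas without stripping whitespace,
    mirroring the strictness seen in the thread. Returns (valid, rejected)."""
    entries = arg.split(",")
    good = [e.lower() for e in entries if is_hostname(e)]
    bad = [e for e in entries if not is_hostname(e)]
    return good, bad


def check_consistency(csr_names: list[str], cli_arg: str) -> dict:
    """Compare names taken from a CSR (CN plus SAN dNSNames, assumed already
    extracted by the caller) against the domain value certbot was given."""
    csr_good = {n.lower() for n in csr_names if is_hostname(n)}
    csr_bad = [n for n in csr_names if not is_hostname(n)]
    cli_good, cli_bad = parse_domain_arg(cli_arg)
    cli_set = set(cli_good)
    return {
        "csr_invalid": csr_bad,          # e.g. a CN containing a comma
        "cli_invalid": cli_bad,          # e.g. an entry with a leading space
        "only_in_csr": sorted(csr_good - cli_set),
        "only_in_cli": sorted(cli_set - csr_good),
        "consistent": not csr_bad and not cli_bad and csr_good == cli_set,
    }


if __name__ == "__main__":
    # Constructed from the thread: CN with two names joined by a comma, and a
    # config value with a space after the comma.
    print(check_consistency(["smoothgift.com,www.smoothgift.com"],
                            "smoothgift.com, www.smoothgift.com"))
    # A CSR with a single-name CN plus a SAN entry, and a -d value without spaces.
    print(check_consistency(["smoothgift.com", "www.smoothgift.com"],
                            "smoothgift.com,www.smoothgift.com"))
```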