Wildcard Certification with Own CSR

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mciit.co.za

I ran this command:

certbot certonly --manual --csr C:\Program Files\Zoho\ZohoCreator\jre\bin\key.csr --preferred-challenges dns

It produced this output:

usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.

certbot: error: argument --csr: No such file or directory

My web server is (include version): Not Sure, Think Tomcat-8.5.27

The operating system my web server runs on is (include version): Windows Server 2022 Standard - 21H2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0

Good Day Everyone,

I'm totally new to this and it's the first time trying to get a wildcard SSL certificate without just letting the hosting provider handle it and get it working, as we are now using an on-premises low-code software package to do the development and hosting of applications.

So, if I ask stupid questions or ask for clarification over and over, please excuse me, I'm trying to learn here so that I can do this on my own in the future and as I said, this is all new to me.

I have tried to read up as much as I could, but I just get more confused.

Any Help is Greatly Appreciated and if you need any more information please just ask and I shall try to provide it.

I shall try to give as much information as possible, as this can be a bit confusing.

We use the Following Low-Code Platform to develop the applications:

Zoho Creator On-premises is an installable low-code platform for creating enterprise-grade custom applications that can be seamlessly accessed from smartphones, tablets, and web browsers.

So, it is installed on the local Windows Server, has a self-signed certificate, is accessed via web browser at http://localhost:8666 or whatever port you assigned it, and uses a PostgreSQL DB.

Each Application developed can be accessed via its own Customer Portal address but must be verified via SSL before it can be accessed by customers from outside.

So for example we have App1 and App2 and our domain is mciit.co.za; the link for App1 will be “https://App1.mci-it.co.za” and for App2 “https://App2.mci.co.za”.

In the Zoho documentation we saw them mention “Let’s Encrypt” as a free CA and we thought as they have suggested it, let us try it and here the fun starts.

In the documentation they show how to generate a .csr and keystore with keytool:

Step 1: Create a Keystore file

Before requesting a certificate from a CA, you need to create a Tomcat-specific ".keystore" file and ".csr" file. The .keystore file and .csr file will include information provided by the individual who creates the .keystore and .csr files.

To create the .keystore file follow the below steps,

  1. Open the Command Prompt.
  2. From the location \jre\bin execute the command.

keytool -genkey -alias <your_alias_name> or [Domain Name] -keyalg RSA -keysize 2048 -keystore sas.keystore

Step 2: Creating .CSR (Certificate Signing Request) file

The .CSR (Certificate Signing Request) file is temporary and should be submitted to a CA to receive CA-Signed Certificate files.

Please follow the steps given below to create the CSR file.

  1. Open the Command Prompt
  2. From the location \jre\bin execute the below command.

keytool -certreq -alias <your_alias_name> -file key.csr -keystore sas.keystore

In the above command <your_alias_name> is the alias name provided when creating the keystore, key.csr is the name of the CSR file that will be created after the command is executed.

So we ended up with key.csr and sas.keystore.

To Make the interface easier with “Let’s Encrypt” we saw most people talking about “Certbot”, so downloaded the windows version and ran it from powershell.

But looking at the commands, we didn’t need a .csr file, so we just ran it as:

PS C:\Users\Administrator> certbot certonly --standalone and requested a certificate for “app1.mciit.co.za”

This worked and we got the following files:

Cert.pem

Chain.pem

Fullchain.pem

Privkey.pem

Unfortunately, Zoho Creator On-Premises can’t use .pem files, so we imported the .pem into the Certificates snap-in in Windows and then exported the files in .cer format:

ISRG Root X1.cer

R11.cer

App1.mciit.co.za

Next step in the Zoho documentation is to import the files in the correct sequence so we start with the Root Certificate, then Intermediate/Cross and last Primary :

Installing the Root Certificate file (ISRG Root X1.cer)

Each time you install a certificate to your keystore you will be prompted for the keystore password, which you chose while generating your CSR. Type the following command to install the Root certificate file:

keytool -import -trustcacerts -alias root -file <File_Name>.crt -keystore sas.keystore

NOTE: Choose ‘Yes’ if you get prompted with a message that says "Certificate already exists in system-wide CA keystore under alias Do you still want to add it to your own keystore? [no]:"

You will get a confirmation stating that the "Certificate was added to keystore".

Install the Intermediate Certificates and Cross Intermediate Certificates (if any) (R11.cer)

Follow the instructions provided by the CA.

keytool -import -trustcacerts -alias intermediate -file <File_Name>.crt -keystore sas.keystore

keytool -import -trustcacerts -alias cross -file <File_Name>.crt -keystore sas.keystore

You will get a confirmation stating that the "Certificate was added to keystore".

Install the Primary or the Domain Certificate file (App1.mciit.co.za)

Type the following command to install the Primary certificate file:

keytool -import -trustcacerts -alias <your_alias_name or [Domain Name]> -file your_domain_name.crt -keystore sas.keystore

Please note that <your_alias_name or [Domain Name]> should be replaced with the alias name provided when creating the keystore (as discussed in Step 1). This time you will get a different confirmation stating that the "Certificate reply was installed in keystore”.

All works well till the last step where we need to import the primary certificate, there we get an error:

keytool error: java.lang.Exception: Public keys in reply and keystore don't match

So here starts the questions, what did we do wrong to get that error?

Is it the creation of the .csr or keystore or the command in Certbot?

What do we need to change?

Is it maybe a setup in the Windows Server?

They then recommended we rather try a wildcard certificate instead of one for each separate application, so *.mciit.co.za, making it easy to just link app1.mciit.co.za or app2.mciit.co.za or app3.mciit.co.za etc.

But according to the Certbot documentation, where we used the “standalone” option before, we need to use the “DNS plugins” option as this is the only way to get wildcard certificates from “Let’s Encrypt”:

Plugin | Auth | Inst | Notes | Challenge types (and port)
DNS plugins | Y | N | This category of plugins automates obtaining a certificate by modifying DNS records to prove you have control over a domain. Doing domain validation in this way is the only way to obtain wildcard certificates from Let’s Encrypt. | dns-01 (53)

The DNS Plugins they give are:

But all of these seem to be a signup service or require having a webroot or server?

So now the questions are:

Which DNS Plugin do we use, for Windows Server and this App? As a Stand Alone?

We can create a wildcard .csr file and use it with the manual option in Certbot, but would it work?

Can we just use certbot certonly --standalone and request a certificate for “*.mciit.co.za”?

Would it Give the same Error?

I am so sorry for the long post, but it is the only way to try and explain what is behind all of the issues we face and the questions we have.

Thank you

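The two failures in the post have one root cause each: the `--csr` run failed because the unquoted path contains a space (PowerShell split it at "Program Files"), and the keytool import failed because `certbot certonly --standalone` generated its own key (privkey.pem) rather than using the key inside sas.keystore, so the certificate it returned is not a "reply" to key.csr. The script below is an added example, not code from the original post, from Zoho's documentation or from Certbot; it shows a check that catches the key mismatch before the keystore is touched, and the two consistent flows: sign the keytool CSR, or import certbot's own key. It assumes keytool from the bundled JRE, the certbot 2.8.0 build the post uses, and an openssl.exe on PATH; the alias, keystore password, Certbot live directory and SAN list are placeholders.

```powershell
# Added example (not from the original post or the Zoho/Certbot docs).
# Assumptions: keytool and certbot on PATH, openssl.exe on PATH (e.g. from an
# OpenSSL for Windows install); $Alias, $StorePw and $Live are placeholders.
$JreBin   = 'C:\Program Files\Zoho\ZohoCreator\jre\bin'
$KeyStore = Join-Path $JreBin 'sas.keystore'
$Csr      = Join-Path $JreBin 'key.csr'
$Alias    = 'mciit'      # alias given to keytool -genkey; holds the private key
$StorePw  = 'changeit'   # keystore password chosen at -genkey (placeholder)

# --- Check: does the certificate's public key match the CSR's public key? ---
# keytool only accepts a certificate as a "reply" for a key alias when its
# public key equals the key generated with -genkey. Hashing the PEM public
# key of each file shows a mismatch without modifying the keystore.
function Get-PublicKeyHash {
    param([string]$Path, [ValidateSet('csr', 'cert')][string]$Kind)
    $pem = if ($Kind -eq 'csr') { & openssl req  -noout -pubkey -in $Path }
           else                 { & openssl x509 -noout -pubkey -in $Path }
    $bytes = [Text.Encoding]::ASCII.GetBytes(($pem -join "`n"))
    $sha   = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([BitConverter]::ToString($sha)) -replace '-', ''
}

function Test-KeyMatch {
    param([string]$CsrPath, [string]$CertPath)
    return (Get-PublicKeyHash $CsrPath 'csr') -eq (Get-PublicKeyHash $CertPath 'cert')
}

# --- Option A: keep the keytool key and have certbot sign the keytool CSR ---
# Quote the path. With --csr certbot does not create a key of its own and
# writes the results to the --cert-path/--chain-path/--fullchain-path given.
# --manual with dns-01 prompts for a TXT record at _acme-challenge.<domain>;
# for a wildcard the CSR itself must carry the name, e.g. when creating it:
#   keytool -certreq -alias mciit -keystore sas.keystore -file key.csr `
#       -ext "SAN=dns:*.mciit.co.za,dns:mciit.co.za"
& certbot certonly --manual --preferred-challenges dns `
    --csr "$Csr" `
    --cert-path "$JreBin\cert.pem" `
    --chain-path "$JreBin\chain.pem" `
    --fullchain-path "$JreBin\fullchain.pem"

if (-not (Test-KeyMatch $Csr "$JreBin\cert.pem")) {
    throw 'CSR and certificate carry different public keys; do not import this reply'
}
# Trust anchor first (the root the post already exported from Windows), then
# the full chain as the reply for the alias that holds the key.
& keytool -importcert -trustcacerts -alias root -file "$JreBin\ISRG Root X1.cer" `
    -keystore $KeyStore -storepass $StorePw -noprompt
& keytool -importcert -trustcacerts -alias $Alias -file "$JreBin\fullchain.pem" `
    -keystore $KeyStore -storepass $StorePw

# --- Option B: keep the key certbot generated in the standalone run ---
# privkey.pem never lived in sas.keystore, so it cannot be a reply to key.csr.
# Bundle key + chain into PKCS#12 and import it as a new key entry instead.
$Live = 'C:\Certbot\live\app1.mciit.co.za'   # default Certbot live dir (assumed)
& openssl pkcs12 -export -in "$Live\fullchain.pem" -inkey "$Live\privkey.pem" `
    -name 'app1-certbot' -out "$JreBin\app1.p12" -passout "pass:$StorePw"
& keytool -importkeystore -srckeystore "$JreBin\app1.p12" -srcstoretype PKCS12 `
    -srcstorepass $StorePw -srcalias 'app1-certbot' `
    -destkeystore $KeyStore -deststorepass $StorePw -destalias 'app1-certbot'
```

Run only one of the two options. Option B leaves the keytool-generated key unused and the application must be pointed at the new alias; Option A keeps the original alias, which is what the Zoho import steps expect. In both cases `keytool -list -v -keystore sas.keystore` afterwards should show a PrivateKeyEntry whose chain length is greater than one.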

I see nobody has replied in 10 days now, maybe due to the length of your post indeed.

I also see you're using Certbot on an Windows system. The Certbot team has chosen not to support Windows any longer and has deprecated their Windows installer.

You might be better off using one of the ACME clients specifically for Windows, see e.g. ACME Client Implementations - Let's Encrypt. I don't have experience with any of them, but I'm sure at least one of them will support a custom CSR.

Also note that Let's Encrypt only supports wildcard certificates using the dns-01 challenge, which requires access to the DNS zone. Preferably fully automated by some sort of DNS plugin (depending on which ACME client you're using which DNS providers are supported). And the Certbot standalone plugin only uses the http-01 challenge, so no wildcard certs for that plugin.

