Jump to content
Froxlor Forum
  • 0
peterpan

How to trigger renewal of certificate?

Question

Hi,

I have a domain equipped with a certificate from LE. The cert is valid another 2 months. Now I added a domain as an alias of the existing domain, but the certificate isn't updated to have the new domain as its SAN.

How do I trigger getting a new and updated certificate? Should I delete the existing one?

Thanks for helping out.

 

Peter

Share this post


Link to post
Share on other sites

Recommended Posts

  • 0

 

It seems to work. When I add a domain as an alias, a new certificate is created. But the certificate is not good:
 

# openssl x509 -in  /etc/ssl/froxlor-custom/xxxxxxx.net.crt -text -noout
unable to load certificate
140135579193600:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140135579193600:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
140135579193600:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33:

The content of the certificate is:

-----BEGIN CERTIFICATE-----
ewogICJ0eXBlIjogInVybjphY21lOmVycm9yOnJhdGVMaW1pdGVkIiwKICAiZGV0
YWlsIjogIkVycm9yIGNyZWF0aW5nIG5ldyBjZXJ0IDo6IHRvbyBtYW55IGNlcnRp
ZmljYXRlcyBhbHJlYWR5IGlzc3VlZCBmb3IgZXhhY3Qgc2V0IG9mIGRvbWFpbnM6
IGNhbXBpYW5vLmRlLGNhbXBpYW5vLmVzLGNhbXBpYW5vLmZyLGNhbXBpYW5vLml0
LGNhbXBpYW5vLm5ldCxjYW1waWFuby5ubCxjcm9uLmNhbXBpYW5vLm5ldCx3ZWJo
b29rLmNhbXBpYW5vLm5ldCx3d3cuY2FtcGlhbm8uZGUsd3d3LmNhbXBpYW5vLmVz
LHd3dy5jYW1waWFuby5mcix3d3cuY2FtcGlhbm8uaXQsd3d3LmNhbXBpYW5vLm5l
dCx3d3cuY2FtcGlhbm8ubmw6IHNlZSBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9k
b2NzL3JhdGUtbGltaXRzLyIsCiAgInN0YXR1cyI6IDQyOQp9
-----END CERTIFICATE-----

which seems quite short.

 

Share this post


Link to post
Share on other sites
  • 0

I found the following line in the output:

[Sun Sep 15 15:13:43 CEST 2019] Sign failed: "detail":"Error creating new cert :: too many certificates already issued for exact set of domains: xxxxxxx.ca,xxxxxxx.de,xxxxxxx.es,xxxxxxx.fr,xxxxxxx.it,xxxxxxx.net,xxxxxxx.nl,xxxxxxx.us,cron.xxxxxxx.net,webhook.xxxxxxx.net,www.xxxxxxx.ca,www.xxxxxxx.de,www.xxxxxxx.es,www.xxxxxxx.fr,www.xxxxxxx.it,www.xxxxxxx.net,www.xxxxxxx.nl,www.xxxxxxx.us: see https://letsencrypt.org/docs/rate-limits/"

As a result, I seem to get a faulty cert from LE, instead of no cert at all. Then, when restarting Apache, it fails with "Configuration failed".

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By juca
      Hi,
      I was wondering if it possible to specify different custom configurations for HTTP and HTTPS traffic. 
      I have a couple of sites that would need to keep HTTP traffic active. Basically what I would like to do is the following:
      for HTTP:
      ProxyPreserveHost On ProxyRequests off ### HTTP Proxy AllowCONNECT 443 563 ProxyPass / http://localhost:16080/ ProxyPassReverse / http://localhost:16080/  
      for HTTPS:
      ###SSL Proxy ProxyPreserveHost On ProxyRequests off SSLProxyEngine on SSLProxyVerify none  SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off ProxyPass / https://localhost:16443/ ProxyPassReverse / https://localhost:16433/ is this possible?
       
    • By d00p
      Dear Froxlor Commuity,
      finally - the first release candidate of our new API based version 0.10.0! A lot of work has gone into this, many internal changes (you might miss any frontend-changes, but be patient...) most importantly the API backend which not only is used by froxlor frontend itself but can also be uses from within your website/scripts/etc.
      Froxlor now uses composer to include some of its requirements like phpMailer, Logger, IdnaConvert and TwoFactorAuth libraries.
      Here are some of the new features besides API that found their way in:
      - 2FA / TwoFactor Authentication for accounts - MySQL8 compatibility - new implementation of Let's Encrypt (acme.sh) - customizable error/access log handling for webserver (format, level, pipe-to-script, etc.) - lots and lots of bugfixes and small enhancements You can see all changes on Github at https://github.com/Froxlor/Froxlor/compare/0.9.40.1...0.10.0-rc2
      Download: 0.10.0-rc2

      Note: There will be no Debian packages for release-candidates.

      Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.freenode.net.

      Thank you,
      d00p
    • By j4mb4l4j4
      Hallo, ich hätte eine Frage da ich aktuell in folgendes Problem laufe.
      Froxlor version: 0.9.39.5 (DB: 201805290)
      Meine Domains bekommen aktuell keine neuen Zertifikate mehr, da der Cronjob der die Letsencrypt Zertifikate erzeugt einen Fehler wirft.
      Gemäß Syspanel bekomme ich die Meldung (customer = mein Kunde, my.domain.com = meine Domain):
      25.03.19 18:51:38 error customer Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443 25.03.19 17:48:28 error froxlor.panel Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443 25.03.19 17:35:04 error customer Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server 25.03.19 16:47:52 error froxlor.panel Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443 25.03.19 16:43:53 error froxlor.panel Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server 25.03.19 16:43:53 error customer Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443 25.03.19 16:30:27 error froxlor.panel Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server 20.03.19 16:55:42 error froxlor.panel Could not get Let's Encrypt certificate for my.domain.com: Curl: Could not resolve host: acme-v02.api.letsencrypt.org 20.03.19 16:50:50 error customer Could not get Let's Encrypt certificate for my.domain.com: Curl: Could not resolve host: acme-v02.api.letsencrypt.org 20.03.19 16:50:20 error froxlor.panel Could not get Let's Encrypt certificate for my.domain.com: Curl: Operation timed out after 0 milliseconds with 0 out of 0 bytes received 09.03.19 16:12:36 error customer Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server 09.03.19 14:52:02 error customer Could not get Let's Encrypt certificate for my.domain.com: Curl: Empty reply from server 01.03.19 14:54:10 error customer Could not get Let's Encrypt certificate for my.domain.com: Curl: Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443 01.03.19 05:30:01 error customer Could not get Let's Encrypt certificate for my.domain.com: Curl: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error Leider bekomme ich wenn ich folgenden Befehl ausführe auch keine Meldung, es hängt einfach und passiert nix:
      root@server:/var/run# php -q /var/www/my.domain.com/scripts/froxlor_master_cronjob.php --letsencrypt --debug [information] Updating Let's Encrypt certificates [information] Updating my.domain.com [information] letsencrypt-v2 Using 'https://acme-v02.api.letsencrypt.org' to generate certificate [information] letsencrypt-v2 Using existing account key [information] letsencrypt-v2 Starting certificate generation process for domains [information] letsencrypt-v2 Requesting challenge for my.domain.com Leider sehe ich keine weitere Möglichkeit zum Debugging.
      Wo müsste ich ansetzen um mehr Logs zu bekommen, bzw. kennt jemand den Fehler und kann mir sagen was ich falsch mache ?
      Irgendwie verstehe ich nicht was das Problem ist.
      Auf einem anderen Server mit anderer IP und Froxlor habe ich genau das gleiche Problem.
      Ich kann erfolgreich pingen und telnetten:
      root@server:/var/run# telnet acme-v02.api.letsencrypt.org 443 Trying 2a02:26f0:eb:186::3a8e... Connected to e14990.dscx.akamaiedge.net. Escape character is '^]'. ^CConnection closed by foreign host.  

    • By princeofnaxos
      After migrating from syscp, all SSL hosts have empty host files. A comment is there, saying "# no ssl-certificate was specified for this domain, therefore no explicit vhost is being generated".
      Looking in lib/Froxlor/Cron/Http/Apache.php, I see that $domain['ssl_cert_file'] must be empty in order to get that message. But where in the domain form should I enter the certificate's filename? There is nothing under "Webserver SSL settings" that looks like that.
       
    • By FearTheDude
      Folgende Situation:
      Ich betreibe einen vServer mit Froxlor als Hostingpanel
      Der docroot von meinedomain.tld liegt unter /var/customers/webs/meinAccount
      Eine SSL Weiterleitung wurde auf meinedomain.tld eingerichtet
      Kunden verwenden ein paar vorinstallierte tools (Webmailer, DB Frontend, Froxlor Panel) über toolname.meinedomain.tld
      Die Tools liegen nicht im docroot von meinedomain.tld sondern unter /var/www/toolname
      Folgendes Problem:
      Die SSL Weiterleitung von http auf https bei der Hauptdomain meinedomain.tld funktioniert nicht, es sei denn, man verwendet eine der Subdomains für die Tools
      Für meinedomain.tld wird anstatt /var/customers/webs/meinAccount der docroot /var/www verwendet
      Vorübergehende Lösung:
      Die Prüfung, ob mod_rewrite in der NN_froxlor_normal_vhost_meinedomain.tld.conf aktiv ist, entfernen
      <IfModule !mod_rewrite.c> Redirect 301 / https://meinedomain.tld/ </IfModule> Dann findet IMMER ein Redirect auf HTTPS statt, wobei hier auch der richtige docroot geladen wird.
      Nachteil:
      Sobald die Configs neu geschrieben werden, ist die Änderung weg.
      Fragen:
      Kann man die mod_rewrite prüfung für die SSL Weiterleitung irgendwo dauerhaft deaktivieren?
      Warum verwendet der vHost Container für http keinen bzw. den falschen docroot?
      Wie kann ich persistente Änderungen an den .conf Dateien für einen vHost vornehmen?




×
×
  • Create New...