Froxlor Forum

How to trigger renewal of certificate?


peterpan

Posted

Hi,

I have a domain equipped with a certificate from LE. The cert is valid for another 2 months. Now I added a domain as an alias of the existing domain, but the certificate isn't updated to have the new domain as its SAN.

How do I trigger getting a new and updated certificate? Should I delete the existing one?

Thanks for helping out.

 

Peter

Posted


It seems to work. When I add a domain as an alias, a new certificate is created. But the certificate is not good:
 

# openssl x509 -in  /etc/ssl/froxlor-custom/xxxxxxx.net.crt -text -noout
unable to load certificate
140135579193600:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140135579193600:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
140135579193600:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33:

The content of the certificate is:

-----BEGIN CERTIFICATE-----
ewogICJ0eXBlIjogInVybjphY21lOmVycm9yOnJhdGVMaW1pdGVkIiwKICAiZGV0
YWlsIjogIkVycm9yIGNyZWF0aW5nIG5ldyBjZXJ0IDo6IHRvbyBtYW55IGNlcnRp
ZmljYXRlcyBhbHJlYWR5IGlzc3VlZCBmb3IgZXhhY3Qgc2V0IG9mIGRvbWFpbnM6
IGNhbXBpYW5vLmRlLGNhbXBpYW5vLmVzLGNhbXBpYW5vLmZyLGNhbXBpYW5vLml0
LGNhbXBpYW5vLm5ldCxjYW1waWFuby5ubCxjcm9uLmNhbXBpYW5vLm5ldCx3ZWJo
b29rLmNhbXBpYW5vLm5ldCx3d3cuY2FtcGlhbm8uZGUsd3d3LmNhbXBpYW5vLmVz
LHd3dy5jYW1waWFuby5mcix3d3cuY2FtcGlhbm8uaXQsd3d3LmNhbXBpYW5vLm5l
dCx3d3cuY2FtcGlhbm8ubmw6IHNlZSBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9k
b2NzL3JhdGUtbGltaXRzLyIsCiAgInN0YXR1cyI6IDQyOQp9
-----END CERTIFICATE-----

which seems quite short.

 

Posted

I found the following line in the output:

[Sun Sep 15 15:13:43 CEST 2019] Sign failed: "detail":"Error creating new cert :: too many certificates already issued for exact set of domains: xxxxxxx.ca,xxxxxxx.de,xxxxxxx.es,xxxxxxx.fr,xxxxxxx.it,xxxxxxx.net,xxxxxxx.nl,xxxxxxx.us,cron.xxxxxxx.net,webhook.xxxxxxx.net,www.xxxxxxx.ca,www.xxxxxxx.de,www.xxxxxxx.es,www.xxxxxxx.fr,www.xxxxxxx.it,www.xxxxxxx.net,www.xxxxxxx.nl,www.xxxxxxx.us: see https://letsencrypt.org/docs/rate-limits/"

As a result, I seem to get a faulty cert from LE, instead of no cert at all. Then, when restarting Apache, it fails with "Configuration failed".
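
The file shown in the two posts above is not DER inside PEM armor: the base64 between the markers decodes to the CA's JSON rate-limit error, which is why openssl reports "wrong tag". The Python check below is an added example, not code from the thread or from Froxlor; the function names and the sample data (with example.net standing in for the real domains) are constructed for illustration.

```python
import base64
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def wrap_pem(raw):
    """Wrap bytes in CERTIFICATE armor, 64 base64 characters per line."""
    b64 = base64.b64encode(raw).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

def classify_pem(text):
    """Return (status, detail) for the first CERTIFICATE block in text."""
    m = PEM_RE.search(text)
    if not m:
        return ("no-pem-block", "")
    try:
        body = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("bad-base64", "")
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    # This is only a tag check; full parsing is still openssl's job.
    if body[:1] == b"\x30":
        return ("der-sequence", "")
    try:
        problem = json.loads(body.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return ("unknown-payload", "")
    if isinstance(problem, dict) and "type" in problem:
        return ("acme-error", "%s (status %s): %s" % (
            problem["type"], problem.get("status"), problem.get("detail", "")))
    return ("unknown-payload", "")

# Constructed samples (example.net stands in for the real domain set).
SAMPLE_ERROR = wrap_pem(json.dumps({
    "type": "urn:acme:error:rateLimited",
    "detail": "Error creating new cert :: too many certificates already "
              "issued for exact set of domains: example.net,www.example.net",
    "status": 429}, indent=2).encode("utf-8"))
SAMPLE_DER = wrap_pem(b"\x30\x82\x00\x10" + bytes(16))  # stub, not a real cert

if __name__ == "__main__":
    for name, pem in (("error", SAMPLE_ERROR), ("der", SAMPLE_DER)):
        print(name, classify_pem(pem))
```

Run against a certificate file before the web server is restarted, a check like this flags the stored error document instead of letting Apache fail on it.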

Posted

You can safely delete it from the ssl-certificates list; a new one will be generated automatically with the next cronjob.

Archived

This topic is now archived and is closed to further replies.
