Renewing my Letsencrypt SSL cert

YTC#1 - Bruce D Porter
YTC#1 - Bruce D Porter Member Posts: 106 Red Ribbon
edited Mar 29, 2020 12:41PM in Secure Global Desktop

I've let the cert lapse, and embarrassingly I have forgotten how to import it :-( and failed to keep any notes.

I've searched the community and been searching the docs, but I can only find info relating to using the gateway.

I don't have a gateway, just a standalone.

I *think* the command to use is something like this

---8<

/opt/tarantella/bin/jre/bin/keytool -importcert \
    -file /root/.acme.sh/ytc1.dyndns.org \
    -keystore /opt/tarantella/var/info/certs/sslkeystore \
    -storepass "$(cat /opt/tarantella/var/info/key)" \
    -alias alias \
    -keypass "$(cat /opt/tarantella/var/info/key)"

---8<

But I don't already have a /opt/tarantella/var/info/certs/sslkeystore dir, so I doubt I ran this command.

Connecting to my site the cert shows as timed out in Oct 2019.

What am I missing to apply the renewed cert, please?

TIA

Answers

  • Jan-Oracle
    Jan-Oracle Member Posts: 122 Employee
    edited Mar 6, 2020 10:32AM Answer ✓

    Please refrain from manipulating the keystores directly and use the SGD tarantella (or tarantella-gateway) command.

    tarantella security certuse --help

  • Jan-Oracle
    Jan-Oracle Member Posts: 122 Employee
    edited Mar 6, 2020 10:47AM
  • YTC#1 - Bruce D Porter
    YTC#1 - Bruce D Porter Member Posts: 106 Red Ribbon
    edited Mar 6, 2020 10:53AM

    Thanks, my googling was taking me to the wrong place.

    In the meantime I realised I have my certs a little fubared due to having multiple services on dynamic DNS, and not telling letsencrypt to issue multiple certs originally .... head down trying to debug acme.sh :-(

  • YTC#1 - Bruce D Porter
    YTC#1 - Bruce D Porter Member Posts: 106 Red Ribbon
    edited Mar 28, 2020 2:05PM

    I've still not cracked this, sorry.

    I've (finally) generated a new cert via letsencrypt using dehydrated.

    But now when I try and apply it, this happens. What does it mean by "The certificate does not exist"?

    I've had a good google and read stuff, but can't find a solution.

    The cert now has aliases set, but my other server falls back to this one (the joys of using dyndns) and fails as that is currently out of date :-(

    ---8<
    [email protected]:/var/tmp/cert# ksh -x ./apply-cert
    + PATH=/usr/bin:/usr/sbin:/opt/gnu/bin:/opt/tarantella/bin
    + export PATH
    + tarantella security certuse --certfile /var/tmp/cert/ytc1.dyndns.org/cert.pem --keyfile /var/tmp/cert/ytc1.dyndns.org/key.pem
    A key file already exists for this server.
    Are you sure you want to overwrite it? [no] yes
    The certificate file doesn't exist.
    ---8<

    [email protected]:/var/tmp/cert# ls -al /var/tmp/cert/ytc1.dyndns.org/cert.pem
    -rw-------   1 bruce    porter      2264 Mar 14 08:45 /var/tmp/cert/ytc1.dyndns.org/cert.pem

  • Jan-Oracle
    Jan-Oracle Member Posts: 122 Employee
    edited Mar 28, 2020 2:41PM

    This might be a case of permissions. The documentation says:

    --certfile Specifies the location of a file containing the SSL certificate. If no --keyfile argument is specified, SGD assumes that the Section D.100, “tarantella security certrequest” command was used to generate the private key. You can use this option as follows:
    • To tell SGD about an SSL certificate you have already installed for use with another product, such as a web server. In this case, SGD makes symbolic links to, not copies of, the SSL certificate file and key file, if specified.
    • To install an SSL certificate received from a CA after generating a CSR using Section D.100, “tarantella security certrequest”. In this case, SGD installs the SSL certificate in /opt/tarantella/var/tsp for use with SGD security services. You must specify the full path to the SSL certificate file.
    The path must be readable by the ttasys user.

    Copy it to /tmp and chmod +r /tmp/*.pem

  • YTC#1 - Bruce D Porter
    YTC#1 - Bruce D Porter Member Posts: 106 Red Ribbon
    edited Mar 29, 2020 5:28AM

    <accepts being politely told to RTFM :-) >

    Moved to /tmp and chmoded as pointed out; it still failed.

    I then spent ages trawling how I had it working until Oct last year (via acme.sh).

    Then sat looking at the output some more, trying alternative variations of the command (using <).

    Then I realised it was actually the *key* file that did not exist; it is not key.pem as I had typed but privkey.pem :-(

    <sigh> wood, trees, see, cannot ... </s>

    Right, now to make sure I document and do not forget what I have done :-)

    FYI, current setup is

    zone A

    =====

    Immutable, but /var/www writeable.

    Apache with port 80 open, redirected to zone by router doing port trigger.

    This zone obtains the cert + (currently) 3 aliases.

    Cert then shared to other servers

    Zone SGD

    ========

    Receives the cert and will apply when a new one arrives

    Zones (other)

    ==========

    Apache, so they will just have the cert overwritten and be restarted when a new one arrives.


    Thanks (again)

  • Jan-Oracle
    Jan-Oracle Member Posts: 122 Employee
    edited Mar 29, 2020 12:41PM

    I had to look it up myself since I always use the SGD gateway and therefore never deal with certs on the SGD servers.

    Glad you got it working
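Putting together Jan-Oracle's point (the files must be readable by the ttasys user) and the key.pem/privkey.pem mix-up, here is an added pre-flight wrapper for "tarantella security certuse". It is example code written for this thread, not the poster's apply-cert script and not anything shipped with SGD; the /tmp/cert paths in the usage line are assumed, and the cert/key match check only runs when openssl is installed.

```shell
#!/bin/sh
# Added example for this thread (not the poster's apply-cert, not an SGD tool):
# check the certificate and key files the way the ttasys user will see them
# before calling "tarantella security certuse", so a mistyped name (key.pem
# instead of privkey.pem) or a 0600 file is reported precisely instead of
# SGD's generic "The certificate file doesn't exist."

# readable_by_others FILE: 0 if FILE is a regular file with the world-read bit
# set and every parent directory is world-searchable (what ttasys needs).
readable_by_others() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    [ -n "$(find "$f" -prune -perm -004 -print)" ] \
        || { echo "not world-readable, try chmod +r: $f" >&2; return 2; }
    d=$(dirname "$f")
    while [ "$d" != / ] && [ "$d" != . ]; do
        [ -n "$(find "$d" -prune -perm -001 -print)" ] \
            || { echo "directory not searchable by others: $d" >&2; return 3; }
        d=$(dirname "$d")
    done
    return 0
}

# preflight CERT KEY: check both files and name the one that is wrong.
preflight() {
    cert="$1"; key="$2"
    readable_by_others "$cert" || { echo "certificate file problem: $cert" >&2; return 1; }
    readable_by_others "$key" || { echo "key file problem: $key" >&2; return 2; }
    # If openssl is on the box, also refuse a cert/key pair that do not belong together.
    if command -v openssl >/dev/null 2>&1; then
        c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        [ -n "$c" ] && [ "$c" = "$k" ] \
            || { echo "certificate and key do not match: $cert $key" >&2; return 3; }
    fi
    return 0
}

# apply_cert CERT KEY: run the supported SGD command only once the checks pass.
apply_cert() {
    preflight "$1" "$2" || return $?
    tarantella security certuse --certfile "$1" --keyfile "$2"
}

# Usage (assumed paths, dehydrated's file names):
#   apply_cert /tmp/cert/cert.pem /tmp/cert/privkey.pem
```

Run it as the user that would run certuse; the permission checks look at mode bits only, so they give the same answer whether you are root or not.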