Hi all,
I wanted to update my documentation on Discourse. I upgraded NethServer, PostgreSQL, and Discourse. Everything worked fine.
Since I had not opened my virtual machine for over a year, the Let’s Encrypt certificate was expired.
Since I had just changed the name of the server, the domain name and the IP addresses, I took no chances and deleted the full /root/.acme.sh directory and reinstalled the script. It is a new version, i.e. 3.0.
I requested a test certificate; it didn't work.
I was asked to register; I remembered that in the old days you had to accept the license of Let's Encrypt. So, as suggested, I ran:
acme.sh --register-account -m toto@toto.org
and everything went well.
The test certificate was recognized by Firefox for the ServerManager and by Discourse.
Very happy that it works, I then asked for an official certificate and there the problems started.
The official certificate was recognized by Firefox for the ServerManager, but when I went to Discourse, the new certificate was not there and it was the test one that was used. I cleaned caches… reboot… always the same old test certificate for Discourse.
Solution # 1:
acme.sh version 3.0:
...
DEFAULT_CA=$CA_ZEROSSL
DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST
...
old acme.sh:
...
DEFAULT_CA=$CA_LETSENCRYPT_V2
DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST
...
After several hours of debugging, I found that the acme.sh script was using DEFAULT_CA=$CA_ZEROSSL and not Let's Encrypt anymore.
I deleted the entire /root/.acme.sh directory and copied an old one from an old virtual machine.
I requested a test certificate and everything went well for ServerManager and Discourse.
I asked for an official certificate again; it was recognized by ServerManager, but not by Discourse which persisted in using the newest test one.
Solution # 2:
Again, after several hours of debugging, I found that the certificate keys /etc/pki/tls/private/privkey.pem, /etc/pki/tls/certs/cert.pem and /etc/pki/tls/certs/chain.pem had the date of the test certificate.
So I replaced them with the ones from the /root/.acme.sh/forum.toto.org/ directory, renaming them as I copied, rebooted, and then Discourse offered the official certificate.
Yes, I had modified the pki db as the wiki explains:
ChainFile=/etc/pki/tls/certs/cert-chain.crt
CrtFile=/etc/pki/tls/certs/cert.crt
EmailAddress=toto@toto.org
KeyFile=/etc/pki/tls/private/cert.key
Now, even if I force a request for a new official certificate, the one used by Discourse is still not updated.
Questions:
- Am I the only one who got misled by ZeroSSL.com?
- Does using version 3.0 of the acme.sh script change something that I don't see and that interferes with /sbin/e-smith/signal-event certificate-update?
- Else, can I modify the certificate renewal cronjob to copy the new certificate to the pki folder?
- Else, as the new keys are correctly copied to the pki folder, can I modify the certificate renewal cronjob just to rename the keys in the pki folder to the correct names?
- Else, just name the keys in the pki db chain.pem, cert.pem and privkey.pem?
All suggestions are welcome.
Michel-André
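The two problems in the post (acme.sh 3.0 silently defaulting to ZeroSSL, and stale copies under /etc/pki/tls that NethServer keeps serving) can both be checked and fixed from one small script. The following is an added example written for this page; it is not code from the original post, from NethServer or from the acme.sh project. It assumes, beyond what the post states, that acme.sh lives in /root/.acme.sh and keeps its default server in account.conf as DEFAULT_ACME_SERVER, that the certificate is issued as RSA (so its directory is /root/.acme.sh/forum.toto.org without an "_ecc" suffix), that the web root used for the HTTP challenge is /var/www/html, and that NethServer reads the pki db paths quoted in the post (cert.key, cert.crt, cert-chain.crt) when signal-event certificate-update runs.

```shell
#!/bin/sh
# Added example, not code from the original post, NethServer or acme.sh.
# Assumed (not stated on the page): ACME_HOME, WEBROOT, an RSA certificate
# (directory without "_ecc"), and that NethServer reads the pki db paths
# below when "/sbin/e-smith/signal-event certificate-update" fires.
set -eu

ACME_HOME="${ACME_HOME:-/root/.acme.sh}"
ACME="$ACME_HOME/acme.sh"
DOMAIN="${DOMAIN:-forum.toto.org}"
WEBROOT="${WEBROOT:-/var/www/html}"
PKI_KEY=/etc/pki/tls/private/cert.key        # KeyFile   in the pki db
PKI_CRT=/etc/pki/tls/certs/cert.crt          # CrtFile   in the pki db
PKI_CHAIN=/etc/pki/tls/certs/cert-chain.crt  # ChainFile in the pki db

# Report which CA acme.sh will use, from the DEFAULT_ACME_SERVER line of its
# account.conf. acme.sh 3.0 falls back to ZeroSSL when that line is absent,
# which is exactly the surprise described in the post.
acme_default_ca() {
    conf="$1"
    server=$(sed -n "s/^DEFAULT_ACME_SERVER=['\"]*\([^'\"]*\).*/\1/p" "$conf" 2>/dev/null || true)
    case "$server" in
        '')                echo zerossl ;;               # built-in 3.0 default
        *acme-staging*)    echo letsencrypt-staging ;;   # test certificates
        *letsencrypt.org*) echo letsencrypt ;;
        *zerossl.com*)     echo zerossl ;;
        *)                 echo "other:$server" ;;
    esac
}

# Succeed only when the files acme.sh issued for the domain are byte-identical
# to the files NethServer serves from the pki paths. A failure here is the
# post's symptom: ServerManager shows the new cert, Discourse the old one.
pki_in_sync() {
    acme_dir="$1"; crt="$2"; key="$3"; chain="$4"
    name=$(basename "$acme_dir" | sed 's/_ecc$//')
    if cmp -s "$acme_dir/$name.cer" "$crt" &&
       cmp -s "$acme_dir/$name.key" "$key" &&
       cmp -s "$acme_dir/ca.cer"    "$chain"; then
        return 0
    fi
    return 1
}

# One-time switch away from the ZeroSSL default (acme.sh >= 3.0 syntax).
use_letsencrypt() {
    "$ACME" --set-default-ca --server letsencrypt
}

# Issue (or renew) and install under the pki db file names, then fire the
# NethServer event named in the post. --install-cert records these paths and
# the reload command in the domain's .conf, so every later cron renewal
# repeats the copy and the event without touching the cron job itself.
issue_and_install() {
    # exit status 2 means "not yet due for renewal", which is fine here
    "$ACME" --issue -d "$DOMAIN" -w "$WEBROOT" --server letsencrypt \
        --keylength 2048 || [ $? -eq 2 ]
    "$ACME" --install-cert -d "$DOMAIN" \
        --key-file  "$PKI_KEY" \
        --cert-file "$PKI_CRT" \
        --ca-file   "$PKI_CHAIN" \
        --reloadcmd "/sbin/e-smith/signal-event certificate-update"
}

# Usage: sh acme-pki.sh check | switch | deploy
case "${1:-}" in
    check)
        echo "default CA: $(acme_default_ca "$ACME_HOME/account.conf")"
        if pki_in_sync "$ACME_HOME/$DOMAIN" "$PKI_CRT" "$PKI_KEY" "$PKI_CHAIN"; then
            echo "pki files match $ACME_HOME/$DOMAIN"
        else
            echo "pki files are STALE compared to $ACME_HOME/$DOMAIN; run: $0 deploy"
        fi ;;
    switch) use_letsencrypt ;;
    deploy) issue_and_install ;;
esac
```

"check" reproduces by script what the post found by hand after hours of debugging (which CA is really the default, and whether the pki copies match what acme.sh last issued); "switch" answers the ZeroSSL question; "deploy" answers the cron job questions, since acme.sh's own --install-cert remembers the target paths and the reload command for subsequent renewals.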