
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
2 answers
863 views
letsencrypt shellinabox
I see this problem all over the internet searches, and can't seem to find the resolution. I want to use shellinabox on whatever.net:54321. I have letsencrypt certificates. I've tried to copy /etc/letsencrypt/live/whatever.net/fullchain.pem to /var/libshellinabox/certificate.pem then chown shellinabox:shellinabox certificate.pem, but after trying to connect from a browser, SIAB creates a self-signed certificate-whatever.net.pem. I've also tried editing the /etc/default/shellinabox certdir line to point to /etc/letsencrypt/live/whatever.net, but then shellinabox complains about not having correct file permissions. (Understandably so.) I've also tried copying /etc/letsencrypt/live/whatever.net/fullchain.pem to certificate.pem, and chown certificate.pem to shellinabox, but that doesn't seem to do the trick either. Seems like it should be easy enough, but no matter what I've tried, letsencrypt still wants to make its own self-signed certificates, which causes browsers to complain. So, the big question: what's the magic tapdance to make siab use letsencrypt certificates and stop making self-signed certificates?
bradboy (103 rep)
Jul 5, 2020, 08:35 PM • Last activity: Apr 19, 2025, 05:54 PM
3 votes
3 answers
2027 views
Certbot for multiserver configuration
Is there a way to use certbot and a letsencrypt certificate for a multiserver setup without having to manually copy the certificates from one node to another? I have a domain name `example.com` which is resolved to 192.0.2.1 in the Americas and to 192.0.2.2 in Asia. I run certbot from the American server and it successfully generates the certificate. I can't run the same command from the Asian server, as certbot will be able to resolve the domain only to 192.0.2.1. Therefore, in order to install the certificate for the Asian server I have to copy it from 192.0.2.1 to 192.0.2.2. Yes, the copy process can be scripted, though it doesn't look like a good idea to me. Is there another way around?
rush (27972 rep)
Nov 10, 2016, 09:02 PM • Last activity: Mar 23, 2025, 09:35 PM
0 votes
0 answers
481 views
Remove a specific SSL Certificate Ubuntu 24.04
Replaced my real domain name with 'domain'. I have nextcloud running on my server 192.168.1.2; when opening the website nc.domain.eu and checking the certificate:

> Common Name (CN) nc.domain.eu
> Organization (O) Certificate
> Organizational Unit (OU)

So this works. But when I open adguard.domain.eu it shows:

> Common Name (CN) collabora.domain.eu
> Organization (O) Certificate
> Organizational Unit (OU)

Collabora used to run on this machine but due to issues I removed it; however the 'certificate' still remains. When running:

```
openssl s_client -showcerts -connect 192.168.1.2:443
---
Server certificate
subject=CN = collabora.domain.eu
issuer=C = US, O = Let's Encrypt, CN = E6
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3314 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

How do I remove that certificate from Ubuntu?

```
locate .pem | grep "\.pem$" | xargs -I{} openssl x509 -issuer -enddate -noout -in {}
```

I used that to find 'collabora.domain.eu' and found 2 results:

> could not read certificate from /etc/letsencrypt/archive/collabora.domain.eu/privkey1.pem

directory contains:

> cert1.pem chain1.pem fullchain1.pem privkey1.pem

> Could not read certificate from /etc/letsencrypt/live/collabora.domain.eu/privkey.pem

directory contains:

> cert.pem chain.pem fullchain.pem privkey.pem README

Can I just remove those directories? and run:

> update-ca-certificates

And I want to add www.domain.eu and *.domain.eu to this server. I already have the files created on Nginx Proxy Manager. Can I just copy those in? If yes, where?

I also tried:

```
sudo certbot certificates
sudo certbot delete
```

selected '1' which was 'collabora.domain.eu' and ran update-ca-certificates, but openssl s_client -showcerts -connect 192.168.1.2:443 still shows it.

**#### EDIT ####**

I just found that collabora.conf was still in sites-available and being loaded. Renamed/removed it and restarted Apache2. Now it gets even weirder. If I enter 'adguard.domain.eu:8883' in my browser it's good and uses the *.domain.eu cert. If I click 'adguard.domain.eu' in NPM it uses 'nc.domain.eu'. NC.Domain.eu = nextcloud, which is loaded through 'nextcloud-le-ssl.conf', which is correct. Nginx Proxy Manager is serving *.domain.eu and www.domain.eu. I couldn't get 'wildcard' to work on the server before. I wonder if I can just take the 'xxx.pem' files from NPM and replace the lines in 'nextcloud-se-ssl' and hope for the best? But I guess certbot could cause issues here.. and renewing will require me to do it manually.
Michiel (1 rep)
Jan 28, 2025, 10:29 AM • Last activity: Jan 28, 2025, 01:32 PM
16 votes
2 answers
21608 views
How can I add subdomains to letsencrypt using certbots?
I have certbot installed and successfully use it to encrypt my homepage. Now I tried to set up an email system for my website using dovecot and postfix. I got it mostly running; the only problem is that thunderbird gives me a warning about the address being fraudulent because I use the SSL key of mysite.com for imap.mysite.com (same for SMTP). How can I add imap.mysite.com and smtp.mysite.com to the existing mysite.com certificate using certbot in order to avoid the warning?
user2741831 (323 rep)
Jan 3, 2020, 10:05 AM • Last activity: Jan 26, 2025, 09:08 PM
0 votes
1 answers
224 views
How to certbot renew without stopping webserver?
Good day, I'm having a problem renewing a domain with certbot. This is the error I'm getting:

```
root@mywebserver:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mywebsite.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for mywebsite.com and www.mywebsite.com
Failed to renew certificate mywebsite.com with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mywebserver.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
```

Currently, I'm running a Wordpress instance with the OpenLiteSpeed WordPress One-Click app, which is supposed to automatically renew certs for me, but it hasn't been the case. The image comes with automatic certificate renewal by default in /etc/cron.d/certbot:

```
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --deploy-hook "systemctl restart lsws"
0 0 * * 3 root systemctl restart lsws
```

I mean, sure, I can go and stop my webserver and proceed with the certbot renew process, but then I won't be able to fix this and will go through all this again once the certificate ends again. Huge thanks in advance to anyone who jumps in to help me with this.
Alain Alemany (345 rep)
Nov 13, 2024, 04:03 PM • Last activity: Nov 13, 2024, 04:23 PM
4 votes
2 answers
1380 views
Where are the intermediate CA certificates?
In the folder /etc/ssl/certs/ I can well see:

- Symbolic links to the certificates stored at /usr/share/ca-certificates/
- The BUNDLE file ca-certificates.crt which contains all certificates in PEM format

I see only root CA certificates... I don't see the intermediate CA certificates? Why?

For example, with the Let's Encrypt CA, I can well find:

- ISRG_Root_X1.pem
- ISRG_Root_X2.pem

But where are the Let's Encrypt intermediate certificates? At the day I write this question, there are 4 intermediate CA certificates:

- E5
- E6
- R10
- R11

I guess they are somewhere on my computer, because I can successfully establish an SSL connection to a server (using a Let's Encrypt certificate).
floupinette (163 rep)
Oct 30, 2024, 01:53 PM • Last activity: Oct 30, 2024, 02:32 PM
0 votes
1 answers
112 views
Redirected too many times after adding ssl certificate to nginx
Before adding ssl_certificate, my nginx.conf is very simple:
server {
    listen 80 default_server;

    index index.php index.html index.htm;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info  ^(.+\.php)(/.+)$;
        fastcgi_index            index.php;
        fastcgi_pass             php:9000;
        include                  fastcgi_params;
        fastcgi_read_timeout     1200s;
        fastcgi_param   PATH_INFO       $fastcgi_path_info;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Then I followed [here](https://phoenixnap.com/kb/letsencrypt-docker) to set up letsencrypt with Nginx (replacing [domain-name] throughout), and now my nginx.conf looks like:
server {
    listen 80 default_server;

    server_name [domain-name] www.[domain-name];
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://[domain-name]$request_uri ;
    }
}

server {
    listen 443 default_server ssl http2;
    listen [::]:443 ssl http2;

    server_name [domain-name];

    ssl_certificate /etc/nginx/ssl/live/[domain-name]/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/[domain-name]/privkey.pem;
    
    location / {
    	proxy_pass http://[domain-name] ;
    }

    index index.php index.html index.htm;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info  ^(.+\.php)(/.+)$;
        fastcgi_index            index.php;
        fastcgi_pass             php:9000;
        include                  fastcgi_params;
        fastcgi_read_timeout     1200s;
        fastcgi_param   PATH_INFO       $fastcgi_path_info;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
See the changes here -- https://www.diffchecker.com/bAfVjewE/ , which I think is very simple, straightforward, and reasonable. However, my php site is completely broken -- my Chrome browser says it gets into an endless redirect (_"redirected you too many times"_), see Note 2. What might be the cause, and fix?

Notes,

1. The adding of ssl_certificate is fine, but the endless redirect is there even when I tested with an empty site.
2. When the endless redirect happens, the nginx logs kept printing nothing but `...[08/Aug/2024:15:xx:yy +0000] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (X11; Linux x86_64)...`, even though I've seen that the protocol on my browser has changed from http to https. If I visit it with curl, I'm getting:
$ curl -i https://my.site.name:443/ 
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 08 Aug 2024 15:42:45 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://my.site.name/ 


301 Moved Permanently

301 Moved Permanently

nginx
and the server log is:
[08/Aug/2024:15:42:45 +0000] "GET / HTTP/1.1" 301 162 "-" "curl/8.5.0" "my.ip"
[08/Aug/2024:15:42:45 +0000] "GET / HTTP/1.1" 301 162 "-" "curl/8.5.0" "-"
And the error log is empty, as this is how my nginx logging is configured:
cd /var/log/nginx/

root@5b6a9033cb31:/var/log/nginx# ls -l
total 0
lrwxrwxrwx 1 root root 11 Jul 23 07:14 access.log -> /dev/stdout
lrwxrwxrwx 1 root root 11 Jul 23 07:14 error.log -> /dev/stderr
xpt (1858 rep)
Aug 8, 2024, 04:52 AM • Last activity: Aug 9, 2024, 11:08 PM
0 votes
1 answers
176 views
About Let’s Encrypt's certification renew and nginx
I'm doing the Let's Encrypt *for the first time* and this *101 question* might quite possibly have been answered somewhere, but anyway, from https://eff-certbot.readthedocs.io/en/latest/using.html#setting-up-automated-renewal

> Most Certbot installations come with automatic renewals preconfigured. This is done by means of a scheduled task which runs certbot renew periodically.

So, to simplify things, I'm using the Certbot docker container to get the certificate, and that container does not come with automatic renewals preconfigured, thus I need to enable that functionality myself. The scheduled cron task is pretty straightforward:

```
0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q
```

My question is, Let's Encrypt certificates are good for **three months**, but this official recommendation from the Certbot document says that we need to try renewal **every 12 hours**. This looks really excessive to me. Anyone know how soon we can do the renewal? (As from https://unix.stackexchange.com/questions/760300/update-lets-encrypt-certificate-from-command-line I know that there is no --force-renewal option.) I mean, if the renewal can happen 10 days ahead, then my cron job can be set every 5 days; if 6 days ahead, I'll use 3. Also, anyone know if certbot renew's return code can be used to notify my script to trigger my nginx config reload after the renewal indeed happens? Thanks
xpt (1858 rep)
Aug 2, 2024, 12:17 PM • Last activity: Aug 5, 2024, 09:30 AM
2 votes
3 answers
6069 views
Mosquitto unable to use certificates from letsencrypt
I am trying to set up Mosquitto using this guide: https://www.digitalocean.com/community/tutorials/how-to-install-and-secure-the-mosquitto-mqtt-messaging-broker-on-ubuntu-18-04 I am using Ubuntu 20.04 but I couldn't find any Focal-specific guides. When I first install it, I can start and restart the service without issue. However, adding my config file seems to break it, specifically the keyfile lines. I have tried Mosquitto both from the Ubuntu repos and from the PPA. The error appears after I make a conf file, which looks like this:
allow_anonymous false
password_file /etc/mosquitto/pwfile

listener 1883 localhost

listener 8883
certfile /etc/letsencrypt/live/mydomain/cert.pem
cafile /etc/letsencrypt/live/mydomain/chain.pem
keyfile /etc/letsencrypt/live/mydomain/privkey.pem

listener 8083
protocol websockets
certfile /etc/letsencrypt/live/mydomain/cert.pem
cafile /etc/letsencrypt/live/mydomain/chain.pem
keyfile /etc/letsencrypt/live/mydomain/privkey.pem
and when I restart the service after adding the above conf file, it fails and this is what is in journalctl -xe:
-- A start job for unit mosquitto.service has begun execution.
-- 
-- The job identifier is 4722.
Dec 20 06:45:32 thestash mosquitto: 1608464732: Loading config file /etc/mosquitto/conf.d/default.conf
Dec 20 06:45:32 thestash systemd: mosquitto.service: Main process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support 
-- 
-- An ExecStart= process belonging to unit mosquitto.service has exited.
-- 
-- The process' exit code is 'exited' and its exit status is 1.
Dec 20 06:45:32 thestash systemd: mosquitto.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support 
-- 
-- The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Dec 20 06:45:32 thestash systemd: Failed to start Mosquitto MQTT Broker.
-- Subject: A start job for unit mosquitto.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support 
-- 
-- A start job for unit mosquitto.service has finished with a failure.
-- 
-- The job identifier is 4722 and the job result is failed.
Dec 20 06:45:32 thestash systemd: mosquitto.service: Scheduled restart job, restart counter is at 5.
-- Subject: Automatic restarting of a unit has been scheduled
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support 
-- 
-- Automatic restarting of the unit mosquitto.service has been scheduled, as the result for
-- the configured Restart= setting for the unit.
Dec 20 06:45:32 thestash systemd: Stopped Mosquitto MQTT Broker.
-- Subject: A stop job for unit mosquitto.service has finished
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support 
-- 
-- A stop job for unit mosquitto.service has finished.
-- 
-- The job identifier is 4794 and the job result is done.
Dec 20 06:45:32 thestash systemd: mosquitto.service: Start request repeated too quickly.
Dec 20 06:45:32 thestash systemd: mosquitto.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support 
-- 
-- The unit mosquitto.service has entered the 'failed' state with result 'exit-code'.
Dec 20 06:45:32 thestash systemd: Failed to start Mosquitto MQTT Broker.
-- Subject: A start job for unit mosquitto.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support 
-- 
-- A start job for unit mosquitto.service has finished with a failure.
-- 
-- The job identifier is 4794 and the job result is failed.
Dec 20 06:45:34 thestash sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/nano /etc/mosquitto/conf.d/default.conf
Dec 20 06:45:34 thestash sudo: pam_unix(sudo:session): session opened for user root by admin(uid=0)
Dec 20 06:45:38 thestash sudo: pam_unix(sudo:session): session closed for user root
Dec 20 06:45:38 thestash kernel: [UFW BLOCK] IN=eth0 OUT= MAC=d6:32:76:db:0a:3b:18:2a:d3:e0:df:f0:08:00 SRC=45.129.33.168 DST=104.236.7.145 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=11309 PROTO=TCP SPT=59534 DPT=21661 WINDOW=1024 RES=0x00 SYN URGP=0 
Dec 20 06:45:44 thestash sudo: admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Dec 20 06:45:44 thestash sudo: pam_unix(sudo:session): session opened for user root by admin(uid=0)
If I comment out the keyfile lines in my default.conf, the service restarts without error. The keys are there and do not seem to cause problems for anything else on my server. And the mosquitto.log file indicates that it is indeed a problem with reading the certificate. A permissions issue seems like a good guess, but I don't see why that would be a problem only for privkey.pem but not the other two files, which also have the same permissions. Also, nginx can use my certificates without owning them.
1608463912: mosquitto version 2.0.3 starting
1608463912: Config loaded from /etc/mosquitto/mosquitto.conf.
1608463912: Opening ipv4 listen socket on port 1883.
1608463912: Opening ipv4 listen socket on port 8883.
1608463912: Opening ipv6 listen socket on port 8883.
1608463912: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mylittlestashbox.com/chain.pem".
1608463912: Error: Unable to load server certificate "/etc/letsencrypt/live/mylittlestashbox.com/cert.pem". Check certfile.
1608463912: OpenSSL Error: error:0200100D:system library:fopen:Permission denied
1608463912: OpenSSL Error: error:20074002:BIO routines:file_ctrl:system lib
1608463912: OpenSSL Error: error:140DC002:SSL routines:use_certificate_chain_file:system lib
1608464267: mosquitto version 2.0.3 starting
1608464267: Config loaded from /etc/mosquitto/mosquitto.conf.
1608464267: Opening ipv4 listen socket on port 1883.
1608464267: Opening ipv4 listen socket on port 8883.
1608464267: Opening ipv6 listen socket on port 8883.
1608464267: Error: Unable to load CA certificates. Check cafile "/etc/letsencrypt/live/mylittlestashbox.com/chain.pem".
/var/log/mosquitto/mosquitto.log
Stonecraft (869 rep)
Dec 20, 2020, 06:14 PM • Last activity: Jul 31, 2024, 01:36 AM
23 votes
5 answers
23646 views
Installing Let's Encrypt on Amazon Linux 2023
I am trying to get an SSL certificate with Let's Encrypt nginx on Amazon Linux 2023.

* First, I added EPEL using the commands
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm 
and
sudo rpm -ihv --nodeps ./epel-release-latest-8.noarch.rpm
and it installed with no problem.

* Then I tried
sudo yum install python3-certbot-nginx
and got the error message:
Problem: package certbot-1.22.0-1.el8.noarch requires python3-certbot = 1.22.0-1.el8, 
    but none of the providers can be installed
      - conflicting requests
      - nothing provides python3.6dist(setuptools) >= 39.0.1 needed by python3-certbot-1.22.0-1.el8.noarch
      - nothing provides python3.6dist(cryptography) >= 2.5.0 needed by python3-certbot-1.22.0-1.el8.noarch
      - nothing provides python3.6dist(configobj) >= 5.0.6 needed by python3-certbot-1.22.0-1.el8.noarch
      - nothing provides python3.6dist(distro) >= 1.0.1 needed by python3-certbot-1.22.0-1.el8.noarch
      - nothing provides /usr/bin/python3.6 needed by python3-certbot-1.22.0-1.el8.noarch
      - nothing provides python3.6dist(pytz) needed by python3-certbot-1.22.0-1.el8.noarch
      - nothing provides python(abi) = 3.6 needed by python3-certbot-1.22.0-1.el8.noarch
      (try to add '--skip-broken' to skip uninstallable packages)
* I also tried
sudo dnf install python3-certbot-nginx
but got a similar error. I learned I may need a code ready builder but haven't been able to install it. Please, how can I get it? If that is not the issue, please, what am I doing wrong and how can I resolve it?
Sanmi Akande (331 rep)
Mar 30, 2023, 01:04 PM • Last activity: Jun 25, 2024, 02:00 PM
1 votes
1 answers
100 views
Why is my web server serving HTTPS content on port 80?
Apache webserver on Rocky Linux 9, with SSL certs obtained from LetsEncrypt. This is the config of a specific virtual host "myvhost", but the problem arises for all vhosts on my server:

/etc/httpd/conf.d/myvhost.conf:

```
ServerName myvhost.example.org
DocumentRoot "/var/www/html/myvhost"
RewriteEngine on
RewriteCond %{SERVER_NAME} =myvhost.example.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
```

/etc/httpd/conf.d/myvhost-le-ssl.conf (autogenerated by LetsEncrypt):

```
ServerName myvhost.example.org
DocumentRoot "/var/www/html/myvhost"
Include /etc/letsencrypt/options-ssl-apache.conf
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
TraceEnable off
SSLCertificateFile /etc/letsencrypt/live/example.org-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.org-0001/privkey.pem
```

The command curl -i http://myvhost.example.org returns:

```
HTTP/1.1 400 Bad Request
Date: Wed, 19 Jun 2024 12:39:10 GMT
Server: Apache
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1

400 Bad Request

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
```

Why is it doing that? Amongst other things, HTTP Error 400 prevents certbot renew from verifying the domain and renewing the certificate. It is worth noting that the exact same configuration on CentOS Stream 8 did not result in this problem.

EDIT: output of the command

```
for f in $(grep -l -e SSLCertificate -e :80 /etc/httpd/conf.d/*.conf); do printf '\n== %s ==\n' "$f"; grep -hE 'SSLCertificate|VirtualHost|Server(Name|Alias)' "$f" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d'; done | less
```

```
== /etc/httpd/conf.d/main-le-ssl.conf ==
ServerName example.org
SSLCertificateFile /etc/letsencrypt/live/example.org-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.org-0001/privkey.pem

== /etc/httpd/conf.d/main.conf ==
ServerName example.org

== /etc/httpd/conf.d/myvhost-le-ssl.conf ==
ServerName myvhost.example.org
SSLCertificateFile /etc/letsencrypt/live/example.org-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.org-0001/privkey.pem

== /etc/httpd/conf.d/myvhost.conf ==
ServerName myvhost.example.org

== /etc/httpd/conf.d/anothervhost-le-ssl.conf ==
ServerName anothervhost.example.org
SSLCertificateFile /etc/letsencrypt/live/example.org-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.org-0001/privkey.pem

== /etc/httpd/conf.d/anothervhost.conf ==
ServerName anothervhost.example.org

== /etc/httpd/conf.d/ssl.conf ==
SSLCertificateFile /etc/letsencrypt/live/example.org-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.org-0001/privkey.pem
```
dr_ (32068 rep)
Jun 19, 2024, 12:51 PM • Last activity: Jun 19, 2024, 04:58 PM
1 votes
2 answers
94 views
How to distribute HTTPS certificate/key securely and automatically on internal servers
I have some internally available servers (all Debian) that share a LetsEncrypt wildcard certificate (*.local.example.com). One server (Server1) keeps the certificate up-to-date and now I'm looking for a process to automatically distribute the .pem-files from Server1 to the other servers (e.g. Server2 and Server3). I don't allow root logins via SSH, so I believe I need an intermediary user. I've considered using a cronjob on Server1 to copy the updated .pem-files to a user's directory, where an unprivileged user uses scp or rsync (private key authentication) via another cronjob to copy the files to Server2/3. However, to make this a more secure process, I wanted to restrict the user's privileges on Server2/3 to chroot to their home directory and only allow them to use scp or rsync. It seems like this isn't a trivial configuration and most methods are outdated, flawed or require an extensive setup (rbash, forcecommand, chroot, ...). I've also considered changing the protocol to sftp, which should allow me to use the restricted sftp environment via OpenSSH, but I have no experience. An alternative idea was to use an API endpoint (e.g. FastAPI, which is already running on Server1) or simply a webserver via HTTPS with custom API-Secrets or mTLS on Server1 to allow Server2/3 to retrieve the .pem-files. At the moment, the API/webserver approach seems most reasonable and least complex, yet feels unnecessarily convoluted. I'd prefer a solution that doesn't require additional software. Server1 has .pem-files (owned by root) and Server2/3 need those files updated regularly (root-owned location). What method can I use to distribute those files automatically in a secure manner?
emma.makes (31 rep)
Jun 2, 2024, 03:34 PM • Last activity: Jun 9, 2024, 02:26 PM
1 votes
0 answers
189 views
Change IPSec IKEV2 VPN Default Ports 500 & 4500 To Anothers
For some reason OpenVPN is working very well on my local machine, but the IPSec IKEv2 VPN is not, and it only works when OpenVPN is connected. I have a domain for the IPSec IKEv2 VPN, and on the local machine the VPN is using port 443. Tell me what I should do to make the VPN work on my local machine without OpenVPN. Should I change port 443 on the server, or change ports 500 & 4500?

I followed the link below to set up an IKEv2 VPN using Strongswan and Let's Encrypt on CentOS 7, with some changes: How to Setup IKEv2 VPN Using Strongswan and Let's encrypt on CentOS 7

My Let's Encrypt commands are like this:

```
curl https://get.acme.sh | sh
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
~/.acme.sh/acme.sh --register-account -m helius.dev@gmail.com
~/.acme.sh/acme.sh --issue -d my_domain.com --keylength 4096 --standalone --force
service httpd stop
~/.acme.sh/acme.sh --issue -d my_domain.com --keylength 4096 --standalone --force
```

```
Your cert is in: /root/.acme.sh/my_domain.com/my_domain.com.cer
Your cert key is in: /root/.acme.sh/my_domain.com/my_domain.com.key
The intermediate CA cert is in: /root/.acme.sh/my_domain.com/ca.cer
And the full chain certs is there: /root/.acme.sh/my_domain.com/fullchain.cer
```

```
~/.acme.sh/acme.sh --installcert -d my_domain.com --keylength 4096 --key-file /root/private.key --fullchain-file /root/cert.crt
service httpd start
service httpd status
```

Certificate copy:

```
sudo cp /root/private.key /etc/strongswan/ipsec.d/private/
sudo cp /root/cert.crt /etc/strongswan/ipsec.d/certs/
sudo cp /root/.acme.sh/p02.artemis-art.buzz/ca.cer /etc/strongswan/ipsec.d/cacerts/
```

StrongSwan config:

```
#global configuration IPsec
#chron logger
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

#define new ipsec connection
conn hakase-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@my_domain.com
    leftcert=cert.crt
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.15.1.0/24
    rightdns=1.1.1.1,8.8.8.8
    rightsendcert=never
    eap_identity=%identity
```

And here is the secrets file (`nano -K /etc/strongswan/ipsec.secrets`):

```
: RSA "private.key"
test : EAP "123"
```

Let me explain the problem again. Some firewall rules at my Wi-Fi internet provider are blocking VPN (IKEv2 - L2TP - PPTP), but OpenVPN works like a charm. When OpenVPN is working I can connect to the IKEv2 VPN with the above config. Tell me what I should change about IKEv2 so it works without OpenVPN. As a first step, I think I should change ports 500 & 4500 on the server. Am I right? But how?

**/etc/strongswan/ipsec.d/** This file has no place to define custom ports!!!
helius.dev (21 rep)
Jan 16, 2024, 07:06 PM • Last activity: Jan 17, 2024, 03:01 AM
0 votes
0 answers
393 views
certbot letsencrypt certificate installation failed
I have a small test server at home and I registered with letsencrypt to get a valid certificate. The certificate expired and wasn't automatically renewed (no harm done, this is strictly for testing purposes). I don't remember exactly how I installed the certificate, and "certbot" was not installed on my server (actually a LXD container, if relevant) running "Debian GNU/Linux 12 (bookworm)". I installed certbot with the standard:

```
sudo apt update && sudo apt install certbot python3-certbot-nginx
```

and then proceeded to use it:

```
sudo certbot --nginx -d blog.mydomain.it
```

but I got an unexpected error:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for blog.mydomain.it

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/blog.mydomain.it/privkey.pem
This certificate expires on 2024-02-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.

NEXT STEPS:
- The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
  certbot install --cert-name blog.mydomain.it

nginx restart failed:
2023/11/16 23:31:55 [emerg] 561#561: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)

Ask for help or search for solutions at https://community.letsencrypt.org . See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```
I guess there's some mismatch between the previous certificate install and what certbot is trying to do, but I am at a loss about how to proceed. I have no problem wiping the old certificate, if that's useful, but I would like to understand before I make a deeper mess. I need to reinstall certificates without disturbing the server itself (reasonable downtime is perfectly OK).

UPDATE: As requested (it doesn't seem to add any info, but...):

```
mcon@webserver:~$ sudo certbot install --cert-name blog.mydomain.it
[sudo] password for mcon: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying certificate
Successfully deployed certificate for blog.mydomain.it to /etc/nginx/sites-enabled/blog.conf
We were unable to install your certificate, however, we successfully restored your server to its prior configuration.
nginx restart failed:
2023/11/17 09:08:38 [emerg] 3162#3162: SSL_CTX_use_PrivateKey("/etc/letsencrypt/blog.mydomain.it_ecc/private.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)

Ask for help or search for solutions at https://community.letsencrypt.org . See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
mcon@webserver:~$
```
UPDATE2: my /etc/nginx/sites-enabled/blog.conf contained the following definition:

```
server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    root /var/www/vitepress;
    ssl_certificate /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/blog.mydomain.it/privkey.pem;
    ssl_certificate /etc/letsencrypt/blog.mydomain.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/blog.mydomain.it_ecc/private.key;

    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}
```
Commenting out the second ssl_certificate/ssl_certificate_key pair actually solves the problem. Now my (working!) installation reads:

```
server {
    listen 443 ssl;
    server_name blog.mydomain.it;
    root /var/www/vitepress;
    ssl_certificate /etc/letsencrypt/live/blog.mydomain.it/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blog.mydomain.it/privkey.pem; # managed by Certbot

    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}
server {
    if ($host = blog.mydomain.it) {
        return 301 https://$host$request_uri ;
    } # managed by Certbot

    listen 80;
    server_name blog.mydomain.it;
    return 404; # managed by Certbot
}
```

I am still curious about what was actually wrong and why those two lines were there (to avoid repeating the mistake, of course), but the problem seems resolved.
ZioByte (910 rep)
Nov 16, 2023, 11:05 PM • Last activity: Nov 17, 2023, 11:55 AM
1 votes
1 answers
670 views
Update "let's encrypt" certificate from command line
A Raspberry Pi 3B+ is outfitted with NextCloudPi. DuckDNS was set up and runs: the certificate expired August 13, 2023.

Is there a terminal command that can force certificate renewal? I did find certbot:

```
certbot renew --force-renewal
```

I tried:

```
pi@nextcloudpi:~ $ sudo certbot certonly
```

Which returned:

> IMPORTANT NOTES:
> - Congratulations! Your certificate and chain have been saved at:
>   /etc/letsencrypt/live/downwind.duckdns.org/fullchain.pem
>   Your key file has been saved at:
>   /etc/letsencrypt/live/xxxxxxx.duckdns.org/privkey.pem
>   Your cert will expire on 2024-01-30. To obtain a new or tweaked version of
>   this certificate in the future, simply run certbot again. To
>   non-interactively renew *all* of your certificates, run "certbot renew"
gatorback (1522 rep)
Oct 31, 2023, 09:24 PM • Last activity: Nov 2, 2023, 07:58 AM
0 votes
1 answers
1331 views
Obtain a Wordpress Website with a Proxmox container available from outside with https (ssl encryption)
My preliminary actions:

- setting up a DDNS hostname with the noip service (ok)
- configured my home router to automatically keep the association alive (ok)
- installed a Proxmox server v8 (ok)
- created an LXC container from the "debian11-turnkey-wordpress" template with a static IP (ok)
- configured port forwarding of 80 and 443 on the router to point at the LXC WordPress container (ok)

The current situation:

- The website in the LAN is ok.
- When I try to access it from the internet with the DDNS hostname, it works the first time and then goes into an SSL cert error with both http and https.
- When I try to get a Let's Encrypt certificate with the self-service console panel, it fails with a fatal error.

My questions:

How can I correctly implement the SSL certificate in the container so I can use https from the internet to the LAN container inside Proxmox, with forwarding from outside to the home LAN? Must the configuration be applied only on the containers, or is there something to do in general in the Proxmox OS instead, so that all new containers are SSL encrypted by default?
Alessandro (25 rep)
Oct 21, 2023, 06:45 PM • Last activity: Oct 26, 2023, 07:29 PM
0 votes
1 answers
88 views
Manually deploy LetsEncrypt certificate to Kubernetes
One of my systems (Rocky Linux 9) collects wildcard certificates from LetsEncrypt and distributes them to the various systems that require an SSL certificate. I also have AWX running on Kubernetes (CentOS Stream 8) and I want to use the LetsEncrypt certificate for that system as well (so I DON'T want Kubernetes to manage the certificate). How can I deploy the certificates to Kubernetes, and which of the files cert.pem, chain.pem, fullchain.pem and privkey.pem are required? Thanks in advance for your help.
Johan G (101 rep)
Nov 19, 2022, 11:10 AM • Last activity: Jul 25, 2023, 12:04 PM
1 votes
2 answers
242 views
expand an existing fullchain certificate
I want to expand an existing file instead of creating a new certificate for a subdomain. I have these domains already in the file:
```
certtool -i < /etc/letsencrypt/live/example.org-0002/fullchain.pem|grep DNSname
                        DNSname: forum.example.com
                        DNSname: m.example.de
                        DNSname: m.example.org
                        DNSname: example.com
                        DNSname: example.de
                        DNSname: example.org
                        DNSname: wiki.example.org
                        DNSname: www.example.com
                        DNSname: www.example.de
                        DNSname: www.example.org
```

(certtool is part of the package gnutls-bin in Debian.) I know there is the `certbot --expand` option, but if I don't give the exact set of domains again, it will create a new certificate with the next suffix, -0003. How can I prevent that, if I only want to add one domain to an existing cert file?
rubo77 (30435 rep)
Oct 7, 2019, 02:12 AM • Last activity: May 19, 2023, 07:25 AM
0 votes
0 answers
57 views
why does certbot still can generate my certs after wipe?
I tested some things in Docker and f*d up, and also removed all containers and volumes, including the certbot ones. So why is certbot still able to give me my certificates back? Is it because they are stored somewhere in a web storage? Is it because Docker's storage driver keeps files even after deleting volumes/containers? Is it because letsencrypt only needs a successful DNS challenge and nothing more? I'm just curious how it works.

---

Addressing comments:

> What do you mean by "give ... certificates back"? Are you sure it's not just generating a new certificate?

With "give certs back" my thinking was that I would actually need more than just my mail and DNS possession. Does this imply I don't need to back up the letsencrypt certificates and can instead create new ones? What is the minimum requirement to "overwrite" then? Thanks for the help.
sam (1 rep)
Jan 17, 2023, 07:47 AM • Last activity: Jan 17, 2023, 03:04 PM
2 votes
2 answers
2482 views
How to add and delete a temporary nftables accept rule
To get and renew a Letsencrypt certificate, I need to open the http port 80 while certbot is running, and close it afterwards. (There is no normal web service in this server). With iptables I used these commands in the letsencrypt "/etc/letsencrypt/renewal-hooks/pre" and ".../post" scripts:
```
iptables -I INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP for certbot"
```

and

```
iptables -D INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP for certbot"
```

I can use `iptables-translate` with the first -I(nsert) rule to get the equivalent nft command:

```
nft insert rule ip filter INPUT tcp dport 80 counter accept comment \"Allow HTTP for certbot\"
```

But with the -D(elete) command, I just get

```
Translation not implemented
```

So what would be the best way to implement this with nftables? Maybe I could also add and then remove an entire special table for that with `nft add table ...` and `nft delete table ...`? But how do I make sure that packets are not dropped anyway by my other table, which has policy drop?
mivk (3886 rep)
Dec 14, 2022, 03:41 PM • Last activity: Dec 22, 2022, 08:57 PM