You would also have to check the ecc, but I think it all fits.
1 Like
Yes, that's how everything should work.
1 Like
OK. We're all set. Thanks again for your persistence. I marked your post that points out the problem as the solution.
4 Likes
I already asked in another post if it makes sense to keep the outdated rsa certificate, I hope it will be removed soon.
Something is not quite right. I have just deleted the old certificates and created new ones with the following rewrite, but the certificate is still not created for www as well:
cat /var/discourse/containers/app.yml
after_ssl:
  # tell letsencrypt what additional certs to get
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /--keylength/
      to: "-d www.rpg-foren.com --keylength"
  - replace:
      filename: "/etc/runit/1.d/letsencrypt"
      from: /--fullchainpath/
      to: "-d www.rpg-foren.com --fullchainpath"
      global: true
cat /etc/runit/1.d/letsencrypt
#!/bin/bash
/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

issue_cert() {
  LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh --issue $2 -d rpg-foren.com -d www.rpg-foren.com --keylength $1 -w /var/www/discourse/public
}

cert_exists() {
  [[ "$(cd /shared/letsencrypt/rpg-foren.com$1 && openssl verify -CAfile <(openssl x509 -in ca.cer) fullchain.cer | grep "OK")" ]]
}

########################################################
# RSA cert
########################################################
issue_cert "4096"
if ! cert_exists ""; then
  # Try to issue the cert again if something goes wrong
  issue_cert "4096" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert \
  -d rpg-foren.com \
  -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com.cer \
  --keypath /shared/ssl/rpg-foren.com.key \
  --reloadcmd "sv reload nginx"

########################################################
# ECDSA cert
########################################################
issue_cert "ec-256"
if ! cert_exists "_ecc"; then
  # Try to issue the cert again if something goes wrong
  issue_cert "ec-256" "--force"
fi

LE_WORKING_DIR="${LETSENCRYPT_DIR}" /shared/letsencrypt/acme.sh \
  --installcert --ecc \
  -d rpg-foren.com \
  -d www.rpg-foren.com --fullchainpath /shared/ssl/rpg-foren.com_ecc.cer \
  --keypath /shared/ssl/rpg-foren.com_ecc.key \
  --reloadcmd "sv reload nginx"

if cert_exists "" || cert_exists "_ecc"; then
  grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
fi

/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
openssl x509 -in /var/discourse/shared/standalone/ssl/rpg-foren.com_ecc.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:f0:89:90:30:4f:d5:9b:40:00:9e:96:9a:d7:d0:dc:78:d5
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E6
        Validity
            Not Before: Sep 23 15:23:00 2024 GMT
            Not After : Dec 22 15:22:59 2024 GMT
        Subject: CN = rpg-foren.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:3a:65:89:b0:9b:07:c2:ef:f7:43:f8:f7:2e:e5:
                    8e:f8:47:76:19:cc:e6:98:50:e4:18:b7:9b:e0:f0:
                    60:49:ed:06:5c:66:d0:7b:79:07:84:0f:75:36:4b:
                    70:98:1d:76:6b:15:20:8f:c5:6d:43:cc:b8:12:a1:
                    eb:5a:d8:0f:7f
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                7F:CC:80:95:73:18:45:96:CD:73:16:0D:69:CA:4F:5E:54:D4:C1:13
            X509v3 Authority Key Identifier:
                93:27:46:98:03:A9:51:68:8E:98:D6:C4:42:48:DB:23:BF:58:94:D2
            Authority Information Access:
                OCSP - URI:http://e6.o.lencr.org
                CA Issuers - URI:http://e6.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:rpg-foren.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A2:E3:0A:E4:45:EF:BD:AD:9B:7E:38:ED:47:67:77:53:
                                D7:82:5B:84:94:D7:2B:5E:1B:2C:C4:B9:50:A4:47:E7
                    Timestamp : Sep 23 16:21:30.838 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:F4:3A:0D:45:49:BE:EB:7D:9F:03:C1:
                                36:53:77:49:23:6F:E4:57:2B:68:01:5A:31:EB:DB:B4:
                                1D:1B:30:EA:44:02:21:00:A1:DA:11:1B:2B:59:BB:86:
                                BF:0B:DC:F6:45:9A:DB:77:DB:A4:DF:1B:4D:74:6A:51:
                                9A:2A:A0:80:CC:E8:F3:CF
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 76:FF:88:3F:0A:B6:FB:95:51:C2:61:CC:F5:87:BA:34:
                                B4:A4:CD:BB:29:DC:68:42:0A:9F:E6:67:4C:5A:3A:74
                    Timestamp : Sep 23 16:21:30.896 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:0A:B1:11:58:B1:41:F3:B4:90:13:55:9C:
                                E2:AD:D1:B8:0B:E9:15:A1:C9:4C:5C:AC:CC:1D:22:46:
                                6F:FC:64:C4:02:20:4A:EA:C9:AD:99:E3:0A:86:6C:3E:
                                80:EF:21:D8:DE:A4:83:EA:B6:E6:27:96:C1:98:92:4A:
                                7B:F0:87:38:41:20
    Signature Algorithm: ecdsa-with-SHA384
openssl x509 -in /var/discourse/shared/standalone/ssl/rpg-foren.com.cer -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:c8:d5:4a:f1:f4:9b:4f:23:b0:17:be:25:27:97:9b:2c:c2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R10
        Validity
            Not Before: Sep 23 15:22:54 2024 GMT
            Not After : Dec 22 15:22:53 2024 GMT
        Subject: CN = rpg-foren.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                FE:E1:BC:4C:C3:11:44:83:80:48:E6:F4:AB:B8:DE:AE:93:4F:2E:8F
            X509v3 Authority Key Identifier:
                BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
            Authority Information Access:
                OCSP - URI:http://r10.o.lencr.org
                CA Issuers - URI:http://r10.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:rpg-foren.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 48:B0:E3:6B:DA:A6:47:34:0F:E5:6A:02:FA:9D:30:EB:
                                1C:52:01:CB:56:DD:2C:81:D9:BB:BF:AB:39:D8:84:73
                    Timestamp : Sep 23 16:21:24.622 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:BD:C6:D8:48:E3:CD:EA:A7:41:E4:27:
                                FE:34:0C:47:A6:1F:78:6F:61:70:4F:39:B5:BE:22:2F:
                                39:E1:41:CE:53:02:20:69:1E:20:E0:42:25:40:76:D4:
                                B0:66:08:15:D7:9C:CC:4F:BC:A4:A2:1E:C6:36:0E:0B:
                                25:F5:7B:2D:30:85:3A
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 3F:17:4B:4F:D7:22:47:58:94:1D:65:1C:84:BE:0D:12:
                                ED:90:37:7F:1F:85:6A:EB:C1:BF:28:85:EC:F8:64:6E
                    Timestamp : Sep 23 16:21:24.621 2024 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:9E:CF:69:F9:27:E3:B0:4E:7D:DC:2D:
                                13:99:CD:8D:8C:B2:99:0B:B1:CA:82:83:07:2B:91:F7:
                                1B:71:EB:7B:ED:02:21:00:91:C6:62:90:C3:ED:ED:07:
                                62:1A:EC:43:02:C6:FE:F3:87:6A:0E:9C:C3:D7:54:1B:
                                69:3F:3F:FF:31:00:F6:6D
    Signature Algorithm: sha256WithRSAEncryption
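Both dumps above show the root of the problem in one line: the Subject Alternative Name lists only DNS:rpg-foren.com, and browsers validate against the SAN, not the Subject CN. As an added post-issuance check (this is not part of the thread or of Discourse's letsencrypt script), the Python below parses `openssl x509 -text` output in the format shown above and reports the expected hostnames the SAN does not cover, so a missing www entry is caught before nginx is reloaded with the new certificate. The sample text is constructed to mirror the relevant lines of the dumps.

```python
# Constructed sample mirroring the relevant lines of the openssl -text dumps above
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Subject: CN = rpg-foren.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Alternative Name:
                DNS:rpg-foren.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
"""

def san_dns_names(cert_text: str) -> list[str]:
    """DNS names from the Subject Alternative Name extension of an
    'openssl x509 -text' dump. openssl prints the values on the line(s)
    after the header, indented deeper and comma separated."""
    lines = cert_text.splitlines()
    names = []
    for i, line in enumerate(lines):
        if not line.strip().startswith("X509v3 Subject Alternative Name:"):
            continue
        header_indent = len(line) - len(line.lstrip())
        for value_line in lines[i + 1:]:
            if not value_line.strip():
                continue
            if len(value_line) - len(value_line.lstrip()) <= header_indent:
                break  # back at extension level: the SAN block is finished
            for entry in value_line.split(","):
                entry = entry.strip()
                if entry.startswith("DNS:"):
                    names.append(entry[len("DNS:"):].lower())
        break
    return names

def missing_hostnames(cert_text: str, expected: list[str]) -> list[str]:
    """Hostnames in `expected` that the certificate's SAN does not list.
    Only SAN entries count: browsers ignore the Subject CN, so a cert with
    CN=rpg-foren.com but no www entry is rejected for www.rpg-foren.com.
    Wildcard entries are not expanded."""
    sans = set(san_dns_names(cert_text))
    return [host for host in expected if host.lower() not in sans]

if __name__ == "__main__":
    # Expected: ['www.rpg-foren.com']
    print(missing_hostnames(SAMPLE_CERT_TEXT, ["rpg-foren.com", "www.rpg-foren.com"]))
```

On the live container the same check can be fed the real dump with `openssl x509 -in /shared/ssl/rpg-foren.com.cer -noout -text`, once for the RSA file and once for the `_ecc` file, since the script issues them separately.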
I have now created them again manually as described here.