Certificate Generation/Validation is failing From June 2024 #144

Open
nreddipalle opened this issue Jul 10, 2024 · 2 comments
nreddipalle commented Jul 10, 2024

Please provide some information about your script:

  • Where should it run (On-Prem, Azure, Windows, Linux, Full / Desktop)? Windows PowerShell (Azure Functions)
  • Which version are you running (make sure to use the latest)? So far, using 1.5.0, but also tried with the latest version.
  • What is your level of PowerShell expertise? Good.

We have been generating Let's Encrypt certs without issues using an Azure Function and importing them into Azure Key Vault. But the function stopped working in June 2024, which I assume is due to this: https://letsencrypt.org/certificates/

This is our code:

We generate the cert:

# As soon as the URL shows up we can create the PFX
Export-ACMECertificate -State $acmeStateDir `
    -Order $order `
    -Path $certExportPath `
    -Password $securePassword `
    -UseAlternateChain

We split the cert into key and CRT due to this error:

## Correcting certificate order due to a bug in Let's Encrypt cert with incorrect order
## There is an issue in the roadmap to be fixed with Azure Key Vault so that it always keeps the order in the certificate correct even if the certificate is uploaded in the wrong order.
## But until then we will manually correct the order
## https://github.com/Azure/azure-rest-api-specs/issues/10637

&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -in "$certExportPath" -nocerts -out "${certExportPath}.key" -passin pass:$CERT_PASS -passout pass:$CERT_PASS
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -in "$certExportPath" -clcerts -nokeys -out "${certExportPath}.crt" -passin pass:$CERT_PASS

## We download the root and intermediate certs manually

(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/isrgrootx1.pem", "$acmeStateDir\Certificates\isrgrootx1.pem") ## ROOT CA
(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/lets-encrypt-r3.pem", "$acmeStateDir\Certificates\lets-encrypt-r3.pem") ## INTERMEDIATE CA

## Bundle order: intermediate first, root appended. Write the intermediate with '>' first,
## then append the root with '>>' (the original did it the other way round, so the root was overwritten).
Get-Content "$acmeStateDir\Certificates\lets-encrypt-r3.pem" > "$acmeStateDir\Certificates\ca.crt" ## INTERMEDIATE CA (the file downloaded above)
Get-Content "$acmeStateDir\Certificates\isrgrootx1.pem" >> "$acmeStateDir\Certificates\ca.crt" ## ROOT CA

Get-Content "$acmeStateDir\Certificates\ca.crt"

## Rebuild PFX
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -export -out "${certExportPath}.rebuilt.pfx" -inkey "${certExportPath}.key" -in "${certExportPath}.crt" -certfile "$acmeStateDir\Certificates\ca.crt" -passin pass:$CERT_PASS -passout pass:$CERT_PASS

When trying to test this rebuilt PFX:

&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" pkcs12 -nodes -in "${certExportPath}" -out "${certExportPath}.crt" -passin pass:$CERT_PASS

## Check with -attime 60 days in advance so that we know ahead of time if any certificate in the chain is expiring.
## Unix epoch seconds in UTC, already truncated to whole seconds (no millisecond split needed).
$Attime = [DateTimeOffset]::UtcNow.AddDays(60).ToUnixTimeSeconds()

&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" verify -attime $Attime -x509_strict -CAfile "$acmeStateDir\Certificates\ca.crt" -verbose "${certExportPath}.crt"

I get this error:

error 20 at 0 depth lookup: unable to get local issuer certificate

I also tried with the new intermediate certs, with no luck:

(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/isrgrootx1.pem", "$acmeStateDir\Certificates\isrgrootx1.pem") ## ROOT CA
(New-Object System.Net.WebClient).DownloadFile("https://letsencrypt.org/certs/2024/r10.pem", "$acmeStateDir\Certificates\r10.pem") ## INTERMEDIATE CA

Am I missing anything? Please suggest. Thanks.

@nreddipalle nreddipalle added the question Further information is requested label Jul 10, 2024
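An added PowerShell example (not code from the issue author or from the ACME-PS project) showing how to find out which intermediate actually issued the exported leaf, write `ca.crt` in the order openssl expects (intermediate first, root last, ASCII-encoded), and validate the chain 60 days ahead with .NET's `X509Chain`, which mirrors the `-attime` check above. The function name and all paths are assumptions; the leaf file is assumed to contain only the certificate (the `-clcerts -nokeys` output), not the private key.

```powershell
# Added example, not the issue's or the project's code. All paths are assumptions.
# Works in Windows PowerShell 5.1 and PowerShell 7.
function Get-ChainReport {
    param(
        [Parameter(Mandatory)] [string]   $LeafPath,           # e.g. "$certExportPath.crt" (cert only)
        [Parameter(Mandatory)] [string[]] $IntermediatePaths,  # e.g. lets-encrypt-r3.pem, 2024/r10.pem
        [Parameter(Mandatory)] [string]   $RootPath,           # e.g. isrgrootx1.pem
        [Parameter(Mandatory)] [string]   $BundlePath,         # ca.crt to (re)write
        [int] $DaysAhead = 60
    )
    $x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $leaf = New-Object $x509 $LeafPath
    $root = New-Object $x509 $RootPath

    # The intermediate that issued this leaf is the one whose Subject equals the leaf's Issuer.
    # "error 20 at 0 depth" from openssl means no such certificate was found in -CAfile.
    $issuer = $null; $issuerPath = $null
    foreach ($p in $IntermediatePaths) {
        $c = New-Object $x509 $p
        if ($c.Subject -eq $leaf.Issuer) { $issuer = $c; $issuerPath = $p; break }
    }
    if (-not $issuer) {
        return [pscustomobject]@{ Valid = $false; LeafIssuer = $leaf.Issuer; Intermediate = $null
                                  Status = 'No candidate intermediate matches the leaf issuer'; Chain = $null }
    }

    # Bundle for -certfile / -CAfile: intermediate first, root last. Force ASCII because
    # Windows PowerShell's '>' redirection writes UTF-16, which openssl does not parse as PEM.
    $pem = (Get-Content $issuerPath -Raw).TrimEnd() + "`n" + (Get-Content $RootPath -Raw).TrimEnd() + "`n"
    Set-Content -Path $BundlePath -Value $pem -Encoding Ascii -NoNewline

    # Validate as of $DaysAhead days from now (same intent as openssl verify -attime).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.ChainPolicy.ExtraStore.Add($issuer)
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    $chain.ChainPolicy.RevocationMode   = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationTime = (Get-Date).AddDays($DaysAhead)
    $ok = $chain.Build($leaf)

    [pscustomobject]@{
        Valid        = $ok
        LeafIssuer   = $leaf.Issuer
        Intermediate = $issuer.Subject
        Status       = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        Chain        = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    }
}
```

A `Valid = $false` report shows the leaf's issuer DN alongside the intermediates tried, so it tells you directly which intermediate the bundle must contain; `Status` carries the .NET reason (for example an untrusted root if ISRG Root X1 is not in the machine's trust store).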
glatzert (Collaborator) commented
Where exactly does the error occur?
The message seems to be openssl related?

nreddipalle (Author) commented

The error is happening at the last step:
&"${ModulePath}\openssl-1.1.1l\x64\bin\openssl.exe" verify -attime $Attime -x509_strict -CAfile "$acmeStateDir\Certificates\ca.crt" -verbose "${certExportPath}.crt"

Is there a way to append the root CA and intermediate CA directly during the Issue Certificate/Export operation instead of doing it later?
I am still using version 1.5.0 of ACME; wondering if any recent versions started supporting the above?
Thanks for your response.
