Force Let's Encrypt to replace StartCom certificates?

I’ve got a mix of StartCom SSL and Let’s Encrypt certificates on my box. Seems StartCom certificates now generate a hard error (NET::ERR_CERT_AUTHORITY_INVALID) in Chrome. They still work in Firefox.

Is there a way to force replacement of the StartCom certificates with Let’s Encrypt? The admin web page only generates a new CSR.

And management/ssl_certificates.py says “no need to replace”.

PS: Here are some details about Google revoking the WoSign and StartCom CA: https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
https://ma.ttias.be/despite-revoked-cas-startcom-wosign-continue-sell-certificates/

I believe you can do:
./management/ssl_certificates.py --force

That --force flag will likely do what you need.

How much is StartCom?
Were you able to replace Let’s Encrypt?
My Let’s Encrypt provision is broken with no way of fixing unless I blow away MIAB and start over.
Is there a workaround for management/ssl_certificates.py?

Thanks, that mostly did the job.

I’ve seen the “./management/ssl_certificates.py --force” suggestion in a few places and it is not working for me. (See the following.) Any suggestions? My guess is that for my particular situation, there is a bug in ssl_certificates.py.

$ sudo ./management/ssl_certificates.py --force
Traceback (most recent call last):
  File "./management/ssl_certificates.py", line 807, in <module>
    provision_certificates_cmdline()
  File "./management/ssl_certificates.py", line 450, in provision_certificates_cmdline
    status = provision_certificates(env, agree_to_tos_url=agree_to_tos_url, logger=my_logger, force_domains=force_domains, show_extended_problems=show_extended_problems)
  File "./management/ssl_certificates.py", line 337, in provision_certificates
    logger=my_logger)
  File "/usr/local/lib/python3.4/dist-packages/free_tls_certificates/client.py", line 64, in issue_certificate
    agree_to_tos_url, validation_method, acme_server, logger)
  File "/usr/local/lib/python3.4/dist-packages/free_tls_certificates/client.py", line 112, in validate_domain_ownership
    acme_server=acme_server)
  File "/usr/local/lib/python3.4/dist-packages/free_tls_certificates/client.py", line 317, in create_client
    client = acme.client.Client(acme_server, key)
  File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 63, in __init__
    self.net.get(directory).json())
  File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 624, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 606, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.4/dist-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 350, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 835, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connection.py", line 311, in connect
    cert_reqs=resolve_cert_reqs(self.cert_reqs),
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/util/ssl_.py", line 267, in create_urllib3_context
    context.set_ciphers(ciphers or DEFAULT_CIPHERS)
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 385, in set_ciphers
    self._ctx.set_cipher_list(ciphers)
TypeError: must be str, not bytes