certera-io / certera

A central validation server for Let's Encrypt certificates

Home Page: https://docs.certera.io

License: Other

C# 78.43% HTML 17.13% CSS 3.82% PowerShell 0.62%
certera cybersecurity letsencrypt security server-software ssl-certificates

certera's People

Contributors: certeraio, nomailme

certera's Issues

Chain parameter TRUE/FALSE does not work like expected

To obtain the certificate (not the chain, nor the private key one),
it should be necessary to add the parameter -d "chain=false", but this parameter is always ignored (v. 1.5.0) and the certificate is always in "Chain" mode.

It is not a blocking issue, because the first piece of the chain certificate corresponds to the main one, so it can be easily overcome.

Is / will certera still be maintained?

Hey there,
like the title already suggests, I would like to know if certera is still maintained and, even more important, if the dev is healthy and fine in these troublesome times lately?
Thank you for sharing this with the OSS community,

cheers

Test email feature

It would be very nice to have the possibility to test the email sending.

In other words it would be better to be aware of some email troubles before the notification is normally triggered.

DNS Challenge is waiting for wrong TXT Entry

Hi,

I'm trying to get the dns challenge to work, but it seems like the validation function that checks if the DNS entry has been propagated is checking the wrong name. I found this by sniffing the dns traffic on the machine.

My hosts are all internal and NOT reachable via public dns.
So for example I want to validate test.example.com.
For this to work I need a TXT entry for _acme_challenge.test.example.com on the NS that is in charge for LE to validate.
The Set DNS script is successfully generating this entry, but then Certera is trying to check if there is a record for test.example.com which is of course failing as this will not be available externally.

Is this a bug or am I missing something here?

Exception during running DNS challenge scripts

Hello,
I have troubles using DNS challenge creation/deletion scripts. The thing is that when a certificate is being requested I get an exception during attempt to run a script.

System.ComponentModel.Win32Exception (2): No such file or directory
   at System.Diagnostics.Process.ForkAndExecProcess(String filename, String[] argv, String[] envp, String cwd, Boolean redirectStdin, Boolean redirectStdout, Boolean redirectStderr, Boolean setCredentials, UInt32 userId, UInt32 groupId, UInt32[] groups, Int32& stdinFd, Int32& stdoutFd, Int32& stderrFd, Boolean usesTerminal, Boolean throwOnNoExec)
   at System.Diagnostics.Process.StartCore(ProcessStartInfo startInfo)
   at System.Diagnostics.Process.Start()
   at Certera.Web.AcmeProviders.CertesAcmeProvider.RunProcess(String file, String args, String envVars)

I figured out that the scripts are running fine unless you set any Environment Variables. So I believe that the problem is at CertesAcmeProvider.cs line number 258:
if (!isWindows) { file = EnvironmentVariableHelper.ToNixEnvVars(envVars) + file; }

I'll try to create a sample project this week to try to inject environment variables in a different manner and see if it will help

OS: Ubuntu 20.04

PS. These scripts work fine if I create a bash script and use environment variables there.

Unbundle certificate?

Currently testing this awesome project, and got to the point where I got the certificate for the certera instance. While testing the process of getting that certificate from a remote node (using curl) for further deployment, the file I got seems to include the full certificate chain.

Currently, the endpoint I'm hitting, as per the documentation, is /api/certificate/<certificate_name>. Is there another endpoint for the unbundled certificate? If not, how about another parameter, like bundled=true|false? By default true to avoid breakage.

In the same vein, how about yet another parameter, chain=false|true, that would allow to download just the chain (or, if the chain is the same for any certificate, another endpoint altogether.)

Why the above? I deploy certificates in dissimilar systems: Apache, Nginx, Icecast, and many more. Each of them have different semantics for injecting the certs: some like the bundles, others separated (Icecast even wants to have the certificate, chain and key in a single file.) So, having the option of getting all those components separately would make certera more versatile, IMO.

DNS Root Queries

Is there a reason the server is configured to require direct query of root servers for DNS validation? I edited the config file to only have my router IP address but validation still fails (status shows it is trying to query a root). I have my network configured to block all unencrypted DNS unless it is to my router which queries cloudflare through an encrypted connection.

I can make a firewall exception for the VM Certera is running on but would rather avoid it if possible. Thanks!

./certera no such file or directory

Running Debian 11 (ARM) on a VM, I've installed a clean OS and followed instructions on https://docs.certera.io/#linux . I've downloaded the correct ARM binary and ran chmod +x on the certera binary, however when I attempt to run it with ./certera it tells me

-bash: ./certera: No such file or directory.

I've tried multiple times with the download and am unable to run the binary from certera-2.1.5-linux-arm.zip . Am I missing something in the instructions or is Debian perhaps not supported?

Ability to add/remove domains from the tracking list programmatically.

Is there any way we can add/update/remove domains in the tracking list programmatically? If we have an ever changing list of domains to keep an eye on, it would be very useful to be able to interact with that tracking list in some way and remove room for error on the manual update front.

Not compatible with libssl3?

After unpacking and running I get
No usable version of libssl was found
Aborted
this is certera 2.1.5 on Ubuntu 22.04 with libssl3 3.0.2 installed.

No ADD button on certificate creation page

There is no ADD (or CREATE) button on certificate creation page.
Being a standard html form it is possible to submit the form putting the focus on a textfield and hitting "Enter" button.

error obtaining certificate: Unknown Error

My Certera instance was working fine and then it stopped renewing some of my certs yielding an error:

fail: Certera.Web.Services.CertificateAcquirer[0]
error obtaining certificate: Unknown Error

There is no additional detail in the logs. I tried deleting and re-adding certs and the same error persisted. I even created a new VM and installed from scratch. The only cert that works on the new instance is the cert for Certera itself. Any idea what I can do to troubleshoot this further?

Error 500 - InvalidOperationException on install

Hello

I'm trying to install it.
I've downloaded, unzipped, set correct changes (chmod, port binding permission, etc...) since I'm using Linux.
Then started the process. No issue so far. (Certificate discovery service starting., etc...)

Then I connect to web server and then... I have the issue :
500 Internal Server Error
and below logs in application side :

Mar 20 00:17:15 pki-certera certera[16545]: fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
Mar 20 00:17:15 pki-certera certera[16545]:       An unhandled exception has occurred while executing the request.
Mar 20 00:17:15 pki-certera certera[16545]: System.InvalidOperationException: Cannot create instance of type 'System.String' because it is missing a public parameterless constructor.
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.CreateInstance(Type type)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindInstance(Type type, Object instance, IConfiguration config, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindProperty(PropertyInfo property, Object instance, IConfiguration config, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindNonScalar(IConfiguration configuration, Object instance, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindInstance(Type type, Object instance, IConfiguration config, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.Bind(IConfiguration configuration, Object instance, Action`1 configureOptions)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Options.NamedConfigureFromConfigurationOptions`1.<>c__DisplayClass1_0.<.ctor>b__0(TOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Options.ConfigureNamedOptions`1.Configure(String name, TOptions options)
Mar 20 00:17:15 pki-certera certera[16545]: fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[3]
Mar 20 00:17:15 pki-certera certera[16545]:       An exception was thrown attempting to execute the error handler.
Mar 20 00:17:15 pki-certera certera[16545]: System.InvalidOperationException: Cannot create instance of type 'System.String' because it is missing a public parameterless constructor.
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.CreateInstance(Type type)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindInstance(Type type, Object instance, IConfiguration config, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindProperty(PropertyInfo property, Object instance, IConfiguration config, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindNonScalar(IConfiguration configuration, Object instance, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindInstance(Type type, Object instance, IConfiguration config, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.Bind(IConfiguration configuration, Object instance, Action`1 configureOptions)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Options.NamedConfigureFromConfigurationOptions`1.<>c__DisplayClass1_0.<.ctor>b__0(TOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Options.ConfigureNamedOptions`1.Configure(String name, TOptions options)
Mar 20 00:17:15 pki-certera certera[16545]: fail: Microsoft.AspNetCore.Server.Kestrel[13]
Mar 20 00:17:15 pki-certera certera[16545]:       Connection id "0HMG9VN2BQ4QO", Request id "0HMG9VN2BQ4QO:00000001": An unhandled exception was thrown by the application.
Mar 20 00:17:15 pki-certera certera[16545]: System.InvalidOperationException: Cannot create instance of type 'System.String' because it is missing a public parameterless constructor.
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.CreateInstance(Type type)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindInstance(Type type, Object instance, IConfiguration config, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindProperty(PropertyInfo property, Object instance, IConfiguration config, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindNonScalar(IConfiguration configuration, Object instance, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.BindInstance(Type type, Object instance, IConfiguration config, BinderOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Configuration.ConfigurationBinder.Bind(IConfiguration configuration, Object instance, Action`1 configureOptions)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Options.NamedConfigureFromConfigurationOptions`1.<>c__DisplayClass1_0.<.ctor>b__0(TOptions options)
Mar 20 00:17:15 pki-certera certera[16545]:    at Microsoft.Extensions.Options.ConfigureNamedOptions`1.Configure(String name, TOptions options)

Any idea ?

Error getting validation data

Hi again,

I read all your documentation and even all the github posts, I also followed all the configurations mentioned in "https://docs.certera.io/#home".

Said this, I'm trying to renew some certificates, but I've only managed to renew one of them... no matter what I do, I can't renew any other certificate even with the same vhost configuration on the same machine.

I've already activated debug logs, but they do not provide any useful information.

dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - starting certificate acquisition
dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - creating ACME order
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0]
Order created: https://acme-v02.api.letsencrypt.org/acme/order/102358678/6260472891
dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - requesting ACME validation
dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - completing order
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0]
1 incomplete authorizations.
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0]
1 incomplete authorizations.
dbug: Certera.Web.AcmeProviders.CertesAcmeProvider[0]
0 incomplete authorizations.
fail: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - error obtaining certificate: BadRequest urn:ietf:params:acme:error:connection Fetching https://mycerteraserver.com/.well-known/acme-challenge/YJ8o-u2TvjKqiR41hpJLGOzw9VrGVltiQDNX6i7eqU: Error getting validation data
dbug: Certera.Web.Services.CertificateAcquirer[0]
[mydomain.example] - done

I do not understand how is it possible that only one certificate avoided the error "Error getting validation data".

Is there any other procedure to follow in order to troubleshoot this issue?

Thanks in advance,
Kind regards,
Toni.

[Feature Request] More Certificate Chain Options (Low Priority)

To start: This is already easy to achieve with sh/bash scripting, so priority is definitely low here, but wanted to kick off a discussion on the subject.

I think it would be nice to expand the api optional parameter "chain=true | false" to "chain=full | intermediate | none". Some folks don't consider including the root CA in the chain a best practice (and it shouldn't be needed). The additional option would return the certificate and intermediary, but not the root CA. Essentially the behavior would be:

full = same as "true" now, so root ca, intermediate, and end cert
intermediate = returns "true" minus the root CA, so just intermediate and end cert
none = same as "false" now, so just the end cert

Some discussion on the topic:
https://security.stackexchange.com/questions/65332/ssl-root-certificate-optional

Can't Change ACME Challenge Type

I wanted to change the existing Certera Cert to DNS challenge/validation. When I change the drop down and hit save it does not update. I thought this may be defined behavior for the Certera cert, so I tried making another cert for a different subdomain and then switching the challenge type which also failed.

Is this intended / needed behavior based on how LE works? If so, may want to tweak the drop down box to become grey/unchangeable once a cert is created.

Thanks!

Certera + NGINX + Varnish

Hi everyone,
I need to add a certificate to one site that has NGINX + Varnish working.
For example, if I do this using Certbot I have to do the following:

/etc/varnish/default.vcl:

sub vcl_recv {
  if (req.url ~ "^/\.well-known/acme-challenge/") {
    set req.backend_hint = certbot;
    return(pipe);
  }
}


sub vcl_pipe {
  if (req.backend_hint == certbot) {
    set req.http.Connection = "close";
    return(pipe);
  }
}

backend certbot {
  .host = "127.0.0.1";
  .port = "8089";
}

/etc/nginx/conf.d/example.conf

server {
  listen 8089;
  server_name _;

  location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
    alias /srv/www/.well-known/acme-challenge/;
  }
}

The doc says that with Certera NGINX looks like this:

server {
  (...)
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    rewrite /.well-known/acme-challenge/(.*) https://<your_certera_site_hostname>/.well-known/acme-challenge/$1 break;
  }
}

I don't know how to make this including Varnish software.
Let's Encrypt has a limit to make a request by the hour, so I can't make a lot of tests until finding the right configuration.
Can you help me, please?
Greetings!

Check expiration date of all certs in chain

Back in May/June 2020, a root certificate from Sectigo/Comodo expired leaving a bunch of people scrambling. Certera's cert monitoring only looks at the top most cert's expiration, not the entire chain. This could have been easily caught by checking the expiration of all certs in the chain.
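Two of the requests on this page, slicing the bundle returned by /api/certificate/<certificate_name> into end certificate, intermediates and root (the chain=full | intermediate | none proposal above), and checking the expiry of every certificate in the chain instead of only the top one (the Sectigo/Comodo case just described), can both be served by one small standard-library script. The following is an added example written for this page, not Certera's code or API: it walks just enough of the X.509 DER structure to read issuer, subject and validity, treats a certificate whose issuer equals its subject as a root, and runs on constructed, DER-shaped stand-in certificates (no real keys or signatures, labelled as such in the code) so that it works offline. Feed it the text of a real bundle in place of SAMPLE_BUNDLE.

```python
"""Split a PEM bundle into leaf / intermediates / root and find the certificate in the
chain that expires first. Example code added for this page, not part of Certera."""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _fields(buf, start, end):
    """Yield (tag, raw TLV bytes) for every element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, value_end = _tlv(buf, pos)
        yield tag, buf[pos:value_end]
        pos = value_end


def _parse_time(tlv):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...), UTC."""
    tag, vs, ve = _tlv(tlv, 0)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(tlv[vs:ve].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_info(pem_cert):
    """Return (issuer DER, subject DER, notBefore, notAfter) of one PEM certificate."""
    der = base64.b64decode(PEM_RE.search(pem_cert).group(1))
    _, cert_start, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)  # tbsCertificate ::= SEQUENCE
    fields = list(_fields(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, validity, subject = fields[2][1], fields[3][1], fields[4][1]
    _, vstart, vend = _tlv(validity, 0)
    not_before, not_after = [_parse_time(t) for _, t in _fields(validity, vstart, vend)]
    return issuer, subject, not_before, not_after


def is_self_signed(pem_cert):
    """A root is recognised by issuer == subject; a cross-signed root is not self-signed."""
    issuer, subject, _, _ = cert_info(pem_cert)
    return issuer == subject


def split_bundle(pem_bundle, chain="full"):
    """chain = full | intermediate | none. Assumes the end-entity certificate comes first,
    which is how the bundle is described in the issues above."""
    certs = [m.group(0) + "\n" for m in PEM_RE.finditer(pem_bundle)]
    if not certs:
        raise ValueError("no certificates in bundle")
    leaf, rest = certs[0], certs[1:]
    if chain == "none":
        return leaf
    if chain == "full":
        return "".join(certs)
    if chain == "intermediate":
        return leaf + "".join(c for c in rest if not is_self_signed(c))
    raise ValueError(f"unknown chain option {chain!r}")


def soonest_expiry(pem_bundle):
    """(position, notAfter) of whichever certificate in the bundle expires first, so that
    an expiring intermediate or root is caught and not only the leaf."""
    certs = [m.group(0) for m in PEM_RE.finditer(pem_bundle)]
    return min(((i, cert_info(c)[3]) for i, c in enumerate(certs)), key=lambda x: x[1])


# --- constructed sample data: DER-shaped stand-ins with no real keys or signatures ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):   # Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 commonName, UTF8String }
    return _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))))


def fake_cert(subject_cn, issuer_cn, not_after="261231235959Z"):
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                  # [0] version v3
               + _der(0x02, b"\x01")                             # serialNumber
               + _der(0x30, b"")                                 # signature algorithm (placeholder)
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after.encode()))
               + _name(subject_cn)
               + _der(0x30, b""))                                # subjectPublicKeyInfo (placeholder)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (fake_cert("test.example.com", "Example Intermediate CA", "250301000000Z")
                 + fake_cert("Example Intermediate CA", "Example Root CA", "250201000000Z")  # expires first
                 + fake_cert("Example Root CA", "Example Root CA", "300101000000Z"))

if __name__ == "__main__":
    print(split_bundle(SAMPLE_BUNDLE, "intermediate"))
    print("first expiry in the chain:", soonest_expiry(SAMPLE_BUNDLE))
```

Two caveats for real bundles. A cross-signed root carries the root's name as subject but another CA as issuer, so it is not self-signed and chain=intermediate keeps it; decide explicitly whether that is what the consuming server needs. And this script only slices and dates the chain; it does not verify signatures or names, which is the TLS stack's job, so it is a monitoring aid, not a validator.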

[Feature Request] Change service port at installation.

I'm trying to install Certera on a production server in order to manage our Let's Encrypt certificates, but I'm facing an issue during the installation process:

System.IO.IOException: Failed to bind to address http://[::]:80: address already in use.
---> Microsoft.AspNetCore.Connections.AddressInUseException: Address already in use

Our port 80 is already in use by a web service; for this reason I tried to change the default port 80, without success...

I figured out where to make those changes but I don't know how to compile the code after the modifications.
Is there any way to compile the source code? Something like "configure / make / make install".

Kind regards,
Antoni.

Feature Request: Version Number

Your software was exactly what I needed for managing LE certificates in my homelab. Thanks for sharing!
One thing I found missing was that the version number is only available in a txt file. It would be nice to have it displayed on the settings page or on an about page that shows your software details, contact, etc.

Setup

Hi all. How do I install the system without exposing the server to the internet, using a DNS challenge?

DNS-01 How to with Azure DNS

Hi,

Is it possible to get more information on how to test the DNS-01 challenge in the beta version 2.0.0-beta?
I can help test the feature if you can tell me how to set up the script which is named in the image /opt/dnsc/dnsc.

For example, what output is the script expected to produce for certera to catch the created certificates?

Regards

Certificate revocation

Does deleting a certificate via the UI request a revocation? If not, what should be the procedure?

Setup Certificate step - Invalid

Hello

I'm on the installation phase.
Once I start the certificate installation phase (https://docs.certera.io/#certificate) and click on "Get certificate", I receive the following error:

Starting certificate acquisition for certera.domain.com... 
Initializing ACME client and ensuring account... 
Creating order... 
Requesting ACME validation... 
Completing order... (this can take up to 30 seconds)
Cleaning up... 
Done. Status: Invalid... 



Errors:
Forbidden urn:ietf:params:acme:error:unauthorized Invalid response from http://certera.domain.com/.well-known/acme-challenge/ddkhQNDuC2Bn2aIvOsgfsgdsGQ4Zw65opKuwZDr07w [1.2.3.4]: 502

Then on application logs, I have following logs :

Mar 20 00:23:57 pki-certera certera[16545]: info: Certera.Web.Pages.Setup.IndexModel[0]
Mar 20 00:23:57 pki-certera certera[16545]:       User created a new account with password.
Mar 20 00:24:42 pki-certera certera[16545]: warn: Certera.Web.Program[0]
Mar 20 00:24:42 pki-certera certera[16545]:       Cert requested for , which differs from certera.domain.com. Will only attempt to locate certificate for certera.domain.com.
Mar 20 00:24:42 pki-certera certera[16545]: warn: Certera.Web.Program[0]
Mar 20 00:24:42 pki-certera certera[16545]:       Cert requested for , which differs from certera.domain.com. Will only attempt to locate certificate for certera.domain.com.
Mar 20 00:24:42 pki-certera certera[16545]: warn: Certera.Web.Program[0]
Mar 20 00:24:42 pki-certera certera[16545]:       Cert requested for , which differs from certera.domain.com. Will only attempt to locate certificate for certera.domain.com.
Mar 20 00:24:42 pki-certera certera[16545]: warn: Certera.Web.Program[0]
Mar 20 00:24:42 pki-certera certera[16545]:       Cert requested for , which differs from certera.domain.com. Will only attempt to locate certificate for certera.domain.com.

Any idea ?

Doc DNS-01 challenge

Hello,
We have a custom DNS and we want to use the DNS-01 challenge, but I don't understand the documentation at https://docs.certera.io/#dns-01

In Settings:

  1. The "Set DNS record script": where does it live? On the Certera server, on the server that serves the website that will use the wildcard certificate, or on the DNS server?

  2. Can the location inside the server be anywhere? For example "/var/www/letsencrypt/.well-known/acme-challenge"?

  3. Are the script arguments "--set -d {{Domain}} -n {{Record}} -r TXT -v {{Value}}" okay?

  4. I have the site cloud.example.sh and the certificate will be *.example.sh, so I created the file _acme-challenge.example.sh
    in the path "/var/www/letsencrypt/.well-known/acme-challenge", but it is empty.
    How can I get the ACME token to add to the file, and what content goes inside?

  5. What CNAME record do I have to add to my DNS? How can I get it?

  6. If I want to use Certera with Cloudflare, for example, how can I do that?

Greetings!
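Several of the DNS-01 posts above ask what the "Set DNS record script" receives, where it runs and where its credentials go. The following is an added example hook written for this page, not Certera's own script, and it does not claim to know what output Certera expects back beyond a zero exit on success. It accepts the argument shape quoted from the docs above (--set/--unset -d {{Domain}} -n {{Record}} -r TXT -v {{Value}}), refuses anything that is not the _acme-challenge TXT record for that domain, takes the DNS server and TSIG key from environment variables (DNS_SERVER, DNS_TSIG_NAME and DNS_TSIG_SECRET are assumed names) rather than from the argument list, and hands an RFC 2136 update to nsupdate. Such a script runs on the Certera host, since that is the process that invokes it; the environment-variable exception reported earlier on this page is about how those variables reach the script, so if they are not arriving, test the script by hand with the variables exported in your shell first.

```python
"""DNS-01 hook example for the argument shape in the Certera docs
(--set/--unset -d {{Domain}} -n {{Record}} -r TXT -v {{Value}}). Added for this page;
not Certera's own script. DNS_SERVER, DNS_TSIG_NAME, DNS_TSIG_SECRET are assumed names."""
import argparse
import os
import re
import subprocess
import sys

DIGEST_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")   # base64url SHA-256 of the key authorization
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_args(argv):
    p = argparse.ArgumentParser(description="example DNS-01 hook")
    mode = p.add_mutually_exclusive_group(required=True)
    mode.add_argument("--set", action="store_true")
    mode.add_argument("--unset", action="store_true")
    p.add_argument("-d", "--domain", required=True)
    p.add_argument("-n", "--record", required=True)
    p.add_argument("-r", "--rtype", default="TXT")
    p.add_argument("-v", "--value", required=True)
    return p.parse_args(argv)


def validate(args):
    """Only the _acme-challenge TXT record of the named domain may be touched: a hook that
    writes whatever name it is handed could be driven to overwrite other records."""
    domain = args.domain.lower().rstrip(".")
    if domain.startswith("*."):                   # wildcard: the challenge sits at the base name
        domain = domain[2:]
    record = args.record.lower().rstrip(".")
    if args.rtype.upper() != "TXT":
        raise ValueError(f"only TXT records are handled, got {args.rtype!r}")
    if not HOST_RE.match(domain):
        raise ValueError(f"invalid domain {args.domain!r}")
    if record != f"_acme-challenge.{domain}":
        raise ValueError(f"record {args.record!r} is not _acme-challenge.{domain}")
    if not DIGEST_RE.match(args.value):
        raise ValueError("value is not a DNS-01 digest (43 base64url characters)")
    return record, args.value


def nsupdate_batch(action, record, value, env, ttl=60):
    """Build the nsupdate input. The TSIG secret travels on stdin, never on argv,
    because the argument list of a process is visible to every local user via ps."""
    lines = [f"server {env.get('DNS_SERVER', '127.0.0.1')}"]
    if env.get("DNS_TSIG_NAME") and env.get("DNS_TSIG_SECRET"):
        lines.append(f"key hmac-sha256:{env['DNS_TSIG_NAME']} {env['DNS_TSIG_SECRET']}")
    verb = "add" if action == "set" else "delete"
    ttl_part = f" {ttl}" if verb == "add" else ""  # short TTL so the CA sees the record quickly
    lines.append(f'update {verb} {record}.{ttl_part} IN TXT "{value}"')
    lines.append("send")
    return "\n".join(lines) + "\n"


def build_batch(argv, env):
    """argv and environment in, nsupdate batch text out; ValueError on anything suspicious."""
    args = parse_args(argv)
    record, value = validate(args)
    return nsupdate_batch("set" if args.set else "unset", record, value, env)


if __name__ == "__main__":
    try:
        batch = build_batch(sys.argv[1:], os.environ)
    except ValueError as exc:
        sys.exit(f"refusing request: {exc}")
    # nsupdate comes with the BIND tools; a non-zero exit propagates to the caller.
    subprocess.run(["nsupdate"], input=batch, text=True, check=True)
```

If you delegate _acme-challenge to another zone with a CNAME, as one of the questions above considers, the hook must write to the CNAME target instead, so relax the record check to that name and nothing broader. For a hosted provider such as Cloudflare or Azure DNS, keep validate() as it is and replace nsupdate_batch() with the provider's API call, again reading the API token from the environment.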
