Unable to set up own SSL Certificate

My YunoHost server

Hardware: VPS bought online: Strato - Debian 10
YunoHost version: 4.2.8.3 (stable)
I have access to my server : Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Dear YUNO Host community,

I could really use your help. I’m trying to set up a custom certificate so I followed the steps from the documentation but I can’t seem to get it working. This is my first time working with all this.

My process:

  1. I have made a backup of the self-signed certificate with all files that were originally working on the server. (This turned out to be a very smart move as I had to restore the original to access my instance - thank you instructions)
  2. I have the (entity) certificate, intermediate certificate and root certificate on the server; all in .crt format. I combine these using cat and output as crt.pem → Now I have 1 file with the 3 certificates combined.
  3. I have the private key and convert from jks to pem using openssl as indicated in the instructions and I verify that the output format looks like it’s expected (example in docs).
  4. Both files go in the DOMAIN.TLD folder.
  5. I set the right permissions.
  6. When I try to restart the webserver I get a failed to restart notice.

Since this does not work as expected I decided to inspect the original files and I notice that the entity certificate (first one at the top in the created crt.pem file) is different in my crt.pem compared to the self-signed crt.pem created by yunohost.

  • the crt I get from the service provider looks like the encrypted version of the human-readable format yunohost has for the self-signed certificate, so after a lot of research I discover how to convert the (encrypted) crt to the same x509 -text format.

Now that my crt.pem looks the same as the original I hoped it would have done the trick but unfortunately not.

The webserver is still not restarting (obviously due to an error in the files) and I have done everything I could think of.

I would have used the Let’s Encrypt certificate option the portal offers but my Service Provider does not give the option to set the CA record (I have called them about it) - so that’s not a viable approach either.

Does anyone have any ideas what could be the issue and/or how to better understand what goes wrong? I tried looking at the journalctl to get details from the nginx service but I don’t see much.

Looking forward to some pointers and fixing this last bit of setting up YUNO Host, I really love it already so can’t wait to blaze ahead.

Kind regards, Paul
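An added example of the checks worth running on the combined crt.pem and the key before copying them into the DOMAIN.TLD folder and restarting nginx. This is not YunoHost's own tooling and not code from the thread: it converts a DER-encoded .crt (the one that looks "encrypted" in an editor) to PEM, splits the combined file into the server certificate and the CA chain, confirms the private key matches the first certificate in the bundle, and verifies that the certificate chains up to the root in the same bundle. It assumes the openssl command-line tool is installed; all certificates it tests are throwaway material it generates itself, and the names root/int/leaf and example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not YunoHost's own tooling: check a custom crt.pem / key.pem
# pair before copying it into the DOMAIN.TLD folder and restarting nginx.
# Assumes the openssl command-line tool is installed. Every certificate
# used below is throwaway test material constructed by make_fixture.

# to_pem IN OUT: accept a certificate in PEM or DER and write it as PEM.
# A provider's .crt is often binary DER, which looks "encrypted" in an
# editor and which nginx will not load until it is converted.
to_pem() {
    openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null && return 0
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null
}

# check_chain BUNDLE KEY: BUNDLE is the combined file (server certificate
# first, then intermediate(s), then root); KEY is the unencrypted private
# key. Prints the first failing check and returns 1, otherwise returns 0.
check_chain() {
    work=$(mktemp -d)
    # First certificate block is the leaf; everything after it is the chain.
    awk '/BEGIN CERTIFICATE/{n++} n==1' "$1" > "$work/leaf.pem"
    awk '/BEGIN CERTIFICATE/{n++} n>=2' "$1" > "$work/chain.pem"
    status=1
    if ! openssl x509 -in "$work/leaf.pem" -noout 2>/dev/null; then
        echo "FAIL: first block of the bundle is not a PEM certificate (DER? see to_pem)"
    elif ! openssl pkey -in "$2" -noout 2>/dev/null; then
        echo "FAIL: private key is not a readable, unencrypted PEM key"
    elif [ "$(openssl x509 -in "$work/leaf.pem" -noout -pubkey)" != \
           "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]; then
        # The usual reason nginx refuses to start: the key belongs to a
        # different certificate, or root/intermediate were listed first.
        echo "FAIL: private key does not match the first certificate in the bundle"
    elif ! openssl verify -CAfile "$work/chain.pem" "$work/leaf.pem" >/dev/null 2>&1; then
        echo "FAIL: leaf does not chain to the intermediate/root in the bundle"
    else
        echo "OK: bundle order, key match and chain all check out"
        status=0
    fi
    rm -rf "$work"
    return $status
}

# make_fixture DIR: build a constructed root -> intermediate -> leaf chain
# (EC keys, 2-day validity) plus a DER copy of the leaf and two bundles:
# good.pem in the right order and bad_order.pem with the root listed first.
make_fixture() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > "$d/leaf.ext"
    for name in root int leaf; do
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$d/$name.key" -out "$d/$name.csr" -subj "/CN=test $name" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" -days 2 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.ext" -out "$d/int.pem" -days 2 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -extfile "$d/leaf.ext" -out "$d/leaf.pem" -days 2 2>/dev/null
    openssl x509 -in "$d/leaf.pem" -outform DER -out "$d/leaf.der"
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/good.pem"
    cat "$d/root.pem" "$d/int.pem" "$d/leaf.pem" > "$d/bad_order.pem"
}

# Demo on the constructed material; for real use call
# check_chain /path/to/crt.pem /path/to/key.pem instead.
DEMO=$(mktemp -d)
make_fixture "$DEMO"
to_pem "$DEMO/leaf.der" "$DEMO/leaf_from_der.pem" && echo "converted DER leaf to PEM"
check_chain "$DEMO/good.pem" "$DEMO/leaf.key"
check_chain "$DEMO/bad_order.pem" "$DEMO/leaf.key" || true   # expected to fail
check_chain "$DEMO/good.pem" "$DEMO/int.key" || true         # expected to fail
rm -rf "$DEMO"
```

When every check passes but nginx still refuses to start, `nginx -t` reports the exact file and reason it rejects, which is more specific than the generic "failed to restart" notice.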

This is a usual confusion, but there is absolutely no need to define a CAA record to obtain a Let’s Encrypt certificate … CAA records are only meant as an extra security measure to prevent other certification authorities from emitting a certificate for your server. So this protects you from negligence / abuses from other CAs.

To obtain a Let’s Encrypt certificate, you only need to have proper DNS A (or AAAA) records, and an exposed port 80.

Hi Aleks, Thank you for the quick reply.
I’m trying that now with a subdomain

  • I got a valid certificate through YUNO Host
  • From what I can tell port 80 is open:
admin@h2949833:~$ sudo lsof -i:80 | grep LISTEN
nginx    2064     root   14u  IPv4 1896725099      0t0  TCP *:http (LISTEN)
nginx    2064     root   15u  IPv6 1896725100      0t0  TCP *:http (LISTEN)
nginx   16663 www-data   14u  IPv4 1896725099      0t0  TCP *:http (LISTEN)
nginx   16663 www-data   15u  IPv6 1896725100      0t0  TCP *:http (LISTEN)

The browser is not recognising the change yet but maybe I have to wait a couple of hours for the DNS Registry to update?

I’ll wait till the end of the day and let you know.

edit: If you want to have a look at the property I’m trying to figure this out for see: https://oudersvan.vrijeschoolthula.amsterdam

Wonderful! Thank you for your help, it works now.

Kind regards,
Paul

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.