英文:
let's encrypt > certbot > openssl certificate (2048 bit key issue)
问题
我尝试生成一个通配符PFX证书,用于我的域example.com,使用Let's Encrypt,然后使用certbot,最后使用OpenSSL将.pem转换为pfx。
问题在于最终的PFX文件似乎不符合浏览器安全要求,而且密钥长度没有至少2048位,但这真的很奇怪,因为Certbot默认情况下使用2048位的RSA密钥(已经尝试强制为4096位,但结果相同)。
我按照以下步骤进行操作:
-
从Certbot(通过Anaconda Python安装)运行以下命令:
call C:\ProgramData\Anaconda3\Scripts\activate.bat
certbot certonly --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com
-
然后,从OpenSSL运行以下命令:
openssl pkcs12 -export -out "C:\Users\administrator.EXAMPLE\Desktop\certificati\EXAMPLE.com.pfx" -inkey "C:\Certbot\live\EXAMPLE.com\privkey.pem" -in "C:\Certbot\live\EXAMPLE.com\fullchain.pem" -password pass:TEST2023!
当我尝试导入证书时,从Sangfor VDI界面出现警告,并且如果我尝试从Chrome等浏览器访问完全限定域名(FQDN),由于SSL不匹配,域名无法加载。
英文:
I'm trying to generate a wildcard PFX certificate for my domain example.com with Let's Entrypt, then using certbot and finally converting .pem to pfx using OpenSSL.
The problem is that it seems the final PFX file doesn't meet security browser requiements and the key doesn't have at least 2048 characters, but this is really strange as Certbot by default works at 2048 bits for RSA keys (already tried forcing to 4096 but I get the same result).
This is the procedure I followed:
-
from Certbot (installed via Anaconda Python) I ran
call C:\ProgramData\Anaconda3\Scripts\activate.bat
certbot certonly --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com
-
After, from OpenSSL I ran
openssl pkcs12 -export -out "C:\Users\administrator.EXAMPLE\Desktop\certificati\EXAMPLE.com.pfx" -inkey "C:\Certbot\live\EXAMPLE.com\privkey.pem" -in "C:\Certbot\live\EXAMPLE.com\fullchain.pem" -password pass:TEST2023!
From Sangfor VDI interface an alert appears when I try to import the certificate and if I test to access the FQDN from Chrome for example, the domain cannot be loaded due to SSL mismatch.
答案1
得分: 5
certbot certonly --rsa-key-size 2048 --key-type rsa --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com
英文:
certbot certonly --rsa-key-size 2048 --key-type rsa --dns-cloudflare --dns-cloudflare-credentials "C:\Users\administrator.EXAMPLE\Desktop\certificati\cloudflare.ini" --dns-cloudflare-propagation-seconds 30 -d *.example.com --email example@example.com
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论