Suddenly I get an error importing Letsencrypt certificate


Cristiano Guadagnino

Feb 20, 2025, 5:55:44 PM
to pwm-general
Hi everybody,
I've always been using Letsencrypt certificates with PWM 2.06.
I do not remember where I found the instructions to do it, but here is the small "manual" I wrote to do the job every three months:

----------------------------------
Update PWM certificate:

sudo certbot certonly --manual -d my_domain_here --agree-tos --rsa-key-size 4096 --preferred-challenges dns-01

then copy the generated certificates and create a PKCS12 this way:

openssl pkcs12 -export -out lencr.p12 -in fullchain?.pem -inkey privkey?.pem

then install the resulting PKCS12 certificate through the PWM web-ui:

Settings ⇨ HTTPS Server ⇨ HTTPS Private Key & Certificate
----------------------------------

This is what I've been doing in the past and it always worked.
Now, when I try to import the generated PKCS12 certificate I get an error when I click on "Save":
Configuration format error: error saving file: unexpected error converting b64 privateKey to PrivateKey instance: java.security.InvalidKeyException: Invalid RSA private key

I tried several times, changing some parameter here and there, but I always get this error or other errors.
Maybe something has changed in openssl? Or in Letsencrypt?
I don't know what to do, I still have a few days before the certificate expires but I'm out of ideas...

Thank you in advance for any help
Cris

Jason Rivard

Feb 22, 2025, 3:54:16 AM
to pwm-general
1) Check to see if your PWM instance is running an older Java version. Newer Java builds have support for more modern crypto standards.
2) Try with the latest PWM release; it contains newer dependencies including some of the certificate management libraries.
3) It's possible the logs may contain more helpful info.

PWM itself doesn't really do any checking or introspection of the certificate other than passing it on to the JDK/libraries.

Cristiano Guadagnino

Feb 26, 2025, 4:14:57 AM
to pwm-general
Thank you Jason for the suggestions.
I'll try them as soon as I have some free time (and before my certificate expires!) and I will get back to you.

Cristiano Guadagnino

Feb 28, 2025, 12:19:14 PM
to pwm-general
Hi Jason and everyone,
my problem is solved.
It was due to a wrong certificate generation with certbot (Let's Encrypt): inexplicably, even if I had entered the --rsa-key-size 4096 option, the generated private key was in EC format instead of RSA, hence the error while trying to import the key.
After generating a new certificate with the correct format, the import was successful.

Thank you for your support and sorry for the noise.
Cris
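
A pre-flight check for the failure described above, as an added example that is not part of the original thread: it reads the private key's algorithm with openssl and refuses to build the PKCS#12 unless the key is RSA and matches the certificate. The function names and the return codes 2 and 3 are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check before building the PKCS#12 for PWM.
# certbot writes privkey.pem as PKCS#8 ("BEGIN PRIVATE KEY"), so the PEM
# header does not say whether the key is RSA or EC; read the algorithm OID.

# Print the public-key algorithm of the unencrypted PEM private key in $1,
# e.g. "rsaEncryption" or "id-ecPublicKey"; "unknown" if it cannot be parsed.
key_alg() {
    openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null |
        openssl asn1parse 2>/dev/null |
        awk -F: '/OBJECT/ { print $NF; found = 1; exit }
                 END { if (!found) print "unknown" }'
}

# Succeed only if the private key in $1 belongs to the leaf certificate,
# i.e. the first certificate in the chain file $2.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# Build the PKCS#12 only for an RSA key that matches the certificate.
# $1 = private key, $2 = full chain, $3 = output .p12,
# $4 = export password source in openssl's format (env:VAR, file:PATH, ...)
make_rsa_p12() {
    alg=$(key_alg "$1")
    if [ "$alg" != rsaEncryption ]; then
        echo "refusing: key algorithm is $alg, expected rsaEncryption" >&2
        return 2
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "refusing: private key does not match certificate" >&2
        return 3
    fi
    openssl pkcs12 -export -out "$3" -in "$2" -inkey "$1" -passout "$4"
}
```

certbot's `--key-type rsa` option requests an RSA key explicitly; `--rsa-key-size` only sets the size of an RSA key.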

Jason Rivard

Feb 28, 2025, 7:11:45 PM
to pwm-general
Glad it's working and thanks for reporting the resolution!