ZoeyVid / NPMplus

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://hub.docker.com/r/zoeyvid/npmplus
MIT License

Wrong '.der' file-check after creating Certificates via RFC 2136 and Inhouse FreeIPA #1163

Closed deepwather closed 1 month ago

deepwather commented 1 month ago

Hi ZoeyVid

I tried to implement the FreeIPA ACME over your custom ACME solution. This sadly did not work, because it seems that FreeIPA needs additional hooks to work correctly and issue certificates with NPMplus.

So I tried the DNS challenge with the RFC 2136 provider. This is not the best option, because every time I need to manually select this provider again and fill out all needed config values.

But... it seems to work - nearly :)

In the log output below, you see that it correctly gets certificates with the following command:

The certificates are valid and correctly stored, but the config check then fails, see:

The cause seems to be in the file "_certificates.conf" on line 7: ssl_stapling_file /data/tls/certbot/live/npm-{{ certificate_id }}.der;

Full Log:

nginx: [emerg] BIO_new_file("/data/tls/certbot/live/npm-3.der") failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/data/tls/certbot/live/npm-3.der, rb) error:10000080:BIO routines::no such file)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[Nginx    ] › ℹ  info      Reloading Nginx
[SSL      ] › ℹ  info      Revoking Certbot certificates for Cert #3: proxyint.swissmakers.corp
[SSL      ] › ℹ  info      Deleted all files relating to certificate npm-3.
Congratulations! You have successfully revoked the certificate that was located at /data/tls/certbot/live/npm-3/fullchain.pem.

[SSL      ] › ℹ  info      Credentials file deleted successfully
[Nginx    ] › ℹ  info      Reloading Nginx
[Nginx    ] › ℹ  info      Reloading Nginx
[Certbot  ] › ▶  start     Installing rfc2136...
[Certbot  ] › ☒  complete  Installed rfc2136
[SSL      ] › ℹ  info      Requesting Certbot certificates via RFC 2136 for Cert #4: proxyint.swissmakers.corp
[SSL      ] › ℹ  info      Command: certbot --logs-dir /tmp/certbot-log --work-dir /tmp/certbot-work --config-dir /data/tls/certbot certonly --config "/data/tls/certbot/config.ini" --cert-name "npm-4" --domains "proxyint.michu-it.corp" --authenticator dns-rfc2136 --dns-rfc2136-credentials "/data/tls/certbot/credentials/credentials-4" --email "michu@michu-it.com"
[SSL      ] › ℹ  info      Requesting a certificate for proxyint.michu-it.corp
Waiting 60 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /data/tls/certbot/live/npm-4/fullchain.pem
Key is saved at:         /data/tls/certbot/live/npm-4/privkey.pem
This certificate expires on 2025-01-11.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

nginx: [emerg] BIO_new_file("/data/tls/certbot/live/npm-4.der") failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/data/tls/certbot/live/npm-4.der, rb) error:10000080:BIO routines::no such file)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[Nginx    ] › ℹ  info      Reloading Nginx
2024/10/13 19:02:00 [warn] 574#574: deleting socket /run/nginx-1.sock
[SSL      ] › ⬤  debug     /data/tls/certbot/archive/npm-4/cert1.pem added to certificate zip
[SSL      ] › ⬤  debug     /data/tls/certbot/archive/npm-4/chain1.pem added to certificate zip
[SSL      ] › ⬤  debug     /data/tls/certbot/archive/npm-4/fullchain1.pem added to certificate zip
[SSL      ] › ⬤  debug     /data/tls/certbot/archive/npm-4/privkey1.pem added to certificate zip
[SSL      ] › ⬤  debug     zip completed :  /tmp/npm-4-1728838938244.zip
[Nginx    ] › ℹ  info      Reloading Nginx
nginx: [emerg] BIO_new_file("/data/tls/certbot/live/npm-4.der") failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/data/tls/certbot/live/npm-4.der, rb) error:10000080:BIO routines::no such file)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[Nginx    ] › ℹ  info      Reloading Nginx

Cheers from Switzerland
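As an added example (not NPMplus's own template code), a POSIX shell check for the cause described above: it verifies the files the nginx template expects for a certificate id and emits ssl_stapling_file only when the .der OCSP staple is actually present, so a missing staple disables stapling instead of making nginx -t fail. The paths follow the log above; the temporary directory fixture and the npm-5 entry are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not NPMplus project code: verify the files the nginx
# template expects for a certbot certificate id before "nginx -t" runs,
# and emit ssl_stapling_file only when the OCSP staple (.der) exists.
# Paths follow the issue's log; the directory fixture below is constructed.

# Return 0 when fullchain.pem and privkey.pem exist for the given cert id.
# Usage: cert_files_present <certbot_live_dir> <cert_id>
cert_files_present() {
    [ -r "$1/npm-$2/fullchain.pem" ] && [ -r "$1/npm-$2/privkey.pem" ]
}

# Print the TLS directives for one certificate. The stapling directive is
# emitted only when a non-empty .der staple exists, so a missing staple
# degrades to "no stapling" instead of breaking the whole nginx config.
render_tls_block() {
    live_dir=$1
    cert_id=$2
    cert_files_present "$live_dir" "$cert_id" || return 1
    printf 'ssl_certificate %s/npm-%s/fullchain.pem;\n' "$live_dir" "$cert_id"
    printf 'ssl_certificate_key %s/npm-%s/privkey.pem;\n' "$live_dir" "$cert_id"
    if [ -s "$live_dir/npm-$cert_id.der" ]; then
        printf 'ssl_stapling on;\n'
        printf 'ssl_stapling_file %s/npm-%s.der;\n' "$live_dir" "$cert_id"
    else
        printf '# OCSP staple npm-%s.der missing, stapling disabled\n' "$cert_id"
    fi
}

# Constructed fixture reproducing the state from the log: npm-4 has its PEM
# files but no npm-4.der; npm-5 (hypothetical) also has a staple file.
FIXTURE=$(mktemp -d)
mkdir -p "$FIXTURE/npm-4" "$FIXTURE/npm-5"
: > "$FIXTURE/npm-4/fullchain.pem"
: > "$FIXTURE/npm-4/privkey.pem"
: > "$FIXTURE/npm-5/fullchain.pem"
: > "$FIXTURE/npm-5/privkey.pem"
printf 'constructed-ocsp-response' > "$FIXTURE/npm-5.der"

render_tls_block "$FIXTURE" 4   # three lines, stapling disabled
render_tls_block "$FIXTURE" 5   # four lines, stapling enabled
```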

Zoey2936 commented 1 month ago

Can you please run ls /opt/npm/tls/certbot/live on the host system?