j81blog / GenLeCertForNS

This script helps you to create a Let's Encrypt certificate for your NetScaler
GNU General Public License v3.0

linking certs in the chain after run required #17

Closed zerwes closed 6 months ago

zerwes commented 7 months ago

Hello. We are using this with "ValidationMethod": "http" for 2 certificates. The renewal works fine and as expected, but after each renewal we have to link the new certs using

link ssl certKey $CertKeyNameToUpdate "Let’s Encrypt R3"

Are we missing something in our config, or is there a post-run hook we can configure? Thank you for the great script and your support.

zerwes commented 7 months ago

while performing a force run, I get

Certificates
 -Status....................: ***********
WARNING: Could not link the certificate "lorem.abc.xyz"
         to Intermediate "Let’s Encrypt R3"

errors found in the log file:

2024-01-12 05:52:20:6226    INFO    [ADC-CERTUPLOAD]    Certificate updated successfully.
2024-01-12 05:52:20:6226    INFO    [ADC-REMOVEPREVIOUS]    -RemovePrevious parameter was NOT specified, not removing previous files.
2024-01-12 05:52:20:6226    INFO    [ADC-CERTUPLOAD]    Link "lorem.abc.xyz" to "Let’s Encrypt R3"
2024-01-12 05:52:20:6226    DEBUG   [INVOKE-ADCRESTAPI] URI: "https://cns..../nitro/v1/config/sslcertkey?action=link", METHOD: "POST"
2024-01-12 05:52:20:6226    DEBUG   [INVOKE-ADCRESTAPI] JSON Payload: "{\"sslcertkey\":{\"linkcertkeyname\":\"Let’s Encrypt R3\",\"certkey\":\"lorem.abc.xyz\"},\"params\":{\"onerror\":\"EXIT\",\"warning\":\"NO\"}}"
2024-01-12 05:52:20:6383    ERROR   [INVOKE-ADCRESTAPI] Caught an error. Exception Message: The remote server returned an error: (599) Netscaler specific error.
2024-01-12 05:52:20:6383    ERROR   [ADC-CERTUPLOAD]    Could not link the certificate "lorem.abc.xyz" to Intermediate "Let’s Encrypt R3".
Full Error Details    :
======================: Exception
PSMessageDetails      : 
Exception             : System.Net.WebException: The remote server returned an error: (599) Netscaler specific error.
                           at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
                           at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
TargetObject          : System.Net.HttpWebRequest
CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
ErrorDetails          : { "errorcode": 1540, "message": "Certificate does not exist", "severity": "ERROR" }

But linking via the NetScaler CLI works as expected:

nsroot@cns01-Primary > link ssl certKey lorem.abc.xyz "Let’s Encrypt R3"
 Done

NS version: NetScaler NS13.1: Build 49.15

j81blog commented 7 months ago

Hi, can you email me the full (debug) log with everything? You can replace all sensitive data.

zerwes commented 7 months ago

Hello @j81blog and thank you for your reply

Here is the full debug log: lec.log

I double-checked that the user used for the API call is able to run link ssl certKey nowa.my.tld "Let’s Encrypt R3" without error, so I am really confused about the

ErrorDetails          : { "errorcode": 1540, "message": "Certificate does not exist", "severity": "ERROR" }

zerwes commented 7 months ago

Hello @j81blog, is there anything I can provide or test here? Did the included log reveal any hint that can help resolve the issue? Thank you for your effort.

j81blog commented 7 months ago

Maybe it's the name of the cert? In my setup, the name of the intermediate is just "R3" not "Let's Encrypt R3". Can you unlink the intermediate from all certificates and remove the intermediate?

Next just run the script. The script will add the intermediate as it cannot find it. Can you also provide me with the debug log?

zerwes commented 7 months ago

Hello @j81blog, this is exactly the procedure I had considered on my own as an alternative. Thank you for confirming that this is a viable path. During the next maintenance window I will try this out and keep you updated. Thanks for your efforts.

j81blog commented 7 months ago

It's a strange issue. Maybe it's the " ' " in the name?

j81blog commented 6 months ago

I may have found something; it looks like it was indeed something with the " ' " in "Let’s Encrypt R3". Probably this will work now. I have not had a chance to test it yet. The latest dev version has some improvements for this. But if you already changed the name, I think that will work as well.
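
To make the apostrophe hypothesis from the two comments above checkable before the next run, here is an added Python example. It is not part of GenLeCertForNS and not code posted in this thread. It takes a constructed listing of the kind the NITRO endpoint GET /nitro/v1/config/sslcertkey returns, looks up the configured intermediate name exactly and then by apostrophe-insensitive comparison, rebuilds the link payload shown in the debug log as UTF-8 bytes, and shows what the name would turn into if an HTTP client sent the body as Latin-1 instead of UTF-8. That last step is a hypothetical; the thread never establishes which bytes the ADC actually received. All certkey names and file paths in the sample response are constructed.

```python
"""Offline check for a NITRO 'link ssl certKey' name mismatch caused by apostrophe variants.

Added example; not part of GenLeCertForNS. The response below is constructed to look
like GET /nitro/v1/config/sslcertkey output, with the intermediate stored under an
ASCII apostrophe (U+0027) while the caller is configured with the curly one (U+2019).
"""
import json
import unicodedata

# Constructed sample listing (only the "certkey" names matter for this check).
SAMPLE_SSLCERTKEY_RESPONSE = {
    "errorcode": 0,
    "message": "Done",
    "sslcertkey": [
        {"certkey": "lorem.abc.xyz", "cert": "/nsconfig/ssl/lorem.abc.xyz.crt"},
        {"certkey": "Let's Encrypt R3", "cert": "/nsconfig/ssl/R3.crt"},  # ASCII ' (U+0027)
        {"certkey": "ISRG Root X1", "cert": "/nsconfig/ssl/ISRG-Root-X1.crt"},
    ],
}

# Characters that render like an apostrophe but are not U+0027.
APOSTROPHE_VARIANTS = {"\u2018", "\u2019", "\u02bc", "\u00b4", "\u0060"}


def normalize_name(name: str) -> str:
    """Fold apostrophe look-alikes to ASCII and apply NFKC, for comparison only."""
    folded = "".join("'" if ch in APOSTROPHE_VARIANTS else ch for ch in name)
    return unicodedata.normalize("NFKC", folded)


def find_certkey(response: dict, wanted: str):
    """Return (exact_name_or_None, near_misses).

    exact_name_or_None is the certkey name if it exists code-point-for-code-point
    on the ADC; near_misses lists names that differ only by apostrophe/Unicode
    form, which is one thing an errorcode 1540 "Certificate does not exist" reply
    could be hiding.
    """
    names = [entry["certkey"] for entry in response.get("sslcertkey", [])]
    if wanted in names:
        return wanted, []
    wanted_norm = normalize_name(wanted)
    return None, [n for n in names if normalize_name(n) == wanted_norm]


def non_ascii_chars(name: str):
    """List every non-ASCII code point in a name with its Unicode name."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in name if ord(ch) > 127]


def build_link_payload(certkey: str, linkcertkeyname: str) -> bytes:
    """Build the JSON body the script logs for POST .../sslcertkey?action=link, as UTF-8 bytes."""
    body = {
        "sslcertkey": {"linkcertkeyname": linkcertkeyname, "certkey": certkey},
        "params": {"onerror": "EXIT", "warning": "NO"},
    }
    return json.dumps(body, ensure_ascii=False).encode("utf-8")


def as_latin1(name: str) -> str:
    """Hypothetical: the name as seen if a client encodes the body as Latin-1 (ISO-8859-1)
    instead of UTF-8. U+2019 has no Latin-1 code point, so it is replaced."""
    return name.encode("latin-1", "replace").decode("latin-1")


if __name__ == "__main__":
    configured = "Let\u2019s Encrypt R3"  # the name as it appears in the thread's log lines
    print("non-ASCII in configured name:", non_ascii_chars(configured))
    exact, near = find_certkey(SAMPLE_SSLCERTKEY_RESPONSE, configured)
    print("exact match on ADC:", exact, "| near misses:", near)
    print("link payload bytes:", build_link_payload("lorem.abc.xyz", configured))
    print("same name if sent as Latin-1:", as_latin1(configured))
```

Run it as-is to see the near-miss report; to use it against a real ADC, replace SAMPLE_SSLCERTKEY_RESPONSE with the parsed JSON of a GET to /nitro/v1/config/sslcertkey made with the same credentials the script uses, then compare the reported near-miss name with whatever `show ssl certKey` prints on the CLI.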

zerwes commented 6 months ago

Hello @j81blog, sorry for the delay.

Well ... I unlinked the existing certs from the intermediate cert and removed the R3 and the "ISRG Root X1" cert, then I started a renewal of the certificates.

The certs were renewed correctly, but the intermediate and root cert were not uploaded and linked!

DEBUG   [ADC-CERTUPLOAD]        Checking if IntermediateCA "R3" already exists.
INFO    [ADC-CERTUPLOAD]        Uploading "R3-2025.crt" to the ADC.
DEBUG   [INVOKE-ADCRESTAPI]     URI: "https://.../nitro/v1/config/systemfile", METHOD: "POST"
ERROR   [INVOKE-ADCRESTAPI]     Caught an error. Exception Message: The remote server returned an error: (409) Conflict.
WARN    [ADC-CERTUPLOAD]        Could not upload or get the Intermediate CA (R3), manual action may be required.
...
ERROR   [ADC-CERTUPLOAD]        Could not link the certificate "lore.ipsum.nonsense" to Intermediate "R3".

So I uploaded the "R3" and "ISRG Root X1" certs manually and linked them. I paid attention to naming the certs correctly.

Then I issued a new cert on a newly created VS ... and voilà, this time the automatic linking worked!

Well, for whatever reason the linking and the upload originally failed, it seems we have a working state for now. I will keep an eye on the certs the next time the automatic renewal happens, but I assume it should work like it did with the new cert. If not, I will try the latest from dev and reopen the issue.

Thanks for your support and the great script. Greetings.

zerwes commented 4 months ago

Just for the record: automatic renewal worked as expected. Thank you for your support.