Closed zerwes closed 6 months ago
while performing a force run, I get
Certificates
-Status....................: ***********
WARNUNG: Could not link the certificate "lorem.abc.xyz" to Intermediate "Let’s Encrypt R3"
errors found in the log file:
2024-01-12 05:52:20:6226 INFO [ADC-CERTUPLOAD] Certificate updated successfully.
2024-01-12 05:52:20:6226 INFO [ADC-REMOVEPREVIOUS] -RemovePrevious parameter was NOT specified, not removing previous files.
2024-01-12 05:52:20:6226 INFO [ADC-CERTUPLOAD] Link "lorem.abc.xyz" to "Let’s Encrypt R3"
2024-01-12 05:52:20:6226 DEBUG [INVOKE-ADCRESTAPI] URI: "https://cns..../nitro/v1/config/sslcertkey?action=link", METHOD: "POST"
2024-01-12 05:52:20:6226 DEBUG [INVOKE-ADCRESTAPI] JSON Payload: "{\"sslcertkey\":{\"linkcertkeyname\":\"Let’s Encrypt R3\",\"certkey\":\"lorem.abc.xyz\"},\"params\":{\"onerror\":\"EXIT\",\"warning\":\"NO\"}}"
2024-01-12 05:52:20:6383 ERROR [INVOKE-ADCRESTAPI] Caught an error. Exception Message: Der Remoteserver hat einen Fehler zurückgegeben: (599) Netscaler specific error.
2024-01-12 05:52:20:6383 ERROR [ADC-CERTUPLOAD] Could not link the certificate "lorem.abc.xyz" to Intermediate "Let’s Encrypt R3".
Full Error Details :
======================: Exception
PSMessageDetails :
Exception : System.Net.WebException: Der Remoteserver hat einen Fehler zurückgegeben: (599) Netscaler specific error.
bei Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
bei Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
TargetObject : System.Net.HttpWebRequest
CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
ErrorDetails : { "errorcode": 1540, "message": "Certificate does not exist", "severity": "ERROR" }
but linking via the netscaler cli works as expected
nsroot@cns01-Primary > link ssl certKey lorem.abc.xyz "Let’s Encrypt R3"
Done
NS version: NetScaler NS13.1: Build 49.15
Hi, can you email me the full (debug) log with everything? You can replace all sensitive data.
Hello @j81blog and thank you for your reply
here is the full debug log lec.log
I double checked that the user used for the api call is able to run
link ssl certKey nowa.my.tld "Let’s Encrypt R3"
without error, so I am really confused about the
ErrorDetails : { "errorcode": 1540, "message": "Certificate does not exist", "severity": "ERROR" }
Hello @j81blog Is there anything I can provide or test here? Did the included log reveal any hint that can help resolving the issue? Thank you for your effort
Maybe it's the name of the cert? In my setup, the name of the intermediate is just "R3" not "Let's Encrypt R3". Can you unlink the intermediate from all certificates and remove the intermediate?
Next just run the script. The script will add the intermediate as it cannot find it. Can you also provide me with the debug log?
Hello @j81blog This is exactly the procedure I had considered on my own as an alternative. Thank you for confirming that this is a viable path. During the next maintenance window I will try this out and keep you updated. Thanks for your efforts.
It's a strange issue, maybe it's the " ' " in the name?
I maybe have found something, looks like it was indeed something with " ' " in "Let’s Encrypt R3". Probably this will work now. Have not had a chance to test it yet. The latest dev version has some improvements for this. But if you already changed the name, think that will work as well.
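The character in the logged name is the typographic apostrophe U+2019, not the ASCII `'`. The sketch below is an added example, not part of the thread or of the script's code: it lists non-ASCII characters in a certkey name and shows the bytes the name becomes under UTF-8 and under ISO-8859-1. The function names are hypothetical, the hostname in the commented call is a placeholder, and the thread does not confirm that body encoding was the root cause.

```powershell
# Added example. Function names are hypothetical; the sample names come from the log above.

function Get-NonAsciiChar {
    param([Parameter(Mandatory)][string]$Name)
    # Report every character outside 7-bit ASCII with its position and code point.
    for ($i = 0; $i -lt $Name.Length; $i++) {
        $code = [int]$Name[$i]
        if ($code -gt 0x7F) {
            [pscustomobject]@{
                Index     = $i
                Char      = $Name[$i]
                CodePoint = 'U+{0:X4}' -f $code
            }
        }
    }
}

function Get-WireBytes {
    param(
        [Parameter(Mandatory)][string]$Text,
        [Parameter(Mandatory)][string]$EncodingName
    )
    # Hex dump of the bytes the text turns into under the given encoding.
    $bytes = [System.Text.Encoding]::GetEncoding($EncodingName).GetBytes($Text)
    ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
}

# Intermediate name as logged, built from the code point so this file stays ASCII.
$intermediate = "Let$([char]0x2019)s Encrypt R3"

Get-NonAsciiChar -Name $intermediate | Format-Table -AutoSize

"utf-8      : $(Get-WireBytes -Text $intermediate -EncodingName 'utf-8')"
"iso-8859-1 : $(Get-WireBytes -Text $intermediate -EncodingName 'iso-8859-1')"

# Same payload shape as in the debug log, sent as explicit UTF-8 bytes so the
# name on the wire does not depend on the HTTP client's default body encoding.
$payload = @{
    sslcertkey = @{ certkey = 'lorem.abc.xyz'; linkcertkeyname = $intermediate }
} | ConvertTo-Json -Compress
$body = [System.Text.Encoding]::UTF8.GetBytes($payload)

# Placeholder host; left commented out so the example runs offline.
# Invoke-RestMethod -Uri 'https://adc.example/nitro/v1/config/sslcertkey?action=link' `
#     -Method Post -Body $body -ContentType 'application/json; charset=utf-8'
```

Under ISO-8859-1 the apostrophe comes out as the single byte `3F` (a question mark), while UTF-8 yields `E2 80 99`; a name altered this way no longer matches the object stored on the appliance.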
Hello @j81blog sorry for the delay
well ... I unlinked the existing certs from the intermediate cert and removed the R3 and the "ISRG Root X1" cert, then I started a renew of the certificates.
the certs were renewed correctly, but the intermediate and root cert were not uploaded and linked!
DEBUG [ADC-CERTUPLOAD] Checking if IntermediateCA "R3" already exists.
INFO [ADC-CERTUPLOAD] Uploading "R3-2025.crt" to the ADC.
DEBUG [INVOKE-ADCRESTAPI] URI: "https://.../nitro/v1/config/systemfile", METHOD: "POST"
ERROR [INVOKE-ADCRESTAPI] Caught an error. Exception Message: Der Remoteserver hat einen Fehler zurückgegeben: (409) Konflikt.
WARN [ADC-CERTUPLOAD] Could not upload or get the Intermediate CA (R3), manual action may be required.
...
ERROR [ADC-CERTUPLOAD] Could not link the certificate "lore.ipsum.nonsense" to Intermediate "R3".
So I uploaded the "R3" and "ISRG Root X1" manually and linked them. I paid attention to name the certs correctly.
Then I issued a new cert on a newly created VS ... And voila, this time the automatic linking worked!
Well, for whatever reason the linking and the upload originally failed, it seems we have a working state for now.
I will keep an eye on the certs the next time the automatic renewal happens, but I assume it should work like with the new cert.
If not, I will try the latest from dev and reopen the issue.
Thanks for your support and the great script. Greetings
just for the record: automatic renewal worked as expected thank you for your support
Hello. We are using this with
"ValidationMethod": "http"
for 2 certificates. The renewal works fine and as expected, but after each renewal we have to link the new certs using
Are we missing something in our config or is there a post run hook we can configure? Thank you for the great script and your support