1

So what we have is an invalid let's encrypt certificate, when we try to renew it, public key changes. Is there a way to preserve the old public key? Our clients have it implemented for SSL pinning purposes.

certbot certificates shows:

Certificate Name: domain.com-0001 Domains: domain.com api.domain.com beta-api.domain.com beta.domain.com demo.domain.com Expiry Date: 2018-04-16 11:58:34+00:00 (INVALID: EXPIRED, REVOKED) Certificate Path: /etc/letsencrypt/live/domain.com-0001/fullchain.pem Private Key Path: /etc/letsencrypt/live/domain.com-0001/privkey.pem

Renewal actually works, but it generates a new SHA256. Is it possible to preserve the old one? Please help, thanks!

marc_s
  • 153
  • 6

1 Answers1

3

Actually, it's possible, and the solution is following:

Navigate to the new folder and run:

sudo certbot certonly --csr /etc/letsencrypt/csr/crs-filename.pem

This command will generate new, valid letsencrypt certificate inside that folder.

Then you have to create fullchain manually by running:

sudo cat filename-cert.pem filename-chain.pem > filename-fullchain.pem

The last step is pointing to that file inside Nginx config (in my case this is Nginx):

sudo nano /etc/nginx/sites-enabled/domain.com.conf

Throw in following lines:

listen 443 ssl; ssl_certificate /home/username/letsencrypt/filename_fullchain.pem; ssl_certificate_key /etc/letsencrypt/archive/domain.com/privkey.pem include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

Restart Nginx by running:

sudo service nginx restart

This will point web server to a new certificate (full chain) while using the old private key.

An original discussion and solution were posted here.

marc_s
  • 153
  • 6