[Eisfair] Problem mit eigenem (LE oder ZeroSSL) Zertifikat
Marcus Röckrath
marcus.roeckrath at gmx.de
Mi Jun 17 12:47:56 CEST 2026
Hallo Jürgen,
Marcus Röckrath wrote:
> Wenn ein Zertifikat über cert-request-cert installiert wird, werden aber
> doch die enthaltenen Zertifikate korrekt aufgeteilt, oder?
Das CrossSigning führt allerdings zu einer Fehlermeldung:
# /var/install/bin/certs-request-cert --simulate http download.eisfair.org
requesting http certificate from server 'download.eisfair.org' ...
certificate file 'download.eisfair.org.pem' ...
valid until: 03.09.2026
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
06:90:5e:db:80:05:ce:ec:72:f5:a1:f4:71:c7:62:c3:1c:4c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=YR1
Validity
Not Before: Jun 4 22:02:55 2026 GMT
Not After : Sep 2 22:02:54 2026 GMT
Subject: CN=download.eisfair.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:e3:82:d4:c7:1d:38:08:84:c8:2f:4c:10:ea:9c:
.......
ff:ff:cf
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
B9:F8:60:84:A0:A5:FC:8D:EE:94:45:F5:7D:CA:A6:70:C7:4B:A9:BD
X509v3 Authority Key Identifier:
1F:2F:35:BE:46:14:82:CD:40:B1:AE:79:2C:55:78:FA:F7:D4:68:FB
Authority Information Access:
CA Issuers - URI:http://yr1.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:download.eisfair.org
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://yr1.c.lencr.org/77.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID :
D7:6D:7D:10:D1:A7:F5:77:C2:C7:E9:5F:D7:00:BF:F9:
82:C9:33:5A:65:E1:D0:B3:01:73:17:C0:C8:C5:69:77
Timestamp : Jun 4 23:01:26.030 2026 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:BE:7F:0D:02:19:43:A4:67:EA:93:7E:
FC:42:AF:35:DC:92:81:3E:7E:52:6A:04:FB:14:9E:9A:
F2:1D:35:0F:84:02:21:00:A1:EA:5A:FC:AA:8B:16:BC:
E2:13:84:35:9A:B9:44:D1:78:2A:DB:DB:FB:1B:9A:38:
93:FE:D4:8D:1D:77:F6:9E
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID :
26:E3:64:6E:58:69:21:23:BC:34:3F:47:24:35:9B:37:
92:CD:24:5A:88:D8:15:D3:93:33:FD:99:18:AB:47:23
Timestamp : Jun 4 23:01:25.899 2026 GMT
Extensions: 00:00:05:00:19:42:23:45
Signature : ecdsa-with-SHA256
30:45:02:20:3A:0D:2A:2B:EA:B2:9E:DE:BA:8F:65:B8:
55:96:00:62:8B:87:3A:A3:23:99:0B:7D:68:98:BC:54:
21:05:B5:E5:02:21:00:9B:15:A7:C3:B9:2B:D5:CC:6F:
B6:54:1D:3C:3F:4F:50:AE:86:9B:8B:8A:D5:B0:32:FB:
50:D5:5E:CD:38:75:93
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
98:7b:5b:02:2a:3a:03:f1:96:83:5c:b8:89:5c:bc:ee:fd:f1:
.....
97:9c:07:a3
-----BEGIN CERTIFICATE-----
MIIGAzCCBOugAwIBAgISBpBe24AFzuxy9aH0ccdiwxxMMA0GCSqGSIb3DQEBCwUA
.....
fGaQl5wHow==
-----END CERTIFICATE-----
certificate file 'yr1.pem' ...
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
a2:02:53:f1:5f:26:91:c0:5d:c1:ce:13:b9:bc:ca:4e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=ISRG, CN=Root YR
Validity
Not Before: Sep 3 00:00:00 2025 GMT
Not After : Sep 2 23:59:59 2028 GMT
Subject: C=US, O=Let's Encrypt, CN=YR1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a1:58:bc:5f:6c:42:62:03:17:bc:9c:4d:3c:aa:
.....
6e:33
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Subject Key Identifier:
1F:2F:35:BE:46:14:82:CD:40:B1:AE:79:2C:55:78:FA:F7:D4:68:FB
X509v3 Authority Key Identifier:
DE:E7:5B:60:D0:22:6D:40:28:7D:3F:0D:01:FE:A4:B5:52:B4:51:94
Authority Information Access:
CA Issuers - URI:http://yr.i.lencr.org/
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://yr.c.lencr.org/
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
d3:ec:ef:32:ad:e4:1e:28:35:75:d4:e6:9a:6f:91:89:b4:eb:
.....
1e:01:02:67:8a:6d:3f:aa
-----BEGIN CERTIFICATE-----
MIIE2zCCAsOgAwIBAgIRAKICU/FfJpHAXcHOE7m8yk4wDQYJKoZIhvcNAQELBQAw
.....
Qc123V5LTXDZW4CcsPBDyhy4v+c8hClAyw/IkJlfBqxB9D+/wvIMHgECZ4ptP6o=
-----END CERTIFICATE-----
skipping certificate 'Root_YR' because it's a root/self-signed one.
finished.
--
Gruß Marcus
[eisfair-Team]
Mehr Informationen über die Mailingliste Eisfair