Is there a way to generate a new CSR without removing the existing cert within Interworx?
If I’m understanding correctly, I need to delete the private key and CSR so I can generate a new private key and then CSR. During this process the SSL on the site breaks which isn’t ideal when it takes hours to days to get the cert.
If there isn’t a way within Interworx’s UI, is there a way through the CLI or otherwise on the command line?
Interworx has let’s encrypt which is free SSL which is dependent on dns records pointing to the hosting server
This would auto renew before expiry
I do not understand how if using a paid SSL which requires a fresh CSR how it takes days. It should only take around an hour or less depending upon your CA you use and type of SSL
Unfortunately I have one client who pays for their certs. They have some reasonably strict security business practices because of the industry that they’re in so Lets Encrypt doesn’t work for them. Do I think that’s the best – no – but I have no power to change things in this situation.
I need to generate a new private key and CSR, send it to them, and then they need generate it. Yes, this shouldn’t take very long, but it’s still not going to be a couple minutes. Using just the built in methods, the site would show an insecure method during that time.
The simplest way to be sure I would do the following
In siteworx for the domain
Goto ssl and view each, then copy and paste into a text editor and save eg private key view private key and copy and paste into a text editor and save then move onto CSR ssl and chain
Once done instead of view click delete
When all have been deleted, create new private key and create new CSR
Make a copy of them and send your client the CSR for new certificate
Then delete the CSR and private key
Then create new private key but select use your own and copy and paste the original from above and save and do same for CSR ssl and chain
You may have to restart Apache
Or you could try just copying the ssl files as shown in the domain conf file but I prefer above
Then with new ssl arrives delete as above and use new saved private key and CSR then add ssl and chain and restart Apache
That’s the only way that I’ve found as well. Unfortunately, as Apache is restarted after each step, the site goes down for a bit of time, though very long.
It would be really nice if there was a way to generate a new private key and CSR “on the side” and then when the new cert comes in, put those in place along with the cert.
It would also be nice if there was a way to say “don’t restart apache” after each step. Even if I can generate the cert right away, the site is still going to be a broken state for 5+ minutes.
Yes I know interworx have that feature on the roadmap for development in the future
If you have another interworx server, you could create the domain and generate what you need then copy and paste the details over at the time which would not affect the current ssl state
You should be able to disable apache restarts for a moment while you do this by adding a prevent-httpd-restart environment flag with:
touch ~iworx/etc/env/prevent-httpd-restart
This will basically tell InterWorx to skip restarting httpd until the above file is removed. It was originally designed to prevent restarts while folks did a large number of imports, but it should work here too.
Just be ABSOLUTELY sure to remove the file once you are done or you’ll run into issues when apache actually needs to restart (adding accounts, etc.).