I am trying to import a pfx cert to my Ubuntu server and an app called Mesh Central.
The export runs fine. The import appears to work fine.
When I browse my website I get this error message.
Has anyone seen this before and know how I can fix it?
There are a few things which could be relevant, the most likely thing is the Mesh Central app doesn’t understand the blank password for the PFX and therefore can’t access the private key but it’s just not telling you that. [ I am assuming the app accepts the PFX file without conversion ]
To test that theory you can try setting a PFX password under Certificate > Advanced > Signing & Security (scroll down for password option), then use Request Certificate to refresh your PFX with a version that has a password set, then re-upload to Mesh Central and specify the password there (however that’s done).
It’s less common for linux based stuff to use PFX and more common for the app to expect a file that’s split into the certificate (in text PEM format) and a key file. You can do that by adding a Task for Deploy to Generic Server, then set the output filename parameters and run the task, this will convert your PFX into component files for the certificate (and optionally the full chain) and key.
A quick google suggest that MeshCentral perhaps has built in Let’s Encrypt support, so you could also try that.
Thanks for the feedback:
-
Unfortunately I cannot use let’s encrypt as another device is already using port 80 so I cannot use the built-in Let’s Encrypt service
-
I have also tested other pfx certs on the ISS server that CertifyTheWeb is installed on and I am getting the same error.
“pulling ma hair out” 
Hmm, I had assumed you were already using Certify The Web to get a certificate from Let’s Encrypt in PFX format, since you were already trying to install it to Ubuntu.
You could look at DNS validation, which is where you automatically create a TXT record in your domain DNS to respond to the Let’s Encrypt challenge. DNS Validation (dns-01) | Certify The Web Docs - it depends on who your DNS provider is etc.
I am already using DNS validation.
In both cases the cert is certed and ready for use however the error message appears when trying to browse the site.
Here is what I do:
on Linux
- open CeritfyTheWeb app
- use a task to export the cert in a “.pfx” format
- copy the cert to my Ubuntu server
- I have this script to move my pfx cert to the server data dir
#!/bin/sh
openssl pkcs12 -in mesh.pfx -nocerts -out mesh_enc.key
openssl rsa -in mesh_enc.key -out mesh.key
openssl pkcs12 -in mesh.pfx -clcerts -nokeys -out mesh.crt
systemctl stop meshcentral.service
mv ~/meshcentral-data/agentserver-cert-private.key ~/meshcentral-data/agentserver-cert-private.key_old
cp ~/cert/mesh.key ~/meshcentral-data/mesh.key
mv ~/meshcentral-data/mesh.key ~/meshcentral-data/agentserver-cert-private.key
mv ~/meshcentral-data/agentserver-cert-public.crt ~/meshcentral-data/agentserver-cert-public.crt_old
cp ~/cert/mesh.crt ~/meshcentral-data/mesh.crt
mv ~/meshcentral-data/mesh.crt ~/meshcentral-data/agentserver-cert-public.crt
mv ~/meshcentral-data/mpsserver-cert-private.key ~/meshcentral-data/mpsserver-cert-private.key_old
cp ~/cert/mesh.key ~/meshcentral-data/mesh.key
mv ~/meshcentral-data/mesh.key ~/meshcentral-data/mpsserver-cert-private.key
mv ~/meshcentral-data/mpsserver-cert-public.crt ~/meshcentral-data/mpsserver-cert-public.crt_old
cp ~/cert/mesh.key ~/meshcentral-data/mesh.key
mv ~/meshcentral-data/mesh.crt ~/meshcentral-data/mpsserver-cert-public.crt
mv ~/meshcentral-data/webserver-cert-private.key ~/meshcentral-data/webserver-cert-private.key_old
cp ~/cert/mesh.key ~/meshcentral-data/mesh.key
mv ~/meshcentral-data/mesh.key ~/meshcentral-data/webserver-cert-private.key
mv ~/meshcentral-data/webserver-cert-public.crt ~/meshcentral-data/webserver-cert-public.crt_old
cp ~/cert/mesh.crt ~/meshcentral-data/mesh.crt
mv ~/meshcentral-data/mesh.crt ~/meshcentral-data/webserver-cert-public.crt
systemctl start meshcentral.service
On Windows
- use the cert import wizard to import “.pfx” to trusted root certificates
If you want to stick with your own script for conversion of PFX to pem (.key and .key) then you will need to pass them through some sort of validation to check they are valid for use. I note that you appear to be outputting mesh_env.key in your first step, but then you are copying mesh.key which could be the wrong file.
I would suggest using the Deploy to Generic Server task in Certify The Web to create your .crt and .key files, and I’d suggest using the full chain option for your .crt file. If your linux server supports SSH/SFTP then the app can export directly to your server, otherwise you have to copy the files.
I assume the Windows machine you are deploying to is not the one where you are using Certify The Web as the default auto deployment for the app will install it to the required certificate store (Personal/My by default), so if it’s the same machine there is no real deployment you would need to do.