SSL Duplicate certificate

Using ignition 8.0.3, when trying to setup SSL on the gateway I get the error “A duplicate certificate was detected” Any ideas how to identify and remote the duplicate certificate?

Which type of certificate chain are you uploading? Can you send it to me so I can take a look? (there’s no private info in the chain)

There should be an error messages in the gateway logs to go along with this. Something like:

“Certificate %d is a duplicate of certificate %d”

I think maybe we’re being overly strict in this case.

Hi Kevin,

Thank-you for taking the time to reply. Below are the exact steps I take to get this error. I am just using LetsEncrypt to generate the certificates.

  1. Select “I have all the items above”

  2. Strangely there is a private key there already, no idea where this comes from so I then select Reset Step
    image

  3. Now I add the private key that was generated from the lets-encrypt process without any issues.

  4. Next I add the server certificate without any issues

  5. It’s not until I try to add the chain that the error is generated…

This is the error shown in the wrapper log file: Certificate 1 is a duplicate of certificate 0 route-group=config, route-path=/ssl/parse-and-validate/private-key-and-certificate-chain

image

Chain contents added below, as a new user to the forum it wouldn’t let me attach it as a file.

-----BEGIN CERTIFICATE-----
MIIF+jCCBOKgAwIBAgISBLdkJgU0E4wzaz0A5hjKuXmGMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA4MDMwMDEyNTFaFw0x
OTExMDEwMDEyNTFaMCwxKjAoBgNVBAMTIWNjY3Nwb3J0c2dyb3VuZHMuc2FmZWdy
b3VwLmNvbS5hdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAM4/1/Jx
VA0PrKcQJ0UZwMLafpgIozxOrjpMSv35UANlVl1W8VqGziLNyHQwryRGgwI7Pvxf
lGsOfeSsMgwik51W6k8lNbw5x5GBm1V8U2CZsDptTj/56jPbQP/rW8uyk5so1aRC
xzWHyI66PhS5C5STnh3Da5mfdTJE9lX3/k2/MZ3cdt+3ugvKVxItFUsXaiP5Mq9B
jz7919xhEWkN0hPHlcHCObhJstWn2FcKQsYtn+UyPInIBzRjAyIaqhIHWfHyxYTv
kGLFL6z1HrKNctf2kKmCyqS6MuApUCupDSgq3pwiTd6AGB+khggfxwT2fGbm2Lup
6Dxf5VjNiZoHPRhC2LNXDFob6gGYbhy6tmC23FGPg0Ev3Xe/BixqpiN1Zv9/7FFb
9a8xIm3v0p/Mx/m42kwgYFgfbluG8e6Z7OVe0L1MvbFyeFKNSBNT/OPGnsKSZq9y
Q5DrEwueOcIzQmO09Cc5wXpuLspbCDdHy5+P8T9jHAoWNUjdlEuY7iME9wIDAQAB
o4ICdjCCAnIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTGiCkZvV7XUcK8YC4F5lhP
5CH/LTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB
AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMCwGA1UdEQQlMCOCIWNjY3Nwb3J0c2dyb3VuZHMuc2FmZWdyb3VwLmNv
bS5hdTBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsG
AQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkC
BAIEgfUEgfIA8AB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAAB
bFUJWMgAAAQDAEcwRQIgLj8LbXt0mJtbWHbU9ldDNV2cpnxzNU0nWWY0zgoCXQYC
IQCZSOfn85lI0MEcEn/XEO85ZsxLxoArich7BzPJ/zDGhAB2AGPy283oO8wszwty
hCdXazOkjWF3j711pjixx2hUS9iNAAABbFUJWJIAAAQDAEcwRQIhAKgy3ZBjALLk
67/GqCcqClXGQdpSNKNQbEatmgI0snYQAiAP8VgCkvN/FGHbhZjSPWgsmfhHBBl8
PIRPv6xfUU/vajANBgkqhkiG9w0BAQsFAAOCAQEAeV6Iajn71/m/5IuTRybVnaDN
TKZxim6/dlTS3zHscpBQl11mFRB8Sp5TdUM7BnBNdOaDt74EsRkxnxAWdcbPgGpm
Ma2viEvEvddgdRGver5L7/0cnIVdSkXgGRzPqwg0Dgs/bXcSOLBRZPBuQyaqhsml
LNfO89F9E7+3UcjGujXEZl2fQm3Pfj2ffylVX9NtsauammQ8+ue8SR2fPYV156lT
j0ETY2A1JH0i97vcUqbge7xwJvjKC5ZfOd2fDXUYemeT4o4kbYG5a9VmIMI6kdvf
4r2eZSX6jUexSTEXxi/RxhWQQTOd21XY8tX0EFUJgjV4cRV5U0FqBF6f26jCMA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

Try saving a copy without the 2nd certificate section in it and upload that as the chain.

Same error…

-----BEGIN CERTIFICATE-----
MIIF+jCCBOKgAwIBAgISBLdkJgU0E4wzaz0A5hjKuXmGMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA4MDMwMDEyNTFaFw0x
OTExMDEwMDEyNTFaMCwxKjAoBgNVBAMTIWNjY3Nwb3J0c2dyb3VuZHMuc2FmZWdy
b3VwLmNvbS5hdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAM4/1/Jx
VA0PrKcQJ0UZwMLafpgIozxOrjpMSv35UANlVl1W8VqGziLNyHQwryRGgwI7Pvxf
lGsOfeSsMgwik51W6k8lNbw5x5GBm1V8U2CZsDptTj/56jPbQP/rW8uyk5so1aRC
xzWHyI66PhS5C5STnh3Da5mfdTJE9lX3/k2/MZ3cdt+3ugvKVxItFUsXaiP5Mq9B
jz7919xhEWkN0hPHlcHCObhJstWn2FcKQsYtn+UyPInIBzRjAyIaqhIHWfHyxYTv
kGLFL6z1HrKNctf2kKmCyqS6MuApUCupDSgq3pwiTd6AGB+khggfxwT2fGbm2Lup
6Dxf5VjNiZoHPRhC2LNXDFob6gGYbhy6tmC23FGPg0Ev3Xe/BixqpiN1Zv9/7FFb
9a8xIm3v0p/Mx/m42kwgYFgfbluG8e6Z7OVe0L1MvbFyeFKNSBNT/OPGnsKSZq9y
Q5DrEwueOcIzQmO09Cc5wXpuLspbCDdHy5+P8T9jHAoWNUjdlEuY7iME9wIDAQAB
o4ICdjCCAnIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTGiCkZvV7XUcK8YC4F5lhP
5CH/LTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB
AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMCwGA1UdEQQlMCOCIWNjY3Nwb3J0c2dyb3VuZHMuc2FmZWdyb3VwLmNv
bS5hdTBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsG
AQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkC
BAIEgfUEgfIA8AB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAAB
bFUJWMgAAAQDAEcwRQIgLj8LbXt0mJtbWHbU9ldDNV2cpnxzNU0nWWY0zgoCXQYC
IQCZSOfn85lI0MEcEn/XEO85ZsxLxoArich7BzPJ/zDGhAB2AGPy283oO8wszwty
hCdXazOkjWF3j711pjixx2hUS9iNAAABbFUJWJIAAAQDAEcwRQIhAKgy3ZBjALLk
67/GqCcqClXGQdpSNKNQbEatmgI0snYQAiAP8VgCkvN/FGHbhZjSPWgsmfhHBBl8
PIRPv6xfUU/vajANBgkqhkiG9w0BAQsFAAOCAQEAeV6Iajn71/m/5IuTRybVnaDN
TKZxim6/dlTS3zHscpBQl11mFRB8Sp5TdUM7BnBNdOaDt74EsRkxnxAWdcbPgGpm
Ma2viEvEvddgdRGver5L7/0cnIVdSkXgGRzPqwg0Dgs/bXcSOLBRZPBuQyaqhsml
LNfO89F9E7+3UcjGujXEZl2fQm3Pfj2ffylVX9NtsauammQ8+ue8SR2fPYV156lT
j0ETY2A1JH0i97vcUqbge7xwJvjKC5ZfOd2fDXUYemeT4o4kbYG5a9VmIMI6kdvf
4r2eZSX6jUexSTEXxi/RxhWQQTOd21XY8tX0EFUJgjV4cRV5U0FqBF6f26jCMA==
-----END CERTIFICATE-----

INFO | jvm 1 | 2019/08/04 10:44:24 | E [g.SslConfigRoutes ] [00:44:24]: Certificate 1 is a duplicate of certificate 0 route-group=config, route-path=/ssl/parse-and-validate/private-key-and-certificate-chain

Hmm, the chain looks okay. Can you share the server certificate from step 2?

Server Certificate below…

-----BEGIN CERTIFICATE-----
MIIF+jCCBOKgAwIBAgISBLdkJgU0E4wzaz0A5hjKuXmGMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xOTA4MDMwMDEyNTFaFw0x
OTExMDEwMDEyNTFaMCwxKjAoBgNVBAMTIWNjY3Nwb3J0c2dyb3VuZHMuc2FmZWdy
b3VwLmNvbS5hdTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAM4/1/Jx
VA0PrKcQJ0UZwMLafpgIozxOrjpMSv35UANlVl1W8VqGziLNyHQwryRGgwI7Pvxf
lGsOfeSsMgwik51W6k8lNbw5x5GBm1V8U2CZsDptTj/56jPbQP/rW8uyk5so1aRC
xzWHyI66PhS5C5STnh3Da5mfdTJE9lX3/k2/MZ3cdt+3ugvKVxItFUsXaiP5Mq9B
jz7919xhEWkN0hPHlcHCObhJstWn2FcKQsYtn+UyPInIBzRjAyIaqhIHWfHyxYTv
kGLFL6z1HrKNctf2kKmCyqS6MuApUCupDSgq3pwiTd6AGB+khggfxwT2fGbm2Lup
6Dxf5VjNiZoHPRhC2LNXDFob6gGYbhy6tmC23FGPg0Ev3Xe/BixqpiN1Zv9/7FFb
9a8xIm3v0p/Mx/m42kwgYFgfbluG8e6Z7OVe0L1MvbFyeFKNSBNT/OPGnsKSZq9y
Q5DrEwueOcIzQmO09Cc5wXpuLspbCDdHy5+P8T9jHAoWNUjdlEuY7iME9wIDAQAB
o4ICdjCCAnIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTGiCkZvV7XUcK8YC4F5lhP
5CH/LTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggrBgEFBQcB
AQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlw
dC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMCwGA1UdEQQlMCOCIWNjY3Nwb3J0c2dyb3VuZHMuc2FmZWdyb3VwLmNv
bS5hdTBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEBATAoMCYGCCsG
AQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQQGCisGAQQB1nkC
BAIEgfUEgfIA8AB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAAB
bFUJWMgAAAQDAEcwRQIgLj8LbXt0mJtbWHbU9ldDNV2cpnxzNU0nWWY0zgoCXQYC
IQCZSOfn85lI0MEcEn/XEO85ZsxLxoArich7BzPJ/zDGhAB2AGPy283oO8wszwty
hCdXazOkjWF3j711pjixx2hUS9iNAAABbFUJWJIAAAQDAEcwRQIhAKgy3ZBjALLk
67/GqCcqClXGQdpSNKNQbEatmgI0snYQAiAP8VgCkvN/FGHbhZjSPWgsmfhHBBl8
PIRPv6xfUU/vajANBgkqhkiG9w0BAQsFAAOCAQEAeV6Iajn71/m/5IuTRybVnaDN
TKZxim6/dlTS3zHscpBQl11mFRB8Sp5TdUM7BnBNdOaDt74EsRkxnxAWdcbPgGpm
Ma2viEvEvddgdRGver5L7/0cnIVdSkXgGRzPqwg0Dgs/bXcSOLBRZPBuQyaqhsml
LNfO89F9E7+3UcjGujXEZl2fQm3Pfj2ffylVX9NtsauammQ8+ue8SR2fPYV156lT
j0ETY2A1JH0i97vcUqbge7xwJvjKC5ZfOd2fDXUYemeT4o4kbYG5a9VmIMI6kdvf
4r2eZSX6jUexSTEXxi/RxhWQQTOd21XY8tX0EFUJgjV4cRV5U0FqBF6f26jCMA==
-----END CERTIFICATE-----

It looks like the server certificate is also part of the chain. I guess the only thing left to try is upload only the other half of that original chain as the new chain.

OK a step closer, after splitting the chain certificate into two separate certificates it accepts the bottom half but now wants a second chain certificate.

It doesnt like the top half of the chain

It’s because you don’t have the full chain, you have the leaf and the intermediate and you’re missing the root cert.

SUCCESS thanks, I ended up finding this page that allowed me to download the cross signing root CA.

1 Like

This page… https://letsencrypt.org/certificates/

1 Like

Great. That shouldn’t have been so difficult, maybe we can use what happened here to improve the flow.

Thank you @Aaron_Mitchell and @Kevin.Herron for figuring this one out! Spent a week trying to get my SSL cert in Ignition. I had a 4 certificate chain and was able to use the first for the certification, the last for the intermediate, then went to the certificate authorities website to download the root certificate.

We have a ticket on our backlog to explore the possibility of automatically populating the root CA cert for you based on the roots installed on the Gateway’s trust store. This would save users from the headache of having to grab the appropriate root CA cert out-of-band for the most common root CAs (or for custom root CAs which have already been added to the Gateway’s trust store).