Problem/Motivation

Unable to upload custom certificate

Expected behaviour

Certificate uploads without error

Actual behaviour

Recieve error:

Upload failed: Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.

Steps to reproduce

1. Log on to Active Directory member computer (Windows).
2. Launch certlm.msc MMC snap-in.
3. Under Certificates (Local Computer), expand Personal.
4. Right-click Certificates and choose All Tasks > Request New Certificate....
5. In the Certificate Enrolment dialog, click Next.
6. Select an enrolment policy and click Next.
7. Tick the type of certificate to produce that has a purpose of "Server Authentication". (Based on cert templates)
8. Complete the properties, including the common name and corresponding DNS value.
9. On the Private key tab, under Key options ensure Make private key exportable is checked.
10. Click OK then Enroll and finally Finish
11. In the Personal > Certificates store, right-click the certificate just created.
12. Click All Tasks > Export....
13. In the Welcome to the Certificate Export Wizard, click Next.
14. Select Yes, export the private key and click Next.
15. Select Personal Information Exchange - PKCS #12 (.PFX).
16. Tick **Include all certificates in the path if possible **.
17. Tick Enable certificate privacy.
18. Ensure other options are not ticked and click Next.
19. Tick Password:, enter the same password twice and click Next.
20. Provide a file path and name for the .pfx, click Next, Finish and Ok.
21. Launch a command prompt and navigate to the location of the .pfx file stored on disk.
22. Run the following OpenSSL commands to extract the private key and certificate from the .pfx (entering password when prompted): openssl pkcs12 -in .\example.pfx -nocerts -out example.key -nodes openssl pkcs12 -in .\example.pfx -nokeys -out example.crt (Note: -nodes removes the passphrase requirement).
23. Browse to Nginx Proxy Manager.
24. Log in and navigate to SSL Certificates.
25. Click Add SSL Certificate and click Custom.
26. Provide a name and navigate the the .crt and .key file created earlier.
27. Click Save.

Proposed changes

N/A

Troubleshooting steps.

I want to secure the internal URL of HA.

• I have two HA instances, both running the latest version of HA and both run Nginx Proxy Manager.
• Both HA instances have a Lets Encrypt cert for the public-facing FQDN.
• The process described above worked perfectly for the first instance.

I have checked the logs for Nginx Proxy Manager, but there is no mention of the failed certificate upload and I cannot find any information on how to increase logging verbosity.

The cert/key does not have a passphrase and I have checked the cert/key match.

I've tried everything I can think of. The fact the process worked for one HA instance is really foxing me. If anyone has any suggestions, I'd be grateful if you could share them.

T.I.A