All my Google Cloud sites are down due to expired R3 certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.childlinethailand.org and many others

I ran this command: nothing, the root certificate expired

It produced this output: broken websites, unhappy clients

My web server is (include version): google cloud

The operating system my web server runs on is (include version): bitnami

My hosting provider, if applicable, is: google cloud

I can login to a root shell on my machine (yes or no, or I don't know): IDK

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): bitnami

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Your certificate is using the old "chain"; this suggests that your Apache config is pointing to an old copy of the "chain.pem" file rather than the latest version.

A certbot expert may be able to help you more. Did you follow a particular guide when setting up your bitnami server?

Hi, thanks for your reply. Actually, after more investigation, my sites work OK on Windows and Android, but not in Chrome on Mac; I think it's related to the Let's Encrypt root certificate changes. I used certbot previously and am not sure how to update the Apache config; in the past, trying to fix SSL problems on Google Cloud has led to more issues. If someone knows, please let me know. I have another 4 Google Cloud sites that were working fine until yesterday.

Should I try to run the Bitnami certbot tool again, as per this guide (Generate and Install a Let's Encrypt SSL Certificate for a Bitnami Application), or won't it help?
Thanks

There are definitely some incorrect chaining issues with your site.
See: SSL Server Test: www.childlinethailand.org (Powered by Qualys SSL Labs)

My websites are still down on my 2015 MacBook, which I use to edit the sites. Do you know how I can fix this chaining issue? I used the Bitnami certbot tool and followed the recommended settings, which worked OK for years. Are you sure it's my error and unrelated to the Let's Encrypt certificate news? (Some Mac and Android users experience website connection issues caused by expired Let's Encrypt certificates - gHacks Tech News.) Thanks for your help.

Bitnami is its own beast.

Indirectly.
Your real issue is that the site has been serving an incorrect chain.
And now that chain has expired and is still being served (incorrectly):

openssl s_client -connect www.childlinethailand.org:443 -servername www.childlinethailand.org
CONNECTED(00000005)
depth=0 CN = www.childlinethailand.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.childlinethailand.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = www.childlinethailand.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Also see:
https://www.ssllabs.com/ssltest/analyze.html?d=www.childlinethailand.org
[which may do a better job of explaining it than I - pictures paint 1000 words - I'm sure I've used less]
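The mismatch visible in that chain listing can be checked mechanically. The following is an added example, not part of the original thread: it parses the "Certificate chain" section of `openssl s_client` output and reports every position where a served certificate's issuer is not the subject of the next served certificate. The function names are hypothetical, and the sample mirrors the chain quoted above with the leaf name replaced by a placeholder.

```python
import re
import sys

# Constructed sample: same issuer/subject names as the chain in the post,
# leaf hostname replaced by a placeholder.
BROKEN = """\
---
Certificate chain
 0 s:CN = www.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

def norm(dn):
    """Normalize a DN so 'CN = R3' and 'CN=R3' compare equal."""
    return re.sub(r"\s*=\s*", "=", dn.strip())

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the chain section."""
    chain, in_section = [], False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_section = True
        elif in_section and line.startswith("---"):
            break
        elif in_section:
            subj = re.match(r"\s*(\d+)\s+s:(.*)", line)
            issuer = re.match(r"\s*i:(.*)", line)
            if subj:
                chain.append([int(subj.group(1)), norm(subj.group(2)), None])
            elif issuer and chain:
                chain[-1][2] = norm(issuer.group(1))
    return [tuple(c) for c in chain]

def chain_breaks(chain):
    """Each served cert's issuer must equal the next served cert's subject."""
    return [(depth, issuer, next_subject)
            for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:])
            if issuer != next_subject]

if __name__ == "__main__":
    # Pipe s_client output in; with no pipe, the constructed sample is used.
    text = BROKEN if sys.stdin.isatty() else sys.stdin.read()
    breaks = chain_breaks(parse_chain(text))
    for depth, issuer, served in breaks:
        print(f"cert {depth}: issued by [{issuer}] but next served is [{served}]")
    sys.exit(1 if breaks else 0)
```

A non-zero exit means the server is sending an intermediate that did not issue the certificate below it, which is the condition behind the `verify error:num=20` and `num=21` lines in the output above.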

I think my sites are fixed now. I needed to revoke and reissue the certificates, which meant clearing up various issues with Bitnami before the bncert tool actually worked.
Can we remove the links to my website, please?
Cheers

Revoke was NOT necessary.
