Cannot get new cert going after auto-renew failed

nx6 · June 9, 2019, 10:16pm

I first got my SSL cert a few months ago and had everything up and working pretty easily, the issues have come with my first renewal. I’m not going to get into certbot failing to renew. At this point I’m just trying to get things back up and working. So I did things manually, but I cannot get my new certificate live.

My domain is: nx6.no-ip.org

I ran this command: certbot certonly --standalone -d nx6.no-ip.org

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nx6.no-ip.org
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/usr/local/etc/letsencrypt/live/nx6.no-ip.org/fullchain.pem
Your key file has been saved at:
/usr/local/etc/letsencrypt/live/nx6.no-ip.org/privkey.pem
Your cert will expire on 2019-09-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”
If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Then I restarted nginx…
root@nginx_reverse:/ # service nginx start
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.

But I’m still not able to access my servers. Still getting the SSL error.

I have tried clearing browser cache and cookies and relaunching.

Then I looked around for this issue online and tried this to check my new certificates…

root@nginx_reverse:/ # openssl x509 -in /etc/letsencrypt/live/nx6.no-ip.org/cert.pem -text -noout

And got:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:f5:4e:4d:11:79:9e:4f:6f:43:72:e0:6a:83:22:5d:4d:f0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Validity
Not Before: Mar 11 07:48:59 2019 GMT
Not After : Jun 9 07:48:59 2019 GMT
Subject: CN=nx6.no-ip.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:

So I still seem to be using the old certificates despite certbot saying my renewal was sucessful and it downloaded the new files?

My web server is (include version): nginx 1.14.2

The operating system my web server runs on is (include version): FreeBSD 11.2-RELEASE-p9 (note: This is in a jail on FreeNAS 11.2U4.1)

My hosting provider, if applicable, is: (none - self-hosted)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

_az · June 9, 2019, 10:49pm

Are the files in the live directory symlinks?

ls -la /etc/letsencrypt/live/nx6.no-ip.org/

nx6 · June 9, 2019, 11:35pm

Yes. They go back to the archive folder.

root@nginx_reverse:/ # ls -la /etc/letsencrypt/live/nx6.no-ip.org/
total 16
drwxr-xr-x 2 root wheel 7 Mar 11 03:49 .
drwx------ 3 root wheel 4 Mar 11 03:49 …
lrwxr-xr-x 1 root wheel 37 Mar 11 03:49 cert.pem -> …/…/archive/nx6.no-ip.org/cert1.pem
lrwxr-xr-x 1 root wheel 38 Mar 11 03:49 chain.pem -> …/…/archive/nx6.no-ip.org/chain1.pem
lrwxr-xr-x 1 root wheel 42 Mar 11 03:49 fullchain.pem -> …/…/archive/nx6.no-ip.org/fullchain1.pem
lrwxr-xr-x 1 root wheel 40 Mar 11 03:49 privkey.pem -> …/…/archive/nx6.no-ip.org/privkey1.pem
-rw-r–r-- 1 root wheel 692 Mar 11 03:49 README

mnordhoff · June 10, 2019, 1:48am

Both /etc/letsencrypt/ and /usr/local/etc/letsencrypt/ exist and contain certificates?

nx6 · June 10, 2019, 2:19am

Okay, we’re getting somwhere now. Yes! There are two sets of certs.
/etc/letsencrypt/live/ has the certs dated Mar 11 to Jun 9.

Just checked the other location.

root@nginx_reverse:/etc/letsencrypt # openssl x509 -in /usr/local/etc/letsencrypt/live/nx6.no-ip.org/cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:e5:7b:c7:9c:20:13:81:e8:47:73:2a:d6:c9:18:fd:d8:58
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Validity
Not Before: Jun 9 19:54:29 2019 GMT
Not After : Sep 7 19:54:29 2019 GMT

I think this may be from when I first set up the proxy. I originally requested the certs with a copy of certbot from git. Then later I took that out and installed from pkg for easier maintaining. I didn’t think of the two installs choosing different places to store files (plus frankly I think the folder names “etc” and “local” get reused too much, which confuses me).

So now I just have to fix nginx using the wrong certs.

Edit: Changed paths in ssl_common.conf and started nginx back up…
Able to reach my Airsonic server again on the sub-domain, and checked the cert info and it lists the September expiration date.

Thank you for pointing that out. I wasn’t paying close enough attention to the location certbot was giving and what I was actually checking.

system · July 10, 2019, 2:19am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.