Cert isn't recognizing some of the domains?

karoshi · May 29, 2021, 1:07am

My domain is: hkn.ucsd.edu

I ran this command:
certbot certonly --webroot --webroot-path /var/www/vhost.hkn/public/wordpress -d hkn.ucsd.edu -d hkn.sysnet.ucsd.edu

It produced this output:
certbot certonly --webroot --webroot-path /var/www/vhost.hkn/public/wordpress -d hkn.ucsd.edu -d hkn.sysnet.ucsd.edu
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/hkn.ucsd.edu.conf)

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

Certificate not yet due for renewal; no action taken.

My web server is (include version):
apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2020-08-12T21:35:50

The operating system my web server runs on is (include version):
Linux sysnet.sysnet.ucsd.edu 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
(Ubuntu 16.04.7)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
certbot 0.27.0

I have had this run just fine in the past but for some reason today it seems to be unhappy... looking at https://www.whynopadlock.com/ it seems that it's crabby about the cert being for hkn.sysnet.ucsd.edu rather than hkn.ucsd.edu in spite of the multiple -d I have above (and despite that working okay up to today)

I have verified that the conf file has the correct SSL files
grep -i ssl hkn.conf
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/hkn.sysnet.ucsd.edu/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hkn.sysnet.ucsd.edu/privkey.pem

and
ls -ltr /etc/letsencrypt/live/hkn.sysnet.ucsd.edu/
total 4
-rw-r--r-- 1 root root 682 May 28 16:22 README
lrwxrwxrwx 1 root root 46 May 28 16:33 privkey.pem -> ../../archive/hkn.sysnet.ucsd.edu/privkey2.pem
lrwxrwxrwx 1 root root 48 May 28 16:33 fullchain.pem -> ../../archive/hkn.sysnet.ucsd.edu/fullchain2.pem
lrwxrwxrwx 1 root root 44 May 28 16:33 chain.pem -> ../../archive/hkn.sysnet.ucsd.edu/chain2.pem
lrwxrwxrwx 1 root root 43 May 28 16:33 cert.pem -> ../../archive/hkn.sysnet.ucsd.edu/cert2.pem

I note also:
ls -l /etc/letsencrypt/renewal/hkn.*
-rw-r--r-- 1 root root 554 May 28 16:33 /etc/letsencrypt/renewal/hkn.sysnet.ucsd.edu.conf
-rw-r--r-- 1 root root 626 Apr 25 08:26 /etc/letsencrypt/renewal/hkn.ucsd.edu.conf

I should add:

http[s]://hkn.[sysnet.].ucsd.edu are all supposed to force over to https://hkn.ucsd.edu
this has worked up to today, i.e. that's the same certbot command I've used previously
the error given on chrome is: NET::ERR_CERT_COMMON_NAME_INVALID
the whynopadlock indicates that it's looking at hkn.sysnet.ucsd.edu

So I mean, that's consistent. It's behaving like I asked for a cert only for hkn.sysnet.ucsd.edu which would of course not work with hkn.ucsd.edu, except that I asked for both in using -d hkn.ucsd.edu -d hkn.sysnet.ucsd.edu with my certbot command as shown above.

Thanks,
CM

stevenzhu · May 29, 2021, 2:14am

Hi,

The issue is, you did request a certificate for only hkn.sysnet.ucsd.edu today.
Before today, you have always used a certificate for both hostname (crt.sh | 4429304734). But for some reason you got one for only sysnet(crt.sh | 4608195716 & crt.sh | 4608195716). That can also be seen from your certbot config file, because the original structure should set certificate under /etc/letsencrypt/live/hkn.ucsd.edu/.

If you run sudo certbot certificates, you'll have a high chance of seeing two certificates at once. One with both hostnames, and one with the sysnet hostname.
What you can do to fix it is to modify your web server config file and change

SSLCertificateFile /etc/letsencrypt/live/hkn.sysnet.ucsd.edu/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hkn.sysnet.ucsd.edu/privkey.pem

to

SSLCertificateFile /etc/letsencrypt/live/hkn.ucsd.edu/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/hkn.ucsd.edu/privkey.pem

Then do a server reload or restart.

After you are able to confirm everything is working, you can then delete the single hostname certificate with sudo certbot delete --cert-name hkn.sysnet.ucsd.edu (BEFORE YOU DELETE, CONFIRM THIS IS THE ONE WITH THE SINGLE HOST)

Thank you

karoshi · May 29, 2021, 2:30am

What I don't understand is that I haven't done anything differently last time and today (I do actually keep records of what I do each renewal, so I can just copy out previuosly working commands each time). The certbot command last time and today included " -d hkn.ucsd.edu -d hkn.sysnet.ucsd.edu"

Is that not enough for both domains?

Also certbot certificates does show me:
Certificate Name: hkn.ucsd.edu
Domains: hkn.ucsd.edu hkn.sysnet.ucsd.edu
Expiry Date: 2021-07-24 14:26:24+00:00 (VALID: 56 days)
Certificate Path: /etc/letsencrypt/live/hkn.ucsd.edu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/hkn.ucsd.edu/privkey.pem

and

Certificate Name: hkn.sysnet.ucsd.edu
Domains: hkn.sysnet.ucsd.edu
Expiry Date: 2021-08-26 22:33:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/hkn.sysnet.ucsd.edu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/hkn.sysnet.ucsd.edu/privkey.pem

as well as many others (I vhost a number of domains on this server)

rg305 · May 29, 2021, 2:33am

Although there was a cert issued with both domains, that cert isn't being served by either site:
SSL Server Test: hkn.ucsd.edu (Powered by Qualys SSL Labs)
SSL Server Test: hkn.sysnet.ucsd.edu (Powered by Qualys SSL Labs)

Can we confirm that certbot certificates shows the cert with both domains?

karoshi · May 29, 2021, 2:34am

Yes, see above (sorry, I edited to add, but your message showed up in the meantime). Why did this happen?

rg305 · May 29, 2021, 2:36am

I can't be certain why it happened.
But the fix is to use the cert with both names in both vhost configs.

But before we go down that path...
Please show the output of:
apachectl -S
[to confirm there are no other (Apache) misconfigurations]

If the output is too long, grep it for something unique but common to both - possibly like hkn

karoshi · May 29, 2021, 2:40am

apache2ctl -S | grep hkn
port 443 namevhost hkn.ucsd.edu (/na/www/conf/hkn.conf:21)
alias hkn.sysnet.ucsd.edu
port 80 namevhost hkn.ucsd.edu (/na/www/conf/hkn.conf:5)
alias hkn.sysnet.ucsd.edu

I think the crontab might be the culprit:
# renew letsencrypt certs
42 6,18 1,16 * * root /usr/local/sbin/certbot-auto renew --no-self-upgrade

wasn't certbot-auto deprecated (I've been using letsencrypt for quite some time now)

rg305 · May 29, 2021, 2:42am

Please show the output of:
which certbot
which certbot-auto

and the file: /na/www/conf/hkn.conf

karoshi · May 29, 2021, 2:42am

Anyway, let me switch to the other certs and see if that fixes. I'm just trying to figure out why I suddenly have a set with only one domain in it since as I say, I just redo these things the same way each time :-/

rg305 · May 29, 2021, 2:44am

I think you might have both (certbot and certbot-auto) installed.
But this, by itself, should NOT cause the problem you describe.

karoshi · May 29, 2021, 2:45am

which certbot
/usr/bin/certbot

which certbot-auto
/usr/local/sbin/certbot-auto

<VirtualHost *:80>
ServerName hkn.ucsd.edu
ServerAlias hkn.sysnet.ucsd.edu
DocumentRoot "/var/www/vhost.hkn/public/wordpress"

#Redirect Permanent "/" "https://hkn.ucsd.edu"
#allow certbot/renewal to access test files
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTPS} !=on
	RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/ 
	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>

(lots of specific WP protection/hardening, but at the end in the 443 section)

Include /etc/letsencrypt/options-ssl-apache.conf|
SSLCertificateFile /etc/letsencrypt/live/hkn.sysnet.ucsd.edu/fullchain.pem|
SSLCertificateKeyFile /etc/letsencrypt/live/hkn.sysnet.ucsd.edu/privkey.pem|

karoshi · May 29, 2021, 2:48am

For some reason (the Apr 25 set should have still be good, so no reason to generate the May 28 set):

ls -l /etc/letsencrypt/live//hkn.*
/etc/letsencrypt/live//hkn.sysnet.ucsd.edu:
total 4
lrwxrwxrwx 1 root root  43 May 28 16:33 cert.pem -> ../../archive/hkn.sysnet.ucsd.edu/cert2.pem
lrwxrwxrwx 1 root root  44 May 28 16:33 chain.pem -> ../../archive/hkn.sysnet.ucsd.edu/chain2.pem
lrwxrwxrwx 1 root root  48 May 28 16:33 fullchain.pem -> ../../archive/hkn.sysnet.ucsd.edu/fullchain2.pem
lrwxrwxrwx 1 root root  46 May 28 16:33 privkey.pem -> ../../archive/hkn.sysnet.ucsd.edu/privkey2.pem
-rw-r--r-- 1 root root 682 May 28 16:22 README

/etc/letsencrypt/live//hkn.ucsd.edu:
total 4
lrwxrwxrwx 1 root root  36 Apr 25 08:26 cert.pem -> ../../archive/hkn.ucsd.edu/cert5.pem
lrwxrwxrwx 1 root root  37 Apr 25 08:26 chain.pem -> ../../archive/hkn.ucsd.edu/chain5.pem
lrwxrwxrwx 1 root root  41 Apr 25 08:26 fullchain.pem -> ../../archive/hkn.ucsd.edu/fullchain5.pem
lrwxrwxrwx 1 root root  39 Apr 25 08:26 privkey.pem -> ../../archive/hkn.ucsd.edu/privkey5.pem
-rw-r--r-- 1 root root 682 Aug 27  2020 README

rg305 · May 29, 2021, 2:48am

This cert:

only has one name:

You definitely need to change those lines to the other cert and restart/reload Apache.
Then you can delete the single named cert:
certbot delete --cert-name hkn.sysnet.ucsd.edu

karoshi · May 29, 2021, 2:50am

ANd yes, that fixes it. But how it happened in the first place....

rg305 · May 29, 2021, 2:51am

And you also need to decide between using certbot or certbot-auto ...
Please show:
/usr/bin/certbot --version
/usr/local/sbin/certbot-auto --version

stevenzhu · May 29, 2021, 2:53am

That's definitely a myth😂

Maybe take a look at your root's history file?

P.S. It's equally important to remove your certbot-auto installation, just like @rg305 suggests.

If you want to renew your certificate, it's better to use certbot -q renew in your crontab (or systemd timer)

karoshi · May 29, 2021, 2:53am

/usr/bin/certbot --version
certbot 0.27.0

/usr/local/sbin/certbot-auto --version
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
certbot 1.7.0

I should just be able to sub in /usr/bin/certbot into the crontab line

rg305 · May 29, 2021, 2:54am

I can think of several scenarios that could cause that to happen.
Most revolving around being presented with choices ... and making the wrong one - LOL

karoshi · May 29, 2021, 2:55am

Ha ha ha ha, well computers ALWAYS do EXACTLY as they're told, eh?

You mentioned earlier about deleting the single domain one, which seems prudent, b/c I can just see the darned thing renewing later on and overwriting the ssl stuff in the conf file again.

karoshi · May 29, 2021, 3:03am

Anyway, I ran the delete command on the singleton, and checked with the renew and only the hkn cert with both domains is left in place. I guess I'll just set a reminder to myself to keep an eye on this, since I'm not sure which of the wrong PRESS RETURN NOW happened, if it was me or a cronjob or... ??

Anyway, THANK YOU for the help. If you're in the U.S., enjoy the long weekend, eh?