Cert Renewal - Employee on Vacation

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
api.abortionpolicyapi.com

The employee that renews this certificate is away and not responding to emails. I'm not sure how to go about handling this? Our certificate lapses on 1/9.

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

It depends on how your website is run. The recommended approach is that certificates are renewed automatically by your webserver so no human steps are required, but it seems like your webserver is not configured in that way.

Without knowing anything more about how your website is run, the most common configuration is a single Linux server with the Certbot client on it.

Can you log into your webserver with some kind of console, like via SSH? If so, does the command sudo certbot renew do anything?

3 Likes

I am so sorry - but I'm not an engineer and don't understand what you've asked. What will happen if the certificate does not renew in time?

If the certificate doesn't renew in time, your API will become unavailable as clients will refuse to connect to it.

Somebody with access to your webserver needs to fix this. Is the employee who is on vacation the only one who knows about it?

3 Likes

Will the folks that are currently using the API no longer be able to access it? Yes - we are a small org with one engineer and they are not responding.

Do you have some hardware device that must be always on for the request of your engineer? Otherwise, do you have an external bill from the engineer for third party IT service?

3 Likes

You have two domains running on two different services:

  1. abortionpolicyapi.com is running on SquareSpace
  2. api.abortionpolicyapi.com is running on Dreamhost

The Dreamhost domain is the one affected.

Dreamhost offers a few different ways to host domains.

You have two options:

  1. Fix the problem. Contact Dreamhost.com to figure out how that domain is run and who owns the plan it is served from. If the plan offers access to anyone on your team that you can communicate with, they can come here and we can walk them through things. If you are on a "managed" plan with Dreamhost, Dreamhost Staff should be able to log into the system and renew the cert for you. If you're on a shared plan, they should be able to do that as well. They employ some really great staff there, so I would contact them ASAP for help and guidance.

  2. Patch the problem temporarily. The domain is registered through domain.com; if your available team members have access to that login, you could conceivably route the DNS for api.abortionpolicyapi.com through the Cloudflare CDN. In that setup, your subscribers will connect with Cloudflare who will handle all the SSL stuff and then Cloudflare will connect back to your actual API server.

If the certificate lapses, your subscribers may or may not be able to use the API - it will depend entirely on their setups. Some systems will raise an immediate error on the expired certificate and not allow access by default; others will allow access by default. It is honestly impossible to forecast how many subscribers will be affected as that relies on what libraries they use and how they configured their applications.

Thank you for your work in this field.

5 Likes

You all are incredible - I was able to gain access to Dreamhost.

Is it an easy process to walk me through where to renew this within Dreamhost?

4 Likes

It depends on the client...

SSH login I hope.
If so, try this one:
certbot certificates

3 Likes

If "certbot certificates" returns anything, post it here.
If it returns nothing...
Try this:
sudo find / -name '*abortionpolicyapi*' | grep -Evi 'cer|crt|pem'

3 Likes

If both fail to produce anything of value [no clues]...
Then we need to crack open the web service to see where it gets the cert from.
I can't say I know about where this keeps things:

X-Powered-By: Express

[maybe some other volunteer can help if it comes down to this]

2 Likes

I was able to get a Dreamhost customer service person to help me - thank you all very much!!

4 Likes

I'm glad you're up and running!

4 Likes

Were they able to automate the renewal process?
[If not, we may see you here again in about 80 days]

4 Likes
