Cert renewed, but old (expired) cert still in use

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gjschaller.homeftp.net

I ran this command: (Script, see below)

It produced this output: (Verbose, see below)

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): ReadyNAS OS 6.10.3 (Debian Jessie)

My hosting provider, if applicable, is: (N/A)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.3.0

===

I have an automated script that runs nightly to check for, and renew, my certificate. It seems to do the renew without issue. However, it did not replace the old cert with the new one.

Script:

/opt/letsencrypt/certbot-auto renew --standalone --pre-hook “service apache2 stop” --post-hook “service apache2 start”

Output:

root@GeoffNAS:/home/admin/crontab# ./LetsEncrypt-Renew.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/gjschaller.homeftp.net.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/gjschaller.homeftp.net/fullchain.pem expires on 2020-06-14 (skipped)
No renewals were attempted.
No hooks were run.


It looks like the new cert is there, but it’s not updating it for Apache. Anything I am missing or doing wrong?

Show me your apache config, what do the SSL directives say?

Also: why are you stopping apache and using --standalone instead of --apache or --webroot ?

To be honest, I set this up YEARS ago, and it worked all that time, so I don’t remember the reason why. About 3 months ago, my NAS crashed and needed to be reset - I restored everything, and reconfigured the same scripts, and it seemed to work. This is the first time it’s come up since the reformat, so it’s possible that’s the issue.

Let me try the other two flags, and I’ll get back to you.

They need other hooks and configs. use --dry-run for testing.

apache2.conf attached. This is on a ReadyNAS, which I am told is a bit odd in its setup, but hopefully should point in the right direction.

apache2.conf.txt (8.8 KB)

It’s probably somewhere in there:

# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

You need to find the SSLCertificateFile directive (grep -ir "SSLCertificateFile" /etc/apache2 or the appropriate directory)

Does this help?

root@GeoffNAS:~# grep -ir “SSLCertificateFile” /etc/apache2
/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile

Edit - more:

root@GeoffNAS:/etc# grep -ir “SSLCertificateFile” /etc/frontview
/etc/frontview/apache/ssl.conf:SSLCertificateFile /etc/frontview/apache/apache2.pem
/etc/frontview/apache/ssl.conf.orig:SSLCertificateFile /etc/frontview/apache/apache2.pem

I just remembered I had this documented from when I did the reformat. Apparently something happened with ReadyNAS OS during an update that made things… tricky. I had a local guru help me get it working, and documented it for me. Here’s what we had. This let me install it, but it may be why it’s not renewing as well.

Edit: The “tricky” part is that some of the add-ins (Nextcloud, etc.) prevented Let’s Encrypt from installing / updating packages properly. The edits make sure the right packages are installed and don’t auto-update and break, while still ensuring Let’s Encrypt runs.

Near those there should be others, for the ssl certificate key file.

if you run certbot certificates it will tell what to put there (fullchain for certificate and key for key)

(or you can try to use certbot install --apache)

Thank you for your help so far! I found certbot was not installed - I ran an apt-get install certbot to get it loaded, then the following, with results… getting closer.

root@GeoffNAS:/home/admin/crontab# ./LetsEncrypt-Renew.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gjschaller.homeftp.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/gjschaller.homeftp.net/fullchain.pem expires on 2020-06-14 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@GeoffNAS:/home/admin/crontab# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.3.0 renewal configuration file found at /etc/letsencrypt/renewal/gjschaller.homeftp.net.conf with version 0.10.2 of Certbot. This might not work.

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: gjschaller.homeftp.net
    Domains: gjschaller.homeftp.net
    Expiry Date: 2020-06-14 03:50:42+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/gjschaller.homeftp.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gjschaller.homeftp.net/privkey.pem
-------------------------------------------------------------------------------
root@GeoffNAS:/home/admin/crontab# certbot install --apache -d gjschaller.homeftp.net --cert-path /etc/letsencrypt/live/gjschaller.homeftp.net/fullchain.pem --key-path /etc/letsencrypt/live/gjschaller.homeftp.net/privkey.pem
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested apache plugin does not appear to be installed

Getting closer… I did an apt-get install for both certbot and python-certbot-apache, but no luck on the renewing. I think I need to figure out where ReadyNAS configures the domain & certificates, which is not standard for Debian / Apache.

this is expected, it's valid for 60 days.

The issue is that an expired cert is still in use by Apache, and the site is giving a security warning. Let’s Encrypt didn’t update to the renewed / valid cert.

https://gjschaller.homeftp.net/

That’s because the SSLCertificateFile directive is not pointing to /etc/letsencrypt/live/gjschaller.homeftp.net/fullchain.pem but to something else.

(same for the private key and its directive – points to another file, obviously)

1 Like

Does this help? This is from the custom setup for ReadyNAS, in the Google Doc I linked above:

# cd /etc/frontview/apache
# cp apache2.pem apache2.pem.orig
# cp ssl.conf ssl.conf.orig
# nano ssl.conf
below line
"SSLCertificateFile /etc/frontview/apache/apache2.pem"
add the line
"SSLCertificateChainFile /etc/frontview/apache/chain.pem"
Save, and exit
# rm apache2.pem
# cat /etc/letsencrypt/live/fqdn.yourdomain.com/privkey.pem >> apache2.pem
# cat /etc/letsencrypt/live/fqdn.yourdomain.com/cert.pem >> apache2.pem
# cp /etc/letsencrypt/live/fqdn.yourdomain.com/chain.pem chain.pem

I was working off other guides - should those copy / cats instead point to the actual files?

you should convert those commands to a script and use it as --deploy-hook

(if they work – they look dirty)

1 Like

That did it - thank you! I made the script, made sure it backed up / touched / etc. as needed, and the correct cert is now in place. Everything is working again!

I updated my renew script with the --deploy-hook - we’ll see if it works next month.

Thank you again for your help!

1 Like

certbot has a lot of features to avoid creating wrappers around it, each certificate can have its hooks, so certbot knows what scripts to call for each certificate when systemd or crond call certbot renew --quiet twice a day :wink:

so, say I have two certs for apache and for another service, that I got with these commands:

# certbot --apache -d www.example.com -d example.com
# certbot --authenticator apache --deploy-hook /path/to/your/script.sh -d someotherservice.example.com

Then, when I run certbot renew, certbot will know to run that script after renewal, for the second certificate only.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.