Cert stopped working

Bferster · February 19, 2021, 3:06pm

My SSL stopped working all of a sudden today for my secure websocket server
The HTTPS server seems fine/
Clicking on the cert lock icon in Chrome shows that it expires 4/19/21
I renewed it today, it still shows that renewal

I reference the certs in the nodeJS server like this:

const server = https.createServer({
            cert: fs.readFileSync("/opt/bitnami/apache2/conf/server.crt"),
            key: fs.readFileSync("/opt/bitnami/apache2/conf/server.key")
            });

It looks like those two files are updated on the server (they have today's date)

My domain is: etal.live
My web server is (include version): Apache
The operating system my web server runs on is (include version): Debian/GNU Linux
My hosting provider, if applicable, is: AWS Lightsail
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): apt-cache policy certbot | grep Installed

JuergenAuer · February 19, 2021, 3:14pm

Hi @Bferster

what's your wss port? https works, the certificate is ~~ one month old.

Bferster:

const server = https.createServer({
            cert: fs.readFileSync("/opt/bitnami/apache2/conf/server.crt"),
            key: fs.readFileSync("/opt/bitnami/apache2/conf/server.key")
            });

Did you restart your server?

Bferster · February 19, 2021, 6:17pm

Yes.
I rebuilt the site completely and installed a new cert, which seems to be working now
It seems I don't have permissions to load the crt & key files and now get this error from nodeJs:

Error: EACCES: permission denied, open '/opt/bitnami/apache/conf/server.crt'

Bferster · February 19, 2021, 6:19pm

The WS port is located at 8080

JuergenAuer · February 19, 2021, 6:28pm

Fix it, that can't work.

Bferster · February 19, 2021, 6:48pm

I hate to sound desperate, but I not sure how to fix it.

schoen · February 19, 2021, 7:20pm

You might want to look at a tutorial about Unix file permissions and ownership like

https://www.tutorialspoint.com/unix/unix-file-permission.htm

(that was just the first DuckDuckGo result for unix file permissions at DuckDuckGo).

A related question is what software is creating these files.

Bferster · February 19, 2021, 7:49pm

Thanks for the links.
I was able to change permissions,
but is it ok from Certbot's point of view to open this file:

/etc/letsencrypt/live/etal.live/privkey.pem

or does it need to be restricted so you can update it?

schoen · February 21, 2021, 5:46am

You might find that newly-renewed certificates are automatically given more-restrictive permissions by Certbot again. One option to change this is with a custom --deploy-hook script. (Or you could use Bitnami's tutorial, which I think is based on lego instead of Certbot.)