Certbot apparently renewed, but server not offering cert on port 443

I think I have renewed my Letsencrypt certificate - when I try to renew again I get:

Processing /etc/letsencrypt/renewal/pathwayanalytics.com.conf
-------------------------------------------------------------------------------
Attempting to parse the version 0.17.0 renewal configuration file found at /etc/letsencrypt/renewal/pathwayanalytics.com.conf with version 0.10.2 of Certbot. This might not work.
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.pathwayanalytics.com/fullchain.pem (skipped)
  /etc/letsencrypt/live/pathwayanalytics.com/fullchain.pem (skipped)
No renewals were attempted.

So I guess the certificates are renewed ok.
But the server is still showing an expired certificate on port 443 at https://crt.sh/?q=pathwayanalytics.com

I have a cron job setup but this has also failed to apply a new certificate in time:
17 */12 * * * /home/charles/certbot-master/certbot-auto renew --quiet --no-self-upgrade --renew-hook 'echo "\nI have renewed the certificate located in ${RENEWED_LINEAGE} and this certificate contains the following domains ${RENEWED_DOMAINS}\n\n" >&2' --post-hook "/opt/bitnami/ctlscript.sh restart"

I am running a Bitnami build of Joomla! on Jessie

What am I doing wrong? Where can I find the expired certificates that are actually being used by my apache server?
Thanks for any help on this.

by searching bitnami on this forum.

Bitnami doesn't use the default location for the config files.

This has cropped up a few times before and there are solutions in the previous posts.

Andrei

Thanks for the steer Andrei -

I updated the httpd-ssl.conf file with the locations of the letsencrypt pem files etc,

https://crt.sh/?q=pathwayanalytics.com
shows the certificate is still not installed.

It did show a valid cert but when my browser still showed the old certificate I restarted apache and now the https://crt.sh/?q=pathwayanalytics.com shows just the old cert installed…

Any ideas?


Certificate now installed (apparently) but browser not receiving it...

OK, so when I edited sudo vi /opt/bitnami/apache2/conf/extra/httpd-ssl.conf I did not read the helpful README file at
/etc/letsencrypt/live/[yourdomain.com]/README:

This directory contains your keys and certificates.

privkey.pem : the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem : used for OCSP stapling in Nginx >=1.3.7.
cert.pem : will break many server configurations, and should not be used
without reading further documentation (see link below).

We recommend not moving these files. For more information, see the Certbot
User Guide at User Guide — Certbot 2.7.0.dev0 documentation.

and I pointed SSLCertificateFile to
"/etc/letsencrypt/live/pathwayanalytics.com/cert.pem"
rather than...
"/etc/letsencrypt/live/pathwayanalytics.com/fullchain.pem"

and SSLCertificateChainFile
"/etc/letsencrypt/live/pathwayanalytics.com/fullchain.pem"
rather than...
"/etc/letsencrypt/live/pathwayanalytics.com/chain.pem"

who was to know??!

Anyway, now I have corrected that and the crt.sh | pathwayanalytics.com shows a shiny new certificate complete with serial number etc. :wink:

BUT my browsers still show: (net::ERR_CERT_DATE_INVALID)
...and the cert serial number still refers to the old certificate.

I have cleared my browser cache and tried other browsers on VMs

Help - what is going on?

Can you check that the renewed certificate is the right one?

openssl x509 -dates -noout -in /etc/letsencrypt/live/pathwayanalytics.com/cert.pem

and then see if there are any other configuration directives referring to copies of the certificate at another location?

grep -r SSLCertificate /opt/bitnami/apache2

yes that looks fine:
notBefore=Aug 3 11:58:00 2017 GMT
notAfter=Nov 1 11:58:00 2017 GMT

sudo grep -r SSLCertificate /opt/bitnami/apache2
returns...
Binary file /opt/bitnami/apache2/modules/mod_ssl.so matches
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server-dsa.key"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server-ecc.key"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# Point SSLCertificateChainFile at a file containing the
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# the referenced file can be the same as SSLCertificateFile
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:#SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:SSLCertificateFile "/etc/letsencrypt/live/pathwayanalytics.com/fullchain.pem"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:SSLCertificateFile "/etc/letsencrypt/live/www.pathwayanalytics.com/fullchain.pem"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:SSLCertificateKeyFile "/etc/letsencrypt/live/pathwayanalytics.com/privkey.pem"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:SSLCertificateKeyFile "/etc/letsencrypt/live/www.pathwayanalytics.com/privkey.pem"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server-dsa.key"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server-ecc.key"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# Point SSLCertificateChainFile at a file containing the
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# the referenced file can be the same as SSLCertificateFile
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:#SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:SSLCertificateChainFile "/etc/letsencrypt/live/pathwayanalytics.com/chain.pem"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:SSLCertificateChainFile "/etc/letsencrypt/live/www.pathwayanalytics.com/chain.pem"
/opt/bitnami/apache2/conf/bitnami/bitnami.conf:#SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/bitnami/bitnami.conf:#SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
/opt/bitnami/apache2/conf/bitnami/bitnami.conf:SSLCertificateFile "/etc/letsencrypt/archive/pathwayanalytics.com/cert1.pem"
/opt/bitnami/apache2/conf/bitnami/bitnami.conf:SSLCertificateKeyFile "/etc/letsencrypt/archive/pathwayanalytics.com/privkey1.pem"
/opt/bitnami/apache2/conf/bitnami/bitnami.conf:SSLCertificateChainFile "/etc/letsencrypt/archive/pathwayanalytics.com/fullchain1.pem"


Thanks for posting this.

This is your problem. All of your web server configurations should always point at the live versions rather than the archive versions, specifically because the live version is updated upon renewal, while the archive version is, well, an archive, and the individual files there are never updated. :slight_smile:

Thanks Schoen - perfect solution!

#To recap, if anyone has the same issue on a Bitnami server.
#Install LetsEncrypt using the normal procedure for your server:

#Search for the location of your live LetsEncrypt .pem files:
sudo find / -name '*.pem'
#they should be somewhere like "/etc/letsencrypt/live/[yourdomain.com]/"

#Edit the Default Virtual Host Conf file for Bitnami
sudo vi /opt/bitnami/apache2/conf/bitnami/bitnami.conf

#and ensure the following parameters are set/replaced to point to the cert files in the /etc/letsencrypt/live/ folder:
SSLCertificateFile "/etc/letsencrypt/live/[yourdomain.com]/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/[yourdomain.com]/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/[yourdomain.com]/chain.pem"
SSLCertificateFile "/etc/letsencrypt/live/[www.yourdomain.com]/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/[www.yourdomain.com]/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/[www.yourdomain.com]/chain.pem"

##NB
#SSLCertificateFile is fullchain.pem
#SSLCertificateKeyFile is privkey.pem
#SSLCertificateChainFile is chain.pem

*** cert.pem is not used ***

#see
sudo vi /etc/letsencrypt/live/[yourdomain.com]/README

#for completeness do the same in
sudo vi /opt/bitnami/apache2/conf/extra/httpd-ssl.conf

#restart apache:
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/ctlscript.sh start

#now auto renew should function without issue:
sudo ./certbot-master/certbot-auto renew
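The two things that went wrong in this thread (directives pointing at archive/ copies that renewal never touches, and cert.pem/fullchain.pem swapped between SSLCertificateFile and SSLCertificateChainFile) are easy to check mechanically, and the "browser still shows the old serial" symptom is answered by comparing the certificate Apache actually presents with the file on disk. The script below is an added example, not code from the thread or from Bitnami/Certbot; the Bitnami config paths, the hypothetical HOST variable and example.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Audits Apache SSLCertificate* directives
# for the mistakes discussed above and compares the served cert with the disk copy.
# Assumptions: Bitnami layout under /opt/bitnami/apache2 (hypothetical paths),
# lineage under /etc/letsencrypt/live/$HOST, HOST defaulting to example.com.

# audit_ssl_directives FILE...
# Prints one line per problem; returns 1 if any problem was found, else 0.
# Flags:
#   - any path under /etc/letsencrypt/archive/ (those files are never rewritten;
#     renewal only repoints the symlinks in live/)
#   - SSLCertificateFile -> cert.pem (leaf only; clients get no intermediate)
#   - SSLCertificateChainFile -> fullchain.pem (leaf would be sent twice)
audit_ssl_directives() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comment lines
        $1 ~ /^SSLCertificate(Key|Chain)?File$/ {
            path = $2; gsub(/"/, "", path)
            if (path ~ /\/etc\/letsencrypt\/archive\//) {
                printf "%s:%d: %s points at an archive copy that never changes: %s\n", FILENAME, FNR, $1, path
                bad++
            }
            if ($1 == "SSLCertificateFile" && path ~ /\/cert\.pem$/) {
                printf "%s:%d: SSLCertificateFile should be fullchain.pem, not cert.pem\n", FILENAME, FNR
                bad++
            }
            if ($1 == "SSLCertificateChainFile" && path ~ /\/fullchain\.pem$/) {
                printf "%s:%d: SSLCertificateChainFile should be chain.pem, not fullchain.pem\n", FILENAME, FNR
                bad++
            }
        }
        END { if (bad) exit 1 }
    ' "$@"
}

# file_fingerprint PEMFILE : SHA-256 fingerprint of the first (leaf) cert in the file
file_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# served_fingerprint HOST [PORT] : fingerprint of the leaf cert the server actually
# presents. SNI is sent so the right name-based vhost answers. Needs network access.
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256
}

main() {
    host=${HOST:-example.com}                          # hypothetical default
    lineage=/etc/letsencrypt/live/$host
    audit_ssl_directives \
        /opt/bitnami/apache2/conf/extra/httpd-ssl.conf \
        /opt/bitnami/apache2/conf/bitnami/bitnami.conf \
        || echo "fix the directives above, then restart Apache"
    disk=$(file_fingerprint "$lineage/fullchain.pem")
    served=$(served_fingerprint "$host")
    if [ "$disk" = "$served" ]; then
        echo "OK: Apache is serving $lineage/fullchain.pem"
    else
        echo "MISMATCH: Apache is serving something other than $lineage/fullchain.pem"
        echo "  on disk: $disk"
        echo "  served : $served"
    fi
}

# Run the live checks only when asked: HOST=yourdomain sh audit.sh --live
case "${1:-}" in --live) main ;; esac
```

If the fingerprints differ after the directives are clean, the usual remaining causes are a second VirtualHost (or a second config file) still serving the old files, or Apache not having been restarted since the files changed; `grep -r SSLCertificate /opt/bitnami/apache2/conf` finds the former, `ctlscript.sh restart` fixes the latter.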

You'll only need each of these items once, not twice. :slight_smile:

I'm glad this fix worked for you.

well done

one last thing for you to tidy up.

Currently your cert covers www.pathwayanalytics.com

To get a good user experience you can do one of two things.

A) Rewrite all /pathwayanalytics.com to www.pathwayanalytics.com
B) Get a certificate that covers both www.pathwayanalytics.com and pathwayanalytics.com

Andrei
