Certbot - Certificate Issued from Let's Encrypt but Live Certificates Pointing At Previous Versions

Please fill out the fields below so we can help you better.

My domain is: zenit4you.win www.zenit4you.win m.zenit4you.win

I ran this command: ./certbot-auto certonly --nginx -d zenit4you.win -d www.zenit4you.win -d m.zenit4you.win

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command. The renew verb may provide other options for selecting certificates to renew in the future.
root@1ng:/opt/certbot-auto# ./certbot-auto certonly --nginx -d zenit4you.win -d www.zenit4you.win -d m.zenit4you.win
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for zenit4you.win
tls-sni-01 challenge for www.zenit4you.win
tls-sni-01 challenge for m.zenit4you.win
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/zenit4you.win/fullchain.pem. Your cert will
    expire on 2017-05-31. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot-auto again. To
    non-interactively renew all of your certificates, run
    "certbot-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@1ng:/opt/certbot-auto# date
Fri Jun 2 12:13:52 MSK 2017

My web server is (include version): nginx/1.12.0

The operating system my web server runs on is (include version):
Ubuntu 16.04.2 LTS

My hosting provider, if applicable, is:
n/a
I can login to a root shell on my machine (yes or no, or I don’t know):
no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


then,

openssl x509 -in /etc/letsencrypt/live/zenit4you.win/cert.pem -text -noout

got:
Validity
Not Before: Mar 2 05:50:00 2017 GMT
Not After : May 31 05:50:00 2017 GMT
the cert issued is already OUTDATED
current day is 2 Jun 2017

what am I doing wrong?

Could you please post the output of the following commands?

ls /etc/letsencrypt/archive
ls -l /etc/letsencrypt/live/zenit4you.win
ls -lt /etc/letsencrypt/archive/zenit4you.win
certbot-auto certificates

I’m thinking that this sounds similar to a problem seen recently where the new certificate is issued correctly, but for some unknown reason the symbolic links in /etc/letsencrypt/live don’t get updated, or get updated incorrectly.

Are you using Docker?

hi @shadowhide

The problem is definitely down at the client end and the folders/directories

I can see you have been issued several certificates in the last few days

https://crt.sh/?q=zenit4you.win

Andrei

#ls /etc/letsencrypt/archive
/etc/letsencrypt/archive/zenit4you.win:
cert1.pem cert2.pem chain1.pem chain2.pem fullchain1.pem fullchain2.pem privkey1.pem privkey2.pem

/etc/letsencrypt/archive/zenit4you.win-0002:
cert1.pem chain1.pem fullchain1.pem privkey1.pem

#ls -l /etc/letsencrypt/live/zenit4you.win
lrwxrwxrwx 1 root root 42 Jun 2 12:17 cert.pem -> ../../archive/zenit4you.win-0002/cert1.pem
lrwxrwxrwx 1 root root 43 Jun 2 12:17 chain.pem -> ../../archive/zenit4you.win-0002/chain1.pem
lrwxrwxrwx 1 root root 47 Jun 2 12:17 fullchain.pem -> ../../archive/zenit4you.win-0002/fullchain1.pem
lrwxrwxrwx 1 root root 45 Jun 2 12:17 privkey.pem -> ../../archive/zenit4you.win-0002/privkey1.pem

#ls -lt /etc/letsencrypt/archive/zenit4you.win
-rw-r--r-- 1 root root 1838 Jun 2 12:17 cert2.pem
-rw-r--r-- 1 root root 1647 Jun 2 12:17 chain2.pem
-rw-r--r-- 1 root root 3485 Jun 2 12:17 fullchain2.pem
-rw-r--r-- 1 root root 1708 Jun 2 12:17 privkey2.pem
-rw-r--r-- 1 root root 3489 May 27 22:28 fullchain1.pem
-rw-r--r-- 1 root root 1842 May 27 22:28 cert1.pem
-rw-r--r-- 1 root root 1647 May 27 22:28 chain1.pem
-rw-r--r-- 1 root root 1708 May 27 22:28 privkey1.pem

yes, it looks like the symlinks were not updated

after manually recreating the symlinks, all works fine

is it a bug in the certbot client?

Possibly. I've never managed to replicate it myself, but it's come up a couple of times in the forum.

Did you make any manual changes to the contents of /etc/letsencrypt/ at any point (other than updating the symlinks just now)?

The surprising thing is that the symlinks in live/zenit4you.win are pointing to certificates in archive/zenit4you.win-0002 rather than archive/zenit4you.win (where the renewed one was saved); this is also similar to the previous case of this bug.

@schoen you might be interested in this...
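The mismatch described in this reply (links in live/zenit4you.win pointing into archive/zenit4you.win-0002 while the renewal landed in archive/zenit4you.win) is easy to miss by eye, so here is an added shell example that audits one lineage's live/ symlinks and repoints them the way the original poster did by hand. It is not from the thread or from Certbot itself; the function names are mine, and it assumes the standard layout where live/<name>/{cert,chain,fullchain,privkey}.pem link to ../../archive/<name>/<kind>N.pem. The make_fixture function builds a constructed copy of the directory listing posted above in a temp dir (placeholder file contents, not real PEM data) so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): audit one lineage's
# live/ symlinks against its own archive/ directory and repoint them if needed.
# Assumed layout: live/<name>/{cert,chain,fullchain,privkey}.pem are symlinks
# to ../../archive/<name>/<kind>N.pem, with N increasing on every renewal.

# newest_version DIR KIND: print the highest N for which DIR/KINDN.pem exists (0 if none).
newest_version() {
    best=0
    for f in "$1"/"$2"[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/$2}; n=${n%.pem}
        case $n in *[!0-9]*) continue ;; esac   # skip odd names such as cert1a.pem
        [ "$n" -gt "$best" ] && best=$n
    done
    echo "$best"
}

# check_live_lineage ROOT NAME: return 0 when all four symlinks point at the
# newest file in ROOT/archive/NAME; print one line per problem and return 1 otherwise.
check_live_lineage() {
    live="$1/live/$2"; archive="$1/archive/$2"; rc=0
    [ -d "$archive" ] || { echo "NO-ARCHIVE $archive"; return 1; }
    expect=$(cd "$archive" && pwd -P)
    for kind in cert chain fullchain privkey; do
        link="$live/$kind.pem"
        if [ ! -L "$link" ]; then echo "NOT-A-SYMLINK $link"; rc=1; continue; fi
        target=$(readlink "$link")
        if [ ! -e "$link" ]; then echo "DANGLING $link -> $target"; rc=1; continue; fi
        case $target in /*) abs=$target ;; *) abs="$live/$target" ;; esac
        # cd + pwd -P collapses the ../../ components so lineages compare by real path.
        absdir=$(cd "$(dirname "$abs")" && pwd -P)
        if [ "$absdir" != "$expect" ]; then
            # The state posted above: live/zenit4you.win pointing into zenit4you.win-0002.
            echo "WRONG-LINEAGE $link -> $target"; rc=1; continue
        fi
        have=$(basename "$abs"); have=${have#$kind}; have=${have%.pem}
        want=$(newest_version "$archive" "$kind")
        if [ "$have" != "$want" ]; then
            echo "STALE $link -> $kind$have.pem (newest is $kind$want.pem)"; rc=1
        fi
    done
    return $rc
}

# repoint_live_lineage ROOT NAME: recreate the four symlinks so they point at the
# newest version in ROOT/archive/NAME (the manual fix the original poster applied).
repoint_live_lineage() {
    live="$1/live/$2"; archive="$1/archive/$2"; name=$2
    [ -d "$archive" ] || { echo "NO-ARCHIVE $archive"; return 1; }
    mkdir -p "$live"
    for kind in cert chain fullchain privkey; do
        n=$(newest_version "$archive" "$kind")
        [ "$n" -gt 0 ] || { echo "no $kind*.pem in $archive"; return 1; }
        rm -f "$live/$kind.pem"
        ln -s "../../archive/$name/$kind$n.pem" "$live/$kind.pem"
    done
}

# make_fixture ROOT: constructed copy of the directory state posted in the thread
# (placeholder contents, not real PEM data).
make_fixture() {
    mkdir -p "$1/archive/zenit4you.win" "$1/archive/zenit4you.win-0002" "$1/live/zenit4you.win"
    for kind in cert chain fullchain privkey; do
        echo "$kind version 1 (May 27)" > "$1/archive/zenit4you.win/${kind}1.pem"
        echo "$kind version 2 (Jun 2 renewal)" > "$1/archive/zenit4you.win/${kind}2.pem"
        echo "$kind of the -0002 lineage" > "$1/archive/zenit4you.win-0002/${kind}1.pem"
        ln -s "../../archive/zenit4you.win-0002/${kind}1.pem" "$1/live/zenit4you.win/$kind.pem"
    done
}

# Demo: rebuild the posted state, audit it, repair it, audit again.
ROOT=$(mktemp -d)
make_fixture "$ROOT"
check_live_lineage "$ROOT" zenit4you.win || echo "audit FAILED (as in the thread); repairing"
repoint_live_lineage "$ROOT" zenit4you.win
check_live_lineage "$ROOT" zenit4you.win && echo "audit OK: $(readlink "$ROOT/live/zenit4you.win/cert.pem")"
rm -rf "$ROOT"
```

On a real host, drop the demo lines and run `check_live_lineage /etc/letsencrypt <name>` for each lineage after every renewal; a non-zero exit is the signal that the web server is about to serve (or is already serving) an older certificate than the one Certbot just reported saving. Repointing is deliberately a separate function so the audit can run read-only from cron and the repair stays a conscious step.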

I did not make any changes

docker is not used

BTW, a few days ago I played with Lego (python letsencrypt client (domain validation via DNS))

maybe certbot-auto does not override certificates already issued by other clients…

Does Lego also save certificates under /etc/letsencrypt/archive? That might definitely be causing this problem…

I don’t use lego but according to its README it defaults to ${CWD}/.lego unless you override it with --path.

@bmw, I think we’ve had at least three reports like this where symlinks somehow point into a different lineage’s (with the same lineage name except -0001 or -0002) archive directory.

Can you think of anything that could cause this? It seems like a severe potential storage.py or renewal.py bug, yet my recollection of how RenewableCert works makes it hard to envision how this can happen.

Oh wow. I played with this for a bit trying to reproduce but was unable to (without manually modifying /etc/letsencrypt).

@shadowhide, I’m very interested in the commands you ran to get Certbot into this state. Would you be willing to provide the contents of /var/log/letsencrypt? This directory should contain a number of log files allowing me to get more information about what happened. Feel free to redact values like domains, email, and IP addresses as you feel appropriate. You’re also welcome to email them to me directly rather than posting them here. My email is bmw@eff.org.

Additionally, if anyone is able to give me a link to another thread where a user hit this issue without manually modifying /etc/letsencrypt, I’d appreciate it!

@bmw, the other one that I remember is

but I think there is even a third one somewhere.

I’ve seen at least one case where, in the end, someone had manually renamed the directory.

This?

Yes, thanks @jmorahan!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.