Certificate OK, but HTTPS access impossible (apparently since the last certificate renewal)

Hello,

Short English version
My certificate has been correctly renewed, but now HTTPS access to my websites is not possible (e.g. https://eastndc.eu/ or https://fileshare.acroe-ica.org/ )

I am very sorry, but I cannot get to grips with the issue with my limited expertise!

Thanks for your upcoming help!

Short French version (translated)
My certificate was renewed successfully, but for a few days now HTTPS access to the websites covered by this certificate has been failing (probably since the renewal).

I rebooted the machine; that changed nothing.

Details below, after the requested information.

I can read responses in English: Yes indeed!

My domain name is:
eastndc.eu
fileshare.eastndc.eu
fileshare.acroe-ica.org

I ran this command:
/usr/bin/certbot renew --renew-hook "/root/haproxy_letsencrypt/concat_certificate.sh"

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/fileshare.acroe-ica.org.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/fileshare.acroe-ica.org/fullchain.pem expires on 2021-03-05 (skipped)
No renewals were attempted.
No hooks were run.

My web server is (include version):
haproxy version 1.6.3 2015/12/25

The operating system my web server runs on is (include version):
Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is:
Hosting: myself! But on another machine (relay provided by HAProxy)
DNS: gandi

I can login to a root shell on my machine (yes or no, or I don't know):
yes indeed

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

===

Hello,

The certificate concerned was renewed, I think automatically, on 3 January 2021.
Successfully (see logs).

I don't know whether it worked between 3 January and 5 January, but in any case since yesterday HTTPS access to the websites covered by this certificate has been failing, for example:
https://eastndc.eu/
or
https://fileshare.acroe-ica.org/

I rebooted the machine that hosts the certificate (running HAProxy), then restarted HAProxy again, but HTTPS access still does not work.

I am not a specialist and ... am quite at a loss to diagnose the cause of the problem!

Many, many thanks in advance for your help!
Nicolas

Can you show the output of certbot certificates? Because as far as I can see, you've got valid certificates from December 2020 for all your mentioned domains (and a test subdomain it seems).

Also, I'm interested in the script /root/haproxy_letsencrypt/concat_certificate.sh. What is actually using the (wrong) certificate? Does HAProxy function as the TLS endpoint? Or Apache? Because your site says its server is Apache 2.4.18.

2 Likes

Hello Osiris,

Here is the output of certbot certificates

certbot certificates
[sudo] password for gsiacroeica:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: fileshare.acroe-ica.org
    Domains: fileshare.acroe-ica.org eastndc.eu fileshare.eastndc.eu www-test.eastndc.eu
    Expiry Date: 2021-03-05 15:14:03+00:00 (VALID: 55 days)
    Certificate Path: /etc/letsencrypt/live/fileshare.acroe-ica.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fileshare.acroe-ica.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Because as far as I can see, you've got valid certificates from December 2020 for all your mentioned domains (and a test subdomain it seems):

Indeed, I also think the certificates are valid!

What is actually using the (wrong) certificate?

None AFAIK! This is why I do not understand!

Also, I'm interested in the script /root/haproxy_letsencrypt/concat_certificate.sh

I don't think this is the issue, but here it is:
#!/bin/bash
# Renew hook: build the single PEM file HAProxy expects (full chain
# followed by the private key) and restart HAProxy so it loads it.
set -eu

DOMAIN='fileshare.acroe-ica.org'

mkdir -p /etc/haproxy/certs

# HAProxy reads the certificate chain and the key from one file
cat "/etc/letsencrypt/live/$DOMAIN/fullchain.pem" \
    "/etc/letsencrypt/live/$DOMAIN/privkey.pem" > "/etc/haproxy/certs/$DOMAIN.pem"

# The combined file contains the private key: owner access only
chmod go-rwx "/etc/haproxy/certs/$DOMAIN.pem"

chown haproxy:haproxy "/etc/haproxy/certs/$DOMAIN.pem"

service haproxy restart

Does HAProxy function as the TLS endpoint? Or Apache? Because your site says its server is Apache 2.4.18.

I do not understand the notion of "TLS endpoint", sorry :(
This being said:

  • the websites are not hosted on the HAProxy machine. HAProxy only forwards the requests to 2 other machines.
  • https://eastndc.eu is forwarded to a machine which runs, you are correct, Apache 2.4.18
  • https://fileshare.acroe-ica.org is forwarded to a Synology NAS.

Finally:

  • the system and certificate were running OK until the past few days.
  • note that the HAProxy machine runs a quite old Ubuntu (Ubuntu 16.04.6 LTS).

What is actually using the (wrong) certificate?

Well, I have no idea :(

I hope I answered your questions correctly!
Thanks,
Nicolas
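A more robust variant of that hook, added here as an example (it is not the script from the post above and not certbot's or HAProxy's own code). It relies on RENEWED_LINEAGE, the lineage directory certbot exports to deploy hooks (--renew-hook is the older spelling of --deploy-hook), writes the combined file atomically with owner-only permissions, checks that the result really contains a certificate and a key, and validates the HAProxy configuration before reloading, so a broken deployment leaves the old certificate serving instead of taking the proxy down. The certificate directory, config path and the reload command are assumptions taken from the thread. Installing such a script in /etc/letsencrypt/renewal-hooks/deploy/ (certbot 0.19 and later) runs it after every successful renewal, whichever cron job or timer invoked certbot renew, without depending on the flag being repeated on every command line.

```shell
#!/bin/bash
# Added example deploy hook for certbot + HAProxy (not the script from the
# thread). Assumed paths: /etc/haproxy/certs and /etc/haproxy/haproxy.cfg.
set -eu

CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_CFG="${HAPROXY_CFG:-/etc/haproxy/haproxy.cfg}"

# build_haproxy_pem <lineage-dir> <output-file>
# Writes fullchain.pem followed by privkey.pem to <output-file>, via a
# temp file that is renamed into place, so HAProxy never sees a half-written
# file. Returns 1 (and writes nothing) when the lineage is incomplete.
build_haproxy_pem() {
    local lineage="$1" out="$2" tmp
    [ -s "$lineage/fullchain.pem" ] && [ -s "$lineage/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    }
    tmp="$(mktemp "$(dirname "$out")/.pem.XXXXXX")"   # created mode 0600
    cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"
    chmod 0600 "$tmp"                                  # file holds the private key
    mv -f "$tmp" "$out"                                # rename is atomic
}

# pem_has_key_and_cert <file>: sanity check before touching HAProxy
pem_has_key_and_cert() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# deploy: build the file for the renewed lineage and reload HAProxy
deploy() {
    local name out
    name="$(basename "$RENEWED_LINEAGE")"      # e.g. fileshare.acroe-ica.org
    out="$CERT_DIR/$name.pem"
    mkdir -p "$CERT_DIR"
    build_haproxy_pem "$RENEWED_LINEAGE" "$out"
    pem_has_key_and_cert "$out"
    chown haproxy:haproxy "$out"
    # Refuse to reload on a broken config; the running HAProxy keeps the
    # previous certificate until the problem is fixed.
    haproxy -c -q -f "$HAPROXY_CFG"
    service haproxy reload
    echo "deployed $out from $RENEWED_LINEAGE"
}

# certbot sets RENEWED_LINEAGE when it calls a deploy hook. Without it
# (sourced for testing, or run by hand with no lineage) nothing is deployed.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy
fi
```

To run it by hand for the lineage in this thread (assumed path): RENEWED_LINEAGE=/etc/letsencrypt/live/fileshare.acroe-ica.org /etc/letsencrypt/renewal-hooks/deploy/haproxy.sh. A plain reload rather than restart keeps existing client connections open; the original script's restart also works.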

Seems to be fine.

With "TLS endpoint" I mean the software program (e.g. Apache or HAProxy) to which the client's web browser connects for the actual encrypted HTTPS connection.
You could imagine a program, let's say A, listening on port 443, accepting connections on a TCP level, but forwarding the contents of the connection to program B. Program B would then decrypt the HTTPS connection, present the certificate, et cetera. In that case, your web browser would be connected to program A, but the actual TLS endpoint would be program B.

But HAProxy might be the TLS endpoint. HAProxy and Apache can very well be speaking plain, old, unencrypted HTTP.

Does your NAS have the (now expired) certificate installed? I'm guessing it doesn't. That would also be an argument that HAProxy is the software actually using the certificate.

That would mean something is not functioning well between certbot and HAProxy. The script might be malfunctioning. It might be the script wasn't called for some reason.

First, easy one, we might check when the file used by HAProxy was created with:

ls -l /etc/haproxy/certs/fileshare.acroe-ica.org.pem

If that is the same date as when the newly issued certificate was created, then certbot and the script are fine, but for some reason HAProxy doesn't use it. If it is a date from approx. 90 days ago, then the script didn't work or certbot didn't run it for some reason.

Note: never ever share the contents of the /etc/haproxy/certs/fileshare.acroe-ica.org.pem file! It contains your private key.

1 Like
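A way to make that comparison exact without ever displaying the file, added here as an example (not from the thread): compare the SHA-256 fingerprint and expiry of the leaf certificate in the HAProxy file with certbot's fullchain.pem, and optionally with the certificate the server actually presents on port 443. openssl x509 reads only the first PEM block in a file, so the private key appended after the chain is never printed. The file paths and host names in the usage line are assumptions taken from the thread; the function names are mine.

```shell
#!/bin/bash
# Added example (not from the thread): is the certificate HAProxy loads the
# one certbot issued? Assumed paths: /etc/letsencrypt/live/<name>/fullchain.pem
# and /etc/haproxy/certs/<name>.pem.
set -eu

# fingerprint <pem-file>: SHA-256 fingerprint of the first (leaf) certificate.
# Safe on the HAProxy file: the key that follows the chain is never read.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# not_after <pem-file>: expiry date of the leaf certificate
not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# expires_within <pem-file> <seconds>: success when the leaf certificate
# expires within <seconds> (openssl -checkend succeeds when it does not)
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# compare_deployed <certbot fullchain.pem> <haproxy combined pem>
# Prints both fingerprints and expiries; returns 1 when they differ,
# i.e. the hook did not deploy the renewed certificate.
compare_deployed() {
    local live_fp deployed_fp
    live_fp="$(fingerprint "$1")"
    deployed_fp="$(fingerprint "$2")"
    echo "certbot : $live_fp (expires $(not_after "$1"))"
    echo "haproxy : $deployed_fp (expires $(not_after "$2"))"
    [ "$live_fp" = "$deployed_fp" ]
}

# served_fingerprint <host> [port]: fingerprint of the certificate presented
# on the wire with SNI, i.e. what a browser sees. Needs network access.
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage: check_cert.sh <certbot fullchain.pem> <haproxy pem>
if [ $# -eq 2 ]; then
    compare_deployed "$1" "$2"
fi
```

For the thread's setup that is check_cert.sh /etc/letsencrypt/live/fileshare.acroe-ica.org/fullchain.pem /etc/haproxy/certs/fileshare.acroe-ica.org.pem; a mismatch there means the hook did not run or failed, while a match combined with a different served_fingerprint fileshare.acroe-ica.org means HAProxy has not reloaded the file.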

Hello again,

sorry for my delay, I was away from office these days.

But HAProxy might be the TLS endpoint. HAProxy and Apache can very well be speaking plain, old, unencrypted HTTP.

Indeed, HAProxy exchanges with the Apache and Synology machine in unencrypted HTTP (these machine are not exposed on the Internet).

I suppose this indeed means that HAProxy is the TLS endpoint!?

Does your NAS have the (now expired) certificate installed? I'm guessing it doesn't. That would also be an argument that HAProxy is the software actually using the certificate.

Your guess is correct!
The Apache and Synology machines have never had the certificate. Only HAProxy. So far, it worked like a charm!

ls -l /etc/haproxy/certs/fileshare.acroe-ica.org.pem

October 6, 2020:
-rw------- 1 haproxy haproxy 5360 Oct 6 12:06 /etc/haproxy/certs/fileshare.acroe-ica.org.pem

I hope I answered everything so far!
But I am still lost :(
Thanks,
Nicolas

Hello again,

Following your previous hint, Osiris, I tried:

  • to remove /etc/haproxy/certs/fileshare.acroe-ica.org.pem
  • then to renew it with the new certificate (dated 4 January 2021).

As far as I can tell, everything now works like a charm again!
For some reason, my renew hook did not function properly on January 4th.

I would be very grateful if someone could confirm my certificate is now OK.

But, anyhow, thank you very much for your help in investigating this issue!
Best,
Nicolas

2 Likes

I confirm your site is working fine now and it is using a certificate issued on December 5th.

2 Likes