Certificate Expiration

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
https://barryserver.com with https://www.barryserver.com and dav.barryserver.com as alternates

I ran this command:
acme-client -Fv barryserver.com && rcctl reload httpd

It produced this output: OK

My web server is (include version): Apache??

The operating system my web server runs on is (include version): OpenBSD v 7.3 x64

My hosting provider, if applicable, is: vultr for machine hosting

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not using certbot; use acme-client.

I'm new to this game and I have set up a cron job to update my certificates and have forced the update with the command below. However I seem to keep getting security errors related to certificate expiration when accessing the website and checking calendar entries (dav.barryserver.com).

There doesn't seem to be an issue with getting a certificate: you already forced 2 unnecessary issuances (crt.sh | barryserver.com). So please stop forcing new issuances, as that leads to hitting rate limits in 2 issuances.

With the lack of information I'm just guessing here, but it probably has something to do with your webserver still using the old certificate instead of the new one. You already reloaded the webserver from the looks of it, so that isn't it. Maybe Apache is configured to use the old one directly? We'd need to see the Apache configuration to check that.

Where does acme-client store the certificates? What's the directory structure of /etc/acme/? Unfortunately the documentation of the client is, well, almost non-existent. Only a flimsy man page...

2 Likes

If you are using the standard OpenBSD httpd server can you show us the /etc/httpd.conf file? That points to the certs. You probably ended up with the new certs in one folder while httpd.conf points somewhere else.

4 Likes

barryserver$ cat httpd.conf

prefork 5

types {
  include "/usr/share/misc/mime.types"
}

server "barryserver.com" {
  listen on * port 80
  location "/.well-known/acme-challenge/*" {
    root "/acme"
    request strip 2
  }
  location * {
    block return 301 "https://$HTTP_HOST$REQUEST_URI"
  }
}

server "barryserver.com" {
  listen on 127.0.0.1 port 8080
  default type text/html
  location "/pub/*" {
    directory auto index
  }
}

Huh. Well, I don't know OpenBSD except from a quick look at their docs.

But, I was looking for something like below from their docs (link here). Do you know where the config for port 443 is?

server "example.com" {
  listen on * tls port 443
  tls {
    certificate "/etc/ssl/example.com.fullchain.pem"
    key "/etc/ssl/private/example.com.key"
  }
}

4 Likes

Only one file in the acme directory: letsencrypt-privkey.pem

acme-client.conf file is as follows:

barryserver$ cat acme-client.conf
authority letsencrypt {
  api url "https://acme-v02.api.letsencrypt.org/directory"
  account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
  api url "https://acme-staging-v02.api.letsencrypt.org/directory"
  account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain barryserver.com {
  alternative names { www.barryserver.com dav.barryserver.com }
  domain key "/etc/ssl/private/barryserver.com:443.key"
  domain full chain certificate "/etc/ssl/barryserver.com:443.crt"
  sign with letsencrypt
}

Contents of the /etc/ssl/ directory are:

barryserver# cd ssl
barryserver# ls
barryserver.com:443.crt dovecot-openssl.cnf private
barryserver.com:443.crt.1 ikeca.cnf x509v3.cnf
cert.pem openssl.cnf

Inside private is barryserver.com:443.key

If the cert.pem file is my certification, I notice that the creation date is March 25, 2023.

barryserver# ls -lT
total 752
-r--r--r-- 1 root wheel 5922 Nov 8 20:06:37 2023 barryserver.com:443.crt
-r--r--r-- 1 root wheel 5918 Nov 8 04:57:02 2023 barryserver.com:443.crt.1
-r--r--r-- 1 root bin 341121 Mar 25 16:14:50 2023 cert.pem
-rw-r--r-- 1 root wheel 496 Jun 6 19:47:58 2023 dovecot-openssl.cnf
-rw-r--r-- 1 root wheel 2703 Mar 25 16:14:50 2023 ikeca.cnf
-r--r--r-- 1 root bin 745 Mar 25 16:14:50 2023 openssl.cnf
drwx------ 2 root wheel 512 Jun 1 20:09:37 2023 private
-r--r--r-- 1 root bin 1006 Mar 25 16:14:50 2023 x509v3.cnf

And finally, the mime.types file that is included has this line:

application/x-x509-ca-cert der pem crt

Does this mean that Apache would be looking for a pem file first (and finding the old Mar 25 version) before the current crt file?

Thank you all for your patience and assistance!

1 Like

What shows?:
netstat -pant | grep -i listen

3 Likes

I don't see Apache being used. I think you are using the standard OpenBSD built-in httpd server, because of the response headers for these requests:

curl -I http://barryserver.com
HTTP/1.0 301 Moved Permanently
Date: Wed, 08 Nov 2023 23:20:53 GMT
Server: OpenBSD httpd

If you were using Apache it would say "Server: Apache" (most likely)

From your home directory can you show us this result

ls -lR 

and also this

ls -lR /etc/ssl

4 Likes

The first:

barryserver$ ls -lR
.:
total 4
drwxr-xr-x 7 barry barry 512 Nov 8 03:59 barry

./barry:
total 608
drwx------ 8 barry barry 512 Nov 8 23:15 Maildir
-rw------- 1 barry barry 217491 Aug 7 20:56 PASSPORT.JPG
drwxr-xr-x 2 barry barry 512 Jun 1 20:42 bin
-rw-r--r-- 1 barry barry 16384 Jun 16 01:59 ex1
-rw-r--r-- 1 barry barry 16384 Jun 16 02:01 ex1.db
drwx------ 3 barry barry 512 Jun 2 03:03 radicale
drwx------ 5 barry barry 512 Jun 3 01:14 sent
-rw-r--r-- 1 barry barry 21 Jun 16 02:36 test_file_1.txt
-rw-r--r-- 1 barry barry 20991 Nov 8 03:59 ti.sh

./barry/Maildir:
total 64
drwx------ 2 barry barry 512 Oct 28 19:48 cur
-rw------- 1 barry barry 346 Oct 28 19:31 dovecot-uidlist
-rw------- 1 barry barry 8 Jun 6 21:13 dovecot-uidvalidity
-r--r--r-- 1 barry barry 0 Jun 6 19:56 dovecot-uidvalidity.647f8f81
-rw------- 1 barry barry 716 Nov 7 00:30 dovecot.index.cache
-rw------- 1 barry barry 7896 Nov 7 00:30 dovecot.index.log
-rw------- 1 barry barry 6624 Nov 7 03:50 dovecot.list.index.log
-rw------- 1 barry barry 72 Jun 6 21:13 dovecot.mailbox.log
drwx------ 2 barry barry 512 Oct 28 19:31 new
-rw------- 1 barry barry 43 Jun 6 21:13 subscriptions
drwx------ 2 barry barry 512 Oct 28 18:08 tmp

./barry/Maildir/cur:
total 808
-rw------- 1 barry barry 3081 Jun 3 01:11 1685754703.2e93c30d.barryserver.com:2,S
-rw------- 1 barry barry 5613 Jun 6 22:24 1686090255.66994564.barryserver.com:2,RS
-rw------- 1 barry barry 299118 Aug 7 19:17 1691435829.7695e3c8.barryserver.com:2,S
-rw------- 1 barry barry 3673 Sep 11 14:50 1694443821.db473071.barryserver.com:2,S
-rw------- 1 barry barry 64880 Sep 29 22:37 1696027078.433feeef.barryserver.com:2,S
-rw------- 1 barry barry 5298 Oct 28 18:08 1698516499.50b0d222.barryserver.com:2,RS

./barry/Maildir/new:
total 0

./barry/Maildir/tmp:
total 0

./barry/bin:
total 12
-rwx------ 1 barry barry 82 Jun 1 20:00 m
-rwx------ 1 barry barry 63 Jun 1 20:01 m-x
-rwx------ 1 barry barry 71 Jun 1 20:41 radbak

./barry/radicale:
total 4
drwxr-xr-x 3 barry barry 512 Jun 2 03:03 collections

./barry/radicale/collections:
total 4
drwxr-xr-x 3 barry barry 512 Jun 2 03:03 collection-root

./barry/radicale/collections/collection-root:
total 4
drwxr-xr-x 4 barry barry 512 Jun 2 03:03 barry

./barry/radicale/collections/collection-root/barry:
total 8
drwxr-xr-x 3 barry barry 1536 Nov 3 03:03 0dd3ebc3-17b8-e9b7-c624-cf0a107a5b1f
drwxr-xr-x 3 barry barry 512 Nov 1 03:03 9ba008bb-3b6c-3d29-63d7-3da111e3c17b

./barry/radicale/collections/collection-root/barry/0dd3ebc3-17b8-e9b7-c624-cf0a107a5b1f:
total 80
-rw------- 1 barry barry 764 Nov 8 03:03 01352530-5E94-4AD7-ADC5-75A95A49D7EC.ics
-rw------- 1 barry barry 770 Nov 8 03:03 07AFE149-514A-495B-8A5A-C520CFAC42E9.ics
-rw------- 1 barry barry 1451 Nov 8 03:03 0A2B8BA9-781D-4F18-B907-2AEE784BD435.ics
-rw------- 1 barry barry 373 Nov 8 03:03 22BDF821-7E6F-4EF7-BE1D-EB281981F980.ics
-rw------- 1 barry barry 763 Nov 8 03:03 295A9037-E185-4C7D-B87C-2C45C22B4579.ics
-rw------- 1 barry barry 1398 Nov 8 03:03 2A7EE18B-0E25-4638-A7F4-A5FCD67EDEAE.ics
-rw------- 1 barry barry 846 Nov 8 03:03 2AAA474D-EC76-4657-9013-F792B62A8180.ics
-rw------- 1 barry barry 837 Aug 11 03:03 485AD1B3-DA2D-46D1-9CC8-569008246290.ics
-rw------- 1 barry barry 845 Nov 8 03:03 5F730613-8A45-49CF-90A8-0A5271FECBB5.ics
-rw------- 1 barry barry 404 Nov 8 03:03 654F6F6A-D508-460A-A5CB-07782950D738.ics
-rw------- 1 barry barry 838 Nov 8 03:03 6B4AFD2E-BB0B-44D7-8622-4619C5329111.ics
-rw------- 1 barry barry 776 Nov 8 03:03 840E5A21-0C3C-45D7-AC16-C6D699CB4A22.ics
-rw------- 1 barry barry 766 Nov 8 03:03 9B8FCCFE-F716-4721-9690-F32286508D27.ics
-rw------- 1 barry barry 792 Nov 8 03:03 BBB230D1-5F10-42B3-B558-0C95F4C909B7.ics
-rw------- 1 barry barry 768 Nov 8 03:03 BE11B225-738E-4544-AD1F-86E09886142D.ics
-rw------- 1 barry barry 1506 Nov 8 03:03 CAA4A255-C7AE-4DCC-A527-4EB566D9CCF8.ics
-rw------- 1 barry barry 790 Nov 8 03:03 E13DB543-0D8C-4547-A85C-836EA720A3C4.ics
-rw------- 1 barry barry 768 Nov 8 03:03 E2ECD995-C6BA-4A1A-9101-4F28DB6EBD72.ics
-rw------- 1 barry barry 766 Nov 8 03:03 F4F0089B-230A-43C6-B396-72BEA7130A52.ics
-rw------- 1 barry barry 798 Nov 8 03:03 F89F6E23-C7BA-474F-82C4-39C4EB74DFA7.ics

./barry/radicale/collections/collection-root/barry/9ba008bb-3b6c-3d29-63d7-3da111e3c17b:
total 20
-rw------- 1 barry barry 177 Nov 8 03:03 462259C9-3F90-4129-AAD0-1F8A8EC40CED.vcf
-rw------- 1 barry barry 283 Nov 8 03:03 66D58899-5E0F-4EF3-9999-D700A00EBB90.vcf
-rw------- 1 barry barry 228 Nov 8 03:03 A5BB1A73-4996-4DA1-913B-138771E089ED.vcf
-rw------- 1 barry barry 237 Nov 8 03:03 B1E13A78-F00A-48E2-BDB4-1505A0788257.vcf
-rw------- 1 barry barry 299 Nov 8 03:03 B35A2C15-4B2C-4368-A483-2227F2AB9BA5.vcf

./barry/sent:
total 12
drwx------ 2 barry barry 512 Aug 10 23:24 cur
drwx------ 2 barry barry 512 Jun 3 01:14 new
drwx------ 2 barry barry 512 Aug 10 23:24 tmp

./barry/sent/cur:
total 44
-rw------- 1 barry barry 298 Jun 3 01:14 1685754867.25546_1.barryserver:2,S
-rw------- 1 barry barry 762 Jun 6 20:30 1686083444.82081_1.barryserver:2,S
-rw------- 1 barry barry 603 Jun 6 20:34 1686083656.82081_3.barryserver:2,S
-rw------- 1 barry barry 359 Jun 6 22:24 1686090260.80982_1.barryserver:2,S
-rw------- 1 barry barry 1762 Jun 6 22:28 1686090519.80982_3.barryserver:2,S
-rw------- 1 barry barry 351 Jun 6 22:34 1686090877.80982_5.barryserver:2,S
-rw------- 1 barry barry 467 Aug 9 19:54 1691610897.33894_1.barryserver:2,S
-rw------- 1 barry barry 826 Aug 9 20:44 1691613871.92369_1.barryserver:2,S
-rw------- 1 barry barry 326 Aug 9 22:01 1691618493.16460_1.barryserver:2,S
-rw------- 1 barry barry 394 Aug 9 22:16 1691619416.87638_1.barryserver:2,S
-rw------- 1 barry barry 438 Aug 10 23:24 1691709856.51820_1.barryserver:2,S

./barry/sent/new:
total 0

./barry/sent/tmp:
total 0

The second:

barryserver# ls -lR /etc/ssl
/etc/ssl:
total 752
-r--r--r-- 1 root wheel 5922 Nov 8 20:06 barryserver.com:443.crt
-r--r--r-- 1 root wheel 5918 Nov 8 04:57 barryserver.com:443.crt.1
-r--r--r-- 1 root bin 341121 Mar 25 2023 cert.pem
-rw-r--r-- 1 root wheel 496 Jun 6 19:47 dovecot-openssl.cnf
-rw-r--r-- 1 root wheel 2703 Mar 25 2023 ikeca.cnf
-r--r--r-- 1 root bin 745 Mar 25 2023 openssl.cnf
drwx------ 2 root wheel 512 Jun 1 20:09 private
-r--r--r-- 1 root bin 1006 Mar 25 2023 x509v3.cnf

/etc/ssl/private:
total 8
-r-------- 1 root wheel 3272 Jun 1 20:09 barryserver.com:443.key

My system doesn't seem to like the -pant qualifier. -a works but that seems to be about it.

Sorry, I can't make sense of what I am seeing. I'd suggest trying an OpenBSD forum. Or, maybe @rg305 will see something or another volunteer.

Your server is currently using a cert that was issued on Aug 5. Use a tool like below to see. I don't see any such cert on your system.

I do see 2 .pem files from today, but you have gotten 3 certs today.

And, you got a cert on Oct 2, so that should have replaced the Aug 5 cert but did not.

Your httpd.conf did not even have a listen for port 443 and no include statements. I don't know how it even knows how to handle HTTPS requests.

Your recent cert history from the public logs

3 Likes
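The mismatch described above (a certificate file on disk dated Nov 8 while the listener still presents one issued Aug 5) can be confirmed directly: fetch the leaf certificate the server presents for the SNI name and compare its SHA-256 fingerprint with the first certificate in the full chain file acme-client wrote. This is an added example, not code from the thread or from OpenBSD; it uses only the Python standard library, the host and certificate path are taken from the thread, and the script name is made up.

```python
"""Compare the certificate served on port 443 with the one acme-client wrote."""
import base64
import hashlib
import re
import ssl
import sys

# A PEM "full chain" file holds several CERTIFICATE blocks; the leaf comes first.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 hex fingerprint of the first certificate in a PEM blob."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host: str, port: int = 443) -> str:
    """Fingerprint of the leaf the server presents for this SNI name.
    get_server_certificate does not verify the chain, so an already
    expired certificate is still fetched rather than rejected."""
    pem = ssl.get_server_certificate((host, port))
    return leaf_fingerprint(pem)


def same_certificate(served_pem: str, on_disk_pem: str) -> bool:
    """True when the served leaf is the leaf stored in the on-disk file."""
    return leaf_fingerprint(served_pem) == leaf_fingerprint(on_disk_pem)


def check(host: str, cert_path: str) -> bool:
    with open(cert_path) as f:
        disk = leaf_fingerprint(f.read())
    live = served_fingerprint(host)
    print(f"on disk : {disk}\nserved  : {live}")
    if disk == live:
        print("match: the TLS listener is serving the file acme-client wrote")
        return True
    print("MISMATCH: the daemon terminating TLS (httpd, or relayd in front of it) "
          "was not reloaded, or reads a different certificate path")
    return False


if __name__ == "__main__":
    # usage: python3 certcheck.py barryserver.com /etc/ssl/barryserver.com:443.crt
    sys.exit(0 if check(sys.argv[1], sys.argv[2]) else 1)
```

A mismatch points at the process that actually holds port 443 (see the `netstat` output later in the thread) rather than at acme-client, since the file on disk is already the new certificate.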

OpenBSD deviated from Apache Foundation's httpd in 1995. The version currently in distribution was completely rewritten.
httpd — HTTP daemon
And information on OpenBSD's acme client can be found here:
acme-client — ACME client

Using the "-F" switch asks acme-client to FORCE renewal. This should be avoided regardless of the client in use.
EDIT:
netstat -na -f inet
might work for you. (I can't remember if you need to be "root") or "super-user" in OpenBSD speak... ;@)

5 Likes

That worked to produce this output. Thank you. And I am definitely using httpd for OpenBSD, not Apache.

barryserver# netstat -na -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address IP-Proto
ip 112100 0 . . 1
ip 112100 0 . . 1
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address TCP-State
tcp 0 0 45.76.65.252.443 212.102.40.218.25990 TIME_WAIT
tcp 0 44 45.76.65.252.22 72.205.100.41.49775 ESTABLISHED
tcp 0 0 45.76.65.252.443 212.102.40.218.48988 TIME_WAIT
tcp 0 0 45.76.65.252.443 212.102.40.218.37188 TIME_WAIT
tcp 0 0 *.443 . LISTEN
tcp 0 0 *.993 . LISTEN
tcp 0 0 *.995 . LISTEN
tcp 0 0 127.0.0.1.5232 . LISTEN
tcp 0 0 *.22 . LISTEN
tcp 0 0 127.0.0.1.8080 . LISTEN
tcp 0 0 *.80 . LISTEN
tcp 0 0 45.76.65.252.587 . LISTEN
tcp 0 0 127.0.0.1.587 . LISTEN
tcp 0 0 45.76.65.252.25 . LISTEN
tcp 0 0 127.0.0.1.25 . LISTEN
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address
udp 0 0 45.76.65.252.26357 108.61.73.243.123
udp 0 0 45.76.65.252.49129 108.61.73.244.123
udp 0 0 45.76.65.252.47840 108.61.56.35.123
udp 0 0 . .
udp 0 0 . .
udp 0 0 45.76.65.252.68 .

1 Like

It certainly is confusing. I don't see the Aug 5 certificate anywhere either. And on the 443 issue, the relayd.conf file has this section, which might help:

relay "https" {
  listen on 0.0.0.0 port 443 tls
  protocol https
  forward to <httpd> port 8080
  forward to <radicale> port 5232
}

@barry your site is checking out ok on letsdebug.net for http-01 validation.

Have you retried your cert request without the "F" option?

acme-client -v barryserver.com && rcctl reload httpd

Please post the output.

4 Likes

ALSO:
Could or would you please post your /etc/acme-client.conf
Thank you.
EDIT:
The last time I used OpenBSD was 1991. I used it for a "transparent firewall". And Let's Encrypt didn't exist yet. So your results may vary. But, if my research is correct (for an "old guy"), your acme-client.conf should look something like this.

domain barryserver.com {
    domain dav.barryserver.com {
        domain www.barryserver.com {
            domainkey "/etc/ssl/private/barryserver.com.key"
            certificate "/etc/ssl/barryserver.com.crt"
            fullchain "/etc/ssl/barryserver.com.fullchain.pem"
            signwith "/etc/ssl/private/barryserver.com.com.key"
            challenge ftp
            challenge http
            challenge tls-http-01
        }
    }
}

If you make changes.... BACK EVERYTHING UP JUST IN CASE!!!!
I HATE COPY AND PASTE!!!!
But I Hope this helps you out.

4 Likes