Certificate gets renewed but still shows expired in the site

Certificate for the site fra.kucm.ac.kr expires on Oct. 20
even though the auto-renew command was entered:

sudo certbot renew --dry-run

So I ran the command manually to renew the certificate, but it doesn't work.
I reinstalled it multiple times and then I deleted the live folder and the other files linked to it,
and also removed certbot and python-certbot-nginx.

Now when I install and try to install the certificate, it says the maximum limit has been reached, so I waited
7 days and then installed the new certificate; it is still not updated and shows expired.

This is the output of:

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: fra.kucm.ac.kr
Domains: fra.kucm.ac.kr
Expiry Date: 2021-01-27 05:50:17+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/fra.kucm.ac.kr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/fra.kucm.ac.kr/privkey.pem

I restarted the server and restarted nginx, but no effect.
It was working fine before the expiry.
I checked these sites:
https://crt.sh/?q=fra.kucm.ac.kr

I can't figure out the exact problem, how the server is using the old certificate.
It shows multiple certificates but I can't figure it out; maybe the CN name is different:
the expired one has the domain name as CN, the other certificate has Let's Encrypt as CN name.

OS: ubuntu 18
certbot: 0.31

Hi @SujilDevkota,

Could you check your nginx configuration to make sure that it's pointing at the Certbot-obtained certificate (via /etc/letsencrypt/live) and not some other certificate or separate copy elsewhere on your system?

You could check with a command like

grep -r ssl_certificate /etc/nginx

2 Likes

Yes, the following is the output:
/etc/nginx/sites-available/kosin: ssl_certificate /etc/letsencrypt/live/fra.kucm.ac.kr/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/kosin: ssl_certificate_key /etc/letsencrypt/live/fra.kucm.ac.kr/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/kosin.save: ssl_certificate /etc/letsencrypt/live/fra.kucm.ac.kr/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/kosin.save: ssl_certificate_key /etc/letsencrypt/live/fra.kucm.ac.kr/privkey.pem; # managed by Certbot
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

Is the kosin.save file the problem? I have checked previously for such hidden files and found none;
now there is that file.

Do you mean you rebooted Linux completely and this error is still happening?

Yes, I entered

sudo reboot

The SSH connection was lost and the system was back quickly.

That's quite strange. Are you sure that 1.237.185.235 is the server running this instance of nginx and that there's no other proxy or load balancer in between?

3 Likes
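One way to test for that, as an added example that is not part of the thread: compare the SHA-256 fingerprint of the leaf certificate actually presented on port 443 for the name with the leaf stored in /etc/letsencrypt/live/fra.kucm.ac.kr/fullchain.pem. A mismatch means whatever answers the TLS handshake is not reading that file, which is exactly what a proxy or load balancer in front of the instance would look like. Verification is switched off on purpose so that an expired certificate is still retrieved for comparison; the hostname and path are the ones from the thread, and the script assumes Python 3 with network access to the host.

```python
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample chain (two dummy blocks, not real certificates) used for testing.
SAMPLE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nZGVm\n-----END CERTIFICATE-----\n"
)


def leaf_from_fullchain(pem_text):
    """Return the first PEM block of a fullchain.pem, i.e. the leaf certificate."""
    start = pem_text.find(PEM_BEGIN)
    end = pem_text.find(PEM_END, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate found")
    return pem_text[start:end + len(PEM_END)] + "\n"


def local_leaf_der(pem_text):
    """DER bytes of the leaf certificate in a fullchain.pem text."""
    return ssl.PEM_cert_to_DER_cert(leaf_from_fullchain(pem_text))


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_leaf_der(host, port=443, timeout=10):
    """Fetch the leaf certificate presented for `host` (with SNI), without verifying it,
    so an expired or mismatched certificate is still returned for inspection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare_disk_to_wire(host, chain_path, port=443):
    """Return (fingerprint on disk, fingerprint served, match?)."""
    with open(chain_path) as f:
        local = local_leaf_der(f.read())
    served = served_leaf_der(host, port)
    return fingerprint_der(local), fingerprint_der(served), local == served


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "fra.kucm.ac.kr"
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/letsencrypt/live/%s/fullchain.pem" % host
    disk_fp, wire_fp, same = compare_disk_to_wire(host, path)
    print("on disk:", disk_fp)
    print("served :", wire_fp)
    print("MATCH" if same else "MISMATCH: something else is terminating TLS for this name")
```

Run it on the instance itself and, if the fingerprints differ, also run it from the instance against 127.0.0.1 to see whether the local nginx alone serves the new certificate.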

This server is an instance given to me; there may be another server in between. I asked them about it but they didn't give a proper answer. This might be the cause.
But initially I installed the SSL for the domain from here.

1 Like

Then there is a man-in-the-middle using your old cert.
Which, to me, means that your security is incomplete.
The GFW of Korea?

1 Like

Some more evidence to further these theories: https://cku.ulms.me points to the same host and has a valid certificate, but we don't see it in /etc/nginx.

3 Likes

Thank you so much for your support, I will update soon;
getting info from the other side takes time.

1 Like

I'm seeing sites-available, but not sites-enabled. Are you 200 % sure those config files are actually in use?

Please run nginx -T for a complete output of the currently actual in use directives.

1 Like

I may be misinterpreting your message and taking it too literally, but in the first message you wrote that you used the command

Shouldn't that be without --dry-run?

nginx: [warn] conflicting server name "fra.kucm.ac.kr" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

There is one warning because I have to write listen in the main server block as well; if I don't write listen there, it shows a "too many redirects" error on the site.
I also want to ask about that, but I am sure that may not have caused the certificate expiry issue, which I want to solve first.
Do I have to paste all configurations?

1 Like

I have tried everything with renewal
and have also reached the limit for reinstalling the certificate:

certbot renew --dry-run
certbot renew
certbot --nginx -d fra.kucm.ac.kr

I mentioned that command because the guide I used to install the SSL said it would make renewal automatic, but it expired, so I mentioned it.

1 Like

The fact the output of certbot certificates gives a valid certificate tells us a valid certificate has been issued. It's just not being used. --dry-run wouldn't result in a valid certificate in certbot certificates.

This tells me there is something not correct in your nginx configuration.

Yes please. You can skip all the stuff about mime-types, but I'd like to see the rest.

There is no limit for reinstalling a previously issued certificate. That's just a local thing without using the Let's Encrypt servers. There is however a limit for re-issuing the certificate. The latter is not useful at all (you already have a valid certificate) and only increases the load on the Let's Encrypt systems…

1 Like

OK, I will paste the configuration, but you have to know that I previously had no issue with the SSL install; it was an issue after the expiry happened. (Since previous people have also pointed to the role of a middle server, and I was also thinking that someone might have installed SSL on the root server later, after I installed it on this instance, I have asked about it and maybe it will be confirmed by tomorrow.)

About the warning: when I install SSL it automatically removes listen from the server block and adds a new server block to handle the forced redirection to https, but then the site shows an ERR_TOO_MANY_REDIRECTS problem and I have to add listen again in the server block.

This is a minimized version; there are parameters for expiry and caching.

server {
    listen 80;
    server_name fra.kucm.ac.kr;
    location /static {
        alias /home/ubuntu/kosin/static;
    }
    location /media {
        alias /home/ubuntu/kosin/media;
    }
    location / {
        include proxy_params;
        proxy_pass http://unix:/home/ubuntu/kosin/ppes.sock;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/fra.kucm.ac.kr/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/fra.kucm.ac.kr/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = fra.kucm.ac.kr) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name fra.kucm.ac.kr;
    return 404; # managed by Certbot
}

Here the case is that the 2nd line, listen 80, gets removed when certbot adds its code; the site then shows too many redirects and I write listen 80 back there. The lower part of the code is added by certbot, as you know.

About reinstalling and reissuing the certificate: I tried both and deleted the folder, and after I deleted the folder the reissue limit had already been reached. I didn't know about that at first, so I waited 7 days and reinstalled today. You can read this in my main question.

Could you explain more about these "middle server" and "root server"?

I see two blocks listening on port 80 for the exact same FQDN:

That can't be good.
What shows?:
nginx -t

That looks creative.
Does that work as expected?