Certificate issued but shows an old one on the browser?

saltynoodles · September 7, 2021, 7:35pm

Apache/2.4.41 (Ubuntu)

Ubuntu 20.04.2 LTS

PHP 7.4.3

certbot 1.18.0

We issued a wildcard certificate with the certbot-dns-digitalocean plugin (Welcome to certbot-dns-digitalocean’s documentation! — certbot-dns-digitalocean 0 documentation ).

Output:

Successfully deployed certificate for *.wpmu.work to /etc/apache2/sites-enabled/wpmu-le-ssl.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

We restarted the server, rebooted, and cleared cache and cookies. However the page is still not secured at https, when I check the certificate it says:

*.wpmu.work
Issued by: R3
Expired: Sunday, May 9, 2021 at 9:01:20 PM Pacific Daylight Time

“*.wpmu.work“ certificate is expired

When I run certbot certificates this is the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: wpmu.work
    Serial Number: 48ed74fd4a4876e2a9968a030cc6c4fb3c2
    Key Type: RSA
    Domains: wpmu.work *.wpmu.work
    Expiry Date: 2021-12-06 17:29:27+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/wpmu.work/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/wpmu.work/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Since the cert on the server says Expiry date December 6, 2021, any thoughts on why the new certificate is not reflecting in the browser when we have already restarted the server?

Here are the virtual hosts sitting in /etc/apache2/sites-available:

wpmu-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName wpmu.work
    ServerAlias www.wpmu.work
    DocumentRoot /var/www/wpmu

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/wpmu>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/wpmu.work/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wpmu.work/privkey.pem
</VirtualHost>
</IfModule>

wpmu.conf

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName wpmu.work
    ServerAlias www.wpmu.work
    DocumentRoot /var/www/wpmu

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/wpmu>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =wpmu.work [OR]
RewriteCond %{SERVER_NAME} =www.wpmu.work
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Thank you!

MikeMcQ · September 7, 2021, 8:49pm

A more experienced person will probably be needed to help you but are you sure the DNS is pointing to that Apache server? The only reason I ask is that your crt.sh cert history shows you using cdn.wpmu.work recently but a curl to that gives a brief response from Amazon S3. This looks to me like you really are fronting S3 with a CDN so I thought maybe your DNS might be pointing to the wrong server (or perhaps being misdirected by a CDN).

https://crt.sh/?q=wpmu.work

saltynoodles · September 7, 2021, 9:19pm

The cdn.wpmu.work is a CNAME with a Hostname of cdn.wpmu.work and the value leads to a digital ocean spaces.

MikeMcQ · September 7, 2021, 9:40pm

@saltynoodles Yes, but, are you sure the IP 164.90.246.160 associated with wpmu.work is for that Apache server you are configuring with these new certs? Your explanation was otherwise clear. Your cert history shows lots of LE certs in recent months and the one which you say you are seeing expired long ago.

So, either your Apache config has a problem or the DNS isn't pointing to the right server. In any event, you'll probably need to wait for a more experienced person. Apache is not my strong suit.

saltynoodles · September 7, 2021, 10:18pm

Yes, I'm sure the Load Balancers IP on Digital Ocean is 164.90.246.160. Thanks for your help though, any amount of input is always helpful

rg305 · September 7, 2021, 10:42pm

Wildcard certs require DNS-01 authentication.
Provided by:

[none-of-which relies on any client side web service at all]

Which certbot certificates confirms to have been updates recently:

The answer to:

IMO, is you are likely NOT hitting any of these covered names:

Please show the URL that is producing this problem.
OR, if you are then please show the output of:
sudo apachectl -t -D DUMP_VHOSTS

saltynoodles · September 7, 2021, 11:03pm

The URL is https://wpmu.work/

doing sudo apachectl -t -D DUMP_VHOSTS gives me

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  wpmu.work (/etc/apache2/sites-enabled/wpmu-le-ssl.conf:2)
*:80                   wpmu.work (/etc/apache2/sites-enabled/wpmu.conf:1)

rg305 · September 7, 2021, 11:10pm

Please show these outputs exactly as entered below:
sudo ls -l /etc/apache2/sites-enabled/*
sudo cat /etc/apache2/sites-enabled/wpmu-le-ssl.conf

saltynoodles · September 7, 2021, 11:13pm

sudo ls -l /etc/apache2/sites-enabled/*

lrwxrwxrwx 1 root root 35 Feb  9  2021 /etc/apache2/sites-enabled/wpmu-le-ssl.conf -> ../sites-available/wpmu-le-ssl.conf
lrwxrwxrwx 1 root root 28 Feb  9  2021 /etc/apache2/sites-enabled/wpmu.conf -> ../sites-available/wpmu.conf

sudo cat /etc/apache2/sites-enabled/wpmu-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName wpmu.work
    ServerAlias www.wpmu.work
    DocumentRoot /var/www/wpmu

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/wpmu>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/wpmu.work/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wpmu.work/privkey.pem
</VirtualHost>
</IfModule>

rg305 · September 7, 2021, 11:59pm

Well, then there is only one last place to look:
sudo ls -l /etc/letsencrypt/live/wpmu.work/*

MikeMcQ · September 8, 2021, 2:10am

@saltynoodles While @rg305 looks at Apache, I have a question about your Load Balancer (LB). At least w/AWS, a LB acts as the https endpoint (listener) for the client. AWS allows either http or https between an LB and your application server (Apache or whatever).

Does Digital Ocean work the same way? If so, the LE certs you created with Apache would be for https between Apache and the LB. You need different certs in the Load Balancer for https to the client. I looked very briefly at some Digital Ocean pages and it seems it works much like AWS. And it offers automatic provisioning of Lets Encrypt certs for the LB.

Could the old cert you are seeing be an old cert in your LB? Or, perhaps you are seeing the old cert message in your LB talking to Apache?

webprofusion · September 8, 2021, 2:44am

My guess is the server that's responding is not the one you think it is.

The response is coming from 164.90.246.160 and only you know if that's correct and if you have any internal port forwarding - is this server directly accessed on this IP or do you port forward to another machine?

As @rg305 mentioned, also check the certificates folder /etc/letsencrypt/live/wpmu.work/ to ensure that the files have a recent date.

saltynoodles · September 8, 2021, 4:23pm

sudo ls -l /etc/letsencrypt/live/wpmu.work/*

-rw-r--r-- 1 root root 692 Feb  9  2021 /etc/letsencrypt/live/wpmu.work/README
lrwxrwxrwx 1 root root  33 Sep  7 18:29 /etc/letsencrypt/live/wpmu.work/cert.pem -> ../../archive/wpmu.work/cert6.pem
lrwxrwxrwx 1 root root  34 Sep  7 18:29 /etc/letsencrypt/live/wpmu.work/chain.pem -> ../../archive/wpmu.work/chain6.pem
lrwxrwxrwx 1 root root  38 Sep  7 18:29 /etc/letsencrypt/live/wpmu.work/fullchain.pem -> ../../archive/wpmu.work/fullchain6.pem
lrwxrwxrwx 1 root root  36 Sep  7 18:29 /etc/letsencrypt/live/wpmu.work/privkey.pem -> ../../archive/wpmu.work/privkey6.pem

rg305 · September 8, 2021, 4:28pm

Please show (to be sure):
sudo ls -l /etc/letsencrypt/archive/wpmu.work/*6.pem

saltynoodles · September 8, 2021, 4:34pm

-rw-r--r-- 1 root root 1846 Sep  7 18:29 /etc/letsencrypt/archive/wpmu.work/cert6.pem
-rw-r--r-- 1 root root 3749 Sep  7 18:29 /etc/letsencrypt/archive/wpmu.work/chain6.pem
-rw-r--r-- 1 root root 5595 Sep  7 18:29 /etc/letsencrypt/archive/wpmu.work/fullchain6.pem
-rw------- 1 root root 1704 Sep  7 18:29 /etc/letsencrypt/archive/wpmu.work/privkey6.pem

rg305 · September 8, 2021, 4:35pm

Beautiful!

saltynoodles · September 8, 2021, 4:58pm

Sooo it looks like it was the Load Balancers SSL, I just created a new one and it looks like it is working so far. Thanks for all your help!

system · October 8, 2021, 4:58pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
New server, used certbot plugin for wildcard, but site times out Help	18	741	March 11, 2021
DigitalOcean certbot renew but still expired cert Help	5	1799	April 21, 2017
Trying to add a wildcard certificate but browsers still recognize an expired one. How do I remove this? Help	7	1414	January 12, 2022
Certificate appears as outdated, however it is up to date Help	3	642	May 27, 2018
What can I do if the letsencrypt certificate has expired? Help	13	980	March 20, 2019

Certificate issued but shows an old one on the browser?

Related topics