Certificate renewal only partly successful

(It's working now, maybe there was just some kind of delay or something, and maybe I needed to restart the server and/or Apache)

I am following the directions on how to renew the domains icemaps.com and synodins.com here:
https://certbot.eff.org/#ubuntutrusty-apache

I follow the directions and the system reports success. However, only icemaps.com becomes active, but synodins.com remains insecure.

When I check it out it's as if the certificate has never been renewed.

Here is the whynotsecure for synodins.com:
https://www.ssllabs.com/ssltest/analyze.html?d=synodins.com#whyNotTrusted
It's as if it hasn't been renewed, but I just renewed it. Any hint would be appreciated.

I have no idea where to even start debugging this.

Hello @hermann1,

The certificate you have renewed is covering 4 domains:

icemaps.com
www.icemaps.com
synodins.com
www.synodins.com

and that is the certificate used right now when you try to access icemaps.com, but the certificate used right now by synodins.com is the one issued on 21st May that only covers 2 domains: synodins.com and www.synodins.com.

So, you need to configure your synodins.com VirtualHost to point to the same certificate used for icemaps.com.

Cheers,
sahsanu


Previously, before today, you had separate certificates for both domains:

Certificate 04:53:42:8c:9a:f0:6b:4f:ec:b8:f8:f4:86:ea:bf:6e:98:fe for icemaps.com and www.icemaps.com issued on May 21 08:32:00 2017 GMT.
Certificate 04:0f:9f:11:28:72:e8:f1:ac:67:2d:c4:19:74:95:71:af:b2 for synodins.com and www.synodins.com issued on May 21 08:31:00 2017 GMT.

NOW however, you have one certificate issued!:

Certificate 04:9f:f4:7f:b3:c9:f9:b5:0f:a8:be:5e:98:72:73:3e:43:34 for icemaps.com, synodins.com, www.icemaps.com and www.synodins.com issued on Aug 19 10:12:00 2017 GMT.

That is not supposed to happen when you just renew your existing certificates.

Which parts of the directions you linked to did you follow for the renewal? All, from the top? Or just from “Automating renewal” and downwards? Because this new certificate including all the domains suggests you started “over”.

How to fix this? I’m not sure if certbot can fix this, but you might want to look at the location of the new certificate in /etc/letsencrypt/ and check if the VirtualHost sections of your Apache configuration are pointing to the right certificate location.


Thanks.

How do I do that?

I went all from the top. But there was one thing: I accidentally went by the ‘debian others’ instructions first as I thought my server was a Linux Mint 17.3 when it really was an Ubuntu 14.04.

I can't find any virtualhost section under /etc/letsencrypt, so I have no idea what to do.

I would prefer flowers :stuck_out_tongue: :wink:

I don't use Ubuntu but the conf files for your Apache should be here: /etc/apache2/sites-enabled/, so you need to edit the conf file for synodins.com and modify the SSLCertificateFile and SSLCertificateKeyFile directives to point to the same files as you are using for icemaps.com.

Cheers,
sahsanu


Here are the certificate directives in the icemaps.com-le-ssl.conf file:

SSLCertificateFile /etc/letsencrypt/live/synodins.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/synodins.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/synodins.com/chain.pem

and here they are in synodins.com-le-ssl.conf:

SSLCertificateFile /etc/letsencrypt/live/synodins.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/synodins.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/synodins.com/chain.pem

They are both using the synodins one. /:

Could you please show the output of the following commands?

certbot certificates
grep -ri SSLCertificateFile /etc/apache2/sites-enabled/*

Now all of a sudden it's working. Maybe there was some delay or something, I don't know.
But thanks for the help.

I’m glad you got it working but it is really strange, because icemaps.com and synodins.com are using different certificates but, as you said, in your Apache conf both point to the same certificate, so you should have some other virtualhost or conf for icemaps.com. I think you should recheck the conf.

Have a nice weekend.
sahsanu


@sahsanu It’s possible certbot managed to put the new certificate with both domains in /live/synodins.com/.


@Osiris, if that is true, when the OP restarted the web server both domains should serve the same certificate, but they are being served by different certs:

$ echo | openssl s_client -connect synodins.com:443 -servername synodins.com 2>/dev/null | openssl x509 -noout -text | grep "DNS"
                DNS:synodins.com, DNS:www.synodins.com

$ echo | openssl s_client -connect icemaps.com:443 -servername icemaps.com 2>/dev/null | openssl x509 -noout -text | grep "DNS"
                    DNS:icemaps.com, DNS:synodins.com, DNS:www.icemaps.com, DNS:www.synodins.com

So something weird is out there ;).

If @hermann1 could show us the output of certbot certificates we could see what is going on there.

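Sahsanu's two checks in this thread answer different questions: `certbot certificates` plus a grep over sites-enabled shows what certbot has on disk and what Apache is told to load, while the `openssl s_client` probe shows what the server actually hands out. The script below is an added example, not from the thread and not certbot's or Apache's own tooling; it ties the first two together by pulling ServerName and SSLCertificateFile out of each vhost conf and checking whether that file's SANs cover the name, which is exactly the mismatch being chased here. The directory names and the self-signed certificates are constructed for the demo, `openssl(1)` is assumed to be installed, and `served_sans` reproduces the s_client probe (it needs network, so the demo does not call it).

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from certbot): cross-check which
# certificate file each Apache VirtualHost references and whether that
# certificate's subjectAltName actually covers the vhost's ServerName.
# Assumes openssl(1) is on PATH; every path and name below is constructed
# for the demo, not taken from the poster's server.
set -eu

# Read an `openssl x509 -text` dump on stdin; print its DNS SANs, one per line.
san_dns_names() {
    grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# DNS SANs of a PEM certificate file.
cert_sans() { openssl x509 -in "$1" -noout -text | san_dns_names; }

# SHA-256 fingerprint of a PEM certificate (tells two cert files apart).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# DNS SANs of the certificate a live server actually hands out for HOST
# (the same s_client check sahsanu ran; needs network, so the demo skips it).
served_sans() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -text | san_dns_names
}

# First value of an Apache directive in CONF (directive names are
# case-insensitive, and indentation inside <VirtualHost> is tolerated).
conf_directive() {   # conf_directive CONF DIRECTIVE
    awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == d { print $2; exit }' "$1"
}

# Return 0 if the SSLCertificateFile named in CONF lists CONF's ServerName
# among its SANs, 1 otherwise; print a one-line verdict either way.
vhost_cert_covers_name() {   # vhost_cert_covers_name CONF
    local name cert
    name=$(conf_directive "$1" ServerName)
    cert=$(conf_directive "$1" SSLCertificateFile)
    if cert_sans "$cert" | grep -Fxq "$name"; then
        printf 'OK   %s -> %s [%s]\n' "$name" "$cert" "$(cert_fingerprint "$cert")"
        return 0
    fi
    printf 'FAIL %s -> %s does not list %s in its SANs\n' "$name" "$cert" "$name"
    return 1
}

# Constructed demo helper: a throwaway self-signed cert with the given SANs
# (uses a config file so it also works with OpenSSL older than 1.1.1).
make_demo_cert() {   # make_demo_cert DIR CN "DNS:a,DNS:b"
    mkdir -p "$1"
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n[dn]\nCN = %s\n[v3]\nsubjectAltName = %s\n' \
        "$2" "$3" > "$1/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/san.cnf" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo mirroring the thread: one lineage covering all four names, one lineage
# covering only synodins.com, and two vhost confs, one of them pointed at the
# wrong lineage. All of it lives in a temporary directory.
demo_root=$(mktemp -d)
make_demo_cert "$demo_root/live/synodins.com" synodins.com \
    'DNS:icemaps.com,DNS:synodins.com,DNS:www.icemaps.com,DNS:www.synodins.com'
make_demo_cert "$demo_root/live/synodins.com-0001" synodins.com \
    'DNS:synodins.com,DNS:www.synodins.com'
printf '<VirtualHost *:443>\n  ServerName icemaps.com\n  SSLCertificateFile %s\n</VirtualHost>\n' \
    "$demo_root/live/synodins.com/cert.pem" > "$demo_root/icemaps.com-le-ssl.conf"
printf '<VirtualHost *:443>\n  ServerName www.icemaps.com\n  SSLCertificateFile %s\n</VirtualHost>\n' \
    "$demo_root/live/synodins.com-0001/cert.pem" > "$demo_root/www.icemaps.com-le-ssl.conf"
vhost_cert_covers_name "$demo_root/icemaps.com-le-ssl.conf"              # OK
vhost_cert_covers_name "$demo_root/www.icemaps.com-le-ssl.conf" || true  # FAIL
```

On a real server you would run `vhost_cert_covers_name` over `/etc/apache2/sites-enabled/*-le-ssl.conf` and compare the printed fingerprints with the SANs from `served_sans`: two vhosts printing the same fingerprint while `served_sans` returns different name sets is the "some other virtualhost or conf" situation sahsanu describes, because Apache is loading a vhost this check never saw.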

Found the following certs:
  Certificate Name: synodins.com
    Domains: icemaps.com,synodins.com,www.icemaps.com,www.synodins.com
    Expiry Date: 2017-11-17 10:38:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/synodins.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/synodins.com/privkey.pem
  Certificate Name: synodins.com-0001
    Domains: synodins.com,www.synodins.com
    Expiry Date: 2017-11-17 11:55:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/synodins.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/synodins.com-0001/privkey.pem
  Certificate Name: icemaps.com
    Domains: icemaps.com,www.icemaps.com
    Expiry Date: 2017-11-17 11:55:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/icemaps.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/icemaps.com/privkey.pem
  Certificate Name: synodins.com-0002
    Domains: synodins.com
    Expiry Date: 2017-11-17 10:48:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/synodins.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/synodins.com-0002/privkey.pem
-------------------------------------------------------------------------------

So, icemaps.com is using this path /etc/letsencrypt/live/synodins.com/ for the certs and synodins.com is using this one /etc/letsencrypt/live/synodins.com-0001/, but you said that your web server conf files for both domains point to /etc/letsencrypt/live/synodins.com/, which seems not to be true: the synodins.com conf file must be using /etc/letsencrypt/live/synodins.com-0001/, and if it is not there, it is in some other conf file.

There is no problem at all if you know what you are doing.

Good luck.
sahsanu
