Certificate renewal only partly successfull

(Its working now, maybe there was just some kind of delay or something. and maybe i needed to restart the server and/or apache)

I am following the directions here on how to renew the domains icemaps.com and synodins.com, here:
https://certbot.eff.org/#ubuntutrusty-apache

I follow the directions and the system reports success. However, only icemaps.com becomes active, but synodins.com remains insecure.

When I check it out its as if the certificate has never been renewed.

Here is the whynotsecure for synodins.com:
https://www.ssllabs.com/ssltest/analyze.html?d=synodins.com#whyNotTrusted
Its as if it hasn’t been renewed, but i just renewed it. Any hint would be appreciated.

I have no idea where to even start debugging this.

Hello @hermann1,

The certificate you have renewed is covering 4 domains:

icemaps.com
www.icemaps.com
synodins.com
www.synodins.com

and that is the certificate used right now when you try to access to icemaps.com but the certificate used right now by synodins.com is the one issued at 21st May that only covers 2 domains synodins.com and www.synodins.com.

So, you need to configure your synodins.com VirtualHost to point to the same certificate used for icemaps.com.

Cheers,
sahsanu

1 Like

Previously, before today, you had separate certificates for both domains:

Certificate 04:53:42:8c:9a:f0:6b:4f:ec:b8:f8:f4:86:ea:bf:6e:98:fe for icemaps.com and www.icemaps.com issued on May 21 08:32:00 2017 GMT.
Certificate 04:0f:9f:11:28:72:e8:f1:ac:67:2d:c4:19:74:95:71:af:b2 for synodins.com and www.synodins.com issued on May 21 08:31:00 2017 GMT.

NOW however, you have one certificate issued!:

Certificate 04:9f:f4:7f:b3:c9:f9:b5:0f:a8:be:5e:98:72:73:3e:43:34 for icemaps.com, synodins.com, www.icemaps.com and www.synodins.com issued on Aug 19 10:12:00 2017 GMT.

That is not supposed to happen when you just renew your existing certificates.

Which parts of the directions you linked to did you follow for the renewal? All, from the top? Or just from “Automating renewal” and downwards? Because this new certificate including all the domains suggests you started “over”.

How to fix this? I’m not sure if certbot can fix this, but you might want to look at the location of the new certificate in /etc/letsencrypt/ and check if the VirtualHost sections of your Apache configuration are pointing to the right certificate location.

2 Likes

Tanks.

How do I do that?

I went all from the top. But there was one thing, I accidentally went by the ‘debian others’ instructions first as i thought my server was a linux mint 17.3 when it really was an ubuntu 14.04.

I cant find any virtualhost section under /etc/letsencrypt. so i have no idea what to do.

I would prefer flowers :stuck_out_tongue: :wink:

I don't use Ubuntu but the conf files for your Apache should be here /etc/apache2/sites-enabled/ so you need to edit the conf file for synodins.com and modify SSLCertificateFile and SSLCertificateKeyFile directives to point to the same files as you are using for icemaps.com.

Cheers,
sahsanu

2 Likes

here is the certificates directs in icemaps.com-le-ssl.conf file:

SSLCertificateFile /etc/letsencrypt/live/synodins.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/synodins.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/synodins.com/chain.pem

and here they are on synodins.com-le-ssl.conf:

SSLCertificateFile /etc/letsencrypt/live/synodins.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/synodins.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/synodins.com/chain.pem

They are both using the synodins one. /:

Could you please show the output of the following commands?

certbot certificates
grep -ri SSLCertificateFile /etc/apache2/sites-enabled/*
1 Like

Now all of a sudden its working. maybe there was some delay or something, i dont know.
but thanks for the help.

I’m glad you got it working but it is really strange because icemaps.com and synodins.com are using different certificates but as you said, in your Apache conf both points to the same certificate so you should have some other virtualhost or conf for icemaps.com, I think you should recheck the conf.

Have a nice weekend.
sahsanu

1 Like

@sahsanu It’s possible certbot managed to put the new certificate with both domains in /live/synodins.com/.

1 Like

@Osiris, if that is true, when the op restarted the web server, both domains should serve the same certificate and they are being served by different certs:

$ echo | openssl s_client -connect synodins.com:443 -servername synodins.com 2>/dev/null | openssl x509 -noout -text | grep "DNS"
                DNS:synodins.com, DNS:www.synodins.com

$ echo | openssl s_client -connect icemaps.com:443 -servername icemaps.com 2>/dev/null | openssl x509 -noout -text | grep "DNS"
                    DNS:icemaps.com, DNS:synodins.com, DNS:www.icemaps.com, DNS:www.synodins.com

So something weird is out there ;).

If @hermann1 could show us the output of certbot certificates we could see what is going on there.

1 Like

Found the following certs:
** Certificate Name: synodins.com**
** Domains: icemaps.com,synodins.com,www.icemaps.com,www.synodins.com**
** Expiry Date: 2017-11-17 10:38:00+00:00 (VALID: 89 days)**
** Certificate Path: /etc/letsencrypt/live/synodins.com/fullchain.pem**
** Private Key Path: /etc/letsencrypt/live/synodins.com/privkey.pem**
** Certificate Name: synodins.com-0001**
** Domains: synodins.com,www.synodins.com**
** Expiry Date: 2017-11-17 11:55:00+00:00 (VALID: 89 days)**
** Certificate Path: /etc/letsencrypt/live/synodins.com-0001/fullchain.pem**
** Private Key Path: /etc/letsencrypt/live/synodins.com-0001/privkey.pem**
** Certificate Name: icemaps.com**
** Domains: icemaps.com,www.icemaps.com**
** Expiry Date: 2017-11-17 11:55:00+00:00 (VALID: 89 days)**
** Certificate Path: /etc/letsencrypt/live/icemaps.com/fullchain.pem**
** Private Key Path: /etc/letsencrypt/live/icemaps.com/privkey.pem**
** Certificate Name: synodins.com-0002**
** Domains: synodins.com**
** Expiry Date: 2017-11-17 10:48:00+00:00 (VALID: 89 days)**
** Certificate Path: /etc/letsencrypt/live/synodins.com-0002/fullchain.pem**
** Private Key Path: /etc/letsencrypt/live/synodins.com-0002/privkey.pem**
-------------------------------------------------------------------------------

So, icemaps.com is using this path /etc/letsencrypt/live/synodins.com/ for the certs and synodins.com is using this one /etc/letsencrypt/live/synodins.com-0001/ but you said that your web server conf files for both domains point to /etc/letsencrypt/live/synodins.com/ which seems it is not true, synodins.com conf file must be using /etc/letsencrypt/live/synodins.com-0001/ if it is not there is in some conf file.

There is no problem at all if you know what you are doing.

Good luck.
sahsanu

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.