Certificate Renewal

Please read your own output.

But why is this a Windows box?

Your https runs under nginx. Under Windows?

Looks like you don't know your own configuration.

That's already shared - your port 443 answers, your port 80 not. That's the problem.

PS:

My web server is (include version): nginx/1.14.0 (Ubuntu)

There is a (etdemo)

Server: nginx/1.15.10


I can access both etrust.pacifictrustees.com and etdemo.pacifictrustees.com over https, but they have different expired certificates.

I'm accessing my server remotely

Yes but I was surprised you can access it outside through both http and https.

With your telnet, are you using port 23 or port 80? More importantly, why are you not using SSH? :upside_down_face:

We can't access it using http, my friend. That's the point.

Let me check that out.

Before I joined this company, they were already using SSL, and it was a vendor who set it up. How do I check if telnet is using 23 or 80?

You're right.

Yeah... ssh isn't there.

% nmap -A etrust.pacifictrustees.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 10:53 CEST
Nmap scan report for etrust.pacifictrustees.com (211.24.110.124)
Host is up (0.37s latency).
rDNS record for 211.24.110.124: cgw-211-24-110-124.bbrtl.time.net.my
Not shown: 997 filtered ports
PORT     STATE SERVICE       VERSION
443/tcp  open  ssl/http      nginx 1.15.10
| http-git: 
|   211.24.110.124:443/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|_      ssh://git@git.datumcorp.com:10034/simon/pact-client.git
|_http-server-header: nginx/1.15.10
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=etrust.pacifictrustees.com
| Subject Alternative Name: DNS:etrust.pacifictrustees.com
| Not valid before: 2020-05-20T15:00:09
|_Not valid after:  2020-08-18T15:00:09
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
7443/tcp open  tcpwrapped
8443/tcp open  ssl/https-alt nginx
|_http-server-header: nginx
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.76 seconds

There's more than a little history. :slightly_smiling_face:

https://crt.sh/?q=pacifictrustees.com

Exactly what I noticed. :grin: Neither is telnet...

Telnet can be used as a general tool for checking ports. The typical telnet port is 23, but you should be using SSH for remote access via port 22.

@9peppe is right though. Where we stand:

  • You need port 80 to use http challenges to renew your certificates.
  • You could just use dns challenges to get your https up and running for now then fix your http as you can.
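An added example, not code from anyone in this thread: a small Python triage script that reads an nmap -A report like the one posted above, pulls out the open TCP ports and the certificate's "Not valid after" date, and says whether an http-01 renewal is even possible or whether dns-01 is the way out. The sample report is an excerpt of the scan from this thread; the reference time is passed in explicitly so the result is reproducible.

```python
"""Triage a pasted nmap -A report: which ports are open, is the TLS cert
expired, and can Let's Encrypt's http-01 challenge reach port 80?"""
import re
from datetime import datetime, timezone

# Excerpt of the nmap report posted in the thread (trimmed to relevant lines).
SAMPLE_REPORT = """\
PORT     STATE SERVICE       VERSION
443/tcp  open  ssl/http      nginx 1.15.10
| ssl-cert: Subject: commonName=etrust.pacifictrustees.com
| Not valid before: 2020-05-20T15:00:09
|_Not valid after:  2020-08-18T15:00:09
7443/tcp open  tcpwrapped
8443/tcp open  ssl/https-alt nginx
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)", re.M)
NOT_AFTER_RE = re.compile(r"Not valid after:\s+(\S+)")


def parse_report(text):
    """Return ({port: state}, not_after as an aware UTC datetime or None)."""
    ports = {int(p): state for p, state in PORT_RE.findall(text)}
    m = NOT_AFTER_RE.search(text)
    not_after = None
    if m:
        # nmap prints certificate validity times in UTC without a zone suffix.
        not_after = datetime.fromisoformat(m.group(1)).replace(tzinfo=timezone.utc)
    return ports, not_after


def triage(text, now_iso=None):
    """Summarise the renewal situation. Ports missing from the report were
    not open in the scan (nmap listed them as filtered), which is exactly
    what this thread saw for 80/tcp."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    ports, not_after = parse_report(text)
    expired = not_after is not None and not_after < now
    return {
        "open_ports": sorted(p for p, s in ports.items() if s == "open"),
        "cert_expired": expired,
        "days_since_expiry": (now - not_after).days if expired else 0,
        "http01_possible": ports.get(80) == "open",
        "recommend": "http-01" if ports.get(80) == "open" else "dns-01 (port 80 unreachable)",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```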

According to my vendor

the docker containers' ports are published by docker-proxy

and he has said that

the nginx config is set to auto forward any port 80 to 443

All this in regards to when queried about access internally and outside of my office network. To note, I am not able to access either using http or https.

You can't correctly access content via https because certificates are expired. Do you have access to the DNS records? Do you know how to install the new certificate and private key on your system? If yes to both, we can have you with new certificates in a blink. Problem solved... er, sidestepped.

Your vendor is not aware of what your firewall is doing, and is not realizing that a docker container and nginx are fighting for control over port 80.


Based on the cert history, I'd say they were definitely renewing manually every month.

he has said that all the ports published here are under docker-proxy


OK, your external nginx and your external certbot are new additions to your config, right?

Your nginx is entirely dockerized, you need to install the certs in there.

I don't know how your config is working, but there should be some ACME client configured to install stuff in the nginx image (even a certbot docker container, maybe).

I'm lost here

Then I think I used port 23, as I did not make any changes.

Do you have a tutorial on how to do this?

Um, but I have to pay for a certificate, right? Unless there are free alternatives out there.

I should alert him

The vendor was helping to renew it for us, so I'm not clear on what they did. Perhaps it was through the letsencrypt panel.

:rofl: :joy: :rofl:

You're on Let's Encrypt, friend. We're all about free certificates here.

OK, let's start over.

What issues did you notice and what actions did you take in response?