Cloudflare and Certificate renewal

CROSP · June 5, 2017, 10:16am

Hi, a week ago I noticed a problem with my website. It returned 403 error for all requests or 404 not found. This problem occurred after migrating to Cloudflare. I didn't recognized what could cause this problem then and solved it by disabling Cloudflare for a while.

Now I've got the same problem. I've just recognized that I set a crontab task to renew my certificate every Monday.

It looks as follows

30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

I am getting the following errors in the ssl_error_log file

[Mon Jun 05 05:56:49.730824 2017] [autoindex:error] [pid 2303] [client 162.158.69.120:9264] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.php,index.php) found, and server-generated directory index forbidden by Options directive

I've found a lot of similar topics, but still have no luck with setting it up correctly.

I have tried webroot challenge instead. Like that

letsencrypt certonly --webroot --webroot-path /var/www/mysite.net/public_html/ --renew-by-default --email alexander@mysite.net --text --agree-tos -d mysite.net -d www.mysite.net

And got the following output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mysite.net/fullchain.pem. Your cert will
   expire on 2017-09-03. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

But I still get the same error.

I have the following virtual host configuration

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin alexander@mysite.net
    ServerName mysite.net
    ServerAlias www.mysite.net
    DocumentRoot /var/www/mysite.net/public_html
    ErrorLog /var/www/mysite.net/logs/error.log
    CustomLog /var/www/mysite.net/logs/requests.log combined
SSLCertificateFile /etc/letsencrypt/live/mysite.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mysite.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

So all in all. Please help to solve this problem and suggest steps to follow in order to

Get rid of old configuration (if necessary)
Setup valid configuration for issuing certificates for the case of using cloudflare
Setup certificates auto renewal

I would be grateful for any help.

CROSP · June 5, 2017, 11:46am

The most weird thing is that Cloudflare seems to try to access my website without setting the hostname (or something like that), because this error shows that Apache tries to load /var/www/html instead of /var/www/mysite.net/public_html/

[Mon Jun 05 07:38:04.892719 2017] [autoindex:error] [pid 2318] [client 172.68.10.103:33192] AH01276: Cannot serve directory /var/www/html/: No matching DirectoryIndex (index.html,index.php,index.php) found, and server-generated directory index forbidden by Options directive

But this only happens after certificate renewal.

CROSP · June 5, 2017, 2:45pm

I have just faced with another problem. As far as I have been trying to solve my problem, I’ve issued multiple certificates and now I am getting an error

Error creating new cert :: too many certificates already issued for exact set of domains

Is there any way to remove all old certificates ? Or somehow revoke them ?

Thanks.

sahsanu · June 5, 2017, 3:17pm

Hi @CROSP,

1.- Get rid of old configuration (if necessary)

What old configuration means? if we don't know what you did first and how it is impossible to know if you need to remove some old conf.

2.- Setup valid configuration for issuing certificates for the case of using cloudflare

You have used the webroot method that uses http-01 challenge and that should work pretty well with cloudflare.

3.- Setup certificates auto renewal

You can use the same cron job, but I will execute it in a daily basis:

30 2 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

certbot will check if some of your certs expire in less than 30 days and will renew them. If none of them need to be renewed the command will do nothing.

Maybe your default ssl conf in apache has precedence over the virtualhost of mysite.net so it is ignoring the conf of this last conf.

I'm afaraid that you are stuck for 7 days, there is a limit of 5 certificates per 7 days for the same subset of domains in a certificate. That means that you should already have 5 certificates in your server so I don't know why you need more for the same subset of domains.

Removing the limit is not possible and revoking them too (the revokation is useful only if you have lost your private key or it has been stolen, etc. but has no eefect in the applied limits applied).

Anyway, if you add one more domain to your cert that already have www.mysite.net and mysite.net like for example a.mysite.net you it will count as a new domain and you could have a new cert covering the needed domains.

Cheers,
sahsanu

rg305 · June 6, 2017, 5:17am

Validate the cert.
Find the configuration error that refuses to use that cert.
Problem solved... well for 90 days or so.

system · July 6, 2017, 5:17am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.