Deleting certs while testing and reached the limit


#1

Hello,

I am using nginx and of course get warned "fullchain.pem: no such file" when doing nginx -t. :frowning:
I just knew the rule for the limit. Now I am done for. But how do I keep my site running HTTPS while waiting a week for the certs?
My site is currently showing https; I haven't restarted nginx since the tragedy. :frowning2:


#2

For testing you should always use the test / staging server, although it's a little late for that now :wink:

I assume you didn't take a backup when you deleted the certs?

Do you still have the private key you used to generate the certs? If so, you may be able to obtain the certs from crt.sh


#3

Hi Serverco and thanks for your reply,

I do not know which is the private key, but…

Yes, I have no backup of those certs. I deleted all files in /etc/letsencrypt/live and /etc/letsencrypt/renewal.

If there is no way of restoring the certs, could I just keep my site running HTTPS for a week until the certs are refreshed? Because I am running a production site and I guess an error would come up if I restarted nginx.

Thank you


#4

It does sound as if just leaving your site running is the best way, yes.


#5

Thanks,

What do you think would happen if I restarted nginx? Would my site go down? What kind of error might occur?
Thank you


#6

Did you delete all of /etc/letsencrypt or just /etc/letsencrypt/live and /etc/letsencrypt/renewal? Those two directories are not actually that critical. The private key is in /etc/letsencrypt/keys.


#7

Hello mnordhoff and thank you,

No, I didn’t delete the parent directory (/etc/letsencrypt),
I just deleted all files in those two folders (/etc/letsencrypt/live and /etc/letsencrypt/renewal).
Any ideas? :slight_smile: Could you save my life?


#8

If you look in /etc/letsencrypt/archive you should find all the certs you got.


#9

It’s a somewhat advanced thing to experiment with, but it should be possible to get the private key out of the web server’s memory. Additionally, it is possible although unlikely that the web server keeps the private key file open, in which case the OS has not actually deleted it yet and a usable link to it can be found somewhere in /proc.

If you find the web server’s PID(s) with ps, you can cd into /proc/<webserverpid> and then try sudo ls -l fd which will show whether you have your privkey file still open; if you’re lucky you might possibly see something like

l-wx------ 1 you you 64 Jan 14 12:00 17 -> /etc/letsencrypt/archive/example.com/privkey2.pem (deleted)

which is good news because then that is your private key, which could then be copied out of fd/17. :slight_smile:

For the memory-searching example, you can use the gdb attach method in

The private key should be somewhere in the resulting core file (maybe in PEM format, which is the comparatively easy case; maybe not, which is the comparatively trickier case).

I would not recommend using the kill method because if it doesn’t work, you’ve lost your working web server!
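The /proc check described in the post above, written out as a script (an added example, not part of the original thread). The function names and the PROC_ROOT variable are assumptions introduced here; PROC_ROOT exists only so the functions can be pointed at a constructed directory tree instead of the real /proc.

```shell
#!/bin/sh
# Added example: find files a process still holds open after deletion,
# and copy one back out. PROC_ROOT is an assumption of this example;
# on a real system leave it at /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# list_deleted_fds PID
# Prints "<fd> <original path>" for each descriptor whose link target
# carries the kernel's " (deleted)" suffix.
list_deleted_fds() {
    pid="$1"
    for fd in "$PROC_ROOT/$pid"/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case "$target" in
            *" (deleted)")
                orig=${target%" (deleted)"}
                printf '%s %s\n' "${fd##*/}" "$orig"
                ;;
        esac
    done
}

# recover_fd PID FD DEST
# Copies the still-open content to DEST, readable by the owner only,
# and refuses to overwrite an existing file.
recover_fd() {
    pid="$1"; fd="$2"; dest="$3"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    # umask is set in a subshell so the caller's umask is unchanged.
    ( umask 077 && cat "$PROC_ROOT/$pid/fd/$fd" > "$dest" )
}

# Usage once the functions are loaded, run as root:
#   list_deleted_fds <webserverpid>
#   recover_fd <webserverpid> <fd> /root/recovered-privkey.pem
```

Run it against every web server PID that ps shows, since the master and worker processes hold different descriptors.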


#10

schoen && cool110;

You slay, Men!!! You really save my life!


#11

@cool110’s suggestion is a lot more straightforward than mine… :slight_smile:

