Error: certificate that contains a portion

Hi,

I have used certbot for over a year on this EC2 instance and added many subdomains. Today it doesn't work, for some reason I cannot understand.

Note: I have two aws.osmium.app server blocks in nginx, one of which is "ignored". Is that a problem?

Thank you!

My domain is: qr.osmium.app

I ran this command: sudo certbot --nginx -d qr.osmium.app

It produced this output:
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/aws.osmium.app.conf)

It contains these names:

You requested these names for the new certificate: qr.osmium.app.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu pro 22.04 LTS

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0


Can you show result of this?

sudo certbot certificates

And, what do you mean by this? Do you have two server blocks with the exact same domain name for the same listen criteria? Because that is not a valid nginx config.

Or, maybe because your DNS for these two domain names point to different EC2 instances? Please clarify - thanks.

nslookup aws.osmium.app
Address: 3.124.109.158
Address: 2a05:d014:f2f:9100:efd6:39cb:af42:31c

nslookup qr.osmium.app
Address: 3.65.242.224

Thank you for your quick response:

~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
verifying the signature of the certificate located at /etc/letsencrypt/live/aws.osmium.app/cert.pem has failed.                 Details: 
Traceback (most recent call last):
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/crypto_util.py", line 308, in verify_renewable_cert_sig
    verify_signed_payload(pk, cert.signature, cert.tbs_certificate_bytes,
  File "/snap/certbot/3024/lib/python3.8/site-packages/certbot/crypto_util.py", line 333, in verify_signed_payload
    public_key.verify(
  File "/snap/certbot/3024/lib/python3.8/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 571, in verify
    _rsa_sig_verify(
  File "/snap/certbot/3024/lib/python3.8/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 322, in _rsa_sig_verify
    raise InvalidSignature
cryptography.exceptions.InvalidSignature
Renewal configuration file /etc/letsencrypt/renewal/aws.osmium.app.conf produced an unexpected error: verifying the signature of the certificate located at /etc/letsencrypt/live/aws.osmium.app/cert.pem has failed.                 Details: . Skipping.

This seems to be the problem? Or no, you are right, the IP addresses should be the same! I'll double-check this and write back soon.

Yes, I have to confess that I have two server blocks with aws.osmium.app - it happened at setup, and nginx -t warns about it but says it's OK. I didn't want to take the risk of messing with those server blocks as we're running some production loads, so I decided to let it be.


Yes, my mistake, the IP address was from an old record. Now I have corrected that, but the error persists. I was too quick to paste the output of sudo certbot certificates; here is the rest:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: demos.osmium.app
    Serial Number: 4e2ff91c0241599bc090106e980dea263ac
    Key Type: RSA
    Domains: demos.osmium.app
    Expiry Date: 2023-10-24 04:08:46+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/demos.osmium.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/demos.osmium.app/privkey.pem
  Certificate Name: dev3.osmium.app
    Serial Number: 4c0cf9e31140fbe8e7758ffd92fb8e74a41
    Key Type: RSA
    Domains: dev3.osmium.app
    Expiry Date: 2023-10-17 13:53:09+00:00 (VALID: 53 days)
    Certificate Path: /etc/letsencrypt/live/dev3.osmium.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dev3.osmium.app/privkey.pem
  Certificate Name: europa.osmium.app
    Serial Number: 3a514d5a4cf1b8ae422a89aab5597f88435
    Key Type: RSA
    Domains: europa.osmium.app
    Expiry Date: 2023-10-05 22:36:18+00:00 (VALID: 42 days)
    Certificate Path: /etc/letsencrypt/live/europa.osmium.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/europa.osmium.app/privkey.pem
  Certificate Name: masx.osmium.app
    Serial Number: 4a381a9b4bed93eb417eca804247cfd3f45
    Key Type: RSA
    Domains: masx.osmium.app
    Expiry Date: 2023-11-06 11:02:04+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/masx.osmium.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/masx.osmium.app/privkey.pem
  Certificate Name: mpfiltri.osmium.app
    Serial Number: 39d93b8bc86bffbe634da7bfe3374099c38
    Key Type: RSA
    Domains: mpfiltri.osmium.app
    Expiry Date: 2023-09-25 09:56:12+00:00 (VALID: 31 days)
    Certificate Path: /etc/letsencrypt/live/mpfiltri.osmium.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mpfiltri.osmium.app/privkey.pem
  Certificate Name: ph.osmium.app
    Serial Number: 3d0aaa51b91cd2f14ece9bb5306f759e78c
    Key Type: RSA
    Domains: ph.osmium.app
    Expiry Date: 2023-10-13 05:10:45+00:00 (VALID: 49 days)
    Certificate Path: /etc/letsencrypt/live/ph.osmium.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ph.osmium.app/privkey.pem
  Certificate Name: pilots.osmium.app
    Serial Number: 4ea8ea5a5b5c6e4f646f39e7aaae3b48ef3
    Key Type: RSA
    Domains: pilots.osmium.app
    Expiry Date: 2023-10-22 21:59:43+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/pilots.osmium.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/pilots.osmium.app/privkey.pem
  Certificate Name: skye.osmium.app
    Serial Number: 47fb8c36d3f2123bdcf82b1e54f42fa9015
    Key Type: RSA
    Domains: skye.osmium.app
    Expiry Date: 2023-11-22 12:42:25+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/skye.osmium.app/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/skye.osmium.app/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/aws.osmium.app.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

How do I go about sorting this out? Just remove one server block? Which one?

Many thanks


You corrected the IPv4 address for qr, so that's good. But I see you have an IPv6 address only for the aws subdomain and not for any of your others. This requires some care in your nginx config to work right, so it is something you should review carefully.

Hmmm. What did you do to that certificate? :)

Can you show this

sudo ls -lR /etc/letsencrypt/{live,archive}/aws.osmium.com

Thanks for the IPv6 advice - I thought we needed IPv6, but it turned out it wasn't necessary, so I only did IPv4 for the later subdomains.

I changed your command to sudo ls -lR /etc/letsencrypt/{live,archive}/aws.osmium.app as we don't have .com, output:

$ sudo ls -lR /etc/letsencrypt/{live,archive}/aws.osmium.app
/etc/letsencrypt/archive/aws.osmium.app:
total 260
-rw-r--r-- 1 root root 1842 Jul  3  2021 cert1.pem
-rw-r--r-- 1 root root 1842 Dec 27  2022 cert10.pem
-rw-r--r-- 1 root root 1838 Feb 26 10:44 cert11.pem
-rw-r--r-- 1 root root 1842 Apr 27 23:28 cert12.pem
-rw-r--r-- 1 root root 1976 Aug  7 08:08 cert13.pem
-rw-r--r-- 1 root root 1842 Sep  1  2021 cert2.pem
-rw-r--r-- 1 root root 1842 Nov  1  2021 cert3.pem
-rw-r--r-- 1 root root 1842 Dec 31  2021 cert4.pem
-rw-r--r-- 1 root root 1842 Mar  1  2022 cert5.pem
-rw-r--r-- 1 root root 1842 Apr 30  2022 cert6.pem
-rw-r--r-- 1 root root 1842 Jun 30  2022 cert7.pem
-rw-r--r-- 1 root root 1842 Aug 29  2022 cert8.pem
-rw-r--r-- 1 root root 1842 Oct 28  2022 cert9.pem
-rw-r--r-- 1 root root 3750 Jul  3  2021 chain1.pem
-rw-r--r-- 1 root root 3750 Dec 27  2022 chain10.pem
-rw-r--r-- 1 root root 3750 Feb 26 10:44 chain11.pem
-rw-r--r-- 1 root root 3750 Apr 27 23:28 chain12.pem
-rw-r--r-- 1 root root 3750 Jun 27 10:55 chain13.pem
-rw-r--r-- 1 root root 3750 Sep  1  2021 chain2.pem
-rw-r--r-- 1 root root 3750 Nov  1  2021 chain3.pem
-rw-r--r-- 1 root root 3750 Dec 31  2021 chain4.pem
-rw-r--r-- 1 root root 3750 Mar  1  2022 chain5.pem
-rw-r--r-- 1 root root 3750 Apr 30  2022 chain6.pem
-rw-r--r-- 1 root root 3750 Jun 30  2022 chain7.pem
-rw-r--r-- 1 root root 3750 Aug 29  2022 chain8.pem
-rw-r--r-- 1 root root 3750 Oct 28  2022 chain9.pem
-rw-r--r-- 1 root root 5592 Jul  3  2021 fullchain1.pem
-rw-r--r-- 1 root root 5592 Dec 27  2022 fullchain10.pem
-rw-r--r-- 1 root root 5588 Feb 26 10:44 fullchain11.pem
-rw-r--r-- 1 root root 5592 Apr 27 23:28 fullchain12.pem
-rw-r--r-- 1 root root 5515 Jun 27 10:55 fullchain13.pem
-rw-r--r-- 1 root root 5592 Sep  1  2021 fullchain2.pem
-rw-r--r-- 1 root root 5592 Nov  1  2021 fullchain3.pem
-rw-r--r-- 1 root root 5592 Dec 31  2021 fullchain4.pem
-rw-r--r-- 1 root root 5592 Mar  1  2022 fullchain5.pem
-rw-r--r-- 1 root root 5592 Apr 30  2022 fullchain6.pem
-rw-r--r-- 1 root root 5592 Jun 30  2022 fullchain7.pem
-rw-r--r-- 1 root root 5592 Aug 29  2022 fullchain8.pem
-rw-r--r-- 1 root root 5592 Oct 28  2022 fullchain9.pem
-rw------- 1 root root 1708 Jul  3  2021 privkey1.pem
-rw------- 1 root root 1708 Dec 27  2022 privkey10.pem
-rw------- 1 root root 1704 Feb 26 10:44 privkey11.pem
-rw------- 1 root root 1708 Apr 27 23:28 privkey12.pem
-rw------- 1 root root 1704 Jun 27 10:55 privkey13.pem
-rw------- 1 root root 1704 Sep  1  2021 privkey2.pem
-rw------- 1 root root 1704 Nov  1  2021 privkey3.pem
-rw------- 1 root root 1708 Dec 31  2021 privkey4.pem
-rw------- 1 root root 1704 Mar  1  2022 privkey5.pem
-rw------- 1 root root 1704 Apr 30  2022 privkey6.pem
-rw------- 1 root root 1704 Jun 30  2022 privkey7.pem
-rw------- 1 root root 1708 Aug 29  2022 privkey8.pem
-rw------- 1 root root 1704 Oct 28  2022 privkey9.pem

/etc/letsencrypt/live/aws.osmium.app:
total 8
-rw-r--r-- 1 root root  692 Jul  3  2021 README
lrwxrwxrwx 1 root root   39 Jun 27 10:55 cert.pem -> ../../archive/aws.osmium.app/cert13.pem
lrwxrwxrwx 1 root root   40 Jun 27 10:55 chain.pem -> ../../archive/aws.osmium.app/chain13.pem
lrwxrwxrwx 1 root root   44 Jun 27 10:55 fullchain.pem -> ../../archive/aws.osmium.app/fullchain13.pem
-rw------- 1 root root 3414 Aug  7 08:07 key.pem
lrwxrwxrwx 1 root root   42 Jun 27 10:55 privkey.pem -> ../../archive/aws.osmium.app/privkey13.pem

Looks like something happened to the cert13.pem file. Note its date is different from the privkey and fullchain it should be matched with.

This explains the error Certbot has for this domain.

You have several problems to sort, but I won't have more time until later today. Maybe someone else will pick up.

Your duplicate domain names in nginx
The error shown in your first post, where Certbot says the aws subdomain is part of the qr request
That nginx sends an aws.osmium.app cert for requests to the qr domain


And "13" is more than 100 bytes bigger than the previous ones.

If it isn't being used [very likely], you can just copy "12" as "13" to get through that error message.

sudo cp /etc/letsencrypt/archive/aws.osmium.app/cert12.pem /etc/letsencrypt/archive/aws.osmium.app/cert13.pem

You do :)

We are a bit spoiled, with all our IPv4. :D


I'm very humbled by your willingness to help. Much appreciated.

Before I copy the 12 as 13, what's the danger? We've got a fleet of wind turbines running on this subdomain. It's working fine on the server; I can get all the pages in my browsers.


You lose a broken 13 cert.
[which is unused and public information]
see: crt.sh | 9761037601

I say unused because typically the fullchain.pem file is used [not cert.pem]


Actually, this one, as above, is a precert.


OK, thank you, I copied cert12.pem over cert13.pem. Website still works, phew :)

Now I get another error:

$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/aws.osmium.app.conf produced an unexpected error: fullchain does not match cert + chain for aws.osmium.app!. Skipping.

Ideas?

O M G, What's with all the [unnecessary] validations??? LOL

I guess you will have to replace the 13 with the actual real contents.
See previous post [by @MikeMcQ]
In case you missed it: https://crt.sh/?d=9777347192

And in case you can't get that:

-----BEGIN CERTIFICATE-----
[certificate body removed]
-----END CERTIFICATE-----
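Both errors in this thread come from Certbot's own consistency checks on the lineage. The InvalidSignature traceback earlier is Certbot checking that cert.pem really carries a signature from the first certificate in chain.pem, and "fullchain does not match cert + chain" is it checking that fullchain.pem is byte-for-byte cert.pem followed by chain.pem. The script below is an added example, not from the thread and not Certbot's code: it reproduces those two checks with openssl, adds the cert/private-key match that nginx itself enforces at startup, replays the three states seen here (intact, cert13.pem overwritten, cert12.pem copied over it), and shows a repair that needs no download: because fullchain.pem is cert.pem followed by chain.pem, an untouched fullchain.pem still holds the real leaf as its first PEM block (here fullchain13.pem carries the same Jun 27 date as chain13.pem and privkey13.pem, so it was plausibly intact). Everything runs against a throwaway CA and leaf (constructed test data; the name aws.example.test is an assumption) in a temporary directory laid out like /etc/letsencrypt/live/<name>/; it does not read or write /etc/letsencrypt.

```shell
#!/bin/sh
# Added example, not the thread's or Certbot's code: reproduce Certbot's lineage
# consistency checks with openssl against a constructed test lineage.
# Layout mirrors /etc/letsencrypt/live/<name>/ (cert.pem, chain.pem, fullchain.pem,
# privkey.pem) in a temp dir; nothing under /etc/letsencrypt is touched.
set -u

# check_lineage DIR: print one line per check; return 0 only if all three pass.
check_lineage() {
  local dir="$1" rc=0 cert_pub key_pub
  # 1. cert.pem must carry a signature that verifies against the issuer in chain.pem
  #    (Certbot's verify_renewable_cert_sig; this is what raised InvalidSignature).
  if openssl verify -partial_chain -CAfile "$dir/chain.pem" "$dir/cert.pem" >/dev/null 2>&1; then
    echo "ok   cert.pem is signed by chain.pem"
  else
    echo "FAIL cert.pem is not signed by chain.pem"; rc=1
  fi
  # 2. cert.pem and privkey.pem must hold the same public key (nginx refuses the pair
  #    otherwise). Compare the SubjectPublicKeyInfo of each via a digest.
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" = "$key_pub" ]; then
    echo "ok   cert.pem matches privkey.pem"
  else
    echo "FAIL cert.pem does not match privkey.pem"; rc=1
  fi
  # 3. fullchain.pem must be byte-for-byte cert.pem followed by chain.pem
  #    ("fullchain does not match cert + chain").
  if cat "$dir/cert.pem" "$dir/chain.pem" | cmp -s - "$dir/fullchain.pem"; then
    echo "ok   fullchain.pem == cert.pem + chain.pem"
  else
    echo "FAIL fullchain.pem != cert.pem + chain.pem"; rc=1
  fi
  return $rc
}

# issue_leaf DIR KEYOUT CERTOUT SERIAL: new RSA key plus a leaf for the assumed name
# aws.example.test, signed by the test CA whose certificate is DIR/chain.pem.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=aws.example.test" \
    -keyout "$2" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.pem" -CAkey "$1/ca.key" \
    -set_serial "$4" -days 2 -out "$3" 2>/dev/null
}

# make_fixture: build a consistent lineage (constructed test CA + leaf); print its dir.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
    -keyout "$dir/ca.key" -out "$dir/chain.pem" 2>/dev/null
  issue_leaf "$dir" "$dir/privkey.pem" "$dir/cert.pem" 1
  cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
  echo "$dir"
}

# break_signature DIR: overwrite cert.pem with a self-signed cert for the same key,
# i.e. bytes that chain.pem did not sign: the cert13.pem situation.
break_signature() {
  openssl req -x509 -new -key "$1/privkey.pem" -days 2 -subj "/CN=aws.example.test" \
    -out "$1/cert.pem" 2>/dev/null
}

# swap_in_old_cert DIR: replace cert.pem with a cert from the same CA but another key,
# mirroring "cp cert12.pem cert13.pem": the signature check passes, key and fullchain fail.
swap_in_old_cert() {
  issue_leaf "$1" "$1/oldkey.pem" "$1/cert.pem" 2
}

# repair_from_fullchain DIR: an intact fullchain.pem still holds the real leaf as its
# first PEM block; write that block back to cert.pem.
repair_from_fullchain() {
  sed -n '1,/^-----END CERTIFICATE-----/p' "$1/fullchain.pem" > "$1/cert.pem"
}

# Replay the thread: intact -> cert13 overwritten -> cert12 copied over -> repaired.
demo() {
  local d
  d=$(make_fixture)
  echo "== intact lineage";                      check_lineage "$d"
  break_signature "$d"
  echo "== cert.pem overwritten";                check_lineage "$d" || true
  swap_in_old_cert "$d"
  echo "== older cert copied over cert.pem";     check_lineage "$d" || true
  repair_from_fullchain "$d"
  echo "== cert.pem restored from fullchain.pem"; check_lineage "$d"
  rm -rf "$d"
}

demo
```

Pointed at a real lineage, check_lineage /etc/letsencrypt/live/aws.osmium.app (as root) gives the same three verdicts Certbot would, and repair_from_fullchain is only safe when the fullchain.pem check has not also failed; if it has, the leaf has to come from crt.sh or from a fresh issuance, as was done in this thread.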

Thank you!

That sorted the error in sudo certbot certificates and let me run sudo certbot --nginx -d qr.osmium.app without the previous problem.

I now only need to sort out the double server blocks.

Differences:

The second one has

server {
	if ($host = aws.osmium.app) {
		return 301 https://$host$request_uri;
	} # managed by Certbot
	server_name aws.osmium.app; # managed by Certbot
	return 404; # managed by Certbot

at the beginning and the first one just server_name aws.osmium.app;

also, the first one has

listen [::]:443 ssl ipv6only=on; # managed by Certbot

whereas the second one has

listen [::]:443 ssl; # managed by Certbot

I've added some error handling to the first server block, which is working on the website, so my hunch is that it is the first one which is active and that I should delete the second one? (I've never really understood the reason for the return 404; # managed by Certbot line.)


Show both blocks.


block 1

server {

	root /opt/ops/docroot;

	# Custom error 404 page
	recursive_error_pages off;
	error_page 404 = /errors/expired_link.php;


	# Add index.php to the list if you are using PHP
	index index.html index.php index.htm index.nginx-debian.html;

	client_max_body_size 10M;

	server_name aws.osmium.app;

	location ~ /.git/ {
		deny all;
	}

	location / {
		try_files $uri $uri/ =404;
	}

	location /phpmyadmin {
		root /opt/ops/admin;
		location ~ \.php$ {
			fastcgi_pass unix:/run/php/php7.4-fpm.sock;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			include fastcgi_params;
			include snippets/fastcgi-php.conf;
			fastcgi_intercept_errors on;
		}
	}

	location /socket.io {
		proxy_pass http://127.0.0.1:3332;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection 'upgrade';
		proxy_cache_bypass $http_upgrade;
	}

	# pass PHP scripts to FastCGI server
	#
	location ~ \.php$ {
		fastcgi_pass unix:/run/php/php7.4-fpm.sock;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		include fastcgi_params;
		include snippets/fastcgi-php.conf;
	}

	# Handling error pages
	location ^~ /errors/ {
		internal;

		# root /var/www/xxxxx; # ulf #

		fastcgi_pass unix:/run/php/php7.4-fpm.sock;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		include fastcgi_params;
		include snippets/fastcgi-php.conf;

		fastcgi_intercept_errors off;
	}

	listen [::]:443 ssl ipv6only=on; # managed by Certbot
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/aws.osmium.app/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/aws.osmium.app/privkey.pem; # managed by Certbot


	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
} 

block 2

server {
	if ($host = aws.osmium.app) {
		return 301 https://$host$request_uri;
	} # managed by Certbot
	server_name aws.osmium.app; # managed by Certbot
	return 404; # managed by Certbot

	root /opt/ops/docroot;

	# Add index.php to the list if you are using PHP
	index index.html index.php index.htm index.nginx-debian.html;


	client_max_body_size 10M;

	location ~ /.git/ {
		deny all;
	}

	location /phpmyadmin {
		root /opt/ops/admin;
		location ~ \.php$ {
			fastcgi_pass unix:/run/php/php7.4-fpm.sock;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			include fastcgi_params;
			include snippets/fastcgi-php.conf;
		}
	}



	location / {
		try_files $uri $uri/ =404;
	}


	location /socket.io {
		proxy_pass http://127.0.0.1:3332;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection 'upgrade';
		proxy_cache_bypass $http_upgrade;
	}

	# passing PHP scripts to FastCGI server
	#
	location ~ \.php$ {
		fastcgi_pass unix:/run/php/php7.4-fpm.sock;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		include fastcgi_params;
		include snippets/fastcgi-php.conf;
	}

	listen [::]:443 ssl; # managed by Certbot
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/aws.osmium.app/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/aws.osmium.app/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

} 

(paragraphs are not in the same order, sorry)

thank you



I don't see how this server block is active.

That "if ($host..." redirect is correctly used in a server block for port 80 to redirect to HTTPS (443). Your block 2 is for port 443 already, so this redirect would come back to itself, causing a loop.

The if combined with the return 404 is only helpful when that server block is also your default. That means you either explicitly set it as such, or it is the first server block nginx sees, which becomes the default.

These make sure only valid SNI requests for that domain name are redirected to HTTPS (when properly in an HTTP server block). Often bots and IP scanners are not well-behaved so this keeps some load off your server to handle the second request. It also doesn't "leak" info about your domain name if the scanner was just using an IP address (although this is somewhat obscure).

Having these in other server blocks is not (usually) helpful as nginx will only choose non-default server blocks for legit SNI requests matching the server_name. I say usually because people can do weird things with listen clauses where this can get messy.

UPDATE:
Also, you should remove the AAAA record from the DNS for aws.osmium.app until you are able to get it working. And, you should try to do that.

But, connections on IPv6 are not working right now so the faulty AAAA can cause problems.

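As an added illustration of the layout described above (example configuration written for this page, not the thread's own config and not something Certbot generated on this server), this is how the redirect guard and the certificate are meant to be split: the if/return 404 pair lives in the port-80 block, and the certificate lives in exactly one port-443 block. The name and certificate paths are the ones from the thread; the docroot and location directives from block 1 are assumed to be carried over unchanged.

```nginx
# Added example, not the thread's configuration.

# Port 80: the block "certbot --nginx" rewrites when it installs a redirect.
# A server-level return runs in the rewrite phase, before any location is
# matched, so a block like this serves no content at all: it either redirects
# or answers 404. The if only fires for requests that actually name
# aws.osmium.app; when this block is also nginx's default server (the first
# block for the socket, or one marked default_server), everything else that
# reaches the IP gets a bare 404 instead of a redirect that would reveal the
# hostname.
server {
    listen 80;
    listen [::]:80;
    server_name aws.osmium.app;

    if ($host = aws.osmium.app) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}

# Port 443: exactly one server block per name and listen socket. A second
# block with the same server_name on 0.0.0.0:443 is what makes "nginx -t" say
#   nginx: [warn] conflicting server name "aws.osmium.app" on 0.0.0.0:443, ignored
# and nginx keeps the first block and drops the later one. Putting the port-80
# guard above into this block instead would 301 an HTTPS request back to the
# same HTTPS URL, i.e. a redirect loop.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name aws.osmium.app;

    ssl_certificate     /etc/letsencrypt/live/aws.osmium.app/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/aws.osmium.app/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root /opt/ops/docroot;
    index index.html index.php index.htm index.nginx-debian.html;
    client_max_body_size 10M;

    # ... the location blocks from block 1 (PHP, /phpmyadmin, /socket.io, /errors/) go here ...
}
```

After removing the duplicate 443 block, "sudo nginx -t" should come back without the conflicting-server-name warning, and "sudo systemctl reload nginx" applies the change without dropping the running workers.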

Thank you for all your advice Mike, and for your explanation of the 404 line.

I have removed the second serverblock and the website works fine. Running sudo nginx -t shows no warnings.

I will deal with the IPv6 DNS tomorrow, but all my issues are now solved.

Massive thanks to a great community.
