Expired certificate with ISP blocking ports


#1

My certificate has expired: http://otx82wn9xnzcygap6bsc.duckdns.org

The problem is I have recently changed ISP and the new ISP doesn’t allow me to open ports (all ports are blocked). In this situation, till I subscribe to a significantly more expensive broadband package, I’m unable to renew my certificate.

Considering changing my ISP immediately isn’t an option, how do I make Apache locate my new self-signed certificate, considering Certbot has installed a completely new configuration file named “000-default-le-ssl.conf” at /etc/apache2/sites-available?

Is there any other solution?

(Needless to say, I used certbot for installation. I’m running Raspbian Jessie)


#2

How will you ever use a cert at this IP (presuming you can get one)?


#3

If you made a self-signed cert…
Point to wherever you made it?

If you want to use the last certbot cert, check that location with:
certbot certificates


#4

> How will you ever use a cert at this IP (presuming you can get one)?

I’ll have to generate a self-signed certificate for the time being, use it internally within the network and probably upgrade to their more expensive plans later. Right now Safari/Firefox is giving me an ugly error about an expired certificate (in fact Safari is refusing to open the page).


#5

Issue the certificate using DNS validation: acme.sh + DuckDNS’ API: https://github.com/Neilpang/acme.sh

No connection to your server required and automatic renewal is supported, but this does mean abandoning Certbot.

Instructions for DuckDNS + acme.sh.


#6

As a very temporary “self-signed” cert, try using the snake-oil cert:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

Or wherever it may be located on your system:
find / -name '*snakeoil.pem'


#7

Thank you @_az

You are amazing! That totally solved the issue. I now have a renewed LE cert even though ports are blocked!


#9

@rg305 @_az

May I ask a silly question? I have 2 ssl.conf files in the /etc/apache2/sites-enabled folder.

The folder has 3 files:
000-default-le-ssl.conf
000-default-ssl.conf
000-default.conf

The first one was created by LE and the last two used to be the default ones before I started using LE. Is it okay to have 2 ssl.conf files or should I delete one of the ssl.conf files and continue my edits with just one of them? In case both configs are valid, which one does Apache choose?

In other words, in which conf file should I point my new LE certificates?


#10

Depends what virtualhosts those files actually contain. You could run this command and see how it all maps out:

apachectl -t -D DUMP_VHOSTS

The safe thing to do is update all of them to point to the new acme.sh certificates, even if those virtual hosts are partially redundant.

This is actually a source of pain for many. It seems to be “whichever one it parses first”. You should get rid of duplicates if you can identify them!
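
An audit for the situation in posts #9 and #10, as an added example that is not part of the thread: it lists every certificate directive in the enabled site files and prints the ones that do not point into the directory holding the new certificate. The install directory /etc/apache2/acme and the sample file contents are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and file contents are constructed.

# list_ssl_directives DIR
# Print "file<TAB>directive<TAB>path" for every active certificate directive
# in DIR/*.conf. Names are matched case-insensitively, as Apache does;
# commented-out lines never match because the name must be the first field.
list_ssl_directives() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            tolower($1) ~ /^sslcertificate(key|chain)?file$/ {
                path = $2
                gsub(/"/, "", path)          # drop optional quotes
                printf "%s\t%s\t%s\n", file, $1, path
            }' "$f"
    done
}

# stale_ssl_directives DIR CERT_DIR
# Keep only the directives whose path lies outside CERT_DIR, i.e. the
# virtual hosts that would still serve an old or snake-oil certificate.
stale_ssl_directives() {
    list_ssl_directives "$1" |
        awk -F '\t' -v want="${2%/}/" 'index($3, want) != 1'
}

# make_sample_sites DIR: constructed stand-ins for the three files in post #9.
make_sample_sites() {
    mkdir -p "$1"
    printf '%s\n' '<VirtualHost *:80>' '</VirtualHost>' > "$1/000-default.conf"
    printf '%s\n' '<VirtualHost *:443>' \
        '  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem' \
        '  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key' \
        '</VirtualHost>' > "$1/000-default-ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' \
        '  # SSLCertificateFile /old/path/cert.pem' \
        '  SSLCertificateFile "/etc/apache2/acme/fullchain.pem"' \
        '  sslcertificatekeyfile /etc/apache2/acme/privkey.pem' \
        '</VirtualHost>' > "$1/000-default-le-ssl.conf"
}

# Demo on the constructed files; pass two real directories to audit a host,
# e.g. /etc/apache2/sites-enabled and the directory the new cert lives in.
if [ "$#" -eq 2 ]; then
    stale_ssl_directives "$1" "$2"
else
    demo=$(mktemp -d) && make_sample_sites "$demo"
    stale_ssl_directives "$demo" /etc/apache2/acme
    rm -rf "$demo"
fi
```

On the sample files it reports the two snake-oil directives in 000-default-ssl.conf, which is the virtual host that would keep serving the wrong certificate if Apache parsed it first.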


#11

Got it! Thanks a lot, again 🙂

