Expired certification

Help
41

root@westfield-nas:/letsencrypt# grep -r ssl_certificate /etc/nginx
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/sites-available/portal_ssl.dhc.nz: ssl_certificate /etc/letsencrypt/live/portal.dhc.nz/fullchain.pem;
/etc/nginx/sites-available/portal_ssl.dhc.nz: ssl_certificate_key /etc/letsencrypt/live/portal.dhc.nz/privkey.pem;
/etc/nginx/sites-available/portal_ssl.dhc.nz: #ssl_certificate /etc/letsencrypt/live/portal.bluedoor.nz/fullchain.pem;
/etc/nginx/sites-available/portal_ssl.dhc.nz: #ssl_certificate_key /etc/letsencrypt/live/portal.bluedoor.nz/privkey.pem;
/etc/nginx/sites-available/portal.dhc.nz: ssl_certificate /etc/letsencrypt/live/portal.dhc.nz/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/portal.dhc.nz: ssl_certificate_key /etc/letsencrypt/live/portal.dhc.nz/privkey.pem; # managed by Certbot

42

reapply the certificate renewal

root@westfield-nas:/letsencrypt# ./letsencrypt-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/us r/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: portal.dhc.nz

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificat e name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/portal.dhc.nz.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/portal.dhc.nz

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP ac cess.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/portal.dhc .nz

Congratulations! You have successfully enabled https://portal.dhc.nz

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=portal.dhc.nz

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/portal.dhc.nz/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/portal.dhc.nz/privkey.pem
    Your cert will expire on 2018-07-22. To obtain a new or tweaked
    version of this certificate in the future, simply run
    letsencrypt-auto again with the “certonly” option. To
    non-interactively renew all of your certificates, run
    “letsencrypt-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@westfield-nas:/letsencrypt# service nginx restart
root@westfield-nas:/letsencrypt# service nginx stop
root@westfield-nas:/letsencrypt# service nginx start

43

You need to follow the packets…
The external IP I see is: 103.68.58.20
check the firewall logs and see where it leads to.
Maybe you have multiple servers, load-balancer, active/standby servers, etc.
There must be a reason we get two different certs.

Without SNI, the IP returns a cert for: project.dhc.org.nz
Where is that system?

44

thats where their old website is hosted, another linux box

45

And yet it is online via the same IP:
https://www.ssllabs.com/ssltest/analyze.html?d=project.dhc.org.nz&hideResults=on
At least it still has a valid cert:
Valid until Thu, 31 May 2018 00:34:56 UTC (expires in 1 month and 6 days)

What I don’t get is how did you get the cert renewed?
Unless the http connections terminate at this server and the https terminate on the other server? ? ?

It seems to be corrected now:
https://www.ssllabs.com/ssltest/analyze.html?d=portal.dhc.nz&latest

46

You need to follow the packets…
The external IP I see is: 103.68.58.20
check the firewall logs and see where it leads to.
Maybe you have multiple servers, load-balancer, active/standby servers, etc.
There must be a reason we get two different certs.

Without SNI, the IP returns a cert for: project.dhc.org.nz
Where is that system?

`

found the issue. thanks for this advise
certificate is now valid

47

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.