Hey! I created a certificate (crt.sh | korovin80.site). By the way, the browser notices that it's not protected. I found out that the root server expired back in 2021. I've tried --force-renew and it actually worked once, but it didn't apply any changes on crt.sh. So when I tried to obtain these certificates later, when I recreated my server, I fetched old certificates with the expired root server. How can I refresh this root server?
Hi @Topper-crypto, and welcome to the LE community forum.
Your problem sounds like a chain issue.
See: Long (default) and Short (alternate) Certificate Chains Explained - Issuance Policy - Let's Encrypt Community Support (letsencrypt.org)
Also, don't use:
That doesn't fix anything.
Hello @Topper-crypto, welcome to the Let's Encrypt community.
With https://letsdebug.net/, all 3 challenge types have DNS failures:
- HTTP-01 - Let's Debug
- DNS-01 - Let's Debug
- TLS-ALPN-01 - Let's Debug
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
Yes, you answered this, but a list of all that this topic is about can be helpful.
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Thank you for assisting us in helping YOU!
And https://dnsviz.net/ is showing: korovin80.site | DNSViz
Here (DNS Lookup - Check DNS Records) no DNS records are found for korovin80.site.
What root server are you speaking of? The DNS root server that is the SOA NS for your domain?
My domain is: korovin80.site
I ran this command: certbot certonly --nginx --test-cert --email mail --agree-tos --no-eff-email -d 'korovin80.site' -d 'www.korovin80.site' -d 'gitlab.korovin80.site' -d 'grafana.korovin80.site' -d 'prometheus.korovin80.site' -d 'alertmanager.korovin80.site'
It produced this output: I was using Ansible to configure everything automatically, so I didn't get any output.
My web server is (include version): nginx 1.18
The operating system my web server runs on is (include version): Ubuntu 22.04
My hosting provider, if applicable, is: Yandex
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): When I was using certbot for the first time, I spotted it was the old 0.40 certbot version. So after that I updated to version 1.21.
I'm thinking that I was using an old certbot and somehow it created a certificate with the expired root Doctored Durian Root CA X3 server, so I need to refresh this certificate. Right now I've destroyed all DNS records for those sites, so they are unavailable. Thanks for the replies!
@Topper-crypto when you bring back those destroyed DNS records:
Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).
That sounds more like a problem within:
Can we see that script?
# Task 1: look for an existing certificate for the domain
- name: Check if certificate already exists
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ virtual_domain }}/cert.pem"
  register: letsencrypt_cert

# Task 2: request a certificate (note: --test-cert uses the staging environment)
- name: Generate new certificate
  ansible.builtin.shell: >
    certbot certonly --nginx --test-cert --email '{{ letsencrypt_email }}'
    --agree-tos --no-eff-email -d '{{ virtual_domain }}'
    -d 'www.{{ virtual_domain }}' -d 'gitlab.{{ virtual_domain }}'
    -d 'grafana.{{ virtual_domain }}' -d 'prometheus.{{ virtual_domain }}'
    -d 'alertmanager.{{ virtual_domain }}'
I can share fullchain.pem, if it can help to check chain validity.
Show:
ls -l /etc/letsencrypt/live/{{ virtual_domain }}/
Is this a test or production site?
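Pulling the helpers' two hints together (the --test-cert flag in the posted playbook, and the test-vs-production question), here is an added playbook fragment that is not the poster's own code. It assumes the variables virtual_domain, letsencrypt_email and letsencrypt_staging, and that the system trust store lives at /etc/ssl/certs/ca-certificates.crt (the Ubuntu default). Certificates issued with --test-cert come from the staging environment, whose test-only roots are not in browser trust stores, so the fragment only passes that flag when staging is explicitly requested and then verifies a production chain with openssl before nginx serves it.

```yaml
# Added example, not the poster's playbook. Assumed variables:
#   virtual_domain, letsencrypt_email, letsencrypt_staging (default false)
- name: Check if certificate already exists
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ virtual_domain }}/cert.pem"
  register: letsencrypt_cert

- name: Obtain certificate (staging only when letsencrypt_staging is true)
  ansible.builtin.command: >
    certbot certonly --nginx --non-interactive --agree-tos --no-eff-email
    {{ '--test-cert' if letsencrypt_staging | default(false) else '' }}
    --email '{{ letsencrypt_email }}'
    -d '{{ virtual_domain }}' -d 'www.{{ virtual_domain }}'
    -d 'gitlab.{{ virtual_domain }}' -d 'grafana.{{ virtual_domain }}'
    -d 'prometheus.{{ virtual_domain }}' -d 'alertmanager.{{ virtual_domain }}'
  when: not letsencrypt_cert.stat.exists

# A staging chain ends in a test-only root, so this verification fails for
# it the same way a browser would; it is therefore run only for production.
- name: Verify the issued chain against the system trust store
  ansible.builtin.command: >
    openssl verify
    -CAfile /etc/ssl/certs/ca-certificates.crt
    -untrusted /etc/letsencrypt/live/{{ virtual_domain }}/chain.pem
    /etc/letsencrypt/live/{{ virtual_domain }}/cert.pem
  changed_when: false
  when: not (letsencrypt_staging | default(false))
```

If a staging certificate is already present under /etc/letsencrypt/live, remove that lineage first (certbot delete --cert-name <domain>), because the stat guard otherwise keeps the old files and never requests a production one.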
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.