Help with Certbot renewal & plugins

Where do I see the cert life?

Also, certbot certificate: is it a command or some file?

I don't see one. But your configuration isn't good:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://vorman.mooo.com/ (148.75.65.185) | 302 | http://vorman.mooo.com/index.php/login | 0.506 | D |
| http://vorman.mooo.com/index.php/login | 200 | | 0.637 | H |
| https://vorman.mooo.com/ (148.75.65.185) | 302 | https://vorman.mooo.com/index.php/login | 6.486 | A |
| https://vorman.mooo.com/index.php/login | 200 | | 2.660 | A |

You have a redirect to your login page. But the login page uses http, which is bad.

So http -> https, then / -> login.

root@vorman:~/lets# certbot certificates

bash: certbot: command not found

Sorry!
certbot-auto certificates
LOL

1 Like

Please show, confused.

Check it

https://check-your-website.server-daten.de/?q=vorman.mooo.com

Your browser may cache the https status, so you can't use your browser to test such things.

But a new user doesn't use https if there is no redirect.

Thanks, let me write this down lol. And how I renewed. Next time it will be easier for me. Appreciate the help.

Just use:
certbot-auto
or
certbot-auto renew

Which can be called from a cron job (twice a day is the recommendation).
It will only actually renew when less than 30 days are left.

This is still French to me, sorry. How do I fix it?

The config doesn’t force HTTP to HTTPS.
So anyone going to http://vorman.mooo.com/
gets this:
wget http://vorman.mooo.com/
--2018-12-08 11:01:22--  http://vorman.mooo.com/
Resolving vorman.mooo.com (vorman.mooo.com)... 148.75.65.185
Connecting to vorman.mooo.com (vorman.mooo.com)|148.75.65.185|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://vorman.mooo.com/index.php/login [following]
--2018-12-08 11:01:23--  http://vorman.mooo.com/index.php/login
Reusing existing connection to vorman.mooo.com:80.
HTTP request sent, awaiting response... 200 OK

Instead of:
https://vorman.mooo.com/index.php/login

I understand this part, but where in the file do I fix it? And how?

From example #1 at: https://redmine.lighttpd.net/projects/1/wiki/HowToRedirectHttpToHttps
This will redirect ALL http connections to https.
Add to your LIGHTTPD config (and restart web service):

$HTTP["scheme"] == "http" {
    # capture vhost name with regex conditional -> %0 in redirect pattern
    # must be the most inner block to the redirect rule
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}
1 Like

Now you have a Grade B, this is ok. Your users are redirected to https, so you don't have http anymore.

Adding HSTS (to get a Grade A) - wait some time.

If HSTS is set and the certificate is expired, the user can't create an exception. So the page would be blocked.

--

So HSTS (+ preload) is a wonderful security feature. But it requires always valid certificates and a working renew function.

1 Like

The server's preferred cipher suite order needs some proper re-ordering (in strongest to weakest order):

I'm not SslLabs. This is my own check because I don't want to test all these things manually.

Before, the site had Grade H - no https, now B.

1 Like

I hit the max limit of replies in one day yesterday.

Thanks a lot to you and @rg305. Very helpful

2 Likes

Why is my certificate showing expired if I renewed it?

You have created a new certificate.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:vorman.mooo.com&lu=cert_search

2018-12-08.

But

|CN=vorman.mooo.com (464)|27.09.2018|25.12.2018 expired|vorman.mooo.com - 1 entry

you don’t use it.

Did you restart / reload your server?

Yes, but still.
Why does it point to archive? I see 2 certificates in fullchain.

0 lrwxrwxrwx 1 root root 44 Dec 8 05:46 /etc/letsencrypt/live/vorman.mooo.com/fullchain.pem -> ../../archive/vorman.mooo.com/fullchain2.pem
root@vorman:/home/pi#

https://www.sslchecker.com/sslchecker

https://www.sslshopper.com/ssl-checker.html#hostname=Vorman.mooo.com

Please show the output of

certbot certificates

Then you have the name of your correct certificate. Then you can change the file names in your vHost.
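Since the thread comes down to two checks (is renewal due under the "less than 30 days left" rule, and does the server actually serve the file in /etc/letsencrypt/live/), here is an added shell script that does both; it is not from anyone in this thread. It assumes openssl and GNU date are installed, and the function names are my own.

```bash
#!/bin/sh
# Added example, not from this thread. Applies certbot's renewal rule
# (renew when fewer than 30 days are left) to a certificate file and
# compares the certificate a host serves with the one on disk.
# Assumes openssl and GNU date (for "date -d"); function names are mine.

RENEW_THRESHOLD_DAYS=30

# Seconds since the epoch at which the certificate in FILE expires.
cert_not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1
    date -u -d "${end#notAfter=}" +%s
}

# Whole days until the certificate in FILE expires (negative if expired).
days_left() {
    end=$(cert_not_after_epoch "$1") || return 1
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# Exit 0 when the certificate in FILE is inside the renewal window.
renewal_due() {
    [ "$(days_left "$1")" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# SHA-256 fingerprint of the certificate in FILE.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate HOST serves on PORT (default 443).
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 when HOST serves the certificate stored in FILE. A mismatch means
# the web server was not reloaded or its vHost still names an old file.
serving_current_cert() {
    [ "$(served_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# usage: check_host vorman.mooo.com /etc/letsencrypt/live/vorman.mooo.com/fullchain.pem
check_host() {
    printf '%s days left on %s\n' "$(days_left "$2")" "$2"
    renewal_due "$2" && echo "renewal window reached, run certbot-auto renew"
    serving_current_cert "$1" "$2" || echo "WARNING: $1 serves a different certificate than $2"
}
```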