HTTPS says certificate expired. certbot says it's good


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: a-view.org

I ran this command: certbot certonly --cert-name a-view.org

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not open file: /etc/nginx/sites-enabled/159.65.74.127.conf

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin - Alpha (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): lewis@neilson-levin.org
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): a-view.org lnotes.a-view.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for a-view.org
http-01 challenge for lnotes.a-view.org
Waiting for verification...
Cleaning up challenges
Could not open file: /etc/nginx/sites-enabled/159.65.74.127.conf

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/a-view.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/a-view.org/privkey.pem
   Your cert will expire on 2018-11-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Here is the confirmation that the cert was updated:

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: a-view.org
    Domains: a-view.org lnotes.a-view.org
    Expiry Date: 2018-11-30 15:41:08+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/a-view.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/a-view.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#2

Hi,

Can you please try to open your Nginx virtual host configuration file and reload Nginx afterward?

Since your renewed certificate is saved, but Nginx might not be reloaded…

Thank you


#3

I ran service nginx restart multiple times. The log shows it restarted.


#4

Hi,

Can you share us your website configuration file? (the virtual host file for your site)

Thank you


#5

This is for ssl:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name a-view.org;
    root /var/www/a-view/ghost/system/nginx-root;

    ssl_certificate /etc/letsencrypt/a-view.org/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/a-view.org/a-view.org.key;
    include /etc/nginx/snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

This is for port 80:

server {
    listen 80;
    listen [::]:80;

    server_name a-view.org;
    root /var/www/a-view/ghost/system/nginx-root;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

It used to work but the original certificate expired 8/29.

The renewal worked, but I think that perhaps when I originally configured I had the certs in a different location.


#6

Hi,

Can you please change two lines of this virtual host file?

Please remove the two lines:

ssl_certificate /etc/letsencrypt/a-view.org/fullchain.cer;
ssl_certificate_key /etc/letsencrypt/a-view.org/a-view.org.key;

Please add the following lines:

ssl_certificate /etc/letsencrypt/live/a-view.org/fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/a-view.org/privkey.pem

Afterward please reload nginx…

Thank you


#7

Hi @lewisl

Your files are fullchain.pem / privkey.pem.

So change your configuration file.


#8

Got to have semi-colons!

That’s it.

Is “live” like “sites-available” for nginx?

I guess that the first time I did everything manually and put the certs in a different directory than certbot puts things.

Thanks.
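
An added check, written for this thread and not code from certbot or from the poster, that audits the ssl_certificate and ssl_certificate_key directives of a server block for the two things that went wrong above: paths outside certbot's live directory (so a renewal never reaches nginx) and directives without a terminating semicolon. The sample block is constructed from the config posted in #5; file-existence checks are off by default so the script runs offline.

```python
import os
import re

# Sample server block, constructed from the one posted in this thread:
# the certificate paths point outside certbot's live directory.
SAMPLE_CONFIG = """server {
    listen 443 ssl http2;
    server_name a-view.org;
    ssl_certificate /etc/letsencrypt/a-view.org/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/a-view.org/a-view.org.key;
    include /etc/nginx/snippets/ssl-params.conf;
}
"""

LIVE_DIR = "/etc/letsencrypt/live"  # where 'certbot renew' updates the symlinks
DIRECTIVE = re.compile(r"^\s*(ssl_certificate(?:_key)?)\s+(\S+?)(;?)\s*$")


def audit_tls_directives(config_text, live_dir=LIVE_DIR, check_files=False):
    """Return (line_no, directive, finding) tuples for ssl_certificate and
    ssl_certificate_key lines likely to leave nginx serving a stale cert.
    Findings: 'missing semicolon', 'not under certbot live dir', 'file not found'."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]          # drop trailing nginx comments
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, path, terminator = m.groups()
        if terminator != ";":
            findings.append((line_no, directive, "missing semicolon"))
        if not path.startswith(live_dir.rstrip("/") + "/"):
            findings.append((line_no, directive, "not under certbot live dir"))
        if check_files and not os.path.exists(path):
            findings.append((line_no, directive, "file not found"))
    return findings


def certbot_directives(cert_name, live_dir=LIVE_DIR):
    """The directive pair nginx should carry so that a renewal is picked up
    on the next reload; note the terminating semicolons."""
    base = f"{live_dir.rstrip('/')}/{cert_name}"
    return (f"ssl_certificate {base}/fullchain.pem;",
            f"ssl_certificate_key {base}/privkey.pem;")


if __name__ == "__main__":
    for line_no, directive, finding in audit_tls_directives(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive}: {finding}")
    print("\n".join(certbot_directives("a-view.org")))
```

Run it against a real file with `audit_tls_directives(open(path).read(), check_files=True)`, then `nginx -t` and a reload; the audit does not replace checking what the server actually presents to clients.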


#9

Yup…

The live folder is where Let’s Encrypt puts the keys & certificates (kind of similar to sites-enabled)


#10

So, I was set up–probably incorrectly–for automatic renewals.

File /etc/cron.d/certbot looks like this:

# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

I always forget the cron timing codes, but does this look right?
Why didn’t it happen? The file create date is Jul 21, 2018.


#11

Hi,

This looks good…

I’m not sure what’s happened…

By the way, could you please check if /run/systemd/system exists?

Take a look at this please:

Thank you


#12

The directory /run/systemd/system exists.

I am not sure what you mean by certbot cron job.

Just above I showed the file for cron.d.

There is also a file called certbot.timer:

[Unit]
Description=Run certbot twice daily

[Timer]
OnCalendar=*-*-* 00,12:00:00
RandomizedDelaySec=43200
Persistent=true

[Install]
WantedBy=timers.target

You guys are great. Definitely a donation coming. Best supported open source project/service ever.


#13

I just donated to both eff.org and Let’s Encrypt.

Great work.


#14

Hi,

As the cron.d line states, if the system folder exists… it would not execute (I guess that’s why it’s not running correctly)

I actually have no idea about the certbot.timer one as I never used it… But I guess only one of the two needs to exist… (Or it might cause conflicts I guess?) (Sorry I never used the timer one before…)

Hope others in this forum could assist you with this (auto run) issue…

Thank you


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.