Invalid certificate after successful certbot procedure

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: app.gridt.org & api.gridt.org

I ran this command:

#!/bin/bash

if ! [ -x “$(command -v docker-compose)” ]; then
echo ‘Error: docker-compose is not installed.’ >&2
exit 1
fi

domains=(api.gridt.org app.gridt.org)
rsa_key_size=4096
data_path="./data/certbot"
email="info@gridt.org" # Adding a valid address is strongly recommended
staging=1 # Set to 1 if you’re testing your setup to avoid hitting request limits

if [ -d “$data_path” ]; then
read -p "Existing data found for $domains. Continue and replace existing certificate? (y/N) " decision
if [ “$decision” != “Y” ] && [ “$decision” != “y” ]; then
exit
fi
fi

if [ ! -e “$data_path/conf/options-ssl-nginx.conf” ] || [ ! -e “$data_path/conf/ssl-dhparams.pem” ]; then
echo “### Downloading recommended TLS parameters …”
mkdir -p “$data_path/conf”
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > “$data_path/conf/options-ssl-nginx.conf”
curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > “$data_path/conf/ssl-dhparams.pem”
echo
fi

for domain in “${domains[@]}”; do
echo “### Creating dummy certificate for $domain …”
path="/etc/letsencrypt/live/$domain"
mkdir -p “$data_path/conf/live/$domain”
docker-compose run --rm --entrypoint "
openssl req -x509 -nodes -newkey rsa:1024 -days 1
-keyout ‘$path/privkey.pem’
-out ‘$path/fullchain.pem’
-subj ‘/CN=localhost’" certbot
done
echo

echo “### Starting nginx …”
docker-compose up --force-recreate -d nginx
echo

for domain in “${domains[@]}”; do
echo “### Deleting dummy certificate for $domain …”
docker-compose run --rm --entrypoint "
rm -Rf /etc/letsencrypt/live/$domain &&
rm -Rf /etc/letsencrypt/archive/$domain &&
rm -Rf /etc/letsencrypt/renewal/$domain.conf" certbot
done
echo

echo “### Requesting Let’s Encrypt certificate for all domains…”
#Join domains to -d args domain_args="" for domain in "{domains[@]}"; do
domain_args="$domain_args -d $domain"
done

Select appropriate email arg

case “$email” in
“”) email_arg="–register-unsafely-without-email" ;;
*) email_arg="–email $email" ;;
esac

Enable staging mode if needed

if [ $staging != “0” ]; then staging_arg="–staging"; fi

for domain in “${domains[@]}”; do
docker-compose run --rm --entrypoint "
certbot certonly --webroot -w /var/www/certbot
$staging_arg
$email_arg
-d $domain
–rsa-key-size $rsa_key_size
–agree-tos
–force-renewal" certbot
done
echo

echo “### Reloading nginx …”
docker-compose exec nginx nginx -s reload

Based off this article: https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71

But modified so that it would run the procedure twice. Once for each subdomain.

It produced this output:
Existing data found for api.gridt.org. Continue and replace existing certificate? (y/N) y

Creating dummy certificate for api.gridt.org

Generating a RSA private key
.+++++
…+++++
writing new private key to ‘/etc/letsencrypt/live/api.gridt.org/privkey.pem’

Creating dummy certificate for app.gridt.org

Generating a RSA private key
…+++++
…+++++
writing new private key to ‘/etc/letsencrypt/live/app.gridt.org/privkey.pem’

Starting nginx …

Recreating gridt-server_certbot_1 … done
Recreating gridt-server_db_1 … done
Recreating gridt-server_web_1 … done
Recreating gridt-server_nginx_1 … done

Deleting dummy certificate for api.gridt.org

Deleting dummy certificate for app.gridt.org

Requesting Let’s Encrypt certificate for all domains…

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/api.gridt.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/api.gridt.org/privkey.pem
    Your cert will expire on 2020-07-13. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/app.gridt.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/app.gridt.org/privkey.pem
    Your cert will expire on 2020-07-13. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

Reloading nginx …

2020/04/14 15:24:12 [notice] 9#9: signal process started

My web server is (include version): nginx:1.15-alpine (docker)

The operating system my web server runs on is (include version): Ubuntu 19.10

My hosting provider, if applicable, is: TransIP Blade VPS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no (terminal/ssh)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot/certbot

2

Error was fully on my part. I had left staging on. This is why the procedure succeeded, but the certificate was not trusted. Having resolved that minor issue running the script generated a good certificate.

1 Like
3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.