z0mbi
April 10, 2024, 3:43pm
My domain is: z0m.bi
My web server is (include version): nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS
My hosting provider, if applicable, is: Digital Ocean
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0
Issue started when I moved my site to a fresh VM. I wanted to swap over to the wildcard DNS domain authentication method which I've used successfully for other sites. I don't remember all of the things that I've done at this point, but what seems to be occurring is even tho my certificate is renewing correctly (visiting crt.sh shows that it shouldn't expire until June) the site itself has a certificate that shows it expired a week ago. I believe what's happening is the old method of the certificate is linked to the site, because it never asked me to set up TXT records to authenticate the certificate like it has for every other site I've used the wildcard DNS setup on. idk how to fix this conflict, can I remove the certificate and start fresh somehow?
Osiris
April 10, 2024, 5:19pm
Please provide the actual commands used to get the certificate. For some reason you seem to find it necessary to remove those questions from the questionnaire.
Note that if you try to renew with the --dry-run option, you can check if the authorization step is actually working. This is because valid authorizations are cached for 30 days, but the --dry-run option actively deactivates currently cached authorizations on the staging environment. (This won't work for production, but testing on staging should suffice.)
z0mbi
April 10, 2024, 5:37pm
# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/z0m.bi.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for z0m.bi and *.z0m.bi
Waiting 10 seconds for DNS changes to propagate
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/z0m.bi/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/z0m.bi.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/z0m.bi/fullchain.pem expires on 2024-06-03 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
But the certificate on the site still shows the old, expired one.
z0mbi
April 10, 2024, 6:23pm
It's got the auto-config certbot settings added to the enabled site config:
server {
root /var/www/z0m.bi/public_html;
index index.php index.html;
server_name z0m.bi www.z0m.bi;
error_page 400 401 403 404 500 502 504 /error_nginx.php;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
fastcgi_intercept_errors on;
}
location = /error_nginx.php {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
fastcgi_intercept_errors off;
ssi on;
internal;
auth_basic off;
root /var/www/z0m.bi/public_html;
}
location ~ /\.ht {
deny all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/z0m.bi/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/z0m.bi/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.z0m.bi) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = z0m.bi) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name z0m.bi www.z0m.bi;
return 404; # managed by Certbot
}
Osiris
April 10, 2024, 6:29pm
What's the contents of /etc/letsencrypt/renewal/z0m.bi.conf and did you reload nginx after renewing? (Although the latter shouldn't be necessary as the nginx configuration suggests the usage of the nginx installer, but good to check anyway.)
Also, is the IP address of your new VM 164.92.90.64? Or could that perhaps be the old VM?
z0mbi:
certbot 1.21.0
It would be necessary to have something reload nginx as it wasn't until v1.27.0 that --installer nginx would cause a reload by Certbot.
We know they aren't using --nginx as an authenticator as their certs are wildcards.
1.27.0 - 2022-05-03
When certonly is run with an installer specified (e.g. --nginx), certonly will now also run restart for that installer
@z0mbi It will be very helpful to see the renewal config file @Osiris asked for. And also to verify the DNS IP.
Osiris
April 10, 2024, 7:17pm
That's only when certonly is used, but the nginx configuration mentions "# managed by Certbot", so the nginx installer is actually used without certonly, at least somewhere in Certbot's usage. It's currently unknown if that's actually the case for this certificate (the comment in the configuration might just be an artifact from the previous setup), so we'd need to see the renewal configuration file to know it instead of guessing.
Also, it doesn't really matter for renewals, as a renewal is a different subcommand than certonly, so if the installer is actually configured as such, it should reload nginx.
z0mbi
April 10, 2024, 8:36pm
The contents of /etc/letsencrypt/renewal/z0m.bi.conf is:
# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/z0m.bi
cert = /etc/letsencrypt/live/z0m.bi/cert.pem
privkey = /etc/letsencrypt/live/z0m.bi/privkey.pem
chain = /etc/letsencrypt/live/z0m.bi/chain.pem
fullchain = /etc/letsencrypt/live/z0m.bi/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = [accountnumber]
authenticator = dns-digitalocean
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
dns_digitalocean_credentials = /home/user/certbot-creds.ini
No, that's the correct IP address.
Yes, several times, unfortunately. It is possible that the Certbot bit of the nginx config could be left over from the previous setup; I don't remember at this point, tbh.
Osiris
April 10, 2024, 8:57pm
There's no installer configured nor is there a deploy hook, so manually reloading/restarting nginx would be required. But you said you did that.
Please show the output of sudo nginx -T.
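The situation discussed above (Certbot renewed the certificate on disk, but nginx keeps serving the old one until it is reloaded) can be confirmed from the shell. The script below is an added example, not code from the thread or from Certbot: it compares the SHA-256 fingerprint of Certbot's live cert.pem with the leaf certificate the server actually presents, and assumes openssl is installed and that the Certbot live path for the domain is /etc/letsencrypt/live/DOMAIN/cert.pem.

```shell
#!/bin/sh
# Added example: detect a renewed-on-disk but stale-in-nginx certificate.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# notAfter of the first certificate in a PEM file.
pem_expiry() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Fetch the leaf certificate served for SNI host $1 at $2 (host:port) as PEM.
fetch_served_cert() {
  openssl s_client -servername "$1" -connect "$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Compare two PEM files by fingerprint. Returns 0 on match, 1 on mismatch.
compare_certs() {
  disk="$1"; served="$2"
  fd=$(pem_fingerprint "$disk")
  fs=$(pem_fingerprint "$served")
  if [ "$fd" = "$fs" ]; then
    echo "OK: served certificate matches $disk (expires $(pem_expiry "$disk"))"
    return 0
  fi
  echo "MISMATCH: the server is not serving $disk"
  echo "  on disk: $fd (expires $(pem_expiry "$disk"))"
  echo "  served : $fs (expires $(pem_expiry "$served"))"
  echo "  -> reload nginx, or add a --deploy-hook that does so after renewal"
  return 1
}

# Live check for one domain: what port 443 serves vs. Certbot's live cert.
check_site() {
  domain="$1"
  live="/etc/letsencrypt/live/$domain/cert.pem"   # assumed Certbot layout
  tmp=$(mktemp)
  fetch_served_cert "$domain" "$domain:443" > "$tmp"
  if compare_certs "$live" "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

# Usage (needs network and root to read the live cert): check_site z0m.bi
```

A non-zero exit from check_site is the signal to reload nginx; running it from cron after the renewal window turns the "old certificate on the site" symptom from the thread into an alert instead of a browser warning.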
z0mbi
April 10, 2024, 9:36pm
Output of sudo nginx -T:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/conf.d/errors.conf:
# error_page 400 401 403 404 500 502 504 @errors;
map $status $status_text {
400 'Bad Request';
401 'Unauthorized';
402 'Payment Required';
403 'Forbidden';
404 'Not Found';
405 'Method Not Allowed';
406 'Not Acceptable';
407 'Proxy Authentication Required';
408 'Request Timeout';
409 'Conflict';
410 'Gone';
411 'Length Required';
412 'Precondition Failed';
413 'Payload Too Large';
414 'URI Too Long';
415 'Unsupported Media Type';
416 'Range Not Satisfiable';
417 'Expectation Failed';
418 'I\'m a teapot';
421 'Misdirected Request';
422 'Unprocessable Entity';
423 'Locked';
424 'Failed Dependency';
425 'Too Early';
426 'Upgrade Required';
428 'Precondition Required';
429 'Too Many Requests';
431 'Request Header Fields Too Large';
451 'Unavailable For Legal Reasons';
500 'Internal Server Error';
501 'Not Implemented';
502 'Bad Gateway';
503 'Service Unavailable';
504 'Gateway Timeout';
505 'HTTP Version Not Supported';
506 'Variant Also Negotiates';
507 'Insufficient Storage';
508 'Loop Detected';
510 'Not Extended';
511 'Network Authentication Required';
default 'Something is wrong';
}
# configuration file /etc/nginx/sites-enabled/z0m.bi:
server {
root /var/www/z0m.bi/public_html;
index index.php index.html;
server_name z0m.bi www.z0m.bi;
error_page 400 401 403 404 500 502 504 /error_nginx.php;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
fastcgi_intercept_errors on;
}
location = /error_nginx.php {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
fastcgi_intercept_errors off;
ssi on;
internal;
auth_basic off;
root /var/www/z0m.bi/public_html;
}
location ~ /\.ht {
deny all;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/z0m.bi/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/z0m.bi/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = www.z0m.bi) {
return 301 https://$host$request_uri;
} # managed by Certbot
if ($host = z0m.bi) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name z0m.bi www.z0m.bi;
return 404; # managed by Certbot
}
# configuration file /etc/nginx/snippets/fastcgi-php.conf:
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param REQUEST_SCHEME $scheme;
fastcgi_param HTTPS $https if_not_empty;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REMOTE_USER $remote_user;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;
# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS 200;
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
z0mbi
April 10, 2024, 10:20pm
I've managed to get it working after a couple more restarts of the server, idk if something is cached somewhere or what. The same thing happened to me last time the certificate expired as well, a few months back. I don't know what else to look at. I do have this file /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh, which is just:
#!/bin/bash
service nginx reload
as far as nginx reloads go. I guess I'll wait to see if it happens again in June.
version = 2.9.0
Doesn't this mean there are two Certbots on that server? 2.9 and 1.21?
rg305
April 11, 2024, 12:33am
What shows?:
certbot certificates
system
Closed
May 11, 2024, 12:34am
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.