Let's Encrypt certificates 'fail' within a couple of weeks


#1

Hi,

First off, I apologize if this query has been previously answered or contains a very noob error in my approach - SSL certification is still new to me! I’ve checked these forums thoroughly, but can’t seem to find a similar issue.

So… I have successfully installed a multi-domain certificate for several websites that I host using Certbot Auto on my Linux Apache (2.2.31) server via SSH. This was first installed a few months ago, and initially ran fine for around 6 weeks. Then one morning, all the sites began returning ‘Your connection is not secure’ screens. On checking the certificate using ‘certbot-auto certificates’, it still had 40+ days to run. After some initial panic, the problem was simply solved by reinstalling the certificate.

However, this now happens frequently: every two weeks or so. Reinstallation works every time however. This morning’s failure was after only 9 days. I cannot think what might be causing this - largely because I’m pretty inexperienced in this field! Here’s some circumstantial info:

  1. I’ve not yet set up a Cron job to renew the certificate, partly due to time, partly due to the fact that I feel I need to manually manage this at the moment! I’m not sure if this might be a potential cause?
  2. Most times I reinstall the certificate after a failure, certbot updates to a new version… would this have any effect on things?!
  3. There are currently four domains on the certificate (with both bare and ‘www’ variants - so 8 in total). Examples: https://www.antiquity.ac.uk; https://www.virtualststephens.org.uk

This issue is becoming problematic (and embarrassing for my clients), but after weeks of searching for solutions I still can’t find anything. Is there anything I can do to pin down exactly why the certificate is failing? Does certbot retain logs somewhere I can access?

Any help hugely appreciated - I’m a bit at sea here!


#2

It would be super helpful if you had the screenshot of this showing the advanced error details.

For example, “certificate expired”, “certificate not valid for this name”, “certificate not signed by a trusted authority”. That gives the major clue as to what is happening.

Your story sounds like something on the system is reverting your Apache configuration to a state that doesn’t use the Let’s Encrypt certificates you have issued. But honestly, it could easily be something else.

While you have the issue, you can sign up to something like uptimerobot.com and monitor the SSL version of your sites, hopefully you can catch the issue before your visitors do.


#3

Ok, many thanks _az! The next time this happens I’ll ensure I collect more info and post it here.

Also, huge thanks for the uptimerobot.com link - this is just what I’m looking for!


#4

I have the same guess. I suggest saving a copy of the file + timestamp + md5 of your apache file and letsencrypt certs (and save it offline, just to be safe). The next time you have an issue, compare the timestamp/md5s and if there’s an issue - check the archive’s contents.


#5

Ok, so I had another certificate failure last night. After some checking, it turns out that the error message being returned by the sites was:

www.antiquity.ac.uk uses an invalid security certificate.
The certificate expired on 01 January 2018, 13:51. The current time is 10 April 2018, 08:39.
Error code: SEC_ERROR_EXPIRED_CERTIFICATE

On checking the certificate using certbot-auto certificates the return was:

Certificate Name: heritech.co.uk
Domains: virtualststephens.org.uk antiquity.ac.uk middleenglishromance.org.uk www.antiquity.ac.uk www.middleenglishromance.org.uk www.virtualststephens.org.uk www.yecs-cleaning.co.uk yecs-cleaning.co.uk
Expiry Date: 2018-06-10 09:33:45+00:00 (VALID: 61 days)
Certificate Path: /etc/letsencrypt/live/heritech.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/heritech.co.uk/privkey.pem

I’ve been checking the certificates intermittently since the last breakage (21 days ago), and every time the certificate has looked fine with plenty of time until expiry. However, this time when I checked, certbot-auto updated to version 23.0… is there any chance that a certbot-auto update (or running an out-of-date version) might break the certificates?

Anyhow, any light you guys might be able to shed is, as always, massively appreciated!


#6

Updating certbot-auto, in and of itself, should do absolutely nothing to the certificates or web server configuration files.

It still sounds like some other software (or coworker) did something to the Apache configuration when you weren’t looking.

The website is working correctly right now, right?

“certbot-auto certificates” didn’t show any other certificates, right?

To reference a post in a similar thread, could you make a backup of the Apache configuration, and then compare what’s different next time it breaks – or, if it’s broken right now, after fixing it?

E.g. “sudo tar czf /root/apache-configuration-2018-04-10.tar.gz /etc/apache2/”.

What certificates is Apache configured to use? Something like “grep -ir SSLCertificate /etc/apache2/” can help check.

Are there other certificates not listed by certbot-auto certificates? “sudo ls -lAR /etc/letsencrypt/{archive,live}/”.

Are you using a control panel? Bitnami? Something else that would potentially modify the Apache configuration?

Other people with access to the server?

If you fixed the website today, do you have a recent backup of the (Apache) configuration from when it was broken?
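The snapshot-and-compare routine that #4 and #6 suggest, written out as an added example (not code from the thread or from Certbot): it lists which files Apache's SSLCertificate* directives point at, flags any that are outside the Let's Encrypt live directory, and records mtime plus sha256 so two runs can be diffed. The function names, the temp-dir layout and the sample vhost file are constructed for the demo; on a real box pass your Apache conf dir and /etc/letsencrypt/live instead.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot the state that posts #4 and #6
# suggest comparing, so the next breakage can be diagnosed with a diff.
# All paths and the sample vhost below are constructed for the demo.

# Print "DIRECTIVE /path" for every SSLCertificate* directive under a conf dir.
list_ssl_directives() {
  grep -rhiE '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' "$1" \
    | awk '{print $1, $2}' | sort -u
}

# Print cert paths Apache references that are NOT under the Let's Encrypt live
# dir ($2). Any output means a vhost may be serving a stale, non-LE certificate,
# which would explain "expired 01 January" while certbot shows 61 days left.
stale_cert_paths() {
  list_ssl_directives "$1" | awk '{print $2}' | grep -Fv -- "$2/" || true
}

# Print "mtime sha256 path" for each referenced file; save the output with a
# timestamp and diff it against a later run (GNU/busybox stat and sha256sum).
snapshot_cert_files() {
  list_ssl_directives "$1" | awk '{print $2}' | sort -u | while read -r f; do
    [ -f "$f" ] || { echo "MISSING - $f"; continue; }
    printf '%s %s %s\n' "$(stat -c %Y "$f")" "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
  done
}

# Build a constructed Apache layout: one vhost on the LE live path, one on an
# old self-signed file. Prints the temp root; file contents are placeholders.
make_demo_layout() {
  d=$(mktemp -d)
  mkdir -p "$d/conf" "$d/live/example.test" "$d/old"
  echo "placeholder, not a real certificate" > "$d/live/example.test/fullchain.pem"
  echo "placeholder, not a real key" > "$d/live/example.test/privkey.pem"
  echo "placeholder, stale self-signed cert" > "$d/old/selfsigned.crt"
  cat > "$d/conf/ssl.conf" <<EOF
<VirtualHost *:443>
    SSLCertificateFile    $d/live/example.test/fullchain.pem
    SSLCertificateKeyFile $d/live/example.test/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    SSLCertificateFile    $d/old/selfsigned.crt
</VirtualHost>
EOF
  echo "$d"
}

demo=$(make_demo_layout)
echo "== certificate paths outside the LE live dir =="; stale_cert_paths "$demo/conf" "$demo/live"
echo "== snapshot (save and diff next time) =="; snapshot_cert_files "$demo/conf"
```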


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.