Linking to wrong certificate


#1

My domain is: spots.school

I ran this command: /opt/letsencrypt/letsencrypt-auto renew

It said it was successful!

My web server is (include version): Apache 2.4

The operating system my web server runs on is CentOS 7

I can login to a root shell on my machine.

I’m not using a control panel to manage my site.


I need to renew the SSL certification for my Linux mail server.

#2

I originally posted the problem on GitHub, but Matt Nordhoff, who kindly responded, asked that I post the information here.

I am simply running a routine certificate renewal, but the file links were not updated to the latest certificate, so the web server, Postfix and Dovecot all still see the previous certificate.

Here is the output of ls -alR /etc/letsencrypt/{archive,live}/


#3

/etc/letsencrypt/archive/:
total 16
drwx------ 4 root root 4096 Apr 11 17:57 .
drwxr-xr-x 9 root root 4096 Jul 10 17:00 ..
drwxr-xr-x 2 root root 4096 Mar 22 14:26 www.spots.school
drwxr-xr-x 2 root root 4096 Apr 11 17:57 www.spots.school-0001

/etc/letsencrypt/archive/www.spots.school:
total 88
drwxr-xr-x 2 root root 4096 Mar 22 14:26 .
drwx------ 4 root root 4096 Apr 11 17:57 ..
-rw-r--r-- 1 root root 1870 Sep 22 2017 cert1.pem
-rw-r--r-- 1 root root 2248 Jul 10 17:00 cert2.pem
-rw-r--r-- 1 root root 1895 Dec 20 2017 cert3.pem
-rw-r--r-- 1 root root 1952 Dec 29 2017 cert4.pem
-rw-r--r-- 1 root root 1952 Mar 22 14:26 cert5.pem
-rw-r--r-- 1 root root 1647 Sep 22 2017 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 10 17:00 chain2.pem
-rw-r--r-- 1 root root 1647 Dec 20 2017 chain3.pem
-rw-r--r-- 1 root root 1647 Dec 29 2017 chain4.pem
-rw-r--r-- 1 root root 1647 Mar 22 14:26 chain5.pem
-rw-r--r-- 1 root root 3517 Sep 22 2017 fullchain1.pem
-rw-r--r-- 1 root root 3895 Jul 10 17:00 fullchain2.pem
-rw-r--r-- 1 root root 3542 Dec 20 2017 fullchain3.pem
-rw-r--r-- 1 root root 3599 Dec 29 2017 fullchain4.pem
-rw-r--r-- 1 root root 3599 Mar 22 14:26 fullchain5.pem
-rw-r--r-- 1 root root 1708 Sep 22 2017 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 10 17:00 privkey2.pem
-rw-r--r-- 1 root root 1704 Dec 20 2017 privkey3.pem
-rw-r--r-- 1 root root 1708 Dec 29 2017 privkey4.pem
-rw-r--r-- 1 root root 1704 Mar 22 14:26 privkey5.pem

/etc/letsencrypt/archive/www.spots.school-0001:
total 24
drwxr-xr-x 2 root root 4096 Apr 11 17:57 .
drwx------ 4 root root 4096 Apr 11 17:57 ..
-rw-r--r-- 1 root root 2252 Apr 11 17:57 cert1.pem
-rw-r--r-- 1 root root 1647 Apr 11 17:57 chain1.pem
-rw-r--r-- 1 root root 3899 Apr 11 17:57 fullchain1.pem
-rw-r--r-- 1 root root 1704 Apr 11 17:57 privkey1.pem

/etc/letsencrypt/live/:
total 12
drwx------ 3 root root 4096 Apr 11 18:00 .
drwxr-xr-x 9 root root 4096 Jul 10 17:00 ..
drwxr-xr-x 2 root root 4096 Jul 10 17:00 www.spots.school

/etc/letsencrypt/live/www.spots.school:
total 12
drwxr-xr-x 2 root root 4096 Jul 10 17:00 .
drwx------ 3 root root 4096 Apr 11 18:00 ..
lrwxrwxrwx 1 root root 45 Jul 10 17:00 cert.pem -> ../../archive/www.spots.school-0001/cert1.pem
lrwxrwxrwx 1 root root 46 Jul 10 17:00 chain.pem -> ../../archive/www.spots.school-0001/chain1.pem
lrwxrwxrwx 1 root root 50 Jul 10 17:00 fullchain.pem -> ../../archive/www.spots.school-0001/fullchain1.pem
lrwxrwxrwx 1 root root 48 Jul 10 17:00 privkey.pem -> ../../archive/www.spots.school-0001/privkey1.pem
-rw-r--r-- 1 root root 543 Apr 11 17:57 README


#4

There’s your problem.

Someone or something messed up the whole symbolic linking from the live directory to the actual certificates and private keys in the archive directory.

This shouldn’t happen. Most likely someone manually changed the symbolic linking in an attempt to correct something.

Anyway, with the creation date you can see the correct files are timestamped on July 10th at 17:00 with number “2” in the archive directory www.spots.school. But the symbolic links in the live directory of www.spots.school are linking to the wrong archive directory (www.spots.school-0001). And thus the incorrect files.

Also, it shouldn’t happen that certbot renews certificates to a number “in between” currently existing certificates. It should count upwards, so it should have generated files with the number 6. Perhaps someone deleted the number 2 files manually?


#5

I think that’s normal with this issue. It used 2 because the live symlinks and/or the archive -0001 files used 1. It’s properly incrementing the wrong thing. Or the right thing, depending on how you look at it.


#6

Thanks for the info. I cannot recall deleting anything, but that does not mean it did not happen!

What can I do to fix it?


#7

You can change the symlinks to point to the right files.

First, can you also post the contents of:

  • /etc/letsencrypt/renewal/www.spots.school.conf
  • /etc/letsencrypt/renewal/www.spots.school-0001.conf

One of them may have to be updated or recreated.


#8

/etc/letsencrypt/renewal/www.spots.school.conf:

# renew_before_expiry = 30 days
version = 0.25.1
archive_dir = /etc/letsencrypt/archive/www.spots.school
cert = /etc/letsencrypt/live/www.spots.school/cert.pem
privkey = /etc/letsencrypt/live/www.spots.school/privkey.pem
chain = /etc/letsencrypt/live/www.spots.school/chain.pem
fullchain = /etc/letsencrypt/live/www.spots.school/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 6c0d7345972b94c952126c1ec9ca1928
[[webroot_map]]
mail.spots.school = /var/www/html
class.spots.school = /var/www/html
sun.spots.school = /var/www/html
www.spots.school = /var/www/html
spots.school = /var/www/html


#9

There is no /etc/letsencrypt/renewal/www.spots.school-0001.conf


#10

The configuration file seems to be OK; only the symbolic links in /etc/letsencrypt/live/www.spots.school and the file numbering in /etc/letsencrypt/archive/www.spots.school seem to be off.

My advice:

  • Delete the files cert3.pem, cert4.pem, cert5.pem, chain3.pem, chain4.pem, chain5.pem, fullchain3.pem, fullchain4.pem, fullchain5.pem, privkey3.pem, privkey4.pem and privkey5.pem from the directory /etc/letsencrypt/archive/www.spots.school (this step might be skipped, but I have no idea if the next renewal will go without any hitch if you let them exist…)
  • Remove the entire directory /etc/letsencrypt/archive/www.spots.school-0001 (it isn’t used anyway)
  • Go to the directory /etc/letsencrypt/live/www.spots.school and make the correct symlinks:
    • cd /etc/letsencrypt/live/www.spots.school
    • ln -sf ../../archive/www.spots.school/cert2.pem cert.pem
    • ln -sf ../../archive/www.spots.school/chain2.pem chain.pem
    • ln -sf ../../archive/www.spots.school/fullchain2.pem fullchain.pem
    • ln -sf ../../archive/www.spots.school/privkey2.pem privkey.pem

That should do the trick 🙂

(It is always wise to backup the entire /etc/letsencrypt directory before doing manual stuff like this by the way)
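The relinking steps from the post above, as an added example that is not part of the thread and not Certbot's own code: a small POSIX shell script that re-points the four `live/<name>/*.pem` symlinks at one archive lineage and number, refuses to touch anything if any of the four target files is missing, and then verifies that every link resolves. It runs against a constructed copy of the tree shown in post #3 (placeholder text instead of real PEM data) so it can be executed offline; on a real host you would call the functions against /etc/letsencrypt after taking the backup the post recommends. The `key_matches_cert` check assumes the openssl CLI is installed; `readlink` and `mktemp` are assumed to be present.

```shell
#!/bin/sh
# Added example, not code from the thread or from Certbot: re-point the
# /etc/letsencrypt/live/<name>/*.pem symlinks at one archive lineage/number,
# then verify the result. Assumes a POSIX sh with readlink and mktemp;
# key_matches_cert additionally needs the openssl CLI.
set -eu

# relink ROOT LIVE_NAME LINEAGE NUM
#   e.g. relink /etc/letsencrypt www.spots.school www.spots.school 2
# Refuses to touch anything unless all four archive files exist.
relink() {
  root=$1; live_name=$2; lineage=$3; num=$4
  live_dir="$root/live/$live_name"
  [ -d "$live_dir" ] || { echo "no such live dir: $live_dir" >&2; return 1; }
  for f in cert chain fullchain privkey; do
    [ -f "$root/archive/$lineage/$f$num.pem" ] ||
      { echo "missing $root/archive/$lineage/$f$num.pem" >&2; return 1; }
  done
  for f in cert chain fullchain privkey; do
    # relative targets, the same layout certbot writes itself
    rm -f "$live_dir/$f.pem"
    ln -s "../../archive/$lineage/$f$num.pem" "$live_dir/$f.pem"
  done
}

# check_links LIVE_DIR: print each link's target; non-zero if any link is
# dangling or is not a symlink at all.
check_links() {
  live_dir=$1; rc=0
  for f in cert chain fullchain privkey; do
    link="$live_dir/$f.pem"
    if target=$(readlink "$link"); then
      if [ -e "$link" ]; then
        echo "$f.pem -> $target"
      else
        echo "$f.pem -> $target (DANGLING)" >&2; rc=1
      fi
    else
      echo "$link is not a symlink" >&2; rc=1
    fi
  done
  return $rc
}

# key_matches_cert LIVE_DIR: the private key must belong to the certificate it
# is served with; compare SHA-256 of both public keys in DER form.
key_matches_cert() {
  live_dir=$1
  k=$(openssl pkey -in "$live_dir/privkey.pem" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$live_dir/cert.pem" -noout -pubkey |
      openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# build_fixture ROOT: constructed stand-in for the tree shown in post #3
# (placeholder text instead of real PEM data), so the script runs offline
# without touching /etc/letsencrypt.
build_fixture() {
  root=$1
  mkdir -p "$root/archive/www.spots.school" \
           "$root/archive/www.spots.school-0001" \
           "$root/live/www.spots.school"
  for n in 1 2 3 4 5; do
    for f in cert chain fullchain privkey; do
      echo "placeholder $f$n www.spots.school" > "$root/archive/www.spots.school/$f$n.pem"
    done
  done
  for f in cert chain fullchain privkey; do
    echo "placeholder ${f}1 www.spots.school-0001" > "$root/archive/www.spots.school-0001/${f}1.pem"
    # live links as found in the thread: pointing into the -0001 lineage
    ln -s "../../archive/www.spots.school-0001/${f}1.pem" "$root/live/www.spots.school/$f.pem"
  done
}

# Demo on the constructed tree. On a real box, after backing up /etc/letsencrypt:
#   relink /etc/letsencrypt www.spots.school www.spots.school 2
#   check_links /etc/letsencrypt/live/www.spots.school
#   key_matches_cert /etc/letsencrypt/live/www.spots.school
tmp=$(mktemp -d)
build_fixture "$tmp"
echo "before:"; check_links "$tmp/live/www.spots.school"
relink "$tmp" www.spots.school www.spots.school 2
echo "after:";  check_links "$tmp/live/www.spots.school"
rm -rf "$tmp"
```

Two practical notes: Apache, Postfix and Dovecot read the certificate files only at start or reload, so after relinking they still need to be reloaded before clients see the new certificate; and the script deliberately only relinks, leaving the deletion of the stale archive files and of the -0001 directory to a separate, deliberate step as in the post.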


#11

That worked perfectly, thank you very much!

Now Firefox doesn’t go into a tizzy when connecting via https, yay!