My certificate has been revoked. How and why?

My domain is:
tport.bluebiloba.com

My web server is (include version):
Teleport v8.1.1 git:v8.1.1-0-g8d15472 go1.17.3

The operating system my web server runs on is (include version):
AlmaLinux 8.5

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0

Because of this:

Just renew your certificate.

4 Likes

You can double-check what @9peppe said by filling out your hostname in the tool here: https://tls-alpn-check.letsencrypt.org/

5 Likes

HEY.

This issue doesn't happen with certbot.

You're not following a tutorial from aws/lightsail telling you to install certbot on a bitnami image, are you?

5 Likes

No I'm not. But I verified that I'm affected.
Also, even after renewing the certificate, the serial number (as seen by the internet) does not change.
There must be something wrong with Teleport, but I still cannot understand what it is.
Sorry for the noise.

1 Like

It probably needs to be told to read the new certificate. A reload should do that. (If it knows where the certificate is.)

2 Likes

It knows: it shows the path in the log when starting up, and it is correct.
I even went as far as rebooting the server (after simply trying to restart the service, obviously), but nothing helps.

This is strange. Maybe it's making its own copy?

... or maybe it's getting its own separate certificate and it has nothing to do with the one you got with certbot. This would also explain why it was revoked in the tls-alpn-01 great revocation of 2022.

2 Likes

Which of those two commands did you use?

teleport configure --acme --acme-email=user@example.com --cluster-name=tele.example.com > /etc/teleport.yaml

or

sudo teleport configure -o file \
    --cluster-name=tele.example.com \
    --public-addr=tele.example.com:443 \
    --cert-file=/var/lib/teleport/fullchain.pem \
    --key-file=/var/lib/teleport/privkey.pem

See here

If you want to use certbot, use the second one with the right /etc/letsencrypt/live paths and a --deploy-hook "the_reload_command" on your certbot invocation.

2 Likes
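One way to make the deploy-hook suggestion above concrete, and to catch the symptom described earlier in the thread (the serial number seen from the internet not changing after a renewal), as an added example that is not from the thread, from Teleport or from certbot: a bash script that reads the serial of the certificate certbot wrote to disk and the serial actually presented on port 443, and reports a mismatch when the daemon is still serving some other certificate (for example one it obtained itself via ACME). The systemd unit name `teleport`, the `/etc/letsencrypt/live/tport.bluebiloba.com` path and the `--run` switch are assumptions; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Checks that the certificate a TLS
# endpoint presents is the one certbot renewed on disk.
# Assumptions: openssl CLI is installed; the service is a systemd unit named
# "teleport"; the default lineage path below is the poster's domain.
set -eu

# Serial of an on-disk PEM certificate, as lowercase hex without the "serial=" prefix.
file_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'A-F' 'a-f'
}

# Serial of the leaf certificate presented by host:port (SNI set to host).
served_serial() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial | sed 's/^serial=//' | tr 'A-F' 'a-f'
}

# Compare the on-disk serial ($1) with the served serial ($2).
# Prints a verdict; returns 0 on match, 1 on mismatch.
serials_match() {
    if [ "$1" = "$2" ]; then
        echo "OK: served certificate serial $1 matches the certificate on disk"
        return 0
    fi
    echo "MISMATCH: serving $2 but the certificate on disk is $1 (the daemon is using another certificate)"
    return 1
}

# Deploy-hook entry point. certbot exports RENEWED_LINEAGE (the live directory
# of the renewed certificate) to deploy hooks; fall back to a fixed path otherwise.
main() {
    local lineage="${RENEWED_LINEAGE:-/etc/letsencrypt/live/tport.bluebiloba.com}"  # assumed path
    local host="tport.bluebiloba.com"
    systemctl restart teleport   # assumption: the systemd unit is called "teleport"
    sleep 2                      # give the proxy a moment to come back up
    serials_match "$(file_serial "$lineage/fullchain.pem")" "$(served_serial "$host")"
}

# Only run the hook logic when invoked with --run, so the functions can be sourced.
case "${1:-}" in
    --run) main ;;
esac
```

Install it as, for instance, `/usr/local/bin/check-served-cert.sh` and pass `--deploy-hook "/usr/local/bin/check-served-cert.sh --run"` to certbot; the hook then restarts the proxy after every renewal and fails loudly if the served serial still does not match the renewed file.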

Thank you @9peppe!!
I had configured Teleport so many months ago that I had forgotten the command I used.
Fortunately, bash still had it in its history, so I could check that I had actually used the first command.
Fixing it was just a matter of going into the yaml config file and changing acme: enabled: "yes" to acme: enabled: "no".
After restarting Teleport, it started using the certbot certificates (which were already in the config file, but weren't being used)!!

Cris

3 Likes

Check that certbot renew --dry-run executes without complaining (what's listening on your port 80? haproxy? does it pass on to certbot what it needs?)

2 Likes

@9peppe certbot always worked as expected renewing the certificate, and that hasn't changed.
Only it was previously ignored.
But thank you for the heads-up!
Cris

2 Likes

I'm asking you to check the automated renewal process vs. the user-initiated issuance one. There might be some edge cases in which they differ (chief among them: you run other commands before and after calling certbot renew).

2 Likes
