Need to reinstall certificate frequently


#1

My domain is: https://aviateprotect.com

My web server is (include version): Trusty

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): Yes


Every few days I get a ‘can’t provide a secure connection’ error on this site. Once I reinstall the certificate everything works fine but then again the same thing seems to happen a few days later.

I posted this topic before (Need to reinstall certificate every few days) but no one could help as I had renewed the certificate and the issue could not be seen. The same issue has happened again and I would be really grateful if someone could help ASAP as obviously I can’t leave this site down for a long time.

Any ideas as to why this would be happening?

Thanks


#2

At the moment, the site is doing HTTP on the HTTPS port.

http://aviateprotect.com:443/

When a client tries to connect using HTTPS, it results in a weird error message of some sort.

So, probably something or someone changed the Apache configuration. Disabled the SSL stuff, or added a different virtual host. Or something like that.

:confused:


#3

Thanks for the reply.

This seems to happen frequently; as far as I am aware, nothing has changed. As soon as I reinstall the certificate the problem gets resolved.


#4

Something must have changed.

Can you examine your Apache configuration? Or make a copy of it? And see what files have been modified most recently?

Maybe there’s a cron job or coworker making changes?


#5

I am a bit of a server novice, I wouldn’t know how to make a copy of the Apache config. Could you advise at all?

Thanks


#6

“sudo cp -ai /etc/apache2/ ~/apache2-backup/” or something like that, I guess.


#7

The server provider said the error is:
Error code: SSL_ERROR_RX_RECORD_TOO_LONG and port 443 is open.

Any ideas what that means?


#8

As I said:

That’s one of the weird errors I was referring to.

Other browsers and clients may have different weird error messages, but it’s the same situation.


#9

Please show the whole command you used to issue your certificate.
Regarding the problem: there must be an interfering process which rolls back your config file changes and restarts the webserver software.


#10

[image: ssl1]

This is how I reinstall the certificate.


#11

This does not include your command line. Just show the command you enter before this dialogue occurs.


#12

$ sudo certbot --apache


#13

The site is running TLS again on port 443. Did you reinstall it already?

The fact that just reinstalling an existing certificate through certbot fixes it would suggest something is breaking the Apache configuration in a periodic manner.

I would suggest looking very closely at every cron job or systemd timer you’ve got running on your server and whether they could manipulate the Apache configuration somehow.

Also, it would be very helpful if you could make two copies of all the configuration files in /etc/apache2/: one when everything is running fine (like now) and one when everything is broken again. Then, we can compare both configurations and see what’s wrong.
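
One way to carry out the two-copy comparison suggested in post #13, added here as an example and not part of the original thread or written by any of its participants. The script name `apache-drift.sh`, the function names and the manifest file names are assumptions; it takes a fingerprint manifest of `/etc/apache2/` while HTTPS works, another once it breaks, and lists what was added, changed or removed.

```shell
#!/bin/sh
# Added example (not from the thread). Function and file names are illustrative.
# Usage:  sh apache-drift.sh snapshot /etc/apache2 > good.txt    # while HTTPS works
#         sh apache-drift.sh snapshot /etc/apache2 > broken.txt  # when it breaks
#         sh apache-drift.sh compare good.txt broken.txt

# Print one line per file or symlink under DIR: "<path><TAB><fingerprint>".
# Symlinks are recorded by target, not content: on Debian/Ubuntu, enabled
# sites and modules are symlinks in sites-enabled/ and mods-enabled/, so a
# disabled SSL vhost or module appears as a REMOVED link in the comparison.
snapshot_config() {
    ( cd "$1" || exit 1
      find . \( -type f -o -type l \) -print | LC_ALL=C sort |
      while IFS= read -r p; do
          if [ -L "$p" ]; then
              printf '%s\tlink->%s\n' "$p" "$(readlink "$p")"
          else
              printf '%s\t%s\n' "$p" "$(sha256sum < "$p" | cut -d' ' -f1)"
          fi
      done )
}

# Compare a known-good manifest ($1) with a later one ($2).
# Prints "ADDED|CHANGED|REMOVED <path>", sorted; no output means no drift.
compare_manifests() {
    awk -F'\t' '
        pass == 1 { good[$1] = $2; next }           # first manifest: baseline
        { seen[$1] = 1
          if (!($1 in good))       print "ADDED " $1
          else if (good[$1] != $2) print "CHANGED " $1 }
        END { for (p in good) if (!(p in seen)) print "REMOVED " p }
    ' pass=1 "$1" pass=2 "$2" | LC_ALL=C sort
}

# Dispatch only when called with a subcommand, so the file can also be sourced.
case "${1:-}" in
    snapshot) snapshot_config "${2:-/etc/apache2}" ;;
    compare)  compare_manifests "$2" "$3" ;;
esac
```

Keep the manifests outside `/etc/apache2/` so they do not show up in later snapshots.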


#14

Sounds like a configuration tool like Puppet/Ansible/Salt might be the thing that “fixes” the Apache config file, or even replaces your certificates… difficult to guess without some other information like the config when this happens, the config after the reinstallation, crontab entries, other software running, how you update/etc. the website.
Perhaps your renewal script might be at fault here too?