Not Secure after certificate was issued

Thank you both very much for your valuable info!
I still need time to digest everything you said, let me ask a question from a different angle:

Suppose I haven't issued any commands yet and I am doing it for the very first time: what would the command look like if I want the certificate to have the potential for easy and automatic renewal? Assume I have an Ubuntu machine fully under my control.

The whole thing looks pretty complicated, I wonder if you have tutorial videos with full syntax explained?

1 Like

Many things are still confusing, e.g.
I know I got a valid certificate, and I uploaded to Oracle, and it is working... but, when I do:

root@certbot:/home/ubuntu# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certificates found.


it says "No certificates found."?

Is that where you ran Certbot when you got the certs?

Because that is odd it wouldn't show any after getting one.

If it is the same machine, are you running in any kind of container?

3 Likes

That depends ... do you need a wildcard? Because then auto-renew requires some way to auto-update DNS. Either with a plug-in or a script as --manual-auth-hook

If you don't need a wildcard what kind of web server are you running?

3 Likes

Yes, that's the machine (actually the only machine) where I got my certificate :slight_smile:

Are you running in something like a Docker Container? Because it looks like your system has lost the local copy of the cert somehow.

3 Likes

I don't need a wildcard right now (I may in the future); I put the wildcard there just because I thought it would be convenient to do 2 things in one shot. I am running Oracle Apex (Application Express). I don't know the web server and I don't have access to it (I guess it is WebLogic), because Apex pre-configured everything.

No container, it is a plain compute instance in Oracle Cloud.

Oh, because I changed directory and/or file permission? I had to download the files but some directory and files are only accessible by root, so I had to change the permission. Next time, I will make a copy, and change the permission on the copy only.

To avoid running into the Rate Limits I suggest testing on the Staging Environment first.

1 Like

Thank you!

3 Likes

No, not just that. Is it the same instance?

Certbot places its files under /etc/letsencrypt

What does this show?

ls -l /etc/letsencrypt/{live,renewal}

3 Likes

root@certbot:/home/ubuntu# ls -l /etc/letsencrypt/{live,renewal}
ls: cannot access '/etc/letsencrypt/live': No such file or directory
ls: cannot access '/etc/letsencrypt/renewal': No such file or directory

Then Certbot's folders are gone.

As for web server, I am not familiar with that system (Apex).

To use an automated HTTP Challenge you'll need to know the "document root" for the web server. Refer to those docs or an Apex forum.

3 Likes

That's weird, I never touched the /etc directory after I created that instance.

My certificate files are here: (note "archive/welooop.com" twice in the path)

root@certbot:/home/ubuntu/archive/welooop.com/archive/welooop.com# ll
total 28
drwxr-xr-x 2 root root 4096 Jan 22 13:57 ./
drwx---r-- 3 root root 4096 Jan 22 13:57 ../
-rw-r--r-- 1 root root 1854 Jan 22 13:57 cert1.pem
-rw-r--r-- 1 root root 3749 Jan 22 13:57 chain1.pem
-rw-r--r-- 1 root root 5603 Jan 22 13:57 fullchain1.pem
-rw-r--r-- 1 root root 1704 Jan 22 13:57 privkey1.pem

Those permissions feel wrong to me for a Private Key.

1 Like

You are right. I used SecureFX to download the files; because I can't log in as root, I changed the permissions, logged in as ubuntu, and downloaded the files. I just changed it back.

root@certbot:/home/ubuntu/archive/welooop.com/archive/welooop.com# ll
total 28
drwxr-xr-x 2 root root 4096 Jan 22 13:57 ./
drwx---r-- 3 root root 4096 Jan 22 13:57 ../
-rw-r--r-- 1 root root 1854 Jan 22 13:57 cert1.pem
-rw-r--r-- 1 root root 3749 Jan 22 13:57 chain1.pem
-rw-r--r-- 1 root root 5603 Jan 22 13:57 fullchain1.pem
-rw------- 1 root root 1704 Jan 22 13:57 privkey1.pem

2 Likes
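An added example, not part of any post in this thread: a shell sketch of the two points raised above, checking a directory for private keys that group or others can read, and making a restricted copy for download instead of loosening permissions on the originals. The function names and the example paths are assumptions; `-perm /077` is GNU find syntax, as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example: helper names and directories are illustrative assumptions.

# Print every privkey*.pem under DIR that group or others can access.
# Returns 0 when none are found, 1 when at least one is exposed.
# Note: -perm /077 is GNU find syntax (the find shipped with Ubuntu).
audit_key_perms() {
    dir=$1
    exposed=$(find "$dir" -type f -name 'privkey*.pem' -perm /077 2>/dev/null)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" | sed 's/^/exposed private key: /' >&2
        return 1
    fi
    return 0
}

# Copy the PEM files from SRC into a staging directory DEST for download,
# leaving the originals and their permissions untouched.
# DEST is created mode 700 and every copy mode 600. Pass OWNER (needs root)
# to hand the copies to the unprivileged account that will download them.
stage_cert_copy() {
    src=$1
    dest=$2
    owner=${3:-}
    install -d -m 700 "$dest" || return 1
    for f in "$src"/*.pem; do
        [ -f "$f" ] || continue          # also follows certbot's symlinks
        install -m 600 "$f" "$dest/" || return 1
    done
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dest" || return 1
    fi
}

# Typical use as root (paths are examples):
#   audit_key_perms /home/ubuntu/archive
#   stage_cert_copy /etc/letsencrypt/live/example.com /home/ubuntu/cert-copy ubuntu
```

Remove the staging directory once the download is finished, so the only remaining copy of the key is the root-owned original.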

Wait a min, I do see the directory:

root@certbot:/etc/letsencrypt# ll
total 12
drwxr-xr-x 3 root root 4096 Jan 23 00:45 ./
drwxr-xr-x 104 root root 4096 Jan 22 06:43 ../
drwxr-xr-x 5 root root 4096 Jan 21 14:14 renewal-hooks/
root@certbot:/etc/letsencrypt# cd renewal-hooks/
root@certbot:/etc/letsencrypt/renewal-hooks# ll
total 20
drwxr-xr-x 5 root root 4096 Jan 21 14:14 ./
drwxr-xr-x 3 root root 4096 Jan 23 00:45 ../
drwxr-xr-x 2 root root 4096 Jan 21 14:14 deploy/
drwxr-xr-x 2 root root 4096 Jan 21 14:14 post/
drwxr-xr-x 2 root root 4096 Jan 21 14:14 pre/

Although there is nothing under the deploy, post, pre directories.

You should review this topic
https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates

3 Likes