Our developer left and the certificates are now expired

sensusglobal · 2018-05-01 15:59:56 UTC

The in-house developer for our corporate website and microsites left and he will not provide the username/passwords to the back-end. In the meantime, the certificates have expired because his email address was deactivated and we were unable to renew.

Is it possible to transfer ownership of the account and change the email address so that we can renew the certificates every 60 days?

My domains are:

droughtresourcecenter.com
factorfictionseries.com
sensus-des.com
sensusinjapan.com
sensusinmena.com
sensusreach.com
sensusreach15.com
sensusreach16.com
sensusreach17.com
sensusreach18.com
sensusreach19.com
smartmeterresources.com
smartwaternetworks-uk.com
smartwaternetworks.com
staging.sensus.com
dev.sensus.com

My web server is (include version): NGNIX

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

stevenzhu · 2018-05-01 16:32:18 UTC

Hi,

You can check if your server has certbot installed.
By running certbot -v (if there is any output other than can’t found certbot)

If so, try run certbot renew. And see if it’s running. And gave a renewing option (like renewing the certificate)

If not, please follow this guide from digital ocean to install / request certbot.

Thank you

sensusglobal · 2018-05-01 16:37:03 UTC

Thank you for the quick response. Unfortunately, the developer who left not only locked us out of the PC he connected to the server with a SSH key, he will not give us the root password or FTP credentials. We are in the middle of litigation to resolve this. But what do I do in the meantime?

Osiris · 2018-05-01 16:42:39 UTC

I assume you’re still in control of your hostnames.

You can just re-issue the certificate(s) from scratch.

That would imply you control the servers behind the hostnames of course, but I’m reading a lot of trouble with that apparently…

stevenzhu · 2018-05-01 16:51:26 UTC

He won’t be able to install it…

Since he have no control to the server…

jvanasco · 2018-05-01 17:01:32 UTC

I have to ask this first: Have you tried paying/bribing the former employee to provide you with this information?

The only times I’ve seen issues like this happen in the past:

a company defaulted on paying contractors
an employee was fired, treated badly or forced out by a bad relationship

In both those types of situations, the former employee wasn’t motivated to do any more work for their former employer. Lawyers can send threatening letters and even file suit, but it often makes a situation worse and doesn’t work well in the end.

You can contact Digital Ocean to have the hosting account switched to someone at your company if it is not already. A new developer should be able to gain root access through their control panel and reset the passwords.

Osiris · 2018-05-01 17:07:32 UTC

But if he has control over the hostnames, he could erect a new webserver, even if it’s just for a “maintenance” placeholder.

Not sure why such a placeholder would need TLS though

schoen · 2018-05-02 17:29:07 UTC

Overall, if the certificates aren’t auto-renewing on the server, you won’t be able to renew them in production unless you can get into the server or replace the server with another server. There’s never a way to unilaterally renew certificates from the CA side; the renewal is a new certificate issuance which always has to be requested. While a new certificate can potentially be requested using a different server, it can’t be installed on the live server without administrative access to that server.

drxelak · 2018-05-04 17:38:07 UTC

Hi! You can check this article that describes how you can renew Let’s Encrypt with NginX https://itsyndicate.org/blog/install-letsencrypt-on-ubuntu-16-04-and-ubuntu-18-04/ . Also you can request all certificates with new email and you will be able to receive notifications.

schoen · 2018-05-04 17:39:37 UTC

@drxelak, did you read this thread before posting in it? This user’s problem is about not having access to the server at all!

drxelak · 2018-05-04 18:37:19 UTC

Sorry, formulation was not super clear from the first sight. The best option would be accessing Digital Ocean control panel, restore access and re-configure certificates. Here is a screenshot where you can receive new password.

sensusglobal · 2018-05-12 22:20:24 UTC

Thank you, everyone, for your help. We ended up hiring a consultant to access the server and renew the certificates. All is well and we can pivot now to deal with GDPR issues.

system · 2018-06-11 22:20:26 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.