Our site was kind of seriously "damaged" by the Certbot renewal

Hi,

We have been using Certbot for at least 2-3 years already, and every 3 months or however often it is needed I do the manual renewal of the certificate.

I do it like this on the command line:

certbot -d *.site.com -d site.com --manual --preferred-challenges dns certonly

Then the site owner adds the DNS TXT records and I confirm the command.

So far it has always worked. Also when I did it last time, it said success.

After the command above I also run this command:

service apache2 reload

Then I check the certificate information by clicking the lock icon in desktop Chrome, to verify that the new certificate is installed.

Also when I did it last time, I saw the new certificate there. But then a very serious problem happened.

When the calendar date moved so that the old SSL certificate expired, the site stopped working in many browsers.

We discovered it with the site owner like 3 days after.

Notice that he is running a popular site with like 500k+ visitors or something, and that this site is paying my living btw. (I am 100% dependent on it.)

So a very serious problem happened: in SOME browsers there was the new certificate, and in many or most of them there was the OLD certificate, not valid anymore, and the visitors dropped substantially.

When I checked the site in another browser on my desktop, e.g. Safari, there was really the warning that the certificate has expired. Also in Safari on the iPhone and in Chrome on the iPhone.

Also btw notice that it seems it is not possible to check the certificate info in the iPhone browser in advance as in the desktop browsers, so that is quite a problem too.

Anyway, how could this problem have happened, that in my desktop Chrome it was fine and in the majority of browsers there was the old certificate?

This is the first time this problem has happened. Has the code of Certbot somehow changed now in a way that could have caused some problem?

I repeat that for us this is a serious problem. We need it to work flawlessly as it has worked so far.

What I did when the site owner told me about the problem was that I ran these commands:

service apache2 reload
service apache2 restart

But I am 100% sure I ran the reload before, and that I saw the new certificate in Chrome before, and as I say, so far there was never a problem with this and I was always using only apache reload.

Also, is there some way to analyze how many visitors / browsers have been affected by being shown the browser warning "this is not a safe site", i.e. have had the SSL issues? Via Google Analytics or the Apache log or something?

Thank you

1 Like

Various things can cause this. You might have a stuck Apache worker using the old cert. Or, your DNS has multiple IP addresses and one of those points to a server using the old cert.

We could help debug those if you provide your domain name.

Also, if you have a busy website you should be using an automated method to renew your certs and not a manual one. We also recommend renewing with 1/3 of the cert life remaining (so, 30 days currently) to give you chance to fix problems without downtime.

You could use these sites to check your certs (among many others)

3 Likes
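A way to test the two causes this reply names (a stuck worker still holding the old certificate, or one DNS address serving a different certificate), and to check the renewal procedure from the question from the outside rather than from a single desktop browser. This is an added example written for this thread, not code from the original posts or from Certbot; it assumes dig and openssl are installed, that the renewed certificate sits at Certbot's default path /etc/letsencrypt/live/<domain>/fullchain.pem, and the script name used below is made up.

```shell
#!/usr/bin/env bash
# Added example for this thread (not from the original posts or from Certbot).
# Connects to every IP the domain resolves to, several times each, and compares
# the certificate each connection actually received with the others and with the
# fullchain.pem Certbot wrote locally. Assumptions: dig and openssl are installed,
# and the live certificate is at Certbot's default path under /etc/letsencrypt/live.
set -u

# All A and AAAA records of a name, one per line, deduplicated.
resolve_ips() {
    local host=$1
    { dig +short A "$host"; dig +short AAAA "$host"; } \
        | grep -E '^[0-9a-fA-F.:]+$' | sort -u
}

# One TLS handshake against a specific IP with SNI set to the domain.
# Prints "<ip> <sha256 fingerprint> <valid|expired> <notAfter>" for the leaf
# certificate this particular connection was given.
served_cert() {
    local host=$1 ip=$2 target pem status fp end
    case $ip in *:*) target="[$ip]:443" ;; *) target="$ip:443" ;; esac
    pem=$(openssl s_client -connect "$target" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 2>/dev/null) || { echo "$ip NO-CERT error -"; return; }
    # -checkend 0 succeeds only if the certificate has not expired yet
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        status=valid
    else
        status=expired
    fi
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*Fingerprint=//')
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    echo "$ip $fp $status $end"
}

# Fingerprint of the certificate Certbot wrote locally, for comparison.
local_fingerprint() {
    openssl x509 -in "/etc/letsencrypt/live/$1/fullchain.pem" -noout -fingerprint -sha256 \
        | sed 's/^.*Fingerprint=//'
}

# Reads observation lines from served_cert on stdin and prints a verdict.
# Returns 0 only when every connection received the same, unexpired certificate.
summarize() {
    local obs distinct expired rc=0
    obs=$(cat)
    distinct=$(printf '%s\n' "$obs" | awk 'NF{print $2}' | sort -u | wc -l | tr -d ' ')
    expired=$(printf '%s\n' "$obs" | awk '$3=="expired"' | wc -l | tr -d ' ')
    if [ "$distinct" -eq 0 ]; then
        echo "NO DATA: no certificate observed (name did not resolve or port 443 unreachable)"
        return 1
    fi
    if [ "$distinct" -gt 1 ]; then
        echo "MISMATCH: $distinct different certificates served (stale worker or an IP still on the old cert?)"
        printf '%s\n' "$obs" | awk 'NF{print "  " $0}'
        rc=1
    fi
    if [ "$expired" -gt 0 ]; then
        echo "EXPIRED: $expired connection(s) received an already expired certificate"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: every connection served the same unexpired certificate"
    return "$rc"
}

main() {
    local host=$1 tries=${2:-5} ip i rc
    {
        for ip in $(resolve_ips "$host"); do
            for i in $(seq "$tries"); do served_cert "$host" "$ip"; done
        done
    } | summarize
    rc=$?
    echo "local fullchain.pem: $(local_fingerprint "$host" 2>/dev/null || echo 'not readable')"
    return "$rc"
}

# Only run when a domain is given; sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `./check-served-cert.sh site.com 10` right after `service apache2 reload`: every address is connected to ten times with SNI set to the domain, so a worker that still serves the previous certificate shows up as a MISMATCH line, an address whose certificate has already passed its notAfter shows up as EXPIRED, and the last line tells you whether what the server hands out is even the file Certbot just wrote.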

In addition to what my fellow volunteer has already said and just to be absolutely clear: you're using the certonly subcommand of Certbot, so no modification to the Apache configuration will be made by Certbot. The only thing Certbot does is get a new certificate from the ACME server. You can verify the integrity of the certificate and chain manually if you'd like, but I'm pretty sure they're fine.

Anything else, or anything for that matter, is NOT due to Certbot.

3 Likes

So sharing the domain name of the site should not be a problem.
Please share the domain name. 🙂

3 Likes
