Rate limits problem

Hi all,

I really need your help. Thanks in advance

I had my certificate running fine for 3 months. I thought it was going to renew automatically, but it looks like it didn’t, as it expired.
I made some attempts with the commands ‘sudo certbot --apache’, ‘sudo certbot --webroot’… but despite successful results for the commands, any try on the web was giving SEC_ERROR_EXPIRED_CERTIFICATE, serving the old certificate.
I tried remaking it from scratch, revoking and deleting, but when I tried to make a new one I ran into the “too many certificates already issued for exact set of domains” result.
I’m really lost; my server is down because of it and it seems it will be for 1 week, which is a disaster for us.
I’m wondering what to do next:

  • Try to roll back to an insecure version of the site?
  • Any idea you can give me about rescuing the successfully renewed certificates?
  • Whether I have the renewed one or wait a week: how do I actually set the new one so I don’t get the expired one when browsing?

My domain is: circusofthings.com

I ran this command: sudo certbot --apache (and --webroot)

It produced this output: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/circusofthings.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/circusofthings.com-0001/privkey.pem
Your cert will expire on 2019-01-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”

My web server is (include version): Tomcat 7

The operating system my web server runs on is (include version): Ubuntu 14.04 64 bits

My hosting provider, if applicable, is: ovh

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Check your Apache configuration: in which directory is it looking for fullchain.pem?

I think you managed to get yourself a new certificate within a new directory (see the -0001 extension in the “Congratulations!” thingy).

In the future, try certbot renew to renew your certificate :wink:

Hi @jaimiris

You have created 10 certificates today:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:Y2lyY3Vzb2Z0aGluZ3MuY29tOmZhbHNlOmZhbHNlOjpFQUU9&cert_search=include_expired:false;include_subdomains:false;domain:circusofthings.com&lu=cert_search_cert

Did you revoke / delete these? If yes, you have to wait one week.

Check your configuration with

certbot certificates

if there is one of the new certificates.

Please don't delete files if you don't have a backup.

Hi, @Osiris, thanks for replying.
Yes, I’m aware that those are new certificates in the new directories… I had the original and *-0001 and *-0002 from my different attempts while it was not reflected on the web. But none of them were working.
(BTW: Now I wonder if my browser was lying to me with a falsely cached certificate)
But, when you ask about where my Apache is pointing to ‘fullchain.pem’: I don’t know if you mean my Tomcat server.xml file. I can say it was pointing to a completely different *.pfx file in my keystore param. This is an old self-signed certificate and now I don’t know why it hasn’t been a problem for my Let’s Encrypt setup these last 3 months (¿¿??).
Still I have the same problem: why was certbot giving a success result while not updating the certificate for the visitor?

Depends on how you got to install the certificate in the first place. Now you're talking about Tomcat instead of Apache (the use of the apache plugin suggested the use of Apache, so I assumed Apache was indeed the TLS endpoint of your website).

Did you install the certificate manually? Or did you use certbot for that? If you used the apache plugin, certbot would reload Apache automatically and thus "install" the certificate at the same time. If you used webroot previously without an installer plugin, such as apache, certbot would have gotten you the certificate, but you would have had to install it manually. And when installing it manually, certbot wouldn't know how to "reinstall" the renewed certificate.

So it really depends on how you installed the certificate in the first place.

Also, now your site is answering plain HTTP on port 443 instead of HTTPS...

Hi @JuergenAuer, thanks for your time.
Yes :frowning: I revoked and deleted everything as the new certificates weren't working. And, as you pointed out,

certbot certificates

corroborates it.
I have saved the certificate shown in the web error. Would it be enough as a backup?
And why, having a correct certificate, is it still showing the out-of-date one to the visitor?

The certificates and corresponding private keys were fine. The fact that they weren't installed properly is why they "weren't working".

A certificate without its private key is useless.

Because "issuing" and "installing" are two different things. You can get a thousand or even millions of perfectly working certificates, if your software doesn't get it, the visitor doesn't get it.

@Osiris

Also, now your site is answering plain HTTP on port 443 instead of HTTPS…

Yes, I did it manually. I rolled back to a non-HTTPS site to keep the business going (I don't have a better idea...)

So it really depends on how you installed the certificate in the first place.

I really can't recover this information. Should I start it again from the beginning next week?

Or did you use certbot for that?

Yes, I used Certbot

To get the certificate or to install the certificate too?

@Osiris

To get the certificate or to install the certificate too?

Not 100% sure of my memory, but I'm sure I used it to "install" too

On the other hand, I see in my
/etc/letsencrypt/archive/circusofthings.com-0001/
directory that I still have these files:
cert1.pem chain1.pem fullchain1.pem privkey1.pem
Might it help to set it again?

Could be.

It could also be your current expired certificate. You can check with

openssl x509 -noout -text <cert1.pem

and check the expiration date.

Maybe I am lucky:

Validity
Not Before: Oct 20 16:29:34 2018 GMT
Not After : Jan 18 16:29:34 2019 GMT

Any suggestion on what to do with it? I have a bunch of directories with pem files... not to clean

Looks like you didn't delete all files. Check

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

search something like

Listen 443
<VirtualHost *:443>
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

and change the two rows

    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"

with your own files.

Not sure where you mean, which file? did you notice I’m using a Tomcat server?

Sorry, I saw your certbot command with --apache. Tomcat requires additional steps.

But you should be able to use this certificate.

You are right, it was confusing with my reference to Apache above.
I was trying to show you my server.xml… but for some reason I can’t.
Anyway, I will try to reset it as before and point to these files like you suggested, but in Tomcat. I’ll tell you when I’m done.

certbot can't install certificates on Tomcat. So all this time, you must have installed it manually, about 90 days ago.

Yes @Osiris, it is. I assumed it was made by certbot, but I did it manually.
I don’t have success yet, but I think I’m closer.
I removed my old entry from my keystore:

keytool -delete -alias cotcert -keypass *** -storepass ***

I added it again, signed with the up-to-date cert we found before:

keytool -import -alias cotcert -keypass *** -file /etc/letsencrypt/archive/circusofthings.com-0001/cert1.pem -storepass ***

Now it is supposed to be right in my .keystore in my root directory.

In fact I checked, and the date is fine and the issuer is Let’s Encrypt.

I copied that to my /user/share/tomcat7 as my server.xml was pointing to /user/share/tomcat7/cot.pfx

I think cot.pfx is the same concept as .keystore… but no idea how to convert it… I think after that it should work

Hi @jaimiris,

If you want to create a pfx file from your renewed cert, use the commands below:

1.- First, back up your existing pfx file

cp -p /user/share/tomcat7/cot.pfx /user/share/tomcat7/cot.pfx.backup

2.- Combine the fullchain.pem and privkey.pem files into a pfx bundle.

openssl pkcs12 -export -in /etc/letsencrypt/archive/circusofthings.com-0001/fullchain.pem -inkey /etc/letsencrypt/archive/circusofthings.com-0001/privkey.pem -out /user/share/tomcat7/cot.pfx -password pass:HERETHEPASSWORD

I assume you have configured your server.xml to use the pfx file and the keystore is configured as keystoreType="PKCS12". Also, the above HERETHEPASSWORD should be the same password you have configured in your server.xml conf file: keystorePass="HERETHEPASSWORD"

Of course, you must reload/restart tomcat to refresh the cert in use.

Good luck,
sahsanu
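The two points made in this thread, that a certificate being issued is not the same as it being installed, and that Tomcat needs the fullchain.pem and privkey.pem pair bundled into a PKCS12 keystore, can be checked and carried out with the small shell helper below. It is an added example, not code from the thread, certbot or Tomcat; the file paths, the keystore password and the `demo` function's self-signed certificate are constructed stand-ins for the real certbot archive files.

```shell
#!/bin/sh
# Added example (not from this thread or from certbot/Tomcat). Helpers for the two
# things the thread separates: checking which certificate is actually served versus
# what certbot wrote to disk, and bundling fullchain.pem + privkey.pem into the PKCS12
# keystore Tomcat reads. Paths and the password below are placeholders.
set -eu

# "Not After" date of a PEM certificate on disk, e.g. "Jan 18 16:29:34 2019 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# "Not After" date of the certificate a live TLS endpoint presents to visitors.
# Comparing this with cert_not_after shows whether the new cert was *installed*,
# independent of any browser cache.
served_not_after() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Succeeds only if the private key belongs to the certificate (same public key).
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Build a PKCS12 bundle for Tomcat (keystoreType="PKCS12") from certbot's files.
# Refuses to write a keystore whose key does not match the certificate, backs up
# any existing keystore first (as the thread advises), and creates the new file
# readable only by its owner because it contains the private key.
build_pkcs12() {
    fullchain=$1; key=$2; out=$3; pass=$4
    if ! key_matches_cert "$fullchain" "$key"; then
        echo "private key does not match certificate: $fullchain" >&2
        return 1
    fi
    if [ -f "$out" ]; then
        cp -p "$out" "$out.backup"
    fi
    ( umask 077; openssl pkcs12 -export -in "$fullchain" -inkey "$key" \
        -out "$out" -password "pass:$pass" )
}

# Leaf certificate expiry stored inside a PKCS12 file, to verify the bundle
# holds the certificate you expect before restarting Tomcat.
pkcs12_not_after() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -password "pass:$2" 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Demonstration on a constructed self-signed certificate (a stand-in for the
# certbot archive files), so it runs offline. Run as:  sh thisfile.sh demo
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.invalid" \
        -keyout "$tmp/privkey.pem" -out "$tmp/fullchain.pem" >/dev/null 2>&1
    build_pkcs12 "$tmp/fullchain.pem" "$tmp/privkey.pem" "$tmp/cot.pfx" "HERETHEPASSWORD"
    echo "on disk (PEM): $(cert_not_after "$tmp/fullchain.pem")"
    echo "in keystore:   $(pkcs12_not_after "$tmp/cot.pfx" HERETHEPASSWORD)"
    # On a real host, after restarting Tomcat, compare with what visitors get:
    #   served_not_after www.yourdomain.com
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

With certbot managing renewal but Tomcat doing the serving, the same `build_pkcs12` call followed by a Tomcat restart is what has to happen after every renewal; certbot's `--deploy-hook` option (assumed here as the place to wire it in, with paths adjusted to the live/ directory) is one way to make that automatic so the next expiry does not repeat this thread.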

@sahsanu, my friend, I have another question:
where is the button here to invite you some beers?!
That was it… you made my day. Thank you
@JuergenAuer and @Osiris are also invited
