Recreate SSL Certificate after Server rebuilt


#1

Hi everyone. I created an SSL certificate from Let's Encrypt. After some time the server was rebuilt.
But now the SSL has disappeared. I tried to create another one for the same domain, but got some issues that I didn't face during the first installation. But it seems like the certificate is still valid when I test it with https://www.ssllabs.com

This is the error:

Domain: mysite.pl
   Type:   unauthorized
   Detail: Invalid response from
   http://mysite.pl/.well-known/acme-challenge/wc7Romm8QfnvUMxqn4YnSm48XNeOHGkyvmGPA_8Yb4Q:
   "
   <!DOCTYPE html>
   <!--[if lt IE 7 ]><html class="ie ie6" lang="en" prefix="og:
   http://ogp.me/ns#"> <![endif]-->
   <!--[if IE 7 ]"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

#2

Hi @devPassion96

there is nothing to see.

Please answer the following questions:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#3

Thanks for your help.
I think the main issue is that my Archive and Live folders in the Let's Encrypt directory were deleted after the server was rebuilt, which means that the keys are lost.
But when I test the domain, the domain is still certified by Let's Encrypt and it's valid till March 13th. But the website is not secured now.
Domain: deeds.gamregistry.com
Command: sudo certbot --apache -d deeds.gamregistry.com
Output:
Failed authorization procedure. deeds.gamregistry.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://deeds.gamregistry.com/.well-known/acme-challenge/7KBczclLLqOG3O185xcCoOJZ6gIi1fYcafRzwQOhLjk: "\n<html lang=“en” xmlns=“http://www.w3.org/1999/xhtml”>\n\n<link rel=“stylesheet” href=“https://cdn.sucuri.net

IMPORTANT NOTES:

Web server: Apache2
OS: Ubuntu 16.04 LTS
I can login to a root shell on my machine
I am not using a control panel
The version of certbot is: certbot 0.28.0


#4

Your current certificate is ok.

CN=deeds.gamregistry.com
13.12.2018
13.03.2019
deeds.gamregistry.com - 1 entry

But your settings are wrong ( https://check-your-website.server-daten.de/?q=deeds.gamregistry.com )

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://deeds.gamregistry.com/ (192.124.249.110) | 403 Forbidden | | 0.043 | M |
| https://deeds.gamregistry.com/ (192.124.249.110) | 403 Forbidden | | 5.506 | M |
| http://deeds.gamregistry.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (192.124.249.110) | 403 Forbidden | | 0.043 | M |

If you use http-01 validation, Certbot creates a file under /.well-known/acme-challenge, and Let's Encrypt checks this file.

So you must allow anonymous access to /.well-known/acme-challenge.

But there is a 403 Forbidden.

Checked with my browser:

Access Denied - Sucuri Website Firewall

Block reason: Access from your Country was disabled by the administrator.

This is always bad. Let's Encrypt uses different IP addresses.
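The check described in this reply, written up as a small pre-flight script (added example, not code from the thread or from Certbot): it requests a made-up token under /.well-known/acme-challenge/ over plain HTTP, the way the CA does, and classifies the answer, so a 403 carrying Sucuri's `x-sucuri-block` header is reported as a WAF block rather than a web-server problem. The probe token, the `diagnose`/`probe` function names and the result strings are all my own.

```python
"""Pre-flight check for Let's Encrypt http-01 validation (added example)."""
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"
PROBE_TOKEN = "preflight-probe-token"  # constructed; not a real ACME token


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def diagnose(status, headers):
    """Classify one HTTP answer for the challenge path.

    headers may be an http.client.HTTPMessage or a plain dict; header
    names are compared case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    waf = h.get("x-sucuri-block")      # GEO02 in the thread = country block
    if status == 403 and waf:
        return "blocked-by-waf:" + waf
    if status == 403:
        return "forbidden-check-webserver-acl"
    if status == 404:
        return "reachable-404"         # path is open, the file just isn't there
    if 300 <= status < 400:
        return "redirect:" + h.get("location", "?")
    if status == 200:
        return "reachable-200"
    return "unexpected-%d" % status


def probe(domain, timeout=10):
    """Fetch the probe token over plain HTTP and return the diagnosis."""
    url = "http://%s%s%s" % (domain, ACME_PATH, PROBE_TOKEN)
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.headers)
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here
        return diagnose(err.code, err.headers)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "deeds.gamregistry.com"))
```

A `reachable-404` is the good outcome for a probe token. The script only tests from your own vantage point; a country-based block can still fail validation from the CA's addresses even when this passes.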


#5

According to this: https://kb.sucuri.net/firewall/Configuration/how-to-enable-SSL
We partnered with Let’s Encrypt to provide HTTPS support to all plans.

Well, it seems that Geo-Location blocking supersedes that partnership:
curl -Iki http://deeds.gamregistry.com/
HTTP/2 403
server: nginx
date: Tue, 22 Jan 2019 21:22:53 GMT
content-type: text/html
content-length: 146
x-sucuri-id: 17010
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
content-security-policy: upgrade-insecure-requests;
x-sucuri-block: GEO02


#6

Yes, the certificate is okay, but I don't know why it doesn't appear on the website now.
The website was secured by Let's Encrypt before the server was rebuilt.
After the rebuild, the certificate is still valid but the website is not secured anymore.
That is what I don't understand.


#7

Your website is secure. There is the certificate, which is valid.

I don't see the content because the firewall blocks it.

And you must remove this blocking if you want to renew the certificate.

But your website is ok, Firefox shows a green lock.

Same with Chrome:

This page is secure (valid HTTPS).
Certificate - valid and trusted
The connection to this site is using a valid, trusted server certificate issued by Let's Encrypt Authority X3.
View certificate
Connection - secure (strong TLS 1.3)
The connection to this site is encrypted and authenticated using TLS 1.3 (a strong protocol), X25519 (a strong key exchange), and AES_256_GCM (a strong cipher).
Resources - all served securely
All resources on this page are served securely.

#8

Are you hitting the same IP as the Internet users hit?
I see:
Name: deeds.gamregistry.com
Address: 192.124.249.110


#9

Yes, I think the firewall is blocking the https connection, because it does not get the corresponding keys from the server anymore. They were blown away when the server was rebuilt. I can only access it with an http connection now.
I do not have these directories on my server anymore:
/etc/letsencrypt/live/deeds.gamregistry.com/fullchain.pem
/etc/letsencrypt/live/deeds.gamregistry.com/privkey.pem


#10

The firewall doesn't block the https connection. I can see your valid certificate, valid until 2019-03-13.

You must have the keys. If not, your server couldn’t show a correct certificate.

I can use https:

https://deeds.gamregistry.com/

The content is blocked; this is a different thing.

What's the content of

/etc/letsencrypt/live/ ?

#11

The Live directory cannot be found


#12

These are the folders I have under /etc/letsencrypt/
accounts certbot-auto cli.ini csr keys options-ssl-apache.conf renewal renewal-hooks


#13

Your output ( https://check-your-website.server-daten.de/?q=deeds.gamregistry.com ):

Forbidden
Server: Sucuri/Cloudproxy
Date: Tue, 22 Jan 2019 15:10:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
X-Sucuri-ID: 15010
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: upgrade-insecure-requests;
X-Sucuri-Block: GEO02

I don’t know how Sucuri handles certificates. But this instance has a correct certificate.


#14

After troubleshooting with Sucuri, this is what I got from them:

And I’ve found the following potential problems:

- Your hosting server is forcing the use of plain HTTP, but your SSL Mode setting is set to ‘Full HTTPS’. You should change that to ‘Partial HTTPS’.


#15

This makes sense:
Your hosting server is forcing the use of plain HTTP
Your server now only supports HTTP (no HTTPS or HTTPS is broken/unusable - from their perspective).

Your SSL Mode setting is set to ‘Full HTTPS’. You should change that to ‘Partial HTTPS’.
This is something they should have walked you through. [It should be a setting in their software/panel].

Once you get HTTPS working (properly), you can then switch back to ‘Full HTTPS’.


#16

Thanks. This worked for me


#17

Thank you both. Really appreciate your support :+1:


#18

Hi, I just ran into another issue. After changing to Partial HTTPS, I am having issues visiting the admin side of the app.
This is what it brings:


#19

Is there any way to completely remove the SSL certificate and then issue it again?


#20

The attached picture is of a Sucuri Website Firewall requesting a two-factor authorization token.

Do you use Sucuri to protect your web site?
Did you configure it to require 2FA?