Renewal didn't work?


#1

Last night I did a manual certificate renewal for cloudconfusing.com. The first time issued the command:

$ sudo ./certbot-auto renew

it didn’t work. I got an error about my A Names (I think). I waited a bit and sent up the same command… and it worked! I got the confirmation message and everything. But now when I go to confirm the renewal I don’t see the new dates.

Any ideas?


#2

Hi,

Please try two commands.

First one ./certbot-auto certificates (list all certificates) (if the certificate date is correct, proceed to the second command… else, rerun the renew…)

Second one, sudo systemctl restart apache (if you were using certbot with certonly, you’ll need to reload certbot…)

Thank you


#3

There are issues with the domain’s DNS configuration, so it works unreliably.

According to the TLD, the domain’s nameservers are:

cloudconfusing.com.     172800  IN      NS      ns-551.awsdns-04.net.
cloudconfusing.com.     172800  IN      NS      ns-396.awsdns-49.com.
cloudconfusing.com.     172800  IN      NS      ns-1563.awsdns-03.co.uk.
cloudconfusing.com.     172800  IN      NS      ns-1203.awsdns-22.org.

According to the NS records on those nameservers, they are:

cloudconfusing.com.     172800  IN      NS      ns-1266.awsdns-30.org.
cloudconfusing.com.     172800  IN      NS      ns-2041.awsdns-63.co.uk.
cloudconfusing.com.     172800  IN      NS      ns-245.awsdns-30.com.
cloudconfusing.com.     172800  IN      NS      ns-607.awsdns-11.net.

That’s wrong: The second group of nameservers refuses queries for the domain.

You need to fix the NS records in the Route 53 hosted zone for DNS to work well.

crt.sh is running a bit behind. It will likely show up in a couple days.

Google’s CT search site shows a certificate issued yesterday:

https://transparencyreport.google.com/https/certificates/fzLGKSdJLyyj8sXjoifmfUVDEL89Y%2BfnvhO0EX3%2FK48%3D


#4

Thanks you @mnordhoff that’s a great find! I’m awful at DNS and the combination of Route 53 and Lightsail have me beyond confused. I see now that my first attempt was a total hack, so I’m sort of shocked that the site worked most of the time.

I just matched put the Lightsail nameservers into the Route 53 NS record:

ns-1450.awsdns-53.org
ns-524.awsdns-01.net
ns-83.awsdns-10.com
ns-2012.awsdns-59.co.uk

And put A records for the domain and www. subdomain in Route 53. I guess I could do them in Lightsail as well, but their “easy” platform is just too confusing.

I’ve run sudo certbot renew --dry-run a bunch of time and seen no problems. I’m unable to do a normal run because the cert is not yet up for renewal:

....../cloudconfusing.com/fullchain.pem expires on 2018-10-09 (skipped)

As for confirmation: Google Transparency report looks good, crt.sh and SSLshopper don’t. Is it common (possible) for them to be running behind?

Oh hey, SSL Labs looks OK.


#5

You can force it “early”, if you need to, with ./certbot-auto renew --force-renewal (or certonly [... various stuff ...] --force-renewal). These aren’t good commands to run routinely in production because they’ll run up against the rate limits quickly.


#6

The result is cached: If you are diagnosing a certificate installation problem, you can get uncached results by clicking here.

Is very backlogged and takes a long time to see most new certificates.


#7

@_az Where do I click for uncached results? (your “here” has no link). I guess I could just open an incognito browser and look at the cert through the browser as well.


#8

Sorry, the quote is taken from the sslshopper site. If you look for that text on their page, it has a link.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.