I'm using a mattermost docker installation. My certificate expired for the second time - once after 90 days, and today, after 180 days. I did the standard renewal. The output says the certificate has been renewed. But sslchecker says it is not. And I still get untrusted certificate error. What am I doing wrong? Please help.
My domain is: matter.takshashila.org.in
I ran this command:
./scripts/issue-certificate.sh -d matter.takshashila.org.in -o /root/docker/certs
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for matter.takshashila.org.in
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/matter.takshashila.org.in-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/matter.takshashila.org.in-0001/privkey.pem
This certificate expires on 2023-01-24.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
Someone, please help. This is a production environment, and I cannot understand why the certificate isn't getting applied despite the renewal. Thanks!
When I see -0001 in the cert file names it usually means there was a problem getting certs and a second set was created. I think your nginx system is probably still configured to use the original certificate set.
There are a couple ways to resolve this. Looking at your nginx config will help. Can you upload the .txt file resulting from this command?
nginx -T >forum.txt
Thanks @MikeMcQ . It didn't work as desired. So I'm pasting the docker-compose.nginx.yml file. Hopefully that gives an idea about my config.
version: "2.4"
services:
  nginx:
    depends_on:
      - mattermost
    container_name: nginx_mattermost
    image: nginx:${NGINX_IMAGE_TAG}
    restart: ${RESTART_POLICY}
    security_opt:
      - no-new-privileges:true
    pids_limit: 100
    read_only: true
    tmpfs:
      - /var/run
      - /var/cache
      - /var/log/nginx
    volumes:
      - ${NGINX_CONFIG_PATH}:/etc/nginx/conf.d:ro
      - ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem
      - ${CERT_PATH}:/cert.pem:ro
      - ${KEY_PATH}:/key.pem:ro
      - shared-webroot:/usr/share/nginx/html
    environment:
      # timezone inside container
      - TZ
    ports:
      - ${HTTPS_PORT}:443
      - ${HTTP_PORT}:80
# Shared volume for Let's Encrypt certificate renewal with a webroot
volumes:
  shared-webroot:
    name: shared-webroot
# This network name is being used for Let's Encrypt certificate renewal
networks:
  default:
    name: mattermost
And this is the nginx.conf file I'm using.
onf.txt (1.5 KB)
Is it possible and advisable to delete the existing certificates and start a new chain?
Update: I think this info might help. I'm attaching the log file. It doesn't seem to be normal.
logfile.txt (3.6 KB)
The nginx conf file (onf.txt) you uploaded is not complete. It does not show the certificate lines.
And, yes, your certbot log shows a problem with that config too. Can you show result of this command?
certbot certificates
It was a standard docker script which invokes certbot. Attaching it.
issue_certificate.txt (2.1 KB)
This was the result of "certbot certificates"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/matter.takshashila.org.in.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/matter.takshashila.org.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MikeMcQ, October 27, 2022, 1:42am
Can you show the contents of that file?
Also, show result of this command:
ls -l /etc/letsencrypt/{renewal,live}
Hi @MikeMcQ . So there are two conf files in that directory. I'm pasting the contents below.
for *-0001.conf
# renew_before_expiry = 30 days
version = 1.26.0
archive_dir = /etc/letsencrypt/archive/matter.takshashila.org.in-0001
cert = /etc/letsencrypt/live/matter.takshashila.org.in-0001/cert.pem
privkey = /etc/letsencrypt/live/matter.takshashila.org.in-0001/privkey.pem
chain = /etc/letsencrypt/live/matter.takshashila.org.in-0001/chain.pem
fullchain = /etc/letsencrypt/live/matter.takshashila.org.in-0001/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 4ad0cb51bc9ff2069d23f1372f201e7d
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
for matter.takshashila.org.in.conf
# renew_before_expiry = 30 days
version = 1.26.0
archive_dir = /etc/letsencrypt/archive/matter.takshashila.org.in
cert = /etc/letsencrypt/live/matter.takshashila.org.in/cert.pem
privkey = /etc/letsencrypt/live/matter.takshashila.org.in/privkey.pem
chain = /etc/letsencrypt/live/matter.takshashila.org.in/chain.pem
fullchain = /etc/letsencrypt/live/matter.takshashila.org.in/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 4ad0cb51bc9ff2069d23f1372f201e7d
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
Output of the ls command
/root/docker/certs/etc/letsencrypt/live:
total 12
-rw-r--r-- 1 root root 740 Apr 28 16:51 README
drwxr-xr-x 2 root root 4096 Jul 28 10:13 matter.takshashila.org.in
drwxr-xr-x 2 root root 4096 Oct 26 13:56 matter.takshashila.org.in-0001
/root/docker/certs/etc/letsencrypt/renewal:
total 8
-rw-r--r-- 1 root root 609 Oct 26 13:32 matter.takshashila.org.in-0001.conf
-rw-r--r-- 1 root root 1067 Oct 26 13:32 matter.takshashila.org.in.conf
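The two renewal files above differ in shape as well as in authenticator: the -0001 file is a plain lineage, while the webroot file carries nine repeated [[webroot_map]] blocks, each holding a copy of webroot_path instead of the domain-to-path entries that section normally contains. (The trailing comma in `webroot_path = /usr/share/nginx/html,` is not a defect; certbot writes single-element lists that way.) Below is an added linter, not certbot's own code and not a reproduction of the exact check behind the "missing a required file reference" message, that reads renewal files with a small hand-rolled parser and reports the things a practitioner would want flagged: missing cert/privkey/chain/fullchain references, references that mix two lineages, and, for webroot lineages, repeated or malformed [[webroot_map]] sections. The two sample configs embedded in it are constructed copies of the files posted above, with the account id replaced by a placeholder and the repeated block cut down to three copies.

```python
"""Lint certbot renewal configuration files for the shape problems shown above.
Added example: not certbot's own parser or validator."""
import glob
import os
import sys

REQUIRED_FILE_KEYS = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(text):
    """Minimal reader for certbot's configobj-style renewal files.
    Returns (top_level, renewalparams, subsections); subsections lists every
    [[...]] block as (name, dict) in file order, so repeated blocks stay visible."""
    top, params, subsections = {}, {}, []
    current = top
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[["):
            current = {}
            subsections.append((line.strip("[] "), current))
        elif line.startswith("["):
            current = params if line.strip("[] ") == "renewalparams" else {}
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return top, params, subsections


def lint_renewal_conf(text):
    """Return a list of problems; an empty list means the file looks sane."""
    top, params, subsections = parse_renewal_conf(text)
    problems = []
    # The four file references certbot's error message talks about.
    for key in REQUIRED_FILE_KEYS:
        if not top.get(key):
            problems.append(f"missing required file reference '{key}'")
    # All references should sit in one live/<lineage> directory that matches
    # archive_dir; otherwise two lineages (name and name-0001) got mixed.
    live_dirs = {os.path.dirname(top[k]) for k in REQUIRED_FILE_KEYS if top.get(k)}
    if len(live_dirs) > 1:
        problems.append(f"file references span several live directories: {sorted(live_dirs)}")
    archive = top.get("archive_dir")
    if not archive:
        problems.append("missing archive_dir")
    elif any(os.path.basename(d) != os.path.basename(archive) for d in live_dirs):
        problems.append("lineage name in archive_dir does not match the live directory")
    # A webroot lineage has exactly one [[webroot_map]] whose entries are
    # 'domain = path'; a copy of webroot_path inside it is not such an entry.
    auth = params.get("authenticator")
    if auth is None:
        problems.append("[renewalparams] has no authenticator")
    elif auth == "webroot":
        if "webroot_path" not in params:
            problems.append("webroot authenticator without webroot_path")
        maps = [body for name, body in subsections if name == "webroot_map"]
        if len(maps) != 1:
            problems.append(f"expected exactly one [[webroot_map]] section, found {len(maps)}")
        for body in maps:
            if "webroot_path" in body:
                problems.append("[[webroot_map]] holds 'webroot_path'; entries there are 'domain = path'")
    return problems


# Constructed copies of the two files posted above (placeholder account id,
# repeated [[webroot_map]] block reduced to three copies).
WEBROOT_CONF = """\
archive_dir = /etc/letsencrypt/archive/matter.takshashila.org.in
cert = /etc/letsencrypt/live/matter.takshashila.org.in/cert.pem
privkey = /etc/letsencrypt/live/matter.takshashila.org.in/privkey.pem
chain = /etc/letsencrypt/live/matter.takshashila.org.in/chain.pem
fullchain = /etc/letsencrypt/live/matter.takshashila.org.in/fullchain.pem
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
"""

STANDALONE_CONF = """\
archive_dir = /etc/letsencrypt/archive/matter.takshashila.org.in-0001
cert = /etc/letsencrypt/live/matter.takshashila.org.in-0001/cert.pem
privkey = /etc/letsencrypt/live/matter.takshashila.org.in-0001/privkey.pem
chain = /etc/letsencrypt/live/matter.takshashila.org.in-0001/chain.pem
fullchain = /etc/letsencrypt/live/matter.takshashila.org.in-0001/fullchain.pem
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
"""

if __name__ == "__main__":
    # Lint the files named on the command line, or the host's renewal directory.
    paths = sys.argv[1:] or sorted(glob.glob("/etc/letsencrypt/renewal/*.conf"))
    bad = 0
    for path in paths:
        with open(path) as fh:
            problems = lint_renewal_conf(fh.read())
        print(path, "OK" if not problems else "PROBLEMS")
        for problem in problems:
            print("  -", problem)
        bad += bool(problems)
    sys.exit(1 if bad else 0)
```

Run it with no arguments on the host (or inside the certbot container) to lint every file under /etc/letsencrypt/renewal; a non-zero exit means at least one lineage will not renew cleanly, which is worth catching before the expiry date rather than after it.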
MikeMcQ, October 27, 2022, 3:55am
Sorry. I should have asked to see this:
ls -lR /etc/letsencrypt/live
Also, for your original cert you used the webroot method. For your -0001 cert you used standalone. Was there a reason the webroot method quit working?
Here it is:
total 12
-rw-r--r-- 1 root root 692 Apr 28 16:51 README
lrwxrwxrwx 1 root root 49 Oct 27 04:06 cert.pem -> ../../archive/matter.takshashila.org.in/cert4.pem
lrwxrwxrwx 1 root root 50 Oct 27 04:06 chain.pem -> ../../archive/matter.takshashila.org.in/chain4.pem
lrwxrwxrwx 1 root root 54 Oct 27 04:06 fullchain.pem -> ../../archive/matter.takshashila.org.in/fullchain4.pem
-rw-r--r-- 1 root root 5619 Jul 28 10:02 fullchain.pem.backup
lrwxrwxrwx 1 root root 52 Oct 27 04:06 privkey.pem -> ../../archive/matter.takshashila.org.in/privkey4.pem
certs/etc/letsencrypt/live/matter.takshashila.org.in-0001:
total 4
-rw-r--r-- 1 root root 692 Jul 28 10:25 README
lrwxrwxrwx 1 root root 54 Oct 26 13:32 cert.pem -> ../../archive/matter.takshashila.org.in-0001/cert3.pem
lrwxrwxrwx 1 root root 55 Oct 26 13:32 chain.pem -> ../../archive/matter.takshashila.org.in-0001/chain3.pem
lrwxrwxrwx 1 root root 59 Oct 26 13:32 fullchain.pem -> ../../archive/matter.takshashila.org.in-0001/fullchain3.pem
lrwxrwxrwx 1 root root 57 Oct 26 13:32 privkey.pem -> ../../archive/matter.takshashila.org.in-0001/privkey3.pem
No, I didn't change anything specifically about the webroot or standalone options.
rg305, October 27, 2022, 11:37am
pranaykotas:
total 12
That's a high number.
Why is that file in that directory?
MikeMcQ, October 27, 2022, 7:36pm
You issued two new certs today (and two yesterday) and your server is sending out the latest one from today (Oct 27) (see here).
Do you still need help? You still might have two methods for getting certs. If you want help removing the unused one can you show result of these:
certbot certificates --cert-name matter.takshashila.org.in
certbot certificates --cert-name matter.takshashila.org.in-0001
Thanks @MikeMcQ I still need help to ensure that this doesn't repeat three months from now. As I mentioned in the original post, I was able to generate certificates, but I was still getting the untrusted certificate error.
Here is the output of the commands:
certbot certificates --cert-name matter.takshashila.org.in
Renewal configuration file /etc/letsencrypt/renewal/matter.takshashila.org.in.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/matter.takshashila.org.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot certificates --cert-name matter.takshashila.org.in-0001
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/matter.takshashila.org.in.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/matter.takshashila.org.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MikeMcQ, October 28, 2022, 12:07pm
How did you get fresh certs? Because both of your certbot renewal files look faulty. I don't see how that can work to get a cert.
The output you show for certbot certificates --cert-name matter.takshashila.org.in-0001 looks wrong. The info names your other renewal file and not the -0001 file. Did you copy/paste that wrong?
certbot certificates --cert-name matter.takshashila.org.in-0001
Renewal configuration file /etc/letsencrypt/renewal/matter.takshashila.org.in.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
Your nginx system needs to be reloaded after getting a fresh cert. That may be why you did not see a new cert in SSL Checker. But, the latest cert is being used now.
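The last point is the one that explains the original symptom: certbot writing a new fullchain.pem does not change what nginx serves until nginx is reloaded, so an online checker keeps reporting the old certificate. The check below is an added example (not code from the thread or from certbot) that fetches the leaf certificate a server actually presents and compares its SHA-256 fingerprint with the first certificate in a fullchain.pem on disk. It uses only the standard library; `ssl.get_server_certificate` does no chain validation, so it works even while the served certificate is expired or untrusted, which is exactly the situation being diagnosed. The sample bundle inside it is constructed from placeholder bytes, not a real certificate, so the parsing helpers can be exercised offline.

```python
"""Compare the certificate a TLS server is serving with the leaf in a
fullchain.pem on disk. Added example, not part of the thread."""
import base64
import hashlib
import ssl
import sys


def pem_certificates(bundle_text):
    """Split a PEM bundle such as fullchain.pem into its CERTIFICATE blocks,
    leaf first, exactly as certbot writes them."""
    blocks, current = [], None
    for line in bundle_text.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            current = [line]
        elif line.startswith("-----END CERTIFICATE-----") and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def der_of(pem_cert):
    """DER bytes of one PEM certificate block (base64 payload between the markers)."""
    return ssl.PEM_cert_to_DER_cert(pem_cert)


def sha256_fingerprint(pem_cert):
    """SHA-256 over the DER encoding: the same digest `openssl x509 -fingerprint -sha256`
    prints, without the colons."""
    return hashlib.sha256(der_of(pem_cert)).hexdigest()


def served_leaf_pem(host, port=443):
    """Leaf certificate the server presents for `host` (SNI), with no chain validation,
    so expired or untrusted certificates are returned rather than rejected."""
    return ssl.get_server_certificate((host, port))


def served_matches_disk(host, fullchain_path, port=443):
    """True when the served leaf is byte-for-byte the leaf in fullchain_path."""
    with open(fullchain_path) as fh:
        disk_leaf = pem_certificates(fh.read())[0]
    return sha256_fingerprint(served_leaf_pem(host, port)) == sha256_fingerprint(disk_leaf)


def _pem_block(payload):
    """Wrap constructed bytes in PEM markers (placeholder data, not a real certificate)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(payload).decode("ascii")
            + "\n-----END CERTIFICATE-----\n")


# Constructed two-certificate bundle used only for offline testing of the helpers.
FAKE_BUNDLE = _pem_block(b"constructed leaf") + _pem_block(b"constructed intermediate")

if __name__ == "__main__":
    # usage: python check_served_cert.py matter.example.invalid /path/to/fullchain.pem
    host, path = sys.argv[1], sys.argv[2]
    if served_matches_disk(host, path):
        print("served certificate matches", path)
    else:
        print("MISMATCH: server still presents a different certificate; reload nginx")
        sys.exit(1)
```

A mismatch right after a successful renewal means the new files are on disk but the running nginx has not picked them up; for the compose setup in this thread that is `docker compose exec nginx nginx -s reload` (or a container restart if the cert files were replaced rather than updated in place, since a bind-mounted single file keeps pointing at the old inode). Adding the check to a post-renewal hook turns a silent failure into a non-zero exit.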
system, November 27, 2022, 12:08pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.