Renewal success but the expiry date still the same

My domain is: mail.bankvictoriasyariah.co.id

I ran certbot certificates

Below is the output


Found the following certs:
Certificate Name: mail.bankvictoriasyariah.co.id-0001
Domains: mail.bankvictoriasyariah.co.id
Expiry Date: 2020-03-18 02:00:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id-0001/privkey.pem
Certificate Name: mail.bankvictoriasyariah.co.id
Domains: mail.bankvictoriasyariah.co.id webmail.bankvictoriasyariah.co.id
Expiry Date: 2020-03-12 04:21:42+00:00 (INVALID: REVOKED)
Certificate Path: /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/privkey.pem


My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 16

When I check on this site https://check-your-website.server-daten.de/?q=mail.bankvictoriasyariah.co.id, the expiry shows 13 days left

https://crt.sh/?q=mail.bankvictoriasyariah.co.id

Where do I find what is wrong and fix it?


Can you reproduce the command line options you used to get the certificate? Especially whether you used certonly, for example?

It could be that your certbot didn't use the nginx installer plugin, so your nginx wasn't reloaded. It could also be that your nginx configuration is pointing to the wrong certificate.


You have two certs with that FQDN in it (mail.bankvictoriasyariah.co.id).
One is still active and could be used for that name right away; this may require a restart/reload.
The other was REVOKED and may still be in use (somewhere).
Revokes should never happen within normal operations. Why did the REVOKE happen?


This is the output:

root@root:~# certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: mail.bankvictoriasyariah.co.id


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/mail.bankvictoriasyariah.co.id-0001.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate


Certificate not yet due for renewal; no action taken.



Let’s see which certs are still in use; please show:
nginx -T | grep ssl_cert

[If you are not using the revoked cert, it can be deleted.]
[It doesn't look like the cert with "webmail" is being used.]


Two days ago I started to renew manually by running certbot renew, and I panicked because there were 2 certificates, like below:

root@root:/etc/letsencrypt/live# ls -l
total 12
drwxr-xr-x 2 root root 4096 Dec 13 12:21 mail.bankvictoriasyariah.co.id [ the first one ]
drwxr-xr-x 2 root root 4096 Dec 19 10:00 mail.bankvictoriasyariah.co.id-0001

  • Then I deleted mail.bankvictoriasyariah.co.id-0001 with rm.
  • I re-ran the certbot dry run and it gave an error for mail.bankvictoriasyariah.co.id.
  • So I revoked it and tried to delete it with certbot delete --cert-name example.com, but that failed.
  • Later on, I managed to find the error by editing the site default.

root@root:/etc/letsencrypt/live# nginx -T | grep ssl_cert
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
ssl_certificate /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/privkey.pem; # managed by Certbot

I'm not sure, but I think I'm using the mail.bankvictoriasyariah.co.id cert.
You are right, I'm not using webmail.bankvictoriasyariah.co.id. How do I remove it?

That's odd. You've specified both certonly and --nginx, and certbot seems to ignore the certonly part, as it is using the nginx installer?

@cpu Do you know why certbot ignores the certonly switch? I would think it would use the nginx authenticator but not the nginx installer?

These are the valid files:

You are using the revoked files:

You need to find the file with those entries and update them:
grep -ri 'mail.bankvictoriasyariah.co.id/fullchain.pem' /etc/nginx/


On this server I found out there is more than one nginx installed:

root@root:/etc/letsencrypt/live# ps -ef | grep nginx
zimbra 4001 1 0 11:50 ? 00:00:00 nginx: master process /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
zimbra 4003 4001 0 11:50 ? 00:00:01 nginx: worker process
zimbra 4004 4001 0 11:50 ? 00:00:04 nginx: worker process
zimbra 4005 4001 0 11:50 ? 00:00:02 nginx: worker process
zimbra 4006 4001 0 11:50 ? 00:00:02 nginx: worker process
zimbra 5855 1 0 11:52 ? 00:00:03 /usr/bin/perl -w /opt/zimbra/libexec/zmstat-nginx
root 17680 5022 0 13:04 pts/0 00:00:00 grep --color=auto nginx

When I try to renew with certbot renew or a dry run, it gives me the error "nginx restart failed", so I changed the path from run/nginx.pid to /opt/zimbra/log/nginx.pid.


Well that would explain the confusion.
There is a system nginx and a zimbra nginx installed.
Show:
which nginx


root@root:/etc/nginx# which nginx
/usr/sbin/nginx

Already done this:

root@root:/etc/nginx# grep -ri 'mail.bankvictoriasyariah.co.id/fullchain.pem' /etc/nginx/
/etc/nginx/sites-available/default: ssl_certificate /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/fullchain.pem; # managed by Certbot

What next? Should I do certbot renew again?

Unnecessary.

You need to edit the file:
/etc/nginx/sites-available/default
the following lines:
[from revoked cert]

ssl_certificate /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id/privkey.pem;

to:
[valid cert]

ssl_certificate /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mail.bankvictoriasyariah.co.id-0001/privkey.pem;

and then restart/reload nginx

If that doesn't fix it, then we are modifying the wrong nginx :frowning:
Which is most likely the case.
The cert in use has a completely different expiry date from the two shown above:


Hahaha… I will modify it in 5 minutes. What if I want to change the status of the revoked certificate so it will be usable again; is there a command to unrevoke the certificates?

That is a one-way process; there is no undo.

We need to focus on the zimbra nginx; that is the one being used by the system.

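One way to settle which certificate is really being served, independent of which nginx binary or config file you happen to be looking at, is to compare the fingerprint of the certificate the live port 443 listener presents with the fingerprints of the lineages certbot keeps on disk. The script below is an added example, not code from this thread or from certbot; it assumes `openssl` (and, for the listener lookup, `ss`) are installed and that the certbot live directory is the default /etc/letsencrypt/live.

```shell
#!/bin/sh
# Added example: find out which on-disk certbot lineage (if any) a TLS listener
# is actually serving. nginx -T only reports the nginx binary found in PATH
# with its default config; a second instance (here Zimbra's) may own :443.

# SHA-256 fingerprint of the first certificate in a PEM stream on stdin,
# e.g. "AB:CD:..." (the "SHA256 Fingerprint=" prefix is stripped).
cert_fpr() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# notAfter date of the first certificate in a PEM stream on stdin.
cert_enddate() {
  openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Fingerprint of the leaf certificate a live server presents for host $1
# on port $2 (default 443), using SNI for $1. Needs network access.
served_cert_fpr() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM | cert_fpr
}

# Print the lineage name under directory $1 (default /etc/letsencrypt/live)
# whose fullchain.pem has fingerprint $2; exit status 1 if none matches.
match_lineage() {
  live=${1:-/etc/letsencrypt/live}; want=$2
  for dir in "$live"/*/; do
    [ -f "$dir/fullchain.pem" ] || continue
    got=$(cert_fpr < "$dir/fullchain.pem")
    if [ "$got" = "$want" ]; then
      basename "$dir"
      return 0
    fi
  done
  return 1
}

# Show the process that owns TCP port $1 (default 443), so a reload is sent
# to the right daemon. Requires iproute2's ss.
listener_on_port() {
  ss -ltnp "sport = :${1:-443}"
}

# Full check for host $1: served expiry, served fingerprint, matching lineage.
check_served_cert() {
  host=$1; live=${2:-/etc/letsencrypt/live}
  fpr=$(served_cert_fpr "$host")
  [ -n "$fpr" ] || { echo "could not fetch a certificate from $host:443" >&2; return 2; }
  echo "served fingerprint: $fpr"
  if name=$(match_lineage "$live" "$fpr"); then
    echo "served cert matches lineage: $name"
    echo "on-disk expiry: $(cert_enddate < "$live/$name/fullchain.pem")"
  else
    echo "served cert matches NO lineage under $live (old file still loaded, or another source)"
    return 1
  fi
}

# Usage: sh check_cert.sh mail.example.com   (host name is a placeholder)
if [ $# -ge 1 ]; then
  check_served_cert "$@"
  listener_on_port 443
fi
```

If the served fingerprint matches no lineage, the listener loaded the files before the renewal and has not reloaded, or it reads its certificate from somewhere other than /etc/letsencrypt/live (as the Zimbra-bundled nginx in this thread does). The `ss` line then tells you which PID to reload instead of guessing from `which nginx`.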

You should probably read through this (you might find what you need towards the end).
Or review how the last cert was installed/previously renewed.
Try:
history
and
su zimbra
history


When I try to reload nginx, it shows that nginx hasn't started:

root@root:/etc/nginx# service nginx reload
nginx.service is not active, cannot reload.
root@root:/etc/nginx# service nginx start
Job for nginx.service failed because the control process exited with error code. See “systemctl status nginx.service” and “journalctl -xe” for details.
root@root:/etc/nginx# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2019-12-19 13:54:30 WIB; 13s ago
Process: 14342 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Process: 14336 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)

Dec 19 13:54:29 mail nginx[14342]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 19 13:54:29 mail nginx[14342]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 19 13:54:29 mail nginx[14342]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 19 13:54:30 mail nginx[14342]: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
Dec 19 13:54:30 mail nginx[14342]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
Dec 19 13:54:30 mail nginx[14342]: nginx: [emerg] still could not bind()
Dec 19 13:54:30 mail systemd[1]: nginx.service: Control process exited, code=exited status=1
Dec 19 13:54:30 mail systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Dec 19 13:54:30 mail systemd[1]: nginx.service: Unit entered failed state.
Dec 19 13:54:30 mail systemd[1]: nginx.service: Failed with result ‘exit-code’.

Usually I use this command: sudo fuser -k 80/tcp

root@root:/etc/nginx# service nginx start
Job for nginx.service failed because a timeout was exceeded. See "systemctl status nginx.service" and "journalctl -xe" for details.
root@root:/etc/nginx# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: timeout) since Thu 2019-12-19 14:05:23 WIB; 14s ago
Process: 19572 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 19568 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)

Dec 19 14:03:53 mail systemd[1]: Starting A high performance web server and a reverse proxy server…
Dec 19 14:03:53 mail systemd[1]: nginx.service: PID file /run/nginx.pid not readable (yet?) after start: No such file or directory
Dec 19 14:05:23 mail systemd[1]: nginx.service: Start operation timed out. Terminating.
Dec 19 14:05:23 mail systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Dec 19 14:05:23 mail systemd[1]: nginx.service: Unit entered failed state.
Dec 19 14:05:23 mail systemd[1]: nginx.service: Failed with result ‘timeout’.

It seems I can't start nginx because of the change I made in nginx.conf so that it no longer uses /run/nginx.pid.

I restarted the server and have already read the article. Do I need to copy the certificate again?