Renewed certificate not working (HTTPS warning)

I've read it could be related to the server still using the old certificate. If that's the case, how can I fix it properly (so it won't happen again)? If not, does anyone have any idea on what the problem could be?

If you try to access https://svr.updevs.net OR https://svr.updevs.net:27017 (my mongodb instance) you get an HTTPS error, saying the certificate is invalid.

My domain is: svr.updevs.net

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: Contabo

I can login to a root shell on my machine (yes or no, or I don't know): YES

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Extra information

.conf:

# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/svr.updevs.net
cert = /etc/letsencrypt/live/svr.updevs.net/cert.pem
privkey = /etc/letsencrypt/live/svr.updevs.net/privkey.pem
chain = /etc/letsencrypt/live/svr.updevs.net/chain.pem
fullchain = /etc/letsencrypt/live/svr.updevs.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = YYY
post_hook = ./cert-post-hook.sh
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

Output of:

sudo ls -lRa /etc/letsencrypt
sudo certbot certificates
/etc/letsencrypt:
total 28
drwxr-xr-x  7 root root 4096 Aug 26 03:05 .
drwxr-xr-x 78 root root 4096 May 25 18:57 ..
drwx------  3 root root 4096 May 25 14:23 accounts
drwx------  3 root root 4096 May 25 14:24 archive
drwx------  3 root root 4096 May 25 14:24 live
drwxr-xr-x  2 root root 4096 Jul 24 17:12 renewal
drwxr-xr-x  5 root root 4096 May 25 14:23 renewal-hooks

/etc/letsencrypt/accounts:
total 12
drwx------ 3 root root 4096 May 25 14:23 .
drwxr-xr-x 7 root root 4096 Aug 26 03:05 ..
drwx------ 3 root root 4096 May 25 14:23 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 May 25 14:23 .
drwx------ 3 root root 4096 May 25 14:23 ..
drwx------ 3 root root 4096 May 25 14:24 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 May 25 14:24 .
drwx------ 3 root root 4096 May 25 14:23 ..
drwx------ 2 root root 4096 May 25 14:24 6e81b7407901490b60ea12b15d415aed

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/6e81b7407901490b60ea12b15d415aed:
total 20
drwx------ 2 root root 4096 May 25 14:24 .
drwx------ 3 root root 4096 May 25 14:24 ..
-rw-r--r-- 1 root root   88 May 25 14:24 meta.json
-r-------- 1 root root 1632 May 25 14:24 private_key.json
-rw-r--r-- 1 root root   80 May 25 14:24 regr.json

/etc/letsencrypt/archive:
total 12
drwx------ 3 root root 4096 May 25 14:24 .
drwxr-xr-x 7 root root 4096 Aug 26 03:05 ..
drwxr-xr-x 2 root root 4096 Jul 24 17:12 svr.updevs.net

/etc/letsencrypt/archive/svr.updevs.net:
total 40
drwxr-xr-x 2 root root 4096 Jul 24 17:12 .
drwx------ 3 root root 4096 May 25 14:24 ..
-rw-r--r-- 1 root root 1489 May 25 14:24 cert1.pem
-rw-r--r-- 1 root root 1269 Jul 24 17:12 cert2.pem
-rw-r--r-- 1 root root 1826 May 25 14:24 chain1.pem
-rw-r--r-- 1 root root 1566 Jul 24 17:12 chain2.pem
-rw-r--r-- 1 root root 3315 May 25 14:24 fullchain1.pem
-rw-r--r-- 1 root root 2835 Jul 24 17:12 fullchain2.pem
-rw------- 1 root root  241 May 25 14:24 privkey1.pem
-rw------- 1 root root  241 Jul 24 17:12 privkey2.pem

/etc/letsencrypt/live:
total 16
drwx------ 3 root    root    4096 May 25 14:24 .
drwxr-xr-x 7 root    root    4096 Aug 26 03:05 ..
-rw-r--r-- 1 root    root     740 May 25 14:24 README
drwxr-xr-x 2 mongodb mongodb 4096 Jul 24 17:12 svr.updevs.net

/etc/letsencrypt/live/svr.updevs.net:
total 12
drwxr-xr-x 2 mongodb mongodb 4096 Jul 24 17:12 .
drwx------ 3 root    root    4096 May 25 14:24 ..
-rw-r--r-- 1 mongodb mongodb  692 May 25 14:24 README
lrwxrwxrwx 1 mongodb mongodb   38 Jul 24 17:12 cert.pem -> ../../archive/svr.updevs.net/cert2.pem
lrwxrwxrwx 1 mongodb mongodb   39 Jul 24 17:12 chain.pem -> ../../archive/svr.updevs.net/chain2.pem
lrwxrwxrwx 1 mongodb mongodb   43 Jul 24 17:12 fullchain.pem -> ../../archive/svr.updevs.net/fullchain2.pem
lrwxrwxrwx 1 mongodb mongodb   41 Jul 24 17:12 privkey.pem -> ../../archive/svr.updevs.net/privkey2.pem

/etc/letsencrypt/renewal:
total 16
drwxr-xr-x 2 root root 4096 Jul 24 17:12 .
drwxr-xr-x 7 root root 4096 Aug 26 03:05 ..
-rwxr-xr-x 1 root root  383 May 25 14:40 cert-post-hook.sh
-rw-r--r-- 1 root root  563 Jul 24 17:12 svr.updevs.net.conf

/etc/letsencrypt/renewal-hooks:
total 20
drwxr-xr-x 5 root root 4096 May 25 14:23 .
drwxr-xr-x 7 root root 4096 Aug 26 03:05 ..
drwxr-xr-x 2 root root 4096 May 25 14:23 deploy
drwxr-xr-x 2 root root 4096 May 25 14:23 post
drwxr-xr-x 2 root root 4096 May 25 14:23 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 8
drwxr-xr-x 2 root root 4096 May 25 14:23 .
drwxr-xr-x 5 root root 4096 May 25 14:23 ..

/etc/letsencrypt/renewal-hooks/post:
total 8
drwxr-xr-x 2 root root 4096 May 25 14:23 .
drwxr-xr-x 5 root root 4096 May 25 14:23 ..

/etc/letsencrypt/renewal-hooks/pre:
total 8
drwxr-xr-x 2 root root 4096 May 25 14:23 .
drwxr-xr-x 5 root root 4096 May 25 14:23 ..
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: svr.updevs.net
    Serial Number: XXX
    Key Type: ECDSA
    Domains: svr.updevs.net
    Expiry Date: 2024-10-22 14:12:41+00:00 (VALID: 57 days)
    Certificate Path: /etc/letsencrypt/live/svr.updevs.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/svr.updevs.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Why is that mongodb mongodb?
[instead of root root]

2 Likes

Hi, that instruction was provided by mongoDB's installation tutorial. I think that might be required so the mongodb user can access the certificates.

Those are bad instructions.
Now certbot is unable to access that folder.
[certbot uses root user for access]

3 Likes

Is there a way to allow both users to access that file? I know that I can't change mongodb's files to use root, since that would be a security issue. Is there a way to make certbot run with mongodb's user, or maybe I could add both to a group? Still, that could give mongodb's user more permissions than it should have... Just before I start focusing on a solution for mongodb's user to have proper access to those files (won't be hard) without root user, are you sure that's the reason for my problem? I'm asking that because the certificate was renewed.

The simplest method is to run a script that copies the files every time they are renewed from that root root folder to another folder that can be mongodb mongodb.

3 Likes
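A sketch of the copy script suggested above, written as a certbot deploy hook (an added example, not code posted by anyone in this thread). It assumes the hook is installed as an executable file in /etc/letsencrypt/renewal-hooks/deploy/, that MongoDB's net.tls.certificateKeyFile points at /etc/ssl/mongodb/mongodb.pem, and that the service unit is named mongod; the destination path, file name and unit name are placeholders to adjust.

```shell
#!/bin/sh
# Added example: certbot deploy hook that copies a renewed certificate to a
# directory owned by the mongodb user, so /etc/letsencrypt can stay root:root.
# Assumed names (not from the thread): /etc/ssl/mongodb, mongodb.pem, unit "mongod".
set -eu

# deploy_cert SRC_DIR DEST_DIR OWNER
# Builds the combined PEM (private key + full chain) that MongoDB reads via
# net.tls.certificateKeyFile. An empty OWNER skips chown (useful for dry runs).
deploy_cert() {
    src=$1 dest_dir=$2 owner=$3

    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "deploy_cert: missing PEM files in $src" >&2
        return 1
    }

    mkdir -p "$dest_dir"
    # Write to a private temp file first so the key is never world-readable
    # and MongoDB never sees a half-written file.
    tmp=$(umask 077; mktemp "$dest_dir/.mongodb.pem.XXXXXX")
    cat "$src/privkey.pem" "$src/fullchain.pem" > "$tmp" || {
        rm -f "$tmp"
        return 1
    }
    chmod 600 "$tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp"
    fi
    # Atomic replace on the same filesystem.
    mv -f "$tmp" "$dest_dir/mongodb.pem"
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/svr.updevs.net)
# only when it runs deploy hooks after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "${DEST_DIR:-/etc/ssl/mongodb}" mongodb:mongodb
    # A running server keeps the old certificate in memory until it reloads it.
    systemctl restart mongod
fi
```

Because the files under live/ are symlinks into archive/, the script reads through them with cat rather than copying the links themselves.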

I'm pretty sure that is a problem.
I can't be sure [yet] that is the only problem you have.

4 Likes

I understand, the fix should be pretty simple. I'm gonna work on it, test and add the results here. Thanks for now.

3 Likes

It was renewed 33 days ago.
When did you change that to mongodb mongodb?

3 Likes

Before that, on May 24/25

hmm...

Let's try this change and see where that gets us.

2 Likes

Of course, but that's why I asked if you were sure, because it didn't make much sense since the renewal worked. In any case, it could've been the post script changing that... I'll investigate it further and keep you posted, thanks again.

2 Likes
