Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: openvpn.vohraphysicians.com
I ran this command:
sudo service openvpnas stop
sudo service nginx stop
sudo ln -s -f /etc/letsencrypt/live/openvpn.vohraphysicians.com/cert.pem /usr/local/openvpn_as/etc/web-ssl/server.crt
sudo ln -s -f /etc/letsencrypt/live/openvpn.vohraphysicians.com/privkey.pem /usr/local/openvpn_as/etc/web-ssl/server.key
sudo ln -s -f /etc/letsencrypt/live/openvpn.vohraphysicians.com/chain.pem /usr/local/openvpn_as/etc/web-ssl/chain.crt
sudo ln -s -f /etc/letsencrypt/live/openvpn.vohraphysicians.com/fullchain.pem /usr/local/openvpn_as/etc/web-ssl/fullchain.crt
sudo service nginx start
sudo service openvpnas start
It produced this output: None
My web server is (include version): Access Server 2.1.4b
The operating system my web server runs on is (include version): Ubuntu 16.04.1 LTS
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
My problem is that I requested new certificates, but my web server is still using the old ones, which are now expired.
Hi @jorgeramos78 ,
Could you take a look in the web server configuration? What files is it pointing at for the certificate and key according to that configuration?
I wasn’t the one who configured this server, so I am not sure how to access the web server configuration.
Maybe grep -r ssl_certificate /etc/nginx
to find where it’s specified.
Is this what you mean?
openvpnas@openvpnas2:~$ grep -r ssl_certificate /etc/nginx
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
To be clear, I had been using Let’s Encrypt certificates without any issues before they expired a few days ago.
Yes, but it doesn’t seem to show the reference to your Let’s Encrypt certificates anywhere. Maybe you could also try something like
grep -r /etc/letsencrypt /etc/nginx
Do you know how your nginx server was configured to use your previous Let’s Encrypt certificate?
I ran that grep command, but it didn’t return anything.
I first installed Certbot, per https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx
I think that the configuration file for my site is located at /etc/letsencrypt/renewal/openvpn.vohraphysicians.com.conf, the contents of that file are below:
renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/openvpn.vohraphysicians.com
cert = /etc/letsencrypt/live/openvpn.vohraphysicians.com/cert.pem
privkey = /etc/letsencrypt/live/openvpn.vohraphysicians.com/privkey.pem
chain = /etc/letsencrypt/live/openvpn.vohraphysicians.com/chain.pem
fullchain = /etc/letsencrypt/live/openvpn.vohraphysicians.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 81b9cef32c2e17ff8290b642c28a3263
installer = None
authenticator = standalone
I also found the /etc/letsencrypt/options-ssl-nginx.conf file, whose content is below:
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:EC$
I got it to work with the new certificates, although I am not entirely sure how. I ran the sudo certbot --nginx command and ended up restoring my server from a backup after the OpenVPN site failed to load.
I hope this goes a little more smoothly the next time I need to renew my certs.
Thanks for your help.
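A check for the situation in this thread, added here as an example and not part of the original posts: it confirms that each link created by the ln commands in the question resolves to the same file on disk as the matching entry in the certbot renewal config. The function name check_links and the OK/STALE/BROKEN/MISSING labels are made up for this example, and it assumes a readlink that supports -f (GNU coreutils).

```shell
#!/bin/sh
# Example only (not from the thread). Usage, with the paths posted above:
#   check_links /etc/letsencrypt/renewal/openvpn.vohraphysicians.com.conf \
#               /usr/local/openvpn_as/etc/web-ssl
# Returns 0 when all four links match the renewal config, 1 otherwise.
check_links() {
    conf=$1 webssl=$2 rc=0
    # renewal-config key : file name used by the ln commands in the question
    for pair in cert:server.crt privkey:server.key chain:chain.crt fullchain:fullchain.crt; do
        key=${pair%%:*}
        link=$webssl/${pair#*:}
        # Value of "key = /path" in the renewal config (first match only)
        want=$(sed -n "s/^$key[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1)
        if [ -z "$want" ]; then
            echo "MISSING  $key not found in $conf"; rc=1; continue
        fi
        # Follow every symlink: live/*.pem is itself a link into archive/
        want_real=$(readlink -f "$want" 2>/dev/null) || :
        have_real=$(readlink -f "$link" 2>/dev/null) || :
        if [ ! -e "$link" ]; then
            # Absent file or dangling symlink
            echo "BROKEN   $link -> $(readlink "$link" 2>/dev/null)"; rc=1
        elif [ "$want_real" != "$have_real" ]; then
            # A copied file or a link to an older archive version lands here
            echo "STALE    $link resolves to $have_real, expected $want_real"; rc=1
        else
            echo "OK       $link -> $have_real"
        fi
    done
    return $rc
}
```

This only inspects files on disk; it does not show which certificate the running service presents to clients.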
Closed by system on June 22, 2018, 1:53pm.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.