Revoke expired certificate fails

Hello,
Sorry to bother you, but so far I have not found any similar posts or solutions to this problem. I have full root access to all my machines and servers. I have web, mail, and DNS servers on 3 separate droplets at Digital Ocean. Here's a quick description; the specifics are below.

I set up a webserver at Digital Ocean. Then I installed the letsencrypt ssl certificate using easyengine. The letsencrypt certificate issued is for tectonicsystem.ca and also for WWW.tectonicsystem.ca. Everything seemed fine, but the 90 day renewal failed, and now the certificate is expired. All attempts to renew or revoke the certificate have failed. Error messages below.

You can see the two certificates here https://crt.sh/?q=tectonicsystem.ca

My domain is: tectonicsystem.ca

Here's a listing of the certificate:
/opt/letsencrypt# ./certbot-auto certificates

Invalid OCSP response for /etc/letsencrypt/live/tectonicsystem.ca/cert.pem: param nextUpdate is in the past.


Found the following certs:
Certificate Name: tectonicsystem.ca
Domains: tectonicsystem.ca www.tectonicsystem.ca
Expiry Date: 2019-05-12 04:00:16+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/tectonicsystem.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tectonicsystem.ca/privkey.pem


I ran this command, in the /opt/letsencrypt/ directory:

./certbot-auto revoke --cert-path /etc/letsencrypt/live/tectonicsystem.ca/fullchain.pem --key-path /etc/letsencrypt/live/tectonicsystem.ca/privkey.pem

It produced this output:

An unexpected error occurred:
The client lacks sufficient authorization :: Certificate is expired

Here is the tail of the logfile: root@beta:/var/log/letsencrypt# tail -100 letsencrypt.log

I got this response:
.
.
.

Connection: close

{
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Certificate is expired",
"status": 403
}
2019-06-03 10:17:09,024:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
sys.exit(main())
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1379, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1087, in revoke
acme.revoke(jose.ComparableX509(cert), config.reason)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 918, in revoke
return self.client.revoke(cert, rsn)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 760, in revoke
return self._revoke(cert, rsn, self.directory['revokeCert'])
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 210, in _revoke
reason=rsn))
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 95, in _post
return self.net.post(*args, **kwargs)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1179, in post
return self._post_once(*args, **kwargs)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1193, in _post_once
response = self._check_response(response, content_type=content_type)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1048, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Certificate is expired
2019-06-03 10:17:09,025:ERROR:certbot.log:An unexpected error occurred:
2019-06-03 10:17:09,025:ERROR:certbot.log:The client lacks sufficient authorization :: Certificate is expired

Here is the renewal information in
/etc/letsencrypt/renewal/tectonicsystem.ca.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/tectonicsystem.ca
cert = /etc/letsencrypt/live/tectonicsystem.ca/cert.pem
privkey = /etc/letsencrypt/live/tectonicsystem.ca/privkey.pem
chain = /etc/letsencrypt/live/tectonicsystem.ca/chain.pem
fullchain = /etc/letsencrypt/live/tectonicsystem.ca/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
account = redacted
webroot_path = /var/www/tectonicsystem.ca/htdocs,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
tectonicsystem.ca = /var/www/tectonicsystem.ca/htdocs

My web server is (include version): nginx version: nginx/1.14.0 (EasyEngine)

The operating system my web server runs on is (include version):
Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-47-generic x86_64)

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine : yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.34.2

Hi @fuzz500

Revoking an expired certificate - why? The certificate is dead.

Looks like this isn't supported, because it's not required.


That’s correct. In fact certificate expiration is “stronger” than revocation in some senses (it’s part of why we use 90d validity periods). There are some user agents that don’t check revocation status but do reject expired certificates.


I appreciate such a quick reply. I thought the same thing, except the website is not loading with encryption (https); it is redirecting to another website on the same server...

I’m going to do some additional testing and get back. Thx Again JuergenAuer.


@fuzz500
You’ll need to fix your nginx config, but I think you know that.

What I’m seeing is

$ echo | openssl s_client -connect tectonicsystem.ca:443 -servername tectonicsystem.ca 2>&1 | openssl x509 -noout -subject
subject=CN = www.blackswanfoundation.org

and what I should expect to see is something like

$ echo | openssl s_client -connect tectonicsystem.ca:443 -servername tectonicsystem.ca 2>&1 | openssl x509 -noout -subject
subject=CN =  tectonicsystem.ca

Thx for all the ideas. I noticed some changed ownership and file permissions, so to be sure I reset the ownerships and file permissions like so:

I chowned -R the /var/www directory to be owned by www-data.
I chmoded -R 755 the /var/www directory.

Phil_LE: I did not find any anomalies in the nginx redirection statements, see here:

less /var/www/tectonicsystem.ca/conf/nginx/ssl.conf

listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/tectonicsystem.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/tectonicsystem.ca/privkey.pem;

less /etc/nginx/conf.d/force-ssl-tectonicsystem.ca.conf

server {
listen 80;
server_name www.tectonicsystem.ca;
return 301 https://www.tectonicsystem.ca$request_uri;
}

ADDED CERTIFICATE FOR SUBDOMAIN WWW.tectonicsystem.ca

/opt/letsencrypt# ./certbot-auto certonly -d www.tectonicsystem.ca
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Obtaining a new certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.tectonicsystem.ca/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.tectonicsystem.ca/privkey.pem
    Your cert will expire on 2019-09-01. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again. To non-interactively renew all of your certificates, run
    "certbot-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

LIST CERTIFICATES

/opt/letsencrypt# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Invalid OCSP response for /etc/letsencrypt/live/tectonicsystem.ca/cert.pem: param nextUpdate is in the past…


Found the following certs:
Certificate Name: tectonicsystem.ca
Domains: tectonicsystem.ca www.tectonicsystem.ca
Expiry Date: 2019-05-12 04:00:16+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/tectonicsystem.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/tectonicsystem.ca/privkey.pem

Certificate Name: www.blackswanfoundation.org
Domains: www.blackswanfoundation.org
Expiry Date: 2019-08-14 14:13:13+00:00 (VALID: 71 days)
Certificate Path: /etc/letsencrypt/live/www.blackswanfoundation.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.blackswanfoundation.org/privkey.pem

Certificate Name: www.tectonicsystem.ca
Domains: www.tectonicsystem.ca
Expiry Date: 2019-09-01 15:23:46+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.tectonicsystem.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.tectonicsystem.ca/privkey.pem


Restart nginx

systemctl restart nginx.service

trying this in the web browser: https://www.tectonicsystem.ca
still redirects to -> https://www.blackswanfoundation.org

Can't find an error in the nginx redirection
Can't find an error in the letsencrypt configuration

Can't remove Letsencrypt cruft... seems to be a certificate name collision?

= frustration!
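The listing above shows the situation the poster calls a "name collision": www.tectonicsystem.ca is covered both by the expired tectonicsystem.ca lineage and by the fresh www.tectonicsystem.ca lineage, so nginx may be pointed at either one. The following is an added example (not from the thread's participants and not certbot's own code) that parses `certbot certificates` output, classifies each lineage as expired, due for renewal or fine relative to a given instant, and reports every hostname that appears in more than one lineage. The sample listing is constructed to mirror the one in the thread; the 30 day renewal window matches the `renew_before_expiry` value in the poster's renewal config.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of `certbot certificates` output; it mirrors the
# poster's listing but is typed in here, not captured from their server.
SAMPLE_LISTING = """\
Found the following certs:
  Certificate Name: tectonicsystem.ca
    Domains: tectonicsystem.ca www.tectonicsystem.ca
    Expiry Date: 2019-05-12 04:00:16+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/tectonicsystem.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tectonicsystem.ca/privkey.pem
  Certificate Name: www.blackswanfoundation.org
    Domains: www.blackswanfoundation.org
    Expiry Date: 2019-08-14 14:13:13+00:00 (VALID: 71 days)
    Certificate Path: /etc/letsencrypt/live/www.blackswanfoundation.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.blackswanfoundation.org/privkey.pem
  Certificate Name: www.tectonicsystem.ca
    Domains: www.tectonicsystem.ca
    Expiry Date: 2019-09-01 15:23:46+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.tectonicsystem.ca/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.tectonicsystem.ca/privkey.pem
"""

# certbot prints expiry as "YYYY-MM-DD HH:MM:SS+HH:MM (status)"; capture only the instant.
EXPIRY_RE = re.compile(r"Expiry Date:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})")


def parse_listing(text):
    """Turn the human-readable listing into one dict per certificate lineage."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            cur = {"name": line.split(":", 1)[1].strip(), "domains": [],
                   "expiry": None, "cert_path": None}
            certs.append(cur)
        elif cur is None:
            continue  # header lines before the first lineage
        elif line.startswith("Domains:"):
            cur["domains"] = [d.lower() for d in line.split(":", 1)[1].split()]
        elif line.startswith("Expiry Date:"):
            m = EXPIRY_RE.match(line)
            if m:
                cur["expiry"] = datetime.fromisoformat(m.group(1))
        elif line.startswith("Certificate Path:"):
            cur["cert_path"] = line.split(":", 1)[1].strip()
    return certs


def audit(certs, now, renew_before=timedelta(days=30)):
    """Classify lineages relative to `now` (timezone-aware) and find hostnames that
    appear in more than one lineage, which is how the poster ended up with
    www.tectonicsystem.ca covered by two different /etc/letsencrypt/live directories."""
    expired, due, fine, owners = [], [], [], {}
    for c in certs:
        for d in c["domains"]:
            owners.setdefault(d, []).append(c["name"])
        if c["expiry"] is None:
            continue
        remaining = c["expiry"] - now
        if remaining <= timedelta(0):
            expired.append(c["name"])
        elif remaining <= renew_before:
            due.append(c["name"])
        else:
            fine.append(c["name"])
    collisions = {d: names for d, names in owners.items() if len(names) > 1}
    return {"expired": expired, "due": due, "ok": fine, "collisions": collisions}


def audit_listing(text, now_iso):
    """Convenience wrapper: audit a listing as of an ISO-8601 instant with UTC offset."""
    return audit(parse_listing(text), datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # The instant is taken from the timestamp in the poster's log excerpt.
    report = audit_listing(SAMPLE_LISTING, "2019-06-03 10:17:09+00:00")
    for key, value in report.items():
        print(f"{key:10} {value}")
```

On a real host, feed the function the output of `certbot-auto certificates` and the current time; a non-empty `collisions` entry is the cue to decide which lineage nginx should reference and to retire the other with `certbot delete` rather than leaving both on disk.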

@fuzz500

I would need to see all of your nginx vhost configurations to better determine where the issue is.

What does the output of nginx -T show?

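The reason `nginx -T` is the right diagnostic is that nginx chooses the server block, and therefore the certificate it presents, per listen port from the client's SNI name, and a name that matches no block silently falls through to that port's default server (the first block on the port unless one is marked `default_server`). The following is an added example, not from the thread's participants and not nginx code, that models that selection over a constructed `nginx -T` style dump. The sample config is an assumption built to reproduce the thread's symptom: a 443 block for www.tectonicsystem.ca exists, none for the apex name, so a request for tectonicsystem.ca is answered with the www.blackswanfoundation.org certificate. It also handles wildcard, regex and `default_server` names beyond what the thread shows.

```python
import re

# Constructed sample in the shape of an `nginx -T` dump; NOT the poster's real
# configuration. The apex name tectonicsystem.ca has no block on port 443.
SAMPLE_NGINX_T = """
server {
    listen 443 ssl http2;
    server_name www.blackswanfoundation.org;
    ssl_certificate /etc/letsencrypt/live/www.blackswanfoundation.org/fullchain.pem;
    location / { root /var/www/www.blackswanfoundation.org/htdocs; }
}
server {
    listen 443 ssl http2;
    server_name www.tectonicsystem.ca;
    ssl_certificate /etc/letsencrypt/live/tectonicsystem.ca/fullchain.pem;
}
server {
    listen 80;
    server_name www.tectonicsystem.ca;
    return 301 https://www.tectonicsystem.ca$request_uri;
}
"""


def split_server_blocks(text):
    """Return the body of every top-level `server { ... }` block, counting braces
    so a nested `location { ... }` block does not cut the server block short."""
    bodies, pos = [], 0
    while True:
        m = re.search(r"\bserver\s*\{", text[pos:])
        if not m:
            return bodies
        start = pos + m.end()
        depth, j = 1, start
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        bodies.append(text[start:j - 1])
        pos = j


def parse_servers(text):
    """Extract port, server_name list, default flag and ssl_certificate per block."""
    servers = []
    for body in split_server_blocks(text):
        s = {"port": None, "names": [], "default": False, "cert": None}
        for raw in re.split(r"[;\n]", body):  # one directive per statement
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
            if key == "listen":
                words = value.split()
                s["port"] = words[0].rsplit(":", 1)[-1]  # "443" or "[::]:443" -> "443"
                s["default"] = any(w in ("default_server", "default") for w in words[1:])
            elif key == "server_name":
                s["names"] = [n.lower() for n in value.split()]
            elif key == "ssl_certificate":
                s["cert"] = value.strip()
        servers.append(s)
    return servers


def select_server(servers, port, sni):
    """Approximate nginx's selection for one listen port: exact name, longest
    leading wildcard (*.example.org), longest trailing wildcard (mail.*), first
    regex (~...) in file order, then the default server for that port."""
    candidates = [s for s in servers if s["port"] == str(port)]
    if not candidates:
        return None
    sni = sni.lower()
    for s in candidates:
        if sni in s["names"]:
            return s
    for leading in (True, False):
        best = None
        for s in candidates:
            for n in s["names"]:
                if leading and n.startswith("*.") and sni.endswith(n[1:]):
                    hit = n
                elif not leading and n.endswith(".*") and sni.startswith(n[:-1]):
                    hit = n
                else:
                    continue
                if best is None or len(hit) > len(best[0]):
                    best = (hit, s)
        if best:
            return best[1]
    for s in candidates:
        for n in s["names"]:
            if n.startswith("~") and re.search(n.lstrip("~*"), sni):
                return s
    return next((s for s in candidates if s["default"]), candidates[0])


def served_certificate(config_text, port, sni):
    """Certificate file nginx would present to a client sending `sni` on `port`."""
    s = select_server(parse_servers(config_text), port, sni)
    return s["cert"] if s else None


if __name__ == "__main__":
    for name in ("tectonicsystem.ca", "www.tectonicsystem.ca", "www.blackswanfoundation.org"):
        print(f"{name:30} -> {served_certificate(SAMPLE_NGINX_T, 443, name)}")
```

Run it against a saved `nginx -T` dump and every hostname you expect to serve; any name that resolves to a block whose `ssl_certificate` is not the lineage you intended is the mismatch the `openssl s_client -servername` check surfaces from the outside.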

That is the best command I didn’t know about!
I picked it apart and managed to connect it all together.
Thank you so much.

I would explain what went wrong, but it was just a sh*tshow of colliding assumptions between easyengine, mail-in-a-box, and letsencrypt.

So now I have a few expired certificates lying around in the /etc/letsencrypt directory... I guess you use ./certbot-auto delete to clean the LE directories? Or just do it by hand...


Glad to be of assistance. :) Let me know if you need any more help.
