Should This Expired Certificate Be Removed? And How?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: elkhornmediagroup.com

I ran this command:

It produced this output:

My web server is (include version): Apache

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

This site began experiencing 502 errors today after a certificate expired, but I'm not sure how to solve it. There was a Let's Encrypt certificate issued when the site was created and the domain plus two subdomains were resolving to the IP address of a Lightsail WordPress instance. But since that original certificate was issued, a Lightsail distribution was created and the domain and subdomains now resolve to it. The distribution has its own certificate attached to it. When I tried renewing the original expired certificate, I got the message, 'The domain resolves to a different IP address than the one detected for this machine. Please fix its DNS entries or remove it.'
Should I remove the original certificate? If so, what is the correct way to do this? I appreciate any guidance you can offer!

The 502 is coming from CloudFront. You should review this topic

Did you add CloudFront recently?

3 Likes

Hi @MikeMcQ,
Thank you so much for responding. Cloudfront was added in March 2022 and everything has been functioning correctly until this.
Thank you for the doc. I reviewed it when I first learned of the error. Then I discovered the client had previously received an email notice from Let's Encrypt that their certificate was expiring 02/06/23. In the browser, however, the certificate has an expiration of April 15 2023. I ran

openssl s_client -connect elkhornmediagroup.com:443 -servername elkhornmediagroup.com | openssl x509 -text | grep Validity -A 3

and it returned

Validity
            Not Before: Mar 16 00:00:00 2022 GMT
            Not After : Apr 15 23:59:59 2023 GMT
        Subject: CN = elkhornmediagroup.com

When I run the command

sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt list

it returns

Found the following certs:
  Certificate Name: elkhornmediagroup.com
    Domains: elkhornmediagroup.com, homeshow.elkhornmediagroup.com, staging.elkhornmediagroup.com, www.elkhornmediagroup.com
    Expiry Date: 2023-02-06 23:00:27 +0000 UTC
    Certificate Path: /opt/bitnami/letsencrypt/certificates/elkhornmediagroup.com.crt

So it appears that there are two certificates, one for the original instance, that expired on 02/06/23, and one generated when the distribution was created in March 2022.

When I first tried renewing the expired certificate with the command

sudo /opt/bitnami/letsencrypt/lego --tls --email="braden@elkhornmediagroup.com" --domains="elkhornmediagroup.com homeshow.elkhornmediagroup.com staging.elkhornmediagroup.com www.elkhornmediagroup.com" --path="/opt/bitnami/letsencrypt" renew --days 90

it returned

The domain elkhornmediagroup.com resolves to a different IP address than the one detected for this machine. Please fix its DNS entries or remove it.

Now when I try to renew the certificate using the same command, it returns

Error while loading the certificate for domain elkhornmediagroup.com homeshow.elkhornmediagroup.com staging.elkhornmediagroup.com www.elkhornmediagroup.com
open /opt/bitnami/letsencrypt/certificates/elkhornmediagroup.com homeshow.elkhornmediagroup.com staging.elkhornmediagroup.com www.elkhornmediagroup.com.crt: no such file or directory

So I'm not able to renew the expired certificate, but it seems to be causing this 502 error.

Is removing this certificate a viable option? And if it is, what is the correct way to do so?

My apologies for such a lengthy reply. I appreciate your input!

Best,
Michael

Yes, that shows the cert the CloudFront CDN edge is using. Note the CN=Amazon (also see cert history link here)

openssl s_client -connect elkhornmediagroup.com:443
Certificate chain
 0 s:CN = elkhornmediagroup.com
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 16 00:00:00 2022 GMT; NotAfter: Apr 15 23:59:59 2023 GMT

When you run lego on the origin server you see, well, the cert on that server.

With a CDN there are two HTTP(S) connections. One from the client (browser) to the CDN Edge (like CloudFront). The other is between that Edge and the Origin Server. If both are HTTPS there is one cert for each connection (at the respective server).

There are many ways to configure CDNs and Origin Servers (in AWS and in other providers). I don't have a single quick answer due to the complexity and choices to be made by the system designers :slight_smile:

Personally, with CloudFront, I like to have my Origin server with its own domain name so I can talk with it directly from any client and bypass CloudFront (for admin functions). It also makes cert acquisition clearer (at least to me). But, I don't have first-hand experience with LightSail and how that might affect things.

In your case you are trying to get a cert for domain names that CloudFront sees first. You have to get the HTTP Challenge requests to flow through to your Origin Server. Or, use a DNS Challenge. I think lego is doing a public IP check even before trying the HTTP Challenge and seeing the public DNS is different than your origin server and is not even trying to get a cert (assuming it will fail).

Something must have changed significantly in this config to have the Origin server cert renewal start failing. My thought was CloudFront was new so I'm puzzled when you say it has been in place for a year.

I hope this helps

3 Likes
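The two-hop picture above (browser to CDN edge, edge to origin) means there are two leaf certificates to look at, and `openssl s_client` against the public name only ever shows the edge's. The script below is an added example, not code from the thread or from Let's Encrypt or Bitnami: it summarizes the certificate presented at the public name and the one the origin presents when connected to directly with the same SNI name, then reports which hop (if either) is serving an expired certificate. The origin address is a placeholder (an assumption); the parsing and comparison functions are exercised on constructed `openssl x509 -issuer -enddate` output built from the dates in this thread, so they run without network access, and `--live` switches to real lookups.

```shell
#!/bin/sh
# Added example: inspect both TLS hops behind a CDN and flag an expired leaf cert.
# ORIGIN_ADDR is a placeholder (assumption); replace it with the origin instance's address.

DOMAIN="elkhornmediagroup.com"
ORIGIN_ADDR="203.0.113.10"   # placeholder from the documentation IP range, not a real origin

# fetch_cert HOSTNAME CONNECT_TARGET: print "issuer=...\nnotAfter=..." for the leaf
# certificate CONNECT_TARGET presents when asked for HOSTNAME via SNI (needs network).
fetch_cert() {
  : | openssl s_client -connect "$2:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -issuer -enddate 2>/dev/null
}

# issuer_org TEXT: pull the organisation (O = ...) out of the issuer line.
issuer_org() {
  printf '%s\n' "$1" | awk '
    /^issuer=/ { if (match($0, /O = [^,]+/)) { print substr($0, RSTART + 4, RLENGTH - 4); found = 1 } }
    END { if (!found) print "unknown" }'
}

# expiry_iso TEXT: turn "notAfter=Apr 15 23:59:59 2023 GMT" into "2023-04-15T23:59:59",
# a form that sorts correctly as a plain string.
expiry_iso() {
  printf '%s\n' "$1" | awk '
    BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i) }
    /^notAfter=/ { sub(/^notAfter=/, ""); printf "%s-%s-%02dT%s\n", $4, mon[$1], $2, $3 }'
}

# is_expired EXPIRY_ISO NOW_ISO: succeed (exit 0) when the certificate expired before NOW.
is_expired() {
  awk -v e="$1" -v n="$2" 'BEGIN { exit !(e < n) }'
}

# diagnose EDGE_TEXT ORIGIN_TEXT NOW_ISO: one line naming the expired hop, if any,
# followed by issuer and expiry for each hop.
diagnose() {
  edge_exp=$(expiry_iso "$1"); origin_exp=$(expiry_iso "$2")
  status="ok"
  if is_expired "$edge_exp" "$3"; then status="edge-expired"; fi
  if is_expired "$origin_exp" "$3"; then
    if [ "$status" = "ok" ]; then status="origin-expired"; else status="both-expired"; fi
  fi
  printf '%s edge=%s(%s) origin=%s(%s)\n' \
    "$status" "$(issuer_org "$1")" "$edge_exp" "$(issuer_org "$2")" "$origin_exp"
}

# Constructed sample output, built from the dates quoted in this thread (not captured live).
EDGE_SAMPLE="issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
notAfter=Apr 15 23:59:59 2023 GMT"
ORIGIN_SAMPLE="issuer=C = US, O = Let's Encrypt, CN = R3
notAfter=Feb  6 23:00:27 2023 GMT"

if [ "${1:-}" = "--live" ]; then
  diagnose "$(fetch_cert "$DOMAIN" "$DOMAIN")" \
           "$(fetch_cert "$DOMAIN" "$ORIGIN_ADDR")" \
           "$(date -u +%Y-%m-%dT%H:%M:%S)"
else
  diagnose "$EDGE_SAMPLE" "$ORIGIN_SAMPLE" "2023-04-10T00:00:00"
fi
```

On the constructed sample this reports `origin-expired`, with the edge cert issued by Amazon and still valid and the origin cert issued by Let's Encrypt and past its date, which matches the situation in the thread: the browser only ever sees the edge certificate, so an expiry notice for the origin certificate does not contradict a later date in the browser, and the edge-to-origin hop is the one to look at when CloudFront returns 502.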

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.