Site not working after renewal of certificate

Hello and Happy New Year!

I searched the forum a bit but have not found anything that helped much (apart from finding lots of useful commands!)

My domain is: ha.ppmt.org

I ran this command: certbot renew

It produced this output: I don't have it but it said it was successful

My web server is (include version): Nginx 1.10.3

The operating system my web server runs on is (include version): Debian 9.3

My hosting provider, if applicable, is: my own server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

I received an email saying that my domain certificate was about to expire so I tried to renew it and eventually got it to renew. It initially complained it was missing a file in:

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory

I ended up copying the directory from the staging directory (probably should not have!):

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org

After that the renewal was successful but even after restarting nginx and even the server the site is not working. I tried to connect but can't do it.

I checked the certificates on my server:

openssl x509 -in /etc/letsencrypt/live/ha.ppmt.org/cert.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fa:aa:1c:0a:6b:e6:4e:88:b3:2b:f7:50:61:13:54:d4:e3:51
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Fake LE Intermediate X1
Validity
Not Before: Dec 30 12:32:32 2017 GMT
Not After : Mar 30 12:32:32 2018 GMT
Subject: CN = ha.ppmt.org

I can see that the date is now March 30 (it was Jan 18 before).

But in Firefox it still shows Jan 18 but also says that it has blocked some parts of the website. If I unblock these parts then it tells me the connection is not secure:

The owner of ha.ppmt.org has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Is there any way to recover this situation?

Thanks in advance
Philippe

Fake LE Intermediate X1

You have installed a certificate from the test/staging CA. It is not trusted by browsers.

I ended up copying the directory from the staging directory (probably should not have!):

Indeed.

Is there any way to recover this situation?

I think you should delete the certificate and try to issue it again.

certbot delete
certbot ... # however you issued initially

And move/delete that account directory.

Thanks a lot to both of you. I have deleted the directory and started from scratch using the following command

I then restarted the server and now all is good. I just had to refresh the browser and now my certificate is due to expire in April

Are there other checks I can make to make sure all is good?
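
One way to run such checks, as an added example that is not part of the original thread: the script flags a staging issuer such as the `Fake LE Intermediate X1` seen above, both in the file certbot wrote and in the certificate the server actually presents. The function names are hypothetical, and the `(STAGING)` pattern covers later staging chains beyond what the thread shows.

```bash
# Added example (not from the thread): post-renewal certificate checks.
# Function names are hypothetical; only standard openssl subcommands are used.

# Parse fields out of `openssl x509 -text -noout` output read from stdin.
cert_issuer()    { sed -n 's/^[[:space:]]*Issuer:[[:space:]]*//p' | head -n 1; }
cert_not_after() { sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1; }

# "Fake LE" is the staging issuer shown in the thread; "(STAGING)" is the
# prefix used by later staging chains (beyond what the page shows).
issuer_verdict() {
  case "$1" in
    "")                          echo unknown ;;
    *"Fake LE"*|*"(STAGING)"*)   echo staging ;;
    *)                           echo not-staging ;;
  esac
}

# Print a one-line summary; succeed only if the issuer is not a staging CA.
report() {  # $1 = label, $2 = openssl text output
  local issuer verdict
  issuer=$(printf '%s\n' "$2" | cert_issuer)
  verdict=$(issuer_verdict "$issuer")
  printf '%s: issuer="%s" not_after="%s" -> %s\n' "$1" "$issuer" \
    "$(printf '%s\n' "$2" | cert_not_after)" "$verdict"
  [ "$verdict" = not-staging ]
}

# The certificate certbot wrote to disk.
check_file() {  # $1 = path to cert.pem
  report "$1" "$(openssl x509 -in "$1" -text -noout)"
}

# The certificate the web server actually presents; differs from the file
# on disk if nginx was not reloaded after renewal.
check_served() {  # $1 = hostname
  report "$1:443" "$(openssl s_client -connect "$1:443" -servername "$1" \
    </dev/null 2>/dev/null | openssl x509 -text -noout)"
}

# Excerpt of the output posted above, used as offline sample input.
SAMPLE='Issuer: CN = Fake LE Intermediate X1
Validity
Not Before: Dec 30 12:32:32 2017 GMT
Not After : Mar 30 12:32:32 2018 GMT
Subject: CN = ha.ppmt.org'

report sample "$SAMPLE" || true   # prints "... -> staging"
```

On the server, source the script and run `check_file /etc/letsencrypt/live/ha.ppmt.org/cert.pem` followed by `check_served ha.ppmt.org`; both lines should show the same issuer and expiry date.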
