Site still missing the cert

facildeanotar · February 8, 2020, 1:29pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.slidepipe.com

I ran this command: sudo certbot-auto renew

It produced this output:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/slidepipe.com/fullchain.pem expires on 2020-05-08 (skipped)
/etc/letsencrypt/live/www.slidepipe.com/fullchain.pem expires on 2020-05-08 (skipped)
No renewals were attempted.

My web server is (include version):nginx

I renewed the cert but in the web is still missing it.
Renewal output

renew_before_expiry = 30 days

version = 1.2.0
archive_dir = /etc/letsencrypt/archive/slidepipe.com
cert = /etc/letsencrypt/live/slidepipe.com/cert.pem
privkey = /etc/letsencrypt/live/slidepipe.com/privkey.pem
chain = /etc/letsencrypt/live/slidepipe.com/chain.pem
fullchain = /etc/letsencrypt/live/slidepipe.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = nginx
account = 2eb7b708af1bf4815e897cfabe830f21
server = https://acme-v02.api.letsencrypt.org/directory

Osiris · February 8, 2020, 2:29pm

Your renewal configuration file is ‘missing’ an installer line. Perhaps you’ve used certbot-auto with the certonly method, which gives you a renewable certificate, but needs you to install the cert manually into the webserver. In that case, after renewal, nginx isn’t reloaded automatically. Most users use a deploy-hook to reload their webserver after renewal.

JuergenAuer · February 8, 2020, 3:00pm

Hi @facildeanotar

you have created two certificate, one per domain name (non-www and www):

Issuer	not before	not after	Domain names	LE-Duplicate	next LE
Let’s Encrypt Authority X3	2020-02-08	2020-05-08	www.slidepipe.com - 1 entries	duplicate nr. 1
Let’s Encrypt Authority X3	2020-02-08	2020-05-08	slidepipe.com - 1 entries	duplicate nr. 1

So install both with one command per domain name:

certbot --reinstall -i nginx slidepipe.com
certbot --reinstall -i nginx www.slidepipe.com

Certbot should find the matching certificate and should try to install it. Then restart your nginx.

Osiris · February 8, 2020, 3:10pm

I’m pretty sure reloading is the prefered method compaired to restarting. With reloading there is no downtime.

facildeanotar · February 8, 2020, 4:39pm

Hi @JuergenAuer

Thanks a lot for your help.

I tried to run:
certbot --reinstall -i nginx slidepipe.com
certbot --reinstall -i nginx www.slidepipe.com

get the output: sudo: certbot: command not found

Can you help me?

JuergenAuer · February 8, 2020, 4:40pm

Use your certbot-auto.

facildeanotar · February 8, 2020, 4:45pm

I’m sorry to ask a lot. But can’t still do it:

root@slidepipe-master:/etc/letsencrypt/live/slidepipe.com# sudo certbot-auto -i nginx slidepipe.com
/usr/local/bin/certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
usage:
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: slidepipe.com

JuergenAuer · February 8, 2020, 4:47pm

Yes, a -d flag is missing.

facildeanotar · February 8, 2020, 5:42pm

This is the output:

:/etc/letsencrypt/live# sudo certbot-auto certonly -n -d slidepipe.com -d www.slidepipe.com
/usr/local/bin/certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Missing command line flags. For non-interactive execution, you will need to specify a plugin on the command line.

Osiris · February 8, 2020, 6:36pm

@facildeanotar This isn’t going to work. From my perspective, it looks like you’re randomly mixing command line options without actually doing what @JuergenAuer recommends. For example, where does the certonly come from? That is exactly the opposite of -i nginx. Or the -n?

facildeanotar · February 8, 2020, 10:16pm

honestly Im lost. I trying to solve the question, but I cant

Osiris · February 8, 2020, 10:43pm

As your nginx currently only serves the www subdomain certificate, which isn’t very good if someone would try to connect to https://slidepipe.com, I would suggest just getting a brand new certificate covering both your hostnames:

sudo certbot-auto --nginx -d slidepipe.com -d www.slidepipe.com

facildeanotar · February 8, 2020, 10:46pm

how can I thank you?

worked!!! thank you so much!!!

facildeanotar · February 8, 2020, 10:49pm

a question: how do you know that my nginx just serves the subdomain certificate?

Osiris · February 8, 2020, 11:09pm

It did that, but now that you’ve got a certificate with both hostnames, there’s no certificate issue any longer. Also, your HTTP site redirected all non-encrypted traffic to the www subdomain with HTTPS, so normally users wouldn’t be bothered by a warning, as normally users would not end up to the HTTPS non-www hostname.

I tested the above with the command:

openssl s_client -connect slidepipe.com:443 -servername slidepipe.com | openssl x509 -noout -text

Which shows the contents of the certificate provided by the webserver for the hostname earlier in the command.

system · March 12, 2020, 7:28am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.