SLL is Installed, but Not Working?

getivan · October 19, 2019, 8:57pm

My domain is:

I ran this command:
Originally installed through openlitespeed from the GCP Marketplace.
Recently tried to follow instructions for CertBot, and get good indications that the SSL certificates have been installed, but the expiry headers are set to today, so it’s not working properly, and the dry runs, for auto-renew, are failing.
Tired of jacking with this crap every 6-months, and thought Litespeed would know better, and have this pre-configured.

My web server is (include version):
openlitespeed

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
Google Cloud Platform (GCP)

I can login to a root shell on my machine (yes or no, or I don’t know):
Yup

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Nope

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

_az · October 19, 2019, 9:03pm

Expiry looks fine to me.

$ openssl s_client -connect www.getivan.com:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates
subject=CN = www.getivan.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
notBefore=Oct 19 18:49:56 2019 GMT
notAfter=Jan 17 18:49:56 2020 GMT

If you are checking inside your browser, they can be pretty lazy about showing new SSL information unless you close and re-open the tab.

What's the error?

getivan · October 19, 2019, 9:21pm

Hey, AZ, thanks for replying so quickly.
Yeah, I literally just discovered it was working, right after I submitted this post.

You were correct about opening new tabs.
I was refreshing, and clearing browser cache, but none of that worked.

Only discovered it, because someone mentioned it looked fine, and I opened it up in another Firefox browser, to see.
The Auto-Renew is still not working, though.

Tried this:

sudo certbot renew --dry-run

Threw this error:
> Cert not due for renewal, but simulating renewal for dry run

Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for getivan.com
http-01 challenge for www.getivan.com
Cleaning up challenges
Attempting to renew cert (www.getivan.com) from /etc/letsencrypt/renewal/www.getivan.com.conf
produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for getivan.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/getivan.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.getivan.com/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/getivan.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.getivan.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

mnordhoff · October 19, 2019, 9:35pm

Can you post the contents of /etc/letsencrypt/renewal/www.getivan.com.conf? (Normally none of it is sensitive.)

How recently did you start using Certbot?

https://crt.sh/?q=getivan.com

It looks like certificates have been successfully issued every ~60 days since 2017, with a few extra ones at various points.

There was even one issued on the normal schedule a month ago.

system · November 18, 2019, 9:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.