SSL not being renewed after successful message


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: giz.impacthub.net

I ran this command: rwssl

It produced this output:
root@-ubuntu-s-1vcpu-1gb-nyc3-01:~# rwssl
Traceback (most recent call last):
  File "/usr/local/bin/rwssl", line 7, in <module>
    from rwssl.rwssl import main
  File "/usr/local/lib/python2.7/dist-packages/rwssl/rwssl.py", line 7, in <module>
    import validators
  File "/usr/local/lib/python2.7/dist-packages/validators/__init__.py", line 1, in <module>
    from .between import between # noqa
  File "/usr/local/lib/python2.7/dist-packages/validators/between.py", line 2, in <module>
    from .utils import validator
  File "/usr/local/lib/python2.7/dist-packages/validators/utils.py", line 5, in <module>
    import six
ImportError: No module named six

My web server is (include version): 7.2

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic x86_64)

My hosting provider, if applicable, is: Digital Ocean / Server pilot

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hello Folks, I have an issue with the one website certificate
http://giz.impacthub.net. It produced the error you see above. I have reinstalled Python and rwssl, ran the command again and got a successful message, but it didn’t change it on the website. The website had a new RWSSL version installed previously and was working fine before I tried to reinstall the cert a few times and reached the limit of duplicates. Now when I check it at https://crt.sh/?id=907108172 it shows that the cert is valid, but on the website it’s still the old cert.

I have another that has the same issue but I am reluctant to do the same thing.

Also, this check doesn’t match with what is shown on the websites when I check their certificate on the browser
https://tools.letsdebug.net/cert-search?m=domain&q=impacthub.net&d=2160
for example
brasilia.impacthub.net 12.12.2018 Expires in 4 days
https://budapest.impacthub.net/ 4.12.2018 Expires in 5 days
geneva.impacthub.net 10.1.2019 Expires in 5 days

Thank you in advance
Nikola


#2

Hi,

Could you please try to run rwssl -re (just to see if the certificate could be refreshed…)

Also, please check whether the obtained certificate (from Oct. 31st) exists on your system.

Thank you


#3

Hey Stevenzhu, thanks for responding,

I did it before and tried it now and it still didn’t make any change

root@giz-ubunt-fra1-01:~# rwssl -re
Deleting SSL vhost /etc/nginx-sp/vhosts.d/giz-ssl.conf
Refreshing SSL certificates for 1 apps. Obsolete vhosts will be cleaned.
Obtaining SSL certificate for the app giz.
4 valid domains found for the app
SSL certificate has been successfully obtained for giz.impacthub.net partnership4sdgs.impacthub.net www.giz.impacthub.net www.partnership4sdgs.impacthub.net
Writing NGINX vhost file for the app giz
Virtual host file created!
Reloading NGINX server…
SSL should have been installed and activated for the app giz

If I am looking at the right place, I would say it’s still the old one

root@giz-ubuntu-s-1vcpu-1gb-fra1-01:~# ls -l /etc/letsencrypt/live/giz.impacthub.net/cert.pem
lrwxrwxrwx 1 root root 41 Mar 6 2018 /etc/letsencrypt/live/giz.impacthub.net/cert.pem -> ../../archive/giz.impacthub.net/cert1.pem
root@giz-ubuntu-s-1vcpu-1gb-fra1-01:~# ls -l /etc/letsencrypt/live/giz.impacthub.net/privkey.pem
lrwxrwxrwx 1 root root 44 Mar 6 2018 /etc/letsencrypt/live/giz.impacthub.net/privkey.pem -> ../../archive/giz.impacthub.net/privkey1.pem
root@giz-ubuntu-s-1vcpu-1gb-fra1-01:~#

Thanks
Nikola


#4

Hi,

I do believe that the site is using this certificate (which is definitely outdated)

Please share with us the content of /etc/nginx-sp/vhosts.d/giz-ssl.conf

Thank you


#5

Here it is

server {
    # SSL conf added by rwssl (https://github.com/rehmatworks/serverpilot-letsencrypt)
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name giz.impacthub.net partnership4sdgs.impacthub.net www.giz.impacthub.net www.partnership4sdgs.impacthub.net;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/giz.impacthub.net//fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/giz.impacthub.net//privkey.pem;
    root /srv/users/serverpilot/apps/giz/public;
    access_log /srv/users/serverpilot/log/giz/dev_nginx.access.log main;
    error_log /srv/users/serverpilot/log/giz/dev_nginx.error.log;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-SSL on;
    proxy_set_header X-Forwarded-Proto $scheme;
    include /etc/nginx-sp/vhosts.d/giz.d/*.conf;
}

#6

Hi,

Could you please make a backup of /etc/letsencrypt/live/giz.impacthub.net/, then delete it and try the issuance process again?

Also, are you using the server pilot free plan?

Thank you


#7

Hey stevezhu,

thank you for your reply. I just did, and it is still the same… I am not sure where to go from here, and yes, it is a grandfathered free plan

Thanks
Nikola


#8

Hi @alokiN_R

you have created new certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=p:Z2l6LmltcGFjdGh1Yi5uZXQ6ZmFsc2U6ZmFsc2U6NDQyODYyNDQ5ODAwODg1MzgyNzpFQUU9&cert_search=include_expired:false;include_subdomains:false;domain:giz.impacthub.net;issuer_uid:4428624498008853827&lu=cert_search_cert

Last 2018-11-08 with four domain names:

giz.impacthub.net
partnership4sdgs.impacthub.net
www.giz.impacthub.net
www.partnership4sdgs.impacthub.net

But you don’t use it. What’s the content of

ssl_certificate /etc/letsencrypt/live/giz.impacthub.net//fullchain.pem;

And: If you use rwssl (I don’t use it): Does rwssl use the same directory as certbot?

Or did you run a certbot?


#9

Hey, thanks for replying. This is the actual folder: /etc/letsencrypt/live/giz.impacthub.net-0001

and fullchain.pem contains 2 keys

Does rwssl use the same directory as certbot?
I am not familiar with this, can you please let me know how can I check?

Or did you run a certbot?
No, I haven’t. I have only used this script https://github.com/rehmatworks/serverpilot-letsencrypt and I believe it starts it on the first install


#10

I need the complete content. This is your public certificate, so it’s not a security risk. (Your private key should be secure). The second is the public part of the Letsencrypt certificate.

I want to check if this is the certificate with four domain names.

Or save this content in a separate file (windows - extension .crt), then you can check if this certificate has 4 domain names.


#11

Conversely, posting redacted excerpts of the private key would be a security risk. :slight_smile:


#12

Alright here it is, thanks!



#13

The first certificate has 4 domain names:

DNS-Name=giz.impacthub.net
DNS-Name=partnership4sdgs.impacthub.net
DNS-Name=www.giz.impacthub.net
DNS-Name=www.partnership4sdgs.impacthub.net

and expires 12 February 2019 09:47:15, so it’s the correct certificate.

The second is the Letsencrypt intermediate certificate.

But you don’t use it.

Is it possible that there is a second nginx - configuration which is used instead of this

SSL conf added by rwssl

#14

I can only assume if it was done by serverpilot somehow? If that makes any sense?
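
The mismatch this thread uncovers (the vhost in #5 reads from live/giz.impacthub.net, while #9 finds the new certificate under live/giz.impacthub.net-0001) can be checked with a short shell script. This is an added example, not part of any post and not rwssl or certbot code; the function names are hypothetical, and it assumes duplicate lineage directories differ only by a four-digit numeric suffix, as seen in the thread.

```shell
#!/bin/sh
# Added example, not rwssl or certbot code. Function names are hypothetical.
# Usage: newer_lineage_for_vhost /etc/nginx-sp/vhosts.d/giz-ssl.conf

# Print every path named by an ssl_certificate directive in a vhost file.
# The pattern requires whitespace after the keyword, so ssl_certificate_key
# lines are skipped.
cert_paths_from_vhost() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*$/\1/p' "$1"
}

# Print the lineage directories that share a base name: NAME, NAME-0001, ...
# Assumption: duplicates differ only by a four-digit suffix, as in the thread.
sibling_lineages() {
    lineage=$(dirname "$1")
    live=$(dirname "$lineage")
    name=$(basename "$lineage" | sed 's/-[0-9][0-9][0-9][0-9]$//')
    for d in "$live/$name" "$live/$name"-[0-9][0-9][0-9][0-9]; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; fi
    done
}

# For each configured certificate, print the sibling lineage directory whose
# copy of the file is newer (by mtime; -nt follows the live/ symlinks).
# Prints nothing when the vhost already uses the newest lineage.
# Lineage paths are assumed to contain no whitespace.
newer_lineage_for_vhost() {
    cert_paths_from_vhost "$1" | while IFS= read -r configured; do
        newest=$configured
        file=$(basename "$configured")
        for d in $(sibling_lineages "$configured"); do
            cand="$d/$file"
            [ -e "$cand" ] || continue
            # A missing configured file also counts as stale.
            if [ ! -e "$newest" ] || [ "$cand" -nt "$newest" ]; then
                newest=$cand
            fi
        done
        if [ "$newest" != "$configured" ]; then dirname "$newest"; fi
    done
}
```

Any directory it prints is a lineage holding a newer certificate than the one the vhost loads; `openssl x509 -noout -enddate -in <dir>/fullchain.pem` then confirms the expiry date before the vhost is repointed and nginx reloaded.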