SSL Randomly Failed On Me

My domain is:
bistrotaiyo.com

I ran this command:
?

It produced this output:
?

My web server is (include version):
apache 2.4.6

The operating system my web server runs on is (include version):
centos 7

My hosting provider, if applicable, is:
linode

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
1.5.0

This SSL certificate was correctly installed and was working. Today it stopped out of the blue. In the attachment, my browser says it is not even using Let's Encrypt… instead it has become a self-signed one from Linode… what?? All this just happened today. There was no update of any kind prior to this.


Current certificate is valid; here is the log:


[root@bistrotaiyo letsencrypt]# cat /var/log/letsencrypt/letsencrypt.log
2020-08-09 05:56:13,113:DEBUG:certbot._internal.main:certbot version: 1.5.0
2020-08-09 05:56:13,113:DEBUG:certbot._internal.main:Arguments:
2020-08-09 05:56:13,113:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-08-09 05:56:13,137:DEBUG:certbot._internal.log:Root logging level set at 20
2020-08-09 05:56:13,137:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-08-09 05:56:13,139:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2020-08-09 05:56:13,352:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.6
2020-08-09 05:56:13,838:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f6bb0c8b810>
Prep: True
2020-08-09 05:56:13,839:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f6bb0c8b810> and installer <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f6bb0c8b810>
2020-08-09 05:56:13,839:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2020-08-09 05:56:13,872:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/92048845', new_authzr_uri=None, terms_of_service=None), a1b8b2eef202aae1bf85e8c4b98ad58d, Meta(creation_host=u'li1962-160.members.linode.com', creation_dt=datetime.datetime(2020, 7, 22, 21, 14, 47, tzinfo=<UTC>)))>
2020-08-09 05:56:13,874:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-08-09 05:56:13,885:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-08-09 05:56:14,102:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2020-08-09 05:56:14,103:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Sun, 09 Aug 2020 05:56:19 GMT
x-frame-options: DENY
content-type: application/json

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "lZMrsyGe70w": "Adding random entries to the directory",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-08-09 06:01:58,222:ERROR:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.5.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1095, in run
    domains, certname = _find_domains_or_certname(config, installer)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 419, in _find_domains_or_certname
    domains = display_ops.choose_names(installer, question)
  File "/usr/lib/python2.7/site-packages/certbot/display/ops.py", line 128, in choose_names
    code, names = _filter_names(names, question)
  File "/usr/lib/python2.7/site-packages/certbot/display/ops.py", line 179, in _filter_names
    question, tags=sorted_names, cli_flag="--domains", force_interactive=True)
  File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 252, in checklist
    force_interactive=True)
  File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 178, in input
    ans = input_with_timeout(message)
  File "/usr/lib/python2.7/site-packages/certbot/display/util.py", line 82, in input_with_timeout
    line = misc.readline_with_timeout(timeout, prompt)
  File "/usr/lib/python2.7/site-packages/certbot/compat/misc.py", line 58, in readline_with_timeout
    rlist, _, _ = select.select([sys.stdin], [], [], timeout)
KeyboardInterrupt


Hi @scotthe

What do these say:

apachectl -S
certbot certificates

(maybe)

httpd -S

If there is a working certificate, try to reinstall it:

certbot --reinstall

PS: Checking your domain - is this that what you want? https://check-your-website.server-daten.de/?q=bistrotaiyo.com

Host                 Type   IP-Address                                                                                                    is auth.  Queries  Timeout
bistrotaiyo.com      A      172.105.8.160 - Toronto/Ontario/Canada (CA) - Linode, LLC; Hostname: bistrotaiyo.com                          yes       1        0
                     AAAA   -                                                                                                             yes
www.bistrotaiyo.com  CNAME  pixie.porkbun.com                                                                                             yes       1        0
                     A      44.227.76.166 - Portland/Oregon/United States (US) - Amazon.com, Inc.; Hostname: ec2-44-227-76-166.us-west-2.compute.amazonaws.com  yes
*.bistrotaiyo.com    A      -                                                                                                             yes
                     A      -                                                                                                             yes
                     AAAA   -                                                                                                             yes
                     AAAA   -                                                                                                             yes
                     CNAME  pixie.porkbun.com                                                                                             yes
                     CNAME  pixie.porkbun.com                                                                                             yes

Non-www and www have different IP addresses.

There is a wildcard CNAME to pixie.porkbun.com defined, so www uses that IP address.

Looks like the wrong vHost (with the standard self signed certificate) answers.


Hi Juergen,

certbot certificates
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: bistrotaiyo.com
    Serial Number: 35b06eb31f84ca6eceb9da76f9c9ce8377d
    Domains: bistrotaiyo.com
    Expiry Date: 2020-10-20 20:15:21+00:00 (VALID: 72 days)
    Certificate Path: /etc/letsencrypt/live/bistrotaiyo.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bistrotaiyo.com/privkey.pem


httpd -S

VirtualHost configuration:
*:8080                 bistrotaiyo.com (/etc/httpd/conf/httpd.conf:80)
*:443                  is a NameVirtualHost
         default server bistrotaiyo.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost bistrotaiyo.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost bistrotaiyo.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias www.bistrotaiyo.com
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Regarding the DNS record, the wildcard CNAME isn't technically what I wanted… but I never had to touch it. www does go to my server. As you can see in my Apache config, I have the www alias.

Correct, I don’t know why the wrong Vhost is answering.

Should I reinstall the certificate?


There

you see your problem.

Two different combinations of port + domain name, that's always wrong.

Merge these in one or delete one.

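As an added example (not code from the thread or from Certbot), a small shell check that parses `httpd -S` / `apachectl -S` output and flags every port + ServerName combination that is defined more than once, which is exactly the condition Juergen points at: Apache uses the first matching vHost for a port, so the ssl.conf entry with the stock self-signed certificate answers before the certbot-generated one. SAMPLE_DUMP is a constructed copy of the dump posted above, not the live server's output.

```shell
# Constructed sample mirroring the vHost dump posted above (not the live server's output).
SAMPLE_DUMP='VirtualHost configuration:
*:8080                 bistrotaiyo.com (/etc/httpd/conf/httpd.conf:80)
*:443                  is a NameVirtualHost
         default server bistrotaiyo.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost bistrotaiyo.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost bistrotaiyo.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias www.bistrotaiyo.com
ServerRoot: "/etc/httpd"'

# Usage: find_duplicate_vhosts "$(httpd -S 2>&1)"   (or apachectl -S)
# Prints one line per port+ServerName pair that is defined more than once,
# listing the config files involved; returns 1 if any were found, else 0.
find_duplicate_vhosts() {
    printf '%s\n' "$1" | awk '
        # "port 443 namevhost example.com (/path/file.conf:NN)" -> fields 2, 4 and 5
        /port [0-9]+ namevhost / {
            key = $2 " " $4
            count[key]++
            files[key] = files[key] " " $5
        }
        END {
            rc = 0
            for (k in count) {
                if (count[k] > 1) {
                    printf "DUPLICATE %s defined %d times:%s\n", k, count[k], files[k]
                    rc = 1
                }
            }
            exit rc
        }'
}

# Stand-alone run against the constructed sample: reports the :443 conflict.
find_duplicate_vhosts "$SAMPLE_DUMP" || echo "fix: keep a single :443 vHost per ServerName"
```

On a real server feed it the live dump; once the duplicate vHost block has been removed or merged, the function returns 0 and prints nothing.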

Thanks Juergen. That was the problem, but it didn't become apparent until now.
It's a similar issue to this one:
Apache Serving Up Wrong Certs
In the end I commented out the vhost directives as advised.

