Staging site cert not valid


#1

I have a wordpress multisite with a subdomain of staging.bell-computing.com. I have a certificate for it
Certificate Name: staging.bell-computing.com
Domains: staging.bell-computing.com
Expiry Date: 2018-10-01 12:24:09+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.bell-computing.com/privkey.pem

What do I need to do to make it recognised? It is in my conf list of other recognised servers and also in the list of domains in serverpilot. When I test it, it says there is a name mismatch with gourmetbritain-competition.com.

When I do an autorenew dry run it can renew staging but not gourmetbritain. How do I fix this?
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/bell-computing.com.conf

Attempting to parse the version 0.25.1 renewal configuration file found at /etc/letsencrypt/renewal/bell-computing.com.conf with version 0.25.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bell-computing.com
http-01 challenge for www.bell-computing.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/bell-computing.com/fullchain.pem


Processing /etc/letsencrypt/renewal/staging.bell-computing.com.conf

Attempting to parse the version 0.25.1 renewal configuration file found at /etc/letsencrypt/renewal/staging.bell-computing.com.conf with version 0.25.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for staging.bell-computing.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem


Processing /etc/letsencrypt/renewal/pmcarpetsandflooring.com.conf

Attempting to parse the version 0.25.1 renewal configuration file found at /etc/letsencrypt/renewal/pmcarpetsandflooring.com.conf with version 0.25.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for pmcarpetsandflooring.com
http-01 challenge for www.pmcarpetsandflooring.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/pmcarpetsandflooring.com/fullchain.pem


Processing /etc/letsencrypt/renewal/gourmetbritain-competition.com.conf

Attempting to parse the version 0.25.1 renewal configuration file found at /etc/letsencrypt/renewal/gourmetbritain-competition.com.conf with version 0.25.0 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gourmetbritain-competition.com
http-01 challenge for www.gourmetbritain-competition.com
Cleaning up challenges
Attempting to renew cert (gourmetbritain-competition.com) from /etc/letsencrypt/renewal/gourmetbritain-competition.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/gourmetbritain-competition.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/bell-computing.com/fullchain.pem (success)
/etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem (success)
/etc/letsencrypt/live/pmcarpetsandflooring.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/gourmetbritain-competition.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


#2

Issue the cert from the production server, rather than staging. Staging certs are never recognized by clients.


#3

If you don’t specify an installer (or use certonly), then Certbot isn’t going to do anything except issue the certificate. Actually deploying it to your website is a separate step.

So, you have a couple of choices.

Have Certbot install the certificate:

certbot -d staging.bell-computing.com --nginx

or manually configure your web server to use it: https://mozilla.github.io/server-side-tls/ssl-config-generator/

I’m not sure which is the better choice with ServerPilot, since SP manages its own nginx instance that Certbot may not be able to identify automatically.


#4

I thought that's what I had done with
./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/wordpress/public -d staging.bell-computing.com

Doing it again just tells me it already exists.

The same command seems to work fine for pmcarpetsandflooring
./certbot-auto certonly --webroot -w /srv/users/serverpilot/apps/wordpress/public -d pmcarpetsandflooring.com -d www.pmcarpetsandflooring.com
The only difference is that there is an actual DNS record for pmcarpetsandflooring.com.


#5

To put it another way: certonly just creates a certificate, but doesn’t use it for anything. That’s up to you. As “step two”, you need to tell ServerPilot’s nginx configuration for that domain (in /etc/nginx-sp/vhosts.d/) to then use that certificate.

Based on how your server responds, you haven’t done that.


#6

Hmm, but I have it in my app’s conf for that certificate - what stage am I missing?

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name
            178.62.53.135
            bell-computing.com
            paulmarshallcarpetsandflooring.com
            staging.bell-computing.com;
        ssl on;
        # letsencrypt certificates
        ssl_certificate      /etc/letsencrypt/live/bell-computing.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/bell-computing.com/privkey.pem;

        #SSL Optimization
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:20m;
        ssl_session_tickets off;

        # modern configuration
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        # verify chain of trust of OCSP response
        ssl_trusted_certificate /etc/letsencrypt/live/bell-computing.com/chain.pem;

        #root directory and logfiles
        root /srv/users/serverpilot/apps/wordpress/wordpress_nginx/public;
        access_log /srv/users/serverpilot/log/wordpress/wordpress_nginx.access.log main;
        error_log /srv/users/serverpilot/log/wordpress/wordpress_nginx.error.log;

        #proxyset
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-SSL on;
        proxy_set_header X-Forwarded-Proto $scheme;

        #includes
        include /etc/nginx-sp/vhosts.d/wordpress.d/*.nonssl_conf;
        include /etc/nginx-sp/vhosts.d/wordpress.d/*.conf;
    }

#7

The certificate for your staging domain is located in /etc/letsencrypt/live/staging.bell-computing.com/.

You’re not using it in that configuration.

You’re using the certificate for bell-computing.com, which is a separate certificate.
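As an added example (not code from this thread), a small check that reads a server block like the one posted above and lists every server_name entry that the block's ssl_certificate does not cover; a client sending one of those names as SNI gets exactly the name-mismatch warning described in #1. The vhost text and the SAN lists are constructed here, with the SANs taken from the domains that appear in the dry-run output.

```python
import re

# Constructed vhost mirroring the ServerPilot block quoted in the thread (abridged).
VHOST = """
server {
    listen 443 ssl http2;
    server_name
        178.62.53.135
        bell-computing.com
        paulmarshallcarpetsandflooring.com
        staging.bell-computing.com;
    ssl_certificate     /etc/letsencrypt/live/bell-computing.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bell-computing.com/privkey.pem;
}
"""

# Subject Alternative Names per certificate, as `openssl x509 -noout -ext subjectAltName`
# would print them; constructed here from the domains shown in the dry-run output above.
SANS = {
    "/etc/letsencrypt/live/bell-computing.com/fullchain.pem":
        ["bell-computing.com", "www.bell-computing.com"],
    "/etc/letsencrypt/live/staging.bell-computing.com/fullchain.pem":
        ["staging.bell-computing.com"],
}

def parse_server_block(conf):
    """Pull the server_name entries and the ssl_certificate path out of one server {} block."""
    names = re.search(r"\bserver_name\s+([^;]+);", conf)
    cert = re.search(r"\bssl_certificate\s+([^;\s]+)\s*;", conf)  # not ssl_certificate_key
    return {"server_name": names.group(1).split() if names else [],
            "ssl_certificate": cert.group(1) if cert else None}

def name_matches(san, host):
    """RFC 6125-style match: exact, or a leading wildcard covering exactly one label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == san[2:]
    return san == host

def uncovered_names(conf, san_by_cert):
    """server_name entries (bare IPs included) that the block's certificate does not cover."""
    block = parse_server_block(conf)
    sans = san_by_cert.get(block["ssl_certificate"], [])
    return [n for n in block["server_name"] if not any(name_matches(s, n) for s in sans)]

if __name__ == "__main__":
    for name in uncovered_names(VHOST, SANS):
        print(f"{name}: not in SAN of {parse_server_block(VHOST)['ssl_certificate']}")
```

On the live server, `openssl s_client -connect 178.62.53.135:443 -servername staging.bell-computing.com` shows which certificate nginx actually presents for that SNI, which is the same comparison made from the other side.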

