What is a Testing certificate and how do I make it live?

wdma · July 30, 2021, 6:05pm

I thought I had this right, but no. I am trying to set-up automatic certificate renewals according to the instructions found here (final step):

Here is my ssl-renew file

#!/bin/bash

COMPOSE="/usr/bin/docker-compose --no-ansi"
DOCKER="/usr/bin/docker"

cd /home/weilidma/dsp-ui
$COMPOSE run nginx renew && $COMPOSE kill -s SIGHUP nginx
$DOCKER system prune -af

and here is a partial email I am receiving from Certbot:

[ Note: This message is from the Let's Encrypt staging environment. It likely is not relevant to any live web site. ]

You issued a testing cert (not a live one) from Let's Encrypt staging environment. This mail takes the place of what would normally be a renewal reminder, but instead is demonstrating delivery of renewal notices. Have a nice day!

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

My domain is:

www.hippocampusanalytics.com

I ran this command:

The instructions specify the ssl-renew file should reference certbot in the line starting with $COMPOSE as shown below, but in that case, I receive an email telling me that the certificate is about to expire.

#!/bin/bash

COMPOSE="/usr/bin/docker-compose --no-ansi"
DOCKER="/usr/bin/docker"

cd /home/weilidma/dsp-ui
$COMPOSE run certbot renew && $COMPOSE kill -s SIGHUP nginx
$DOCKER system prune -af

It produced this output:

My web server is (include version):

Nodejs

The operating system my web server runs on is (include version):
Ubuntu 20

My hosting provider, if applicable, is:

Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

rg305 · July 30, 2021, 7:14pm

Your docker-compose.yml file probably contains a line like this one (shown in the guide you followed):
[wrapped for visibility]

command: certonly --webroot --webroot-path=/var/www/html \
--email sammy@example.com --agree-tos --no-eff-email \
--staging -d example.com  -d www.example.com

As you can see, it contains "--staging", this will force the use of the staging/test environment.
Now that you have passed all the testing you can remove that parameter and it will then use the production/live system.

wdma · July 30, 2021, 8:04pm

@rg305 Thank you for your reply. I checked and it does not have --staging in it.

Here is the relevant line in my docker-compose file:

command: certonly --cert-name hippocampusanalytics.com --webroot --webroot-path=/usr/share/nginx/html -d "hippocampusanalytics.com,www.hippocampusanalytics.com" --keep

Also, in case this is the source of the problem, can you tell me which of these options is correct?

Option 1

$COMPOSE run nginx renew && $COMPOSE kill -s SIGHUP nginx

Option 2

$COMPOSE run certbot renew && $COMPOSE kill -s SIGHUP nginx

As you might guess, "nginx" is the name of the nginx container and "certbot" is the name of the certbot container.

rg305 · July 30, 2021, 8:08pm

I would expect "Option 2" would actually run certbot and would renew certs when needed.
But the certbot container may not include the relevant nginx web server; as there is also mention of an nginx container (presumably running the relevant nginx).

But I'm just guessing...

rg305 · July 30, 2021, 8:10pm

If there is no --staging found in the code...
Then I would delete the current (staging) cert and re-obtain a new one.

system · August 29, 2021, 8:10pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.