Expired Certificate

OK, that looks about as expected. Try this:

  • First, take a backup of /etc/letsencrypt, just in case this breaks something: tar -cvjSf /root/letsencrypt-backup.tar.bz2 /etc/letsencrypt/
  • Then, delete the broken certs: certbot delete --cert-name nethserver.cuicable.com and certbot delete --cert-name nethserver.cuicable-0001.com.
  • Now, see if renewal succeeds: certbot renew
  • If it did, tell the system to refresh the cert: signal-event certificate-update

Ok,

The certbot delete for nethserver.cuicable.com worked; however, the 0001 one did not work. I am posting the error. Would it be possible to just delete the directory?

[root@nethserver etc]# certbot delete --cert-name nethserver.cuicable-0001.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificate(s) are selected for deletion:

  * nethserver.cuicable-0001.com

Are you sure you want to delete the above certificate(s)?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
No certificate found with name nethserver.cuicable-0001.com (expected /etc/letsencrypt/renewal/nethserver.cuicable-0001.com.conf).
[root@nethserver etc]# 

That looks like it’s there from what you’d posted previously. What does certbot certificates say?

yes it is there:

[root@nethserver log]# cd /etc/letsencrypt/
[root@nethserver letsencrypt]# ls
accounts  archive  csr  keys  live  renewal  renewal-hooks
[root@nethserver letsencrypt]# cd renewal
[root@nethserver renewal]# ls
nethserver.cuicable.com-0001.conf  nethserver.cuicable.com-0002.conf
[root@nethserver renewal]# 

But when I look at the 0001.conf file

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/nethserver.cuicable.com-0001
cert = /etc/letsencrypt/live/nethserver.cuicable.com-0001/cert.pem
privkey = /etc/letsencrypt/live/nethserver.cuicable.com-0001/privkey.pem
chain = /etc/letsencrypt/live/nethserver.cuicable.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/nethserver.cuicable.com-0001/fullchain.pem

Which is expected, but when I go and look in the directory where it is expecting things:
/etc/letsencrypt/live/nethserver.cuicable.com-0001 << here is what I see

[root@nethserver nethserver.cuicable.com-0001]# ls
fullchain.pem  README
[root@nethserver nethserver.cuicable.com-0001]# 

I am missing 4 other files that should be there.

certbot certificates says the following:

[root@nethserver /]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/nethserver.cuicable.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/nethserver.cuicable.com-0001/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: nethserver.cuicable.com-0002
    Serial Number: 30b5c30203b5109716dc7d9141ac1a650d5
    Key Type: RSA
    Domains: nethserver.cuicable.com mx1.avxinc.com mx1.cuicable.com mx1.millerfoundation.net
    Expiry Date: 2022-11-27 12:20:18+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/nethserver.cuicable.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nethserver.cuicable.com-0002/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/nethserver.cuicable.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@nethserver /]# 
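The two things above go together: Dan's advice to back up /etc/letsencrypt before deleting anything, and certbot's "expected .../cert.pem to be a symlink" complaint about the 0001 lineage. Certbot lays each lineage out as archive/NAME/cert1.pem, privkey1.pem, chain1.pem, fullchain1.pem plus four symlinks under live/NAME/ pointing at them; a live/ directory holding a plain fullchain.pem and a README, like the one shown, fails that check and the lineage is skipped. The script below is an added example, not code from this thread, NethServer or certbot: it takes the backup and then reproduces the symlink check for every renewal conf, so a broken lineage can be found before `certbot delete` or `certbot renew` is run. The lineage names in `make_fixture` are constructed test data, and the `/etc/letsencrypt` default and the `.tar.gz` backup name are assumptions (the thread used bzip2; either works).

```shell
#!/usr/bin/env bash
# Added example (not from the thread, NethServer or certbot): back up a certbot
# tree and audit each renewal lineage for the condition behind certbot's
# "expected .../cert.pem to be a symlink" error.
set -u

# backup_letsencrypt ROOT DEST: archive the whole tree before touching it.
# Paths inside the tarball are relative (e.g. letsencrypt/renewal/...).
backup_letsencrypt() {
  local root="$1" dest="$2"
  tar -czf "$dest" -C "$(dirname "$root")" "$(basename "$root")"
}

# conf_path CONF KEY: value of the "KEY = /etc/letsencrypt/..." line in a
# renewal conf (cert, privkey, chain or fullchain).
conf_path() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# audit_lineage ROOT CONF: print "ok NAME" or "broken NAME: problems".
# certbot requires all four live/ entries to be symlinks into archive/; a plain
# file (like the lone fullchain.pem seen above) or a missing file breaks it.
audit_lineage() {
  local root="$1" conf="$2"
  local name key value path problems=""
  name="$(basename "$conf" .conf)"
  for key in cert privkey chain fullchain; do
    value="$(conf_path "$conf" "$key")"
    if [ -z "$value" ]; then
      problems="$problems $key:missing-in-conf"
      continue
    fi
    # rebase /etc/letsencrypt/... onto ROOT so a constructed tree can be audited
    path="$root${value#/etc/letsencrypt}"
    if [ -L "$path" ]; then
      [ -e "$path" ] || problems="$problems $key:dangling-symlink"
    elif [ -e "$path" ]; then
      problems="$problems $key:not-a-symlink"
    else
      problems="$problems $key:missing"
    fi
  done
  if [ -z "$problems" ]; then echo "ok $name"; else echo "broken $name:$problems"; fi
}

# audit_all ROOT: one report line per renewal conf ("none" if there are none).
audit_all() {
  local root="$1" conf found=0
  for conf in "$root"/renewal/*.conf; do
    [ -e "$conf" ] || continue
    found=1
    audit_lineage "$root" "$conf"
  done
  [ "$found" -eq 1 ] || echo "none"
}

# count_broken ROOT: how many lineages certbot would skip.
count_broken() {
  audit_all "$1" | grep -c '^broken ' || true
}

# make_fixture DIR: constructed test tree (not real data) with one healthy
# lineage and one in the broken state shown in the thread: a regular
# fullchain.pem and a README under live/, nothing else.
make_fixture() {
  local d="$1" n f
  mkdir -p "$d/renewal" "$d/live" "$d/archive"
  for n in nethserver.example-0001 nethserver.example-0002; do
    cat > "$d/renewal/$n.conf" <<EOF
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/$n
cert = /etc/letsencrypt/live/$n/cert.pem
privkey = /etc/letsencrypt/live/$n/privkey.pem
chain = /etc/letsencrypt/live/$n/chain.pem
fullchain = /etc/letsencrypt/live/$n/fullchain.pem
EOF
    mkdir -p "$d/live/$n" "$d/archive/$n"
  done
  # healthy lineage: archive files plus relative symlinks, as certbot creates them
  for f in cert privkey chain fullchain; do
    echo "placeholder $f" > "$d/archive/nethserver.example-0002/${f}1.pem"
    ln -s "../../archive/nethserver.example-0002/${f}1.pem" "$d/live/nethserver.example-0002/$f.pem"
  done
  # broken lineage: plain fullchain.pem and README only
  echo "placeholder" > "$d/live/nethserver.example-0001/fullchain.pem"
  echo "readme" > "$d/live/nethserver.example-0001/README"
}

# Usage on a real host (as root):  ./audit-letsencrypt.sh --audit /etc/letsencrypt
if [ "${1:-}" = "--audit" ]; then
  root="${2:-/etc/letsencrypt}"
  backup_letsencrypt "$root" "/root/letsencrypt-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
  audit_all "$root"
fi
```

A lineage reported as `broken` is the one to pass to `certbot delete --cert-name NAME` (the NAME is the renewal conf's basename, e.g. nethserver.cuicable.com-0001, not a hostname); `certbot delete` itself removes the renewal conf, live/ and archive/ directories for that name, which is why deleting the directory by hand is unnecessary once the name is typed correctly.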

…and certbot delete --cert-name nethserver.cuicable.com-0001 doesn’t work?

OK, that is weird, it worked this time. I may have mistyped or something … but … well, anyway. So when I do a certbot renew, below is what I get:

[root@nethserver nethserver.cuicable.com-0002]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nethserver.cuicable.com-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/nethserver.cuicable.com-0002/fullchain.pem expires on 2022-11-27 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@nethserver nethserver.cuicable.com-0002]# 

Which is awesome, no errors :).

Now, yes, it is saying that the cert does not need to be renewed. However, chain.pem is showing expired 8/26/2022, which I do not understand how that can happen. It should all have the same date.

chain.pem would have the intermediate CA signing cert(s), and should be valid for quite some time. In what way is it showing expired as of a few days ago? Because it’s looking like you obtained four different certs within five minutes this morning.

Here is the screen shot.

Have you run signal-event certificate-update?

Hello Dan,
This is Greg. I used up all of my replies (apparently I can only reply 18 times). OK, so I was able to use that command and I did not get an error.

…and are you now seeing that your cert is current?

No it is saying the same thing:

When I download the PEM chain it does match the chain.pem in the 0002 directory.

Can you post the contents of fullchain.pem? And what site are you browsing to when you see that error? Because when I browse to nethserver.cuicable.com, I’m seeing a Cloudflare cert.

Browsing to mx1.cuicable.com

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

That certificate is valid 29 Aug - 27 Nov, but I’m also seeing that mx1.cuicable.com is serving an expired cert. Restarting the server would likely resolve this, but the certificate-update event should have also. Is mx1.cuicable.com actually hosted on the Nethserver machine?
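The distinction Dan draws here is the useful one: `certbot renew` and the files under live/ can be perfectly current while a daemon that was never reloaded keeps presenting the certificate it loaded at startup, and a mail host exposes that on several ports at once (443, 25, 587, 993). The check below is an added example, not from the thread or from NethServer: it fetches the certificate each service actually presents with `openssl s_client` and compares its SHA-256 fingerprint with the renewed fullchain.pem on disk, so "renewed but not reloaded" shows up as a mismatch with two different expiry dates. The hostname, port list and lineage path in the usage comment are placeholders, and the example assumes the openssl command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or NethServer): compare the certificate a
# TLS service is serving with the fullchain.pem certbot renewed on disk.
set -u

# cert_fingerprint FILE: SHA-256 fingerprint of the first certificate in FILE.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# cert_not_after FILE: notAfter date of the first certificate in FILE.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within FILE SECONDS: succeeds if the certificate expires within
# SECONDS (or already has). openssl's -checkend exits 0 only when it will NOT.
cert_expires_within() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; then
    return 1
  else
    return 0
  fi
}

# fetch_served_cert HOST PORT [STARTTLS_PROTO]: print the leaf certificate that
# HOST:PORT presents; use STARTTLS (smtp, imap, pop3) where the port needs it.
fetch_served_cert() {
  local host="$1" port="$2" proto="${3:-}" opt=""
  [ -n "$proto" ] && opt="-starttls $proto"
  # shellcheck disable=SC2086
  openssl s_client -connect "$host:$port" -servername "$host" $opt </dev/null 2>/dev/null \
    | openssl x509
}

# check_service HOST PORT DISK_FULLCHAIN [STARTTLS_PROTO]: report whether the
# served certificate is the one on disk. Exit 0 = same, 1 = mismatch, 2 = no cert.
check_service() {
  local host="$1" port="$2" disk="$3" proto="${4:-}"
  local tmp served on_disk
  tmp="$(mktemp)"
  if ! fetch_served_cert "$host" "$port" "$proto" > "$tmp"; then
    echo "$host:$port: no certificate retrieved"
    rm -f "$tmp"; return 2
  fi
  served="$(cert_fingerprint "$tmp")"
  on_disk="$(cert_fingerprint "$disk")"
  if [ "$served" = "$on_disk" ]; then
    echo "$host:$port: serving the renewed cert (expires $(cert_not_after "$disk"))"
    rm -f "$tmp"; return 0
  fi
  echo "$host:$port: MISMATCH, served cert expires $(cert_not_after "$tmp"), disk cert expires $(cert_not_after "$disk")"
  rm -f "$tmp"; return 1
}

# Usage on the mail host (placeholder names; the live path is certbot's):
#   F=/etc/letsencrypt/live/LINEAGE-NAME/fullchain.pem
#   check_service mx1.example.com 443 "$F"
#   check_service mx1.example.com 25  "$F" smtp
#   check_service mx1.example.com 587 "$F" smtp
#   check_service mx1.example.com 993 "$F"
```

A MISMATCH on one port but not another points at the specific daemon that did not pick up the new files (on NethServer that is what `signal-event certificate-update` is meant to do for all of them); a cert that is also reported by `cert_expires_within "$F" 0` as already expired on disk means the renewal itself, not the reload, is the problem.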

Yes mx1.cuicable.com is hosted on the Nethserver.

Hi @conan58

If you have both 0001 and 0002 suffixes, you can have a look at:

Make sure you didn’t reach the 5/7 limit for Let’s Encrypt requests.

Keep in mind that this solution is dangerous

Michel-André

OK, I just did a data backup and then did a restart. Now SOGo is no longer working. The service refuses to start. The error is below.

[root@nethserver log]# systemctl status sogod
● sogod.service - SOGo is a groupware server
   Loaded: loaded (/usr/lib/systemd/system/sogod.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2022-09-07 08:35:14 CDT; 22min ago
 Main PID: 1616 (code=exited, status=1/FAILURE)

Sep 07 08:35:11 nethserver.cuicable.com systemd[1]: Starting SOGo is a groupware server...
Sep 07 08:35:14 nethserver.cuicable.com sogod[1616]: 2022-09-07 08:35:14.213 sogod[1616:1616] unable to get status of desc...iptor
Sep 07 08:35:14 nethserver.cuicable.com systemd[1]: Started SOGo is a groupware server.
Sep 07 08:35:14 nethserver.cuicable.com systemd[1]: sogod.service: main process exited, code=exited, status=1/FAILURE
Sep 07 08:35:14 nethserver.cuicable.com systemd[1]: Unit sogod.service entered failed state.
Sep 07 08:35:14 nethserver.cuicable.com systemd[1]: sogod.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@nethserver log]# 

Now what?

This is the error I see in syslog:
nethserver sogod: 2022-09-07 08:19:50.410 sogod[17631:17631] unable to get status of descriptor 2 - Bad file descriptor