NethServer Version: NethServer release 7.9.2009 (final)
Module: Lets Encrypt
Hi all,
As above, I have just updated my SSL certificates using Lets Encrypt. No issues but a possible strange result, I now have two folders called “mail.gmcomputers.co.za” and “mail.gmcomputers.co.za-0002” in the path /etc/letsencrypt/live/. Is this by design? Just curious more than anything as all seems to be working fine.
Hi @markdewet
No, anything in LE with 001, 002, 003 or so at the end is an indication something’s not working as intended.
I generally remove all certs in the folders (and GUI), and completely recreate the LE.
That usually works.
My 2 cents
Andy
@Andy_Wismer Hi again, thank you for your reply. LOL, sorry but what is LE?
Lets Encrypt…
Check:
- /etc/letsencrypt/live
- /etc/letsencrypt/archive
- /etc/letsencrypt/renewal
I have a client right now with the same issue…
LOL, duh!! It’s late here, my apologies. Ok, I did try that, initially, but then Apache kept throwing errors about not finding various .pems and would not start, so I placed an expired certificate in the original folder “mail.gmcomputers.co.za” and httpd then started no problem, but then when running the Let’s Encrypt update, same thing, a new folder with -0002 at the end. So not sure where to from here.
Here it’s 23:24, close to midnight, also “late”.
Only after midnight can one officially call it “early”…
As you can see here, I’ve got those 002 files/folders in these two folders also, besides the live folder.
I remove all three in all subfolders, then recreate the LE right from Cockpit…
I just did it, it worked. I now have only one file in all three folders, with the correct name as expected…
Removing the files / folders using the console does not trigger an apache restart.
Once the LE supplies the SSL cert, then apache is restarted by the Cockpit GUI - but then the new, valid cert is in place…
Ah Ok, so you are an hour behind me! It’s 00H26 here.
Ok, let me look into those other paths and folders and see what I can do about this, I just don’t want to break it again, as I said, things are working, so I’m of the “if it ain’t broke, don’t fix it” type of person.
I’m in Switzerland, MET Timezone (I think in English it’s called CET?)
Where are you located?
These errors do cause issues, but then, you don’t think LE could be the cause, so plenty of time wasted…
Yep, in English it’s CET (Central European Time)
I’m in South Africa, Cape Town.
I’m not quite sure what you mean here, sir, apologies.
These LE errors can run a while without any obvious errors…
Weeks later some smartphone gets certificate errors and can’t sync calendars, address books or mail.
Then more and more such errors crop up. Working Outlook suddenly doesn’t work correctly anymore…
→ Sure, it (LE SSL cert) is cached in the browser or client app somewhere, until expired and incorrect SSL certs make it refuse the connection…
Such stuff can happen!
I don’t recall what’s the real cause (something about domain order?) but some time ago recollected some information about it:
Other users like @michelandre and @danb35 also dealt with the same.
This error can crop up, but luckily doesn’t happen too often…
I don’t think anyone has actually found the cause or what triggers this, it’s a minor PITA, but still a PITA.
In case anyone’s asking, PITA here does not imply a form of bread, but rather "Pain in the A…")…
My 2 cents
Andy
Ah Ok, fair enough, let me look into it and come back and reply with results. I have to ask though, the following:
1: I remove the SSL certificates from the Cockpit GUI first, correct?
2: Do I then delete just the contents of the folders or do I delete the actual folders as well? That is, do I delete folders “mail.gmcomputers.co.za” and “mail.gmcomputers.co.za-0002”?
3: What do I do if/when httpd throws up the error of not being able to find the .pem files? Can I edit the httpd.conf file to temporarily remove all references to the certificates?
@dnutan Thank you, sir, for your reply and guides, I will look into those, hopefully I can understand what is to be done, LOL
LOL, yes I know what PITA is
Yes
Before erasing the extra folders, switch the SSL certificate to the self created one. That prevents httpd from having an error…
Once you’ve got new LE certs, set these as default (three dots), then log out from Cockpit. (Maybe even reboot your Neth). Cockpit needs a bit longer to reload the certs…
You should have correct LE SSL certs now…
My 2 cents
Andy
Hi @markdewet
- You clean the browser cache
- You clean the station cache:
  ipconfig /flushdns
That will do the job to take the new certificate.
Michel-André
@Andy_Wismer and @dnutan Thank you for all your assistance, things are back to how they should be, no folder with -0002 at the end.
For those who want the sequence it’s as follows:
1: Set your certificate to the original self-signed certificate via the Cockpit GUI for Certificates
2: Remove any and all LE or other certificates from the Cockpit GUI for certificates.
3: Using WinSCP (or any other such program) go through each of the following folders and delete everything in them EXCEPT the readme:
- /etc/letsencrypt/live
- /etc/letsencrypt/archive
- /etc/letsencrypt/renewal
4: Run Let’s Encrypt to renew the Certificate(s)
5: Reboot Nethserver. (Just a precaution, but better safe than sorry).
Hope this helps someone else with a similar issue.
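As an added example (not code from the thread or from NethServer), a small POSIX shell audit for the situation described above: it lists lineages in live/ that have a certbot “-NNNN” duplicate, and renewal configs whose archive_dir no longer exists (leftovers from a partial cleanup of live/ and archive/). The directory layout and the constructed fixture are assumptions; on a real host point LE_ROOT at /etc/letsencrypt.

```shell
#!/bin/sh
# Added example: audit a certbot tree for duplicate lineages such as
# "mail.example.com" beside "mail.example.com-0002". Read-only; it deletes nothing.

# Print the base name of every lineage in live/ that has a -NNNN duplicate.
find_duplicate_lineages() {
    for d in "$1"/live/*-[0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        echo "${name%-[0-9][0-9][0-9][0-9]}"
    done | sort -u
}

# Print renewal/*.conf files whose archive_dir points at a missing directory
# (stale state that makes the next run create yet another -NNNN lineage).
find_stale_renewal_configs() {
    for conf in "$1"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        archive=$(sed -n 's/^archive_dir *= *//p' "$conf")
        [ -d "$archive" ] || basename "$conf"
    done
}

# Constructed fixture mirroring the thread (assumed layout); echoes its path.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/live/mail.example.com" "$root/live/mail.example.com-0002" \
             "$root/archive/mail.example.com" "$root/archive/mail.example.com-0002" \
             "$root/renewal"
    printf 'archive_dir = %s\n' "$root/archive/mail.example.com" \
        > "$root/renewal/mail.example.com.conf"
    printf 'archive_dir = %s\n' "$root/archive/mail.example.com-0002" \
        > "$root/renewal/mail.example.com-0002.conf"
    # leftover config whose archive directory was already deleted
    printf 'archive_dir = %s\n' "$root/archive/old.example.com" \
        > "$root/renewal/old.example.com.conf"
    echo "$root"
}

# Usage: LE_ROOT=/etc/letsencrypt sh audit.sh   (unset LE_ROOT runs the fixture)
main() {
    root=${LE_ROOT:-$(build_fixture)}
    echo "lineages with certbot -NNNN duplicates:"
    find_duplicate_lineages "$root"
    echo "renewal configs pointing at missing archive dirs:"
    find_stale_renewal_configs "$root"
    [ -n "$LE_ROOT" ] || rm -rf "$root"
}
main
```

If the audit prints anything, the cleanup sequence above (switch Cockpit to the self-signed cert first, clear all three folders, re-request) is the remedy the thread settled on.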