
Thread: LetsEncrypt - SSL certificate is not valid

  1. #21
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,562
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: LetsEncrypt - SSL certificate is not valid

    Your installation of certbot is not how I have mine installed so I don't know the differences.

    This is how I installed it on my servers:

    Code:
    sudo apt install certbot python3-certbot-apache

  2. #22
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    Thanks for replying!
    I've already tried this, but the missing certificate was not installed.
    Code:
    sudo apt-get --reinstall install certbot python3-certbot-apache ca-certificates libarray-diff-perl libconvert-asn1-perl libdatetime-format-strptime-perl
    Code:
    cat /usr/lib/ssl/certs/2e5ac55d.0
    
    

  3. #23
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,562
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: LetsEncrypt - SSL certificate is not valid

    Re-install of binaries won't fix any configuration issues.

    MAKE SURE YOU HAVE A BACKUP

    I would purge everything off the server related to certbot (especially its config files) and then install from scratch.

    MAKE SURE YOU HAVE A BACKUP

    LHammonds

  4. #24
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    Thank you!
    For now it works. I will wait & see what happens after the LetsEncrypt changes on Sept. 30.

  5. #25
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: LetsEncrypt - SSL certificate is not valid

    I had some issues a few years ago and switched from using certbot to using acme.sh.
    About 18 months ago, Let's Encrypt changed some of their policies and started requiring that random sites around the world have access to the website or they wouldn't issue certs. I was blocking access from many countries where attacks against my servers were originating with a huge set of ipset subnets. For a few weeks, I couldn't understand that my firewall blocks were preventing VPS servers in these locations from access, so LE refused to renew certs. Then I accidentally disabled the firewall and ran the update process ... and all the certs were renewed, quickly. Instead of ~3min per cert, all of them were being renewed in under 2 minutes. It was amazing.
    The last 15+ months, I've disabled my ipset rules, run the cert renewal process, then re-enabled them every 75 days or so. Works well.

    It is nice to spend just a few minutes on these things. I don't really trust automation for something so important that happens so seldom. My calendar has an entry to renew. That's the least I can do - watch a script run while it renews.

    99% of the how-to guides explain how to get a new cert, but they all gloss over renewal. In theory, renewals should be trivial and much easier. I also dislike how they say not to run as root ... if not as root, how can the renewal certs get placed where they have to be for nginx to pick up the new certs? Riddle me that one, Batman.
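
The disable, renew, re-enable routine described in the post above, written so that the block is put back even when the renewal fails or is interrupted. This is an added example, not part of the post or of acme.sh; the ipset name `geo_block`, the single iptables rule and `acme.sh --cron` being on root's PATH are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Assumptions: the country block is a
# single iptables rule matching an ipset named "geo_block" (hypothetical name),
# and renewal is done with "acme.sh --cron", with acme.sh on root's PATH.

lift_block() {
    iptables -D INPUT -m set --match-set geo_block src -j DROP
}

restore_block() {
    # -C succeeds when the rule is already present, so restoring is idempotent.
    iptables -C INPUT -m set --match-set geo_block src -j DROP 2>/dev/null ||
        iptables -I INPUT 1 -m set --match-set geo_block src -j DROP
}

# run_with_block_lifted LIFT RESTORE RENEW [ARGS...]
# Runs LIFT, then RENEW. RESTORE runs afterwards whether RENEW succeeded,
# failed or was interrupted. Returns RENEW's exit status, 1 if LIFT failed
# (RENEW is then skipped), or 70 if the block could not be put back.
run_with_block_lifted() {
    _lift=$1
    _restore=$2
    shift 2
    _rc=0
    "$_lift" || { echo "could not lift block, not renewing" >&2; return 1; }
    # Ctrl-C or kill during the renewal must not leave the firewall open.
    trap "$_restore; exit 130" INT TERM
    "$@" || _rc=$?
    trap - INT TERM
    if ! "$_restore"; then
        echo "ALERT: block not restored, firewall is still open" >&2
        return 70
    fi
    return "$_rc"
}

# Real run (as root): sh renew-window.sh --run
if [ "${1:-}" = "--run" ]; then
    run_with_block_lifted lift_block restore_block acme.sh --cron
fi
```

Exit status 70 is the one to alert on: the renewal may have worked, but the server is running without its blocklist.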

  6. #26
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,915
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: LetsEncrypt - SSL certificate is not valid

    @TheFu

    Do you find acme.sh easier to work with than certbot? I use a combination of both tools and can't figure out what I like better. Acme.sh is very chatty as I see it modifies a lot of its own configuration files quite frequently.

  7. #27
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: LetsEncrypt - SSL certificate is not valid

    Quote: Originally Posted by kevdog
    @TheFu

    Do you find acme.sh easier to work with than certbot? I use a combination of both tools and can't figure out what I like better. Acme.sh is very chatty as I see it modifies a lot of its own configuration files quite frequently.

    There wasn't any grand scheme of thought involved.

    Certbot wasn't working, likely due to my ignorance, since 1M+ other people use it fine. After screwing around with it for a few hours over a month and being unsuccessful at renewal, it was time to move on.

    acme.sh was easier and more understandable TO ME for how things work. The code is right there to read. I've changed from 1 cert per domain to 1 cert with all the CN in it and back to 1 cert per domain. Seems that attackers are looking at certs to decide which domains to attack, so having an all-in-one cert wasn't helping combat attackers.
    Plus, I have certs on mixed systems and standalone systems, some with multiple backends going through a reverse proxy/load balancer. A few are not available on the internet, but we still wanted LE certs to keep the internal users from browser issues. The acme.sh standalone method of renewal worked and was easy to get working. I really should be using DNS to prove domain ownership, but that isn't easy to automate with multiple DNS providers - some only have web interfaces. I'd rather bring down all the websites for 2 minutes every 77 days during renewal.

    Did I mention that I use a mix of nginx, apache and custom web-apps that don't use either?

  8. #28
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,915
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: LetsEncrypt - SSL certificate is not valid

    Honestly just sounds like you would simplify some things by using a Traefik or Caddy reverse proxy for auto certificate management. I'm aware you might want the certificates for other reasons however. In terms of multiple DNS providers -- yeah that's kind of painful -- however just use the ones that integrate with DNS challenge.

  9. #29
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: LetsEncrypt - SSL certificate is not valid

    Quote: Originally Posted by kevdog
    Honestly just sounds like you would simplify some things by using a Traefik or Caddy reverse proxy for auto certificate management. I'm aware you might want the certificates for other reasons however. In terms of multiple DNS providers -- yeah that's kind of painful -- however just use the ones that integrate with DNS challenge.

    a) we don't (won't) use docker. The idea of using dockerhub is just too scary.
    b) it ain't broke, so why fix it?
    c) I'm not anti-GoLang, but it would be something else to be installed. We decided against using Puppet and Chef over the Ruby requirement - I love Ruby, BTW.
