Nitrokey / nextbox

NextBox
GNU General Public License v3.0

Letsencrypt certificate not renewing #114

Open mcnesium opened 2 months ago

mcnesium commented 2 months ago

After running my Nextbox since it was first released, I suddenly get e-mails from Letsencrypt that my certificate is expiring. Checking the system, everything seems fine:

nextuser@nextbox:~ $ sudo systemctl status certbot.service 
● certbot.service - Certbot
   Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
   Active: inactive (dead) since Wed 2024-07-10 04:42:05 BST; 7h ago
     Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
           https://letsencrypt.readthedocs.io/en/latest/
  Process: 16876 ExecStart=/usr/bin/certbot -q renew (code=exited, status=0/SUCCESS)
 Main PID: 16876 (code=exited, status=0/SUCCESS)

Jul 10 04:42:01 nextbox systemd[1]: Starting Certbot...
Jul 10 04:42:05 nextbox systemd[1]: certbot.service: Succeeded.
Jul 10 04:42:05 nextbox systemd[1]: Started Certbot.

However, it says /usr/bin/certbot -q renew in the service. So what about the certificate?

nextuser@nextbox:~ $ sudo /usr/bin/certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certs found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Looks like it does not find it and thus cannot renew it, because it is not in the default place. certbot is called with a specific config dir in this Python script, so shouldn't that also be done in the service?

How did that work in the past anyway? My certificate was renewed last time on April 28th. Was there some update that changed this, recently?

blu-nitro commented 1 month ago

Please note that we can't give support for anything you do directly on the NextBox via ssh. You can check the certificate status in the NextBox App under HTTPS / TLS. Also your browser should warn you if you tried to access your NextBox over HTTPS with an invalid certificate.

Under the hood NextBox does not use the service and instead renews certificates manually. As you found out correctly, the certbot config directory used is also not the default, so when you look up certificates in the default config directory it obviously can't find any.
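The reply above explains why `certbot certificates` reports "No certs found": certbot was pointed at a non-default config directory, so the default `/etc/letsencrypt` lookup has nothing to show. As an added example that is not NextBox project code, here is a small POSIX shell helper that checks expiry for every certificate under whatever certbot config directory it is given (the directory path, the `live/<name>/cert.pem` layout certbot uses, and the 30-day warning threshold are assumptions; it needs the `openssl` binary and GNU `date`).

```shell
#!/bin/sh
# Constructed helper (not from the NextBox project): audit certbot certificates
# in an arbitrary config directory instead of trusting the default lookup.

cert_days_left() {  # $1 = PEM certificate; prints whole days until notAfter
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s)   # GNU date; BSD date would need -j -f
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

check_certbot_dir() {  # $1 = certbot config dir, $2 = warn threshold (days)
    dir=$1; warn=${2:-30}; found=0; status=0
    # certbot keeps the current cert for each lineage at live/<name>/cert.pem
    for pem in "$dir"/live/*/cert.pem; do
        [ -f "$pem" ] || continue
        found=1
        days=$(cert_days_left "$pem")
        name=$(basename "$(dirname "$pem")")
        if [ "$days" -le "$warn" ]; then
            echo "WARN $name expires in $days days"; status=1
        else
            echo "OK   $name expires in $days days"
        fi
    done
    # Same situation as "No certs found." above: wrong or empty config dir
    [ "$found" -eq 1 ] || { echo "No certs found in $dir"; return 2; }
    return $status
}
```

Run it as `check_certbot_dir /path/to/custom/config-dir 30` from cron or a monitoring check; exit status 0 means all certificates are fine, 1 means at least one is close to expiry, 2 means the directory holds no certificates at all.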