bitnami / vms

Bitnami VMs
https://bitnami.com

Bitnami Lightsail AWS - BNCert update has bricked website with inconclusive systemctl status log #1490

Closed jdavs75 closed 1 month ago

jdavs75 commented 2 months ago

Platform

AWS

bndiagnostic ID

37a872d5-d77d-502e-c5b8-febcab9b4bf4

bndiagnostic output

[Tue Apr 16 04:51:57.505054 2024] [autoindex:error] [pid 859818:tid 139879828645632] [client ip_address:39064] AH01276: Cannot serve directory /opt/bitnami/wordpress/wp-content/plugins/activecampaign-subscription-forms/: No matching DirectoryIndex (index.html,index.html,index.htm,index.php) found, and server-generated directory index forbidden by Options directive

[Tue Apr 16 17:32:31.819066 2024] [access_compat:error] [pid 859675:tid 139879476348672] [client ip_address:44706] AH01797: client denied by server configuration: /opt/bitnami/wordpress/xmlrpc.php

[Tue Apr 16 17:32:43.227666 2024] [access_compat:error] [pid 859675:tid 139878889154304] [client ip_address:46110] AH01797: client denied by server configuration: /opt/bitnami/wordpress/xmlrpc.php

[Tue Apr 16 17:33:25.647764 2024] [access_compat:error] [pid 859818:tid 139879593649920] [client ip_address:36492] AH01797: client denied by server configuration: /opt/bitnami/wordpress/xmlrpc.php

AH00526: Syntax error on line 5 of /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf: SSLCertificateFile: file '/opt/bitnami/apache/conf/www.[redact].crt' does not exist or is empty

bndiagnostic was not useful. Could you please tell us why?

n/a

Describe your issue as much as you can

Any help/thoughts/gifts of kindness gratefully received.


gongomgra commented 2 months ago

Hi @jdavs75,

Thanks for using Bitnami. I have checked the bndiagnostic information and I have found the problem. The Apache configuration is pointing the certificates via symlink to a file that doesn't exist on your server.

I have then visited your website and I found out that the certificate is expired.

$ curl -LI "http://advent***ple.com"
HTTP/1.1 302 Found
Date: Wed, 17 Apr 2024 12:09:05 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Location: https://advent***ple.com/
Content-Type: text/html; charset=iso-8859-1

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The thing is that it is not possible to renew an already expired certificate, so you will have to request a new one.

jdavs75 commented 2 months ago

Thanks @gongomgra - appreciate the feedback. I ended up spinning up a new server from a backup. It was that expired non-www cert I was trying to replace/renew via bncert that caused the issue. Do you have any suggestions as to why this may have occurred so that I can prevent it happening again on renewal/request? Appreciate your time and insight on this.

gongomgra commented 2 months ago

Hi @jdavs75,

I see in the bndiagnostic information that you already have a cronjob to try to renew the certificate automatically which is run on a daily basis. Unfortunately, I don't know why it has failed to renew the certificates. Can you check cron logs? Can you also share the lego and bncert tools version installed on your server?

/opt/bitnami/letsencrypt/lego --version
/opt/bitnami/bncert-tool --version

Did you try to generate a new certificate?
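
A pre-flight check for the failure diagnosed in this thread (a vhost `SSLCertificateFile` that resolves through a symlink to a missing or empty file, or a certificate at or near expiry), as an added example that is not part of the original thread or of Bitnami's tooling. The function names and the 14-day warning window are assumptions; it assumes absolute, space-free paths in the vhost file.

```shell
#!/bin/sh
# Added example (not Bitnami code). Usage, with the vhost named in the AH00526 error:
#   sh check_vhost_certs.sh /opt/bitnami/apache/conf/vhosts/wordpress-https-vhost.conf

# Print the paths named by SSLCertificateFile / SSLCertificateKeyFile directives.
# Directive names are case-insensitive in Apache; commented-out lines do not match.
cert_paths() {
  awk 'tolower($1) ~ /^sslcertificate(key)?file$/ { gsub(/"/, "", $2); print $2 }' "$1"
}

# Classify one path: DANGLING (symlink whose target is gone), MISSING, EMPTY,
# EXPIRING, or OK. $2 is the warning window in days (assumed default: 14).
check_path() {
  cp_path=$1
  cp_days=${2:-14}
  if [ -L "$cp_path" ] && [ ! -e "$cp_path" ]; then echo DANGLING; return; fi
  [ -e "$cp_path" ] || { echo MISSING; return; }
  [ -s "$cp_path" ] || { echo EMPTY; return; }
  # Only certificates carry an expiry date; key files stop at the checks above.
  if grep -q 'BEGIN CERTIFICATE' "$cp_path" && command -v openssl >/dev/null 2>&1; then
    # -checkend exits non-zero if the cert is expired, expires within the
    # window, or cannot be parsed at all.
    openssl x509 -in "$cp_path" -noout -checkend $((cp_days * 86400)) >/dev/null 2>&1 \
      || { echo EXPIRING; return; }
  fi
  echo OK
}

# Report every referenced file; return non-zero if any of them is not OK,
# so a cron wrapper or a pre-restart hook can act on the exit status.
check_vhost() {
  cv_rc=0
  cv_paths=$(cert_paths "$1")
  while IFS= read -r cv_p; do
    [ -n "$cv_p" ] || continue
    cv_st=$(check_path "$cv_p" "${2:-14}")
    printf '%-9s %s\n' "$cv_st" "$cv_p"
    [ "$cv_st" = OK ] || cv_rc=1
  done <<EOF
$cv_paths
EOF
  return $cv_rc
}

if [ "$#" -gt 0 ]; then check_vhost "$@"; fi
```

Running it before an Apache restart reports a `DANGLING` or `MISSING` certificate path up front, which is the condition behind the AH00526 error quoted above.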

github-actions[bot] commented 2 months ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 1 month ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.