ddavness / power-mailinabox

A Mail-in-a-Box with extra capabilities and more customizability. Not just for power users!
Creative Commons Zero v1.0 Universal

certbot renewal fails #76

Open lifeboy opened 1 year ago

lifeboy commented 1 year ago

My P-MiaB machine has not renewed the certificate automatically, although it was originally installed without problems.

I'm currently using the system via a NAT'ed IP address, since I'm using external DNS, so it's working fine.

How can I manually renew the certificate? If I use "certbot certificates" from the console I get no certs. Trying the "install certificate" button from the GUI also has no result.

Here is /var/log/letsencrypt/letsencrypt.log:

2022-09-11 01:37:59,032:DEBUG:certbot.main:certbot version: 0.40.0
2022-09-11 01:37:59,033:DEBUG:certbot.main:Arguments: ['-q']
2022-09-11 01:37:59,033:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-11 01:37:59,079:DEBUG:certbot.log:Root logging level set at 30
2022-09-11 01:37:59,079:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-09-11 01:37:59,106:DEBUG:certbot.renewal:no renewal failures
2022-09-11 20:34:47,634:DEBUG:certbot.main:certbot version: 0.40.0
2022-09-11 20:34:47,634:DEBUG:certbot.main:Arguments: ['-q']
2022-09-11 20:34:47,635:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-11 20:34:47,720:DEBUG:certbot.log:Root logging level set at 30
2022-09-11 20:34:47,720:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-09-11 20:34:47,787:DEBUG:certbot.renewal:no renewal failures

I installed the certbot nginx plugin and followed what was suggested here, but still no joy.

Running certbot --nginx manually allows me to get certificates for the domain I select, but they don't show in the certificates config of the system.

ddavness commented 1 year ago

How long until the certificates expire? The certificates are only renewed ~10-14 days before they do so. The logs are reporting "no renewal failures" so it could happen that certbot decided that there was no need to renew anything.

If you run management/ssl_certificates.py from the mail-in-a-box folder (usually at /root/mailinabox), what happens?

lifeboy commented 1 year ago

How long until the certificates expire?

They have already expired, and to be able to get back into the web interface I had to comment out the "add_header Strict-Transport-Security" lines in nginx's local.conf.

# ./ssl_certificates.py 
Provisioning TLS certificates for box2.gtahardware.co.za, mta-sts.box2.gtahardware.co.za, openpgpkey.box2.gtahardware.co.za.
skipped: gtahardware.co.za:
The domain has a valid certificate already. (The certificate expires in 89 days on 2022-12-12. Certificate: /home/user-data/ssl/gtahardware.co.za-20221212-717e9a22.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: autoconfig.gtahardware.co.za:
The domain has a valid certificate already. (The certificate expires in 89 days on 2022-12-12. Certificate: /home/user-data/ssl/gtahardware.co.za-20221212-717e9a22.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: autodiscover.gtahardware.co.za:
The domain has a valid certificate already. (The certificate expires in 89 days on 2022-12-12. Certificate: /home/user-data/ssl/gtahardware.co.za-20221212-717e9a22.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: mta-sts.gtahardware.co.za:
The domain has a valid certificate already. (The certificate expires in 89 days on 2022-12-12. Certificate: /home/user-data/ssl/gtahardware.co.za-20221212-717e9a22.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: openpgpkey.gtahardware.co.za:
The domain has a valid certificate already. (The certificate expires in 89 days on 2022-12-12. Certificate: /home/user-data/ssl/gtahardware.co.za-20221212-717e9a22.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: www.gtahardware.co.za:
The domain has a valid certificate already. (The certificate expires in 89 days on 2022-12-12. Certificate: /home/user-data/ssl/gtahardware.co.za-20221212-717e9a22.pem, private key /home/user-data/ssl/ssl_private_key.pem)

skipped: afsarv.com:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: autoconfig.afsarv.com:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: autodiscover.afsarv.com:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: mta-sts.afsarv.com:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: openpgpkey.afsarv.com:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: www.afsarv.com:
The domain name does not resolve to this machine: 198.54.117.210; 198.54.117.211; 198.54.117.212; 198.54.117.215; 198.54.117.216; 198.54.117.217; 198.54.117.218 (A).

skipped: giesler.za.net:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: autoconfig.giesler.za.net:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: autodiscover.giesler.za.net:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: mta-sts.giesler.za.net:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: openpgpkey.giesler.za.net:
The domain name does not resolve to this machine: [Not Set] (A).

skipped: www.giesler.za.net:
The domain name does not resolve to this machine: 162.255.119.253 (A).

installed: box2.gtahardware.co.za, mta-sts.box2.gtahardware.co.za, openpgpkey.box2.gtahardware.co.za:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for box2.gtahardware.co.za
http-01 challenge for mta-sts.box2.gtahardware.co.za
http-01 challenge for openpgpkey.box2.gtahardware.co.za
Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /tmp/tmpu20x55xv/cert
Cert chain written to 8
Cert chain written to 9
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /tmp/tmpu20x55xv/cert_and_chain.pem
   Your cert will expire on 2022-12-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

updating primary certificate
mail services restarted
web updated

giesler.za.net has recently been added but the DNS has not been changed from the old addresses yet, so that can be ignored for now. It seems from the result that the manual update I did yesterday is detected and the additional updates have been done. So the problem is then that the ssl_certificates.py script didn't run automatically?
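As an added example (not Mail-in-a-Box's own code), this stdlib-only Python models the three outcomes visible in the ssl_certificates.py output above together with the renewal window ddavness describes, so an operator can see why a domain is skipped and get an alert before an expired certificate plus HSTS locks them out of the admin UI. The 14-day threshold, the IPs, the hostnames and the dates are constructed assumptions, not the reporter's real data.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Assumption: renew once 14 or fewer days remain (the "~10-14 days" window above).
RENEW_WITHIN_DAYS = 14

@dataclass(frozen=True)
class DomainState:
    name: str
    a_records: tuple[str, ...]      # resolved A records; () stands for "[Not Set]"
    cert_expires: date | None       # notAfter of the installed cert, None if none

def decide(d: DomainState, my_ip: str, today: date) -> str:
    """Return one 'action: domain: reason' line in the style of the output above."""
    if my_ip not in d.a_records:
        shown = "; ".join(d.a_records) or "[Not Set]"
        return f"skipped: {d.name}: does not resolve to this machine: {shown} (A)"
    if d.cert_expires is None:
        return f"provision: {d.name}: no certificate installed"
    days_left = (d.cert_expires - today).days
    if days_left < 0:
        return f"EXPIRED: {d.name}: expired {-days_left} days ago on {d.cert_expires}; provision now"
    if days_left <= RENEW_WITHIN_DAYS:
        return f"provision: {d.name}: expires in {days_left} days on {d.cert_expires}"
    return f"skipped: {d.name}: valid certificate, expires in {days_left} days on {d.cert_expires}"

def needs_attention(lines: list[str]) -> bool:
    """True if any domain is expired or due: what a daily cron check would alert on."""
    return any(line.startswith(("EXPIRED:", "provision:")) for line in lines)

# Constructed sample data: the box is assumed to sit at 203.0.113.10.
MY_IP = "203.0.113.10"
TODAY = date(2022, 9, 14)
SAMPLE = [
    DomainState("box.example.com", (MY_IP,), date(2022, 12, 12)),   # 89 days left -> skipped
    DomainState("old.example.com", (MY_IP,), date(2022, 9, 10)),    # already expired
    DomainState("soon.example.com", (MY_IP,), date(2022, 9, 20)),   # 6 days left -> due
    DomainState("new.example.net", (), None),                       # DNS "[Not Set]"
    DomainState("www.example.net", ("198.51.100.7",), None),        # points elsewhere
]

def report(domains=SAMPLE, my_ip=MY_IP, today=TODAY) -> list[str]:
    return [decide(d, my_ip, today) for d in domains]

if __name__ == "__main__":
    for line in report():
        print(line)
    print("attention needed:", needs_attention(report()))
```

Feed it real values from `openssl x509 -enddate -noout -in <cert>` and your resolver's A records to turn it into a pre-expiry alert rather than discovering the problem from a browser HSTS error.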