jupyterhub / mybinder.org-deploy

Deployment config files for mybinder.org
https://mybinder-sre.readthedocs.io/en/latest/index.html
BSD 3-Clause "New" or "Revised" License

Renew Let's Encrypt SSL certificate used by GESIS #3098

Closed rgaiacs closed 1 month ago

rgaiacs commented 1 month ago

GESIS certificate will expire on Sep 30 19:53:22 2024 GMT.

openssl s_client -connect notebooks.gesis.org:443
Connecting to 194.95.75.9
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R10
verify return:1
depth=0 CN=notebooks.gesis.org
verify return:1
---
Certificate chain
 0 s:CN=notebooks.gesis.org
   i:C=US, O=Let's Encrypt, CN=R10
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul  2 19:53:23 2024 GMT; NotAfter: Sep 30 19:53:22 2024 GMT
 1 s:C=US, O=Let's Encrypt, CN=R10
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN=notebooks.gesis.org
issuer=C=US, O=Let's Encrypt, CN=R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3128 bytes and written 407 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
closed
rgaiacs commented 1 month ago

I ran

certbot renew

to renew the SSL certificate, but it failed with

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/notebooks.gesis.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/opt/certbot/lib/python3.10/site-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if not response_ocsp.this_update:
/opt/certbot/lib/python3.10/site-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
  if response_ocsp.this_update > now + timedelta(minutes=5):
/opt/certbot/lib/python3.10/site-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
  if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):
Renewing an existing certificate for notebooks.gesis.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: notebooks.gesis.org
  Type:   connection
  Detail: 194.95.75.9: Fetching http://notebooks.gesis.org/.well-known/acme-challenge/f_AAttYeOu8T051UTNzpCZEh_XGYQgpxKJO94DTiHS0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate notebooks.gesis.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/notebooks.gesis.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
rgaiacs commented 1 month ago

I tried to renew the certificate, but certbot continues to fail. I will look into it on Monday.

rgaiacs commented 1 month ago

certbot is failing because of missing firewall rules. I have asked IT to add the missing rules. If the rules are not added this afternoon, I will temporarily reduce the GESIS contribution to zero until the new firewall rules are in place.
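The two checks this thread walks through by hand (reading the expiry date off the served certificate, and finding out that the CA cannot reach port 80 for the HTTP-01 challenge) can be scripted as a pre-flight step before `certbot renew`. The following POSIX shell script is an added example; it is not code from this issue or from the mybinder.org-deploy repository. The host name, the 30-day window and the `preflight-$$` challenge token are assumptions chosen for illustration, and the `openssl`, `curl` and `certbot` flags used are the standard ones.

```shell
#!/bin/sh
# Added example (not part of mybinder.org-deploy): pre-flight checks for a
# Let's Encrypt renewal of the kind described in this issue.

# cert_expires_within DAYS FILE
#   Exit 0 if the PEM certificate in FILE expires within DAYS days (or has
#   already expired), 1 if it is still valid beyond that window.
#   `openssl x509 -checkend` does the date arithmetic, so no GNU `date` needed.
cert_expires_within() {
    days="$1"; file="$2"
    if openssl x509 -noout -checkend "$(( days * 86400 ))" -in "$file" >/dev/null 2>&1; then
        return 1    # still valid beyond the window
    fi
    return 0        # expires within the window, renew now
}

# cert_not_after FILE
#   Print the notAfter date of the PEM certificate in FILE
#   (same value as the "v:NotAfter" field in the s_client output above).
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# fetch_served_cert HOST [PORT]
#   Write the leaf certificate that HOST actually serves to stdout as PEM.
#   </dev/null closes stdin so s_client exits right after the handshake;
#   -servername sends SNI, which matters on hosts serving several names.
fetch_served_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509
}

# acme_http_reachable HOST
#   Request a (constructed, non-existent) token under the ACME challenge path
#   over plain HTTP on port 80. A 404 is fine: the point is to rule out the
#   "Timeout during connect" the CA reported, which is a firewall symptom.
#   Exit 0 = port 80 answered, 1 = connection refused or timed out.
acme_http_reachable() {
    host="$1"
    url="http://$host/.well-known/acme-challenge/preflight-$$"   # assumed token
    if curl -sS -o /dev/null --connect-timeout 10 --max-time 20 "$url" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Example usage (runs only when the script is executed with a host argument):
#   sh preflight.sh notebooks.gesis.org
if [ -n "$1" ]; then
    host="$1"
    tmp="$(mktemp)"
    fetch_served_cert "$host" > "$tmp"
    echo "served certificate expires: $(cert_not_after "$tmp")"
    if cert_expires_within 30 "$tmp"; then
        echo "renewal due within 30 days"
        if acme_http_reachable "$host"; then
            echo "port 80 reachable from here; try: certbot renew --dry-run"
        else
            echo "port 80 not reachable from here: check firewall before certbot renew"
        fi
    fi
    rm -f "$tmp"
fi
```

Two caveats a practitioner should keep in mind. First, `acme_http_reachable` only tells you what is reachable from wherever you run it; Let's Encrypt validates from its own vantage points on the public internet, so a check that passes from inside the GESIS network can still correspond to the timeout seen in this issue. Running it from an external host is the meaningful test. Second, `certbot renew --dry-run` exercises the whole challenge against the staging environment without touching the production certificate or rate limits, which is the cheapest way to confirm that a firewall change actually fixed the problem.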

rgaiacs commented 1 month ago

Certificate has been renewed.