openaustralia / infrastructure

Automated setup and configuration for most of OpenAustralia Foundation's servers

SSL cert expiry on multiple sites #146

Closed jamezpolley closed 4 years ago

jamezpolley commented 4 years ago

We've had people alert us to expired certificates on www.oaf.org.au and planningalerts.org.au.

I expected that these would have been updated automatically by certbot after #143.


jamezpolley commented 4 years ago

From /var/log/letsencrypt/letsencrypt.log:

```
2020-03-20 07:13:51,323:WARNING:certbot.renewal:Attempting to renew cert (planningalerts.org.au) from /etc/letsencrypt/renewal/planningalerts.org.au.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
```

Looks like it's trying to use the standalone method.

jamezpolley commented 4 years ago

```
# Options and defaults used in the renewal process
[renewalparams]
installer = None
authenticator = standalone
account = xxxxxxxxx
```

Because we'd previously been using the standalone updater, that's how it was trying to renew them.

Running certbot once with `--nginx` or `--apache` updates the files to use that method, and subsequent calls to certbot will honour what's in the config file.
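The failure mode above (a renewal conf still carrying `authenticator = standalone` on a host where nginx or apache already owns port 80) can be caught before the cert expires. The following is an added audit script, not code from the openaustralia/infrastructure repo; the conf text it parses is constructed in the shape of a certbot renewal file, and the `/etc/letsencrypt/renewal` path and `--nginx`/`--apache` flags are certbot's own.

```python
"""Flag certbot renewal configs whose standalone renewal would collide with a webserver on :80."""
from __future__ import annotations
import configparser
from pathlib import Path

# Constructed sample in the shape of /etc/letsencrypt/renewal/<domain>.conf (values made up,
# account id redacted as on the issue). Note the top-level keys before the [renewalparams] header.
SAMPLE_CONF = """\
archive_dir = /etc/letsencrypt/archive/planningalerts.org.au
cert = /etc/letsencrypt/live/planningalerts.org.au/cert.pem

# Options and defaults used in the renewal process
[renewalparams]
installer = None
authenticator = standalone
account = xxxxxxxxx
"""

def parse_renewal_conf(text: str) -> dict[str, str]:
    """Return the [renewalparams] section of a renewal conf as a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    # certbot writes bare keys before the first section header; give them a dummy section
    # so configparser accepts the file.
    parser.read_string("[top]\n" + text)
    if not parser.has_section("renewalparams"):
        return {}
    return dict(parser["renewalparams"])

def renewal_will_bind_port_80(params: dict[str, str]) -> bool:
    """True when certbot itself will try to listen on :80 during renewal (standalone mode)."""
    return params.get("authenticator", "").strip().lower() == "standalone"

def audit_renewal_confs(confs: dict[str, str], webserver_owns_port_80: bool) -> list[str]:
    """confs maps cert name -> conf text. Returns one finding per cert whose renewal would fail."""
    findings = []
    for name, text in sorted(confs.items()):
        params = parse_renewal_conf(text)
        if webserver_owns_port_80 and renewal_will_bind_port_80(params):
            findings.append(f"{name}: authenticator=standalone cannot bind :80 while the webserver "
                            f"holds it; rerun certbot with --nginx or --apache to rewrite this conf")
    return findings

def load_renewal_dir(renewal_dir: Path = Path("/etc/letsencrypt/renewal")) -> dict[str, str]:
    """Read every *.conf in certbot's renewal directory into the shape audit_renewal_confs expects."""
    return {conf.stem: conf.read_text() for conf in sorted(renewal_dir.glob("*.conf"))}

if __name__ == "__main__":
    for finding in audit_renewal_confs(load_renewal_dir(), webserver_owns_port_80=True):
        print(finding)
```

Run it from a cron job or an Ansible check task well before the 30-day renewal window so a stale standalone conf surfaces as an alert rather than as an expired cert.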

jamezpolley commented 4 years ago

5dc776cb9dc73be24d21a093cfb682062ea697d3 moved the certbot_webserver to the top-level host variables.

After that, an ansible ad-hoc command forcibly renewed all certs using the appropriate webserver:

```shell
.venv/bin/ansible ec2 --become -a "certbot renew --non-interactive --force-renew --{{ certbot_webserver}}"
```

Future renewals should work as expected.

jamezpolley commented 4 years ago

<@U04NJDA7L> My antivirus software is blocking me from accessing all https://www.oaf.org.au/ pages due to an expired security certificate. I've also received a number of notifications about 'Suspicious connections' being blocked while going about my usual work, i.e. I've only got gmail, TVFY and Slack open. I'm going to log out of everything now, restart and then try only going onto TVFY to see if that's the problem.