JUST HORRIBLE TIME - continues???

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Oct 14, 2020.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I was getting odd SMTP errors this morning and discovered that my ssl cert attached to postfix was length 0!
    in /etc/postfix:
    lrwxrwxrwx 1 root root 54 Jun 23 2019 smtpd.cert -> /etc/letsencrypt/live/ns9.cdbsystems.com/fullchain.pem
    -rw-r--r-- 1 root root 2163 May 13 2018 smtpd.cert-180519192132.bak
    lrwxrwxrwx 1 root root 52 Jun 23 2019 smtpd.key -> /etc/letsencrypt/live/ns9.cdbsystems.com/privkey.pem
    in /etc/letsencrypt/live/ns9.cdbsystems.com:
    lrwxrwxrwx 1 root root 43 Sep 1 14:35 cert.pem -> ../../archive/ns9.cdbsystems.com/cert15.pem
    lrwxrwxrwx 1 root root 44 Sep 1 14:35 chain.pem -> ../../archive/ns9.cdbsystems.com/chain15.pem
    lrwxrwxrwx 1 root root 48 Sep 1 14:35 fullchain.pem -> ../../archive/ns9.cdbsystems.com/fullchain15.pem
    lrwxrwxrwx 1 root root 46 Sep 1 14:35 privkey.pem -> ../../archive/ns9.cdbsystems.com/privkey15.pem

    and the privkey and fullchain files were ZERO length. (they are not above because they are now the same as the xxxx14.pem keys)
    I manually copied *14.pem to *15.pem. so put cert14.pem on cert15.pem, privekey14.pem on privkey15.pem etc.
    now TLS sessions were validated, but cert was expired (according to test site I had run check).
    I thought to myself 'lets be clever' and ran
    /opt/certbot/certbot-auto (no parameters).
    I told it c to cancel out rather than give any numbers for domains, but thought it would update the ns9 key since it should appear old???.
    was there some parameter I should have passed??? or was this a really stupid thing to do?
    (probably the latter with my luck these days).
    then I went to ispconfig3 and unchecked the SSL/Letsencrypt boxes for ns9.cdbystems.com (vhost). waited for red circle to go away.
    then checked them again thinking it would recreate the certs for ns9.
    but it has not... so I still get TLS sessions that are encrypted, but with an expired key. and I'm still using the old pems that I copied from sept 1.
    how do I recreate JUST the ns9.cdbsystems.com key if the above does not work???

    and would running certbot-auto have any other bad effect that I have to panic over?

    thanks again!
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Certbot-auto is NOT the way to go, it is just to install/update certbot manually.
    You have to use "certbot renew" if system-certbot is installed or "/opt/eff.org/venv/bin/certbot renew" if not.

    Side note: PLEASE stop using those thread titles. They are disturbing and mis-leading.
  3. craig baker

    craig baker Member HowtoForge Supporter

    will do :) its just my life :)
  4. craig baker

    craig baker Member HowtoForge Supporter

    I ran certbot its in /opt/eff.org/certbot/venv/bin .. but it says...
    Processing /etc/letsencrypt/renewal/ns9.cdbsystems.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Traceback (most recent call last):
    File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/crypto_util.py", line 351, in _load_cert_or_req
    return load_func(typ, cert_or_req_str)
    File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1794, in load_certificate
    File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
    Error: [('PEM routines', 'get_name', 'no start line')]
    Renewal configuration file /etc/letsencrypt/renewal/ns9.cdbsystems.com.conf (cert: ns9.cdbsystems.com) produced an unexpected error: [('PEM routines', 'get_name', 'no start line')]. Skipping.

  5. craig baker

    craig baker Member HowtoForge Supporter

    ok found one of the *15.pem files was zero again. copied all *14.pem files to *15.pem files and reran .certbot renew
    and voila! ns9 now has a shiny new cert and problem seems solved!

    many thanks. and sorry if my titles were disturbing. I've been VERY DISTURBED <grin>
    but you folks have (as always) been super.
    Th0m likes this.
  6. craig baker

    craig baker Member HowtoForge Supporter

    have been checking my ssl cert for ns9.cdbsystems.com (after I restarted httpd - so the online checkers would see the new cert and one of them gives a clean bill of health the other says that my cert is good chain cert is good - but Root 1 is missing! do I care?
    it offers to let me download it.
    thanks again...
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I wouldn't; you don't normally include root certificates if the certificate is to be verified as trusted, because the verification has to happen all the way to a well-known, previously trusted root certificate.

Share This Page