Weird SSL Renewal Problem

I have a problem with SSL Renewal

Certificate status in mailinabox admin is:
Signed & valid. The certificate expires in 13 days on 04/27/20

However, if I SSH into the box and run:
certbot renew
I get:
/etc/letsencrypt/live/box.xxxxxxxxx.xxx/fullchain.pem expires on 2020-06-01 (skipped)

I also tried to renew using the management/ssl_certificates.py tool and got the following:

error: box.xxxx.xxx and lots of other subdomains:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Performing the following challenges:
dns-01 challenge for box.xxx.xxx
Cleaning up challenges
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 155, in perform
self._verify_ip_logging_ok()
File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 182, in _verify_ip_logging_ok
if display.yesno(msg, cli_flag=cli_flag, force_interactive=True):
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 542, in yesno
self._interaction_fail(message, cli_flag)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(You can set this with the --manual-public-ip-logging-ok flag)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs[-1]()
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 323, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 242, in cleanup
env = self.env.pop(achall)
KeyError: KeyAuthorizationAnnotatedChallenge(challb=ChallengeBody(chall=DNS01(token=b'\x18\x9b\xa0.\x07\x08\xb0\x87k\x96O\x16\xbc\xa1\xfd>\xedT\x9b\xd2\xbb\xdd-S#\xed~@\xa0\xc1\xa6\x92'), uri='some acme address', _url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/3926075353/rGfcuA', status=Status(pending), validated=None, error=None), domain='xxx.xxxxx.xxx', account_key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x7f5eb30a52e8>)>))
Missing command line flag or config entry for this setting:
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(You can set this with the --manual-public-ip-logging-ok flag)

OK, I got a little further with this.

Edited mailinabox/management/ssl_certificates.py

Added a flag:
"--manual-public-ip-logging-ok",

After:
"--config-dir", account_path,

Ran the mailinabox/management/ssl_certificates.py tool, and the certificate has now renewed.

Also, mailinabox admin now reports the date as expected.

Guess I will have to see in 90 days if the SSL certs autorenew

I cannot speculate on what the underlying issue is, or if your changes will fix it going forward.

What I can do though is explain why you have a certificate with a different date.

Although MiaB uses certbot, it does not use the implementation that is installed directly. It calls that installation with several variables which direct the location of the stored certificate, etc. So, while you were successful in issuing a cert expiring on 6/1/2020 (which makes no sense, as if you ran it on 4/14 the cert should expire on 7/13), the certificate was placed in Certbot’s default location, not where MiaB searches for the certificates when it calls certbot itself.

Thanks for the reply.

That makes sense.

What would the location of the MiaB certs be on an Ubuntu box with the default set-up?

/home/user-data/ssl


Thanks

I think I got messed up some time ago with a previous renewal problem and used certbot to try and fix the problem.

So when I run certbot certificates, it is looking at the wrong certificates and giving the expiry of June 1st 2020.

Looking in /home/user-data/ssl, I see a symlinked cert pem file created today which looks to have the expiry as part of the filename, xxxx-20200712-c51b9c7e.pem, which does seem to be correct.

Thanks for your help.

Of course I will forget all of this in 90 days' time when the renewal comes due again, and back around in circles I will go again lol.
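To make the mismatch in this thread concrete (certbot's default location versus /home/user-data/ssl, and the date MiaB embeds in its file names), here is an added example that is not part of the thread or of Mail-in-a-Box: a stdlib-only Python check that reads notAfter straight out of a PEM certificate, extracts the date from a MiaB-style file name, and flags when two locations disagree. The certificate skeleton it builds as input is constructed (minimal and unsigned, just enough for the parser), and box.example.com is a placeholder name.

```python
import base64
import re
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(pem):
    """Return notAfter (UTC) of the first certificate in a PEM string, no third-party libs."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    der = base64.b64decode("".join(m.group(1).split()))
    _, p, _ = _tlv(der, 0)                      # Certificate SEQUENCE
    _, p, _ = _tlv(der, p)                      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, p)                  # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)              # serialNumber
    _, _, end = _tlv(der, end)                  # signature AlgorithmIdentifier
    _, _, end = _tlv(der, end)                  # issuer Name
    _, v, _ = _tlv(der, end)                    # validity SEQUENCE {notBefore, notAfter}
    _, _, nb_end = _tlv(der, v)                 # skip notBefore
    tag, s, e = _tlv(der, nb_end)               # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[s:e].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def filename_expiry(name):
    """MiaB stores issued certs as <domain>-YYYYMMDD-<hash>.pem; return that date or None."""
    m = re.search(r"-(\d{8})-[0-9a-f]+\.pem$", name)
    return datetime.strptime(m.group(1), "%Y%m%d").replace(tzinfo=timezone.utc) if m else None

def compare(pem_by_label, now):
    """Days left per location, plus a flag when the locations disagree (the symptom in the thread)."""
    days = {label: (cert_not_after(pem) - now).days for label, pem in pem_by_label.items()}
    return days, len(set(days.values())) > 1

def _der(tag, body):                            # short-form lengths only; the sample stays < 128 bytes
    return bytes([tag, len(body)]) + body

def sample_pem(not_after):
    """Constructed, unsigned certificate skeleton for exercising the parser (not a real cert)."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                 # version v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))     # sha256WithRSAEncryption
           + _der(0x30, b"") + _der(0x30, utc(datetime(2020, 4, 14)) + utc(not_after)))  # empty issuer, validity
    b64 = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
```

On a real box you would feed compare() the contents of the PEM MiaB serves from /home/user-data/ssl (assumed to be ssl_certificate.pem there) and the fullchain.pem under /etc/letsencrypt/live/ that certbot renew reported; a non-empty disagreement flag is exactly the "two different expiry dates" situation above.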