Let's Encrypt certificate renewal

adhawkins 2016-04-15 14:41:22 UTC #1

Hi,

It's been a while since I migrated to a Jessie BigV instance including the new Let's Encrypt support.

I notice that the certificate expiry for my main domain is 3rd May, which is only just over two weeks away.

When should I expect to see a new certificate be requested and start to be used?

Thanks

Andy

ieiloart 2016-04-15 15:14:52 UTC #2

Hi Andrew,

According to the docs "Symbiosis uses a command ‘symbiosis-ssl` to manage domains’ certificates. It is run on a daily basis to check and replace certificates that are due to expire in the next 10 days, or are otherwise missing."

http://symbiosis.bytemark.co.uk/docs/symbiosis.html#_generating_certificates_with_command_symbiosis_ssl_command

So, check back in a week (say 24 April), for peace of mind!

adhawkins 2016-04-15 15:43:40 UTC #3

Excellent, didn't think to check the docs. Doh!

Thanks for that

Andy

anahata 2016-04-25 12:26:05 UTC #4

I've been getting emails lately from Letsencrypt, warning me that a domain has 10 days to go. I think there's a race condition here, so I've altered the cron entry (in /etc/cron.d/symbiosis.common) to set the threshold to 12 days, thus hopefully ensuring the renewal happens before letsencrypt.org detects a warning condition.

adhawkins 2016-04-27 20:46:05 UTC #5

I've seen some of the certificates renew, but one of my domains still seems to be using the old certificate, even though symbiosis-ssl says the domain's certificate has been renewed:

* Examining certificates for gently.org.uk Current SSL set 1: signed by /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3, expires 2016-07-22 22:00:00 UTC

However, if I view the certificate in my browser, it says it expires in early May...

Looking at the apache sites-enabled file for the domain, the SSL certificate is pointing at set 0, not set 1 (which is the newer one). What is responsible for rotating this? If I've manually edited this file, will this stop it regenerating? Why doesn't it just point to 'current' rather than a specific certificate set?

Thanks

Andy

pcherry 2016-04-28 12:16:54 UTC #6

@anahata: I'd not realised that Let's Encrypt send emails at 19 days to go (or so) so I've upped the renewal threshold to 21 days from 10.

@adhawkins: The symbiosis-ssl part does not make assumptions about what is using the certificates, so it neither reconfigures nor restarts apache. However symbiosis-httpd-configure is run hourly, and should re-jig the apache config and reload as needed.

pcherry 2016-04-28 12:18:50 UTC #7

Also @adhawkins it should point at "current" -- there's clearly a bug there.

In that case (where symbiosis-httpd-configure) does not modify the configuration, then you have to wait until the daily reload is called as part of the logrotate scripts, which should cause apache to reload its SSL config.

adhawkins 2016-04-28 12:32:49 UTC #8

Hi Patrick,

Thanks for the response. Glad you agree that the apache configs should point at 'current' and not a specific set. I've modified the config for the domain concerned, and will keep an eye on the others to check that they update to 'current' as and when an update is release.

Cheers

Andy

adhawkins 2016-05-10 11:32:09 UTC #9

Hi,

Just wondering if there's been any progress on this?

Andy

martinbartos 2016-07-11 16:50:07 UTC #10

@adhawkins it's worth putting the @ version of the person - I think the forum system will probably do some notification.

@pcherry - looking back I think the bit which remains unanswered/ambiguous is whether the current version of symbiosis-http blah does now ensure that ssl config of apache does always point at current, or whether your message of Apr28th was indicating that it didn't need a bug fixed because for some reason the daily apache reload(?) fixes a misconnected ssl reference..?

like @adhawkins I'm not quite sure whether things are fixed - unlike him, I'm not however manually watching my domains - I'm expecting this stuff to happen automatically. Should I be worried?

adhawkins 2016-07-11 19:15:23 UTC #11

@martinbartos, you're right, I was questioning whether the links in the Apache config files have been changed to reference 'current' rather than a specific set.

Looking at my current config files, it doesn't look like they have. As such I'd expect that when the key expires for the domain I've had to customise, it's not going to correctly roll over to the new keys.

Any change this is going to be fixed @pcherry?

Thanks

Andy

pcherry 2016-07-15 11:55:59 UTC #12

I came to the conclusion that using the "versioned" certificates in the apache config snippets isn't a bug after all.

If the Apache config is pointing at the incorrect certificate, i.e. the configuration is out of date, then it will be regenerated to point at the new certificate and then Apache is reloaded, which means that we've a neat way to deal with certificates changing. Also it removes a bit of a race condition if apache were to restart between the symlinks for the certificate and key being put into current/

If the config is pointed at the current symlink, then the configuration would always be correct, whilst checking to see if Apache is using the correct certificate for a domain is possible, the action to take if the certificate is somehow incorrect is not necessarily clear, or easy to describe. There are a lot of corner cases.

I think for the moment I'll leave this as-is. This will work for people who have not edited their apache templates, but it will not work for people who have, which is an issue, and a really knobbly one to solve.

Patrick

adhawkins 2016-07-15 13:08:22 UTC #13

The only reason I've had to change the config file manually, is to change the http -> https redirect rule such that it points to the 'www.' version of the domain, rather than the bare one.

I don't suppose this is somehow configurable? Perhaps the 'ssl-only' file behaviour could be changed such that if it's not an empty file, the URL within it is used as the target for the redirect?

That way I could revert to the 'standard' file generation, and the SSL certificate stuff would just continue to work.

Thanks

Andy

martinbartos 2016-07-20 14:44:27 UTC #14

Thanks @pcherry for the update/clarity about roll-over certs.

@adhawkins - interesting idea and suggestion.

It's certainly a problem if innocent tweaks to apache config can cause as significant a functional breakdown as failure of cert changeover..

I wonder if a more general solution would be to extend symbiosis-http(?) somehow to support automated incorporation of Apache directives/snippets such as rewrites..? or perhaps a specific 'redirect' file (containing a target) would be worth consideration?
Just thinking about those times when I would like to conveniently redirect a domain somewhere else..

It would also be rather good to be able to validate a symbiosis setup for automated behaviour.. is there a symbiosis-test which will do that for a domain?

iainharrison 2016-08-14 11:30:56 UTC #15

Would there be a way to have a section of the apache templates for a user-configurable section? One that is just included when the .conf is generated.

kevinbeynon 2016-09-21 11:02:05 UTC #16

Since yesterday, a number of my sites using SSL from Let's Encrypt are displaying as expired in Firefox.

Using symbiosis-ssl shows that most of my sites have two sets. SSL set 0: Not valid has expired, but Current SSL set 1 from Let's Encrypt is valid and expires at the end of November.

Some of the sites with two sets work fine, others show as expired, even though symbiosis-ssl says their Let's Encrypt cert is up-to-date. They were all generated at the same time. The current symlink for each seems to point to Set 1, the valid Let's Encrypt cert, so maybe I'm chasing a red herring with the sets thing.

Any ideas would be much appreciated.

adhawkins 2016-09-21 12:34:36 UTC #17

Check the Apache config file for each domain points to the correct set. From memory, the apache config doesn't point to 'current', rather to a specific set.

If you've made any manual modifications to your apache config, this prevents symbiosis from updating it.

Andy

kevinbeynon 2016-09-21 12:38:50 UTC #18

Thanks. Will check that.

kevinbeynon 2016-09-24 16:39:57 UTC #19

I tried it straight away and it worked a treat. Thank you very much.

Kevin