Missing https cert

adrianblakey
Posts: 5
Joined: Thu Dec 14, 2017 2:47 pm

Missing https cert

Post by adrianblakey » Thu Dec 14, 2017 9:10 pm

I want to upgrade ubos, however httpd will not run.

/var/log/httpd/error.log says - failed to configure CA certificate chain.

When I first successfully set this up (6 months ago) I used letsencrypt. I believe an attempt was made to renew the cert in Oct and I suspect that did not happen.

Any thoughts about how to bring this back to life?



j12t
Posts: 79
Joined: Tue Dec 12, 2017 9:17 pm

Re: Missing https cert

Post by j12t » Fri Dec 15, 2017 6:30 pm

The Apache folks changed the way they want certificates to be used. It used to be that you'd have three files: 1) private key, 2) your cert, 3) the certificate chain, leading to three entries in the Apache config file. Now they want only two files: 1) private key, 2) all certs, yours and the chain, in the same file.

UBOS switched from the old scheme to the new scheme a few months ago, but it's very possible that the "upgrade" has hiccups.

If you look into /etc/letsencrypt/live/<hostname>, you see the files that Letsencrypt issues: they support both cases (fullchain vs chain and cert). Your error message seems to indicate that the certs entry in the Apache config file points to the chain rather than the fullchain file. To find that entry, as root:

cd /etc/httpd
grep -r /etc/letsencrypt .

It should say (for each site), as it says for this very site:

./ubos/sites/s......conf:    SSLCertificateKeyFile /etc/letsencrypt/live/forum.ubos.net/privkey.pem
./ubos/sites/s......conf:    SSLCertificateFile /etc/letsencrypt/live/forum.ubos.net/fullchain.pem

It might be easiest to edit that file and make it point to the right entry. Alternatively, backing up your site, undeploying it and restoring it might also fix it.

After that, restart Apache and certbot:

sudo systemctl restart ubos-httpd
sudo systemctl restart certbot

Hope this helps!

P.S. I assume your cert is now expired. I don't know what Letsencrypt does when attempting to renew an expired cert. Usually certbot is trying to renew well before the expiration.
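The chain-vs-fullchain check that the reply above describes, written out as an added example (this is not code from the thread or from UBOS). It assumes the Apache SSLCertificateFile directive exactly as it appears in the grep output above and paths without whitespace; the config directory and PEM files it creates are constructed demo data, and on a real box you would call audit_ssl_config /etc/httpd instead.

```shell
#!/bin/sh
# Added example, not UBOS's own code: audit Apache SSL config entries for the
# chain-vs-fullchain mix-up. Assumes Apache's SSLCertificateFile directive as seen
# in the thread, and paths without whitespace. The config directory and PEM files
# created below are constructed demo data.
set -u

# Count PEM certificate blocks in a file; 0 if the file is missing or unreadable.
count_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Inspect every SSLCertificateFile directive below a config directory.
# Prints "STATUS conf -> pem" per directive, where STATUS is OK, CHAIN_ONLY
# (points at chain.pem: intermediates only, the site's own cert is absent),
# SINGLE_CERT (leaf only: clients may fail to build a chain) or MISSING (file absent).
# Returns 0 only if every directive is OK.
audit_ssl_config() {
    confdir=$1
    rc=0
    for conf in $(grep -rl 'SSLCertificateFile' "$confdir" 2>/dev/null); do
        for pem in $(grep '^[[:space:]]*SSLCertificateFile[[:space:]]' "$conf" | awk '{print $2}'); do
            case "$pem" in
                */chain.pem) status=CHAIN_ONLY ;;
                *)
                    n=$(count_certs "$pem")
                    if [ "$n" -eq 0 ]; then status=MISSING
                    elif [ "$n" -eq 1 ]; then status=SINGLE_CERT
                    else status=OK
                    fi ;;
            esac
            [ "$status" = OK ] || rc=1
            echo "$status $conf -> $pem"
        done
    done
    return $rc
}

# --- constructed demo data: one broken site and one correct site ---
demo=$(mktemp -d)
live="$demo/letsencrypt/live/example.invalid"
mkdir -p "$demo/httpd/ubos/sites" "$live"
# Fake PEM files: only the BEGIN/END markers matter for counting.
printf -- '-----BEGIN CERTIFICATE-----\nleaf\n-----END CERTIFICATE-----\n' > "$live/cert.pem"
cat "$live/cert.pem" "$live/cert.pem" > "$live/fullchain.pem"   # stands in for leaf + intermediate
printf '    SSLCertificateKeyFile %s/privkey.pem\n    SSLCertificateFile %s/chain.pem\n' \
    "$live" "$live" > "$demo/httpd/ubos/sites/bad.conf"
printf '    SSLCertificateKeyFile %s/privkey.pem\n    SSLCertificateFile %s/fullchain.pem\n' \
    "$live" "$live" > "$demo/httpd/ubos/sites/good.conf"

# On a real device: audit_ssl_config /etc/httpd
audit_ssl_config "$demo/httpd" || echo "at least one site config needs fixing"
```

A CHAIN_ONLY result is the situation the reply describes: Apache is handed the intermediates without the site's own certificate, so the entry should point at fullchain.pem before Apache and certbot are restarted.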

adrianblakey
Posts: 5
Joined: Thu Dec 14, 2017 2:47 pm

Re: Missing https cert

Post by adrianblakey » Thu Dec 28, 2017 2:22 am

I suspect something happened during an update, because the contents of /etc/letsencrypt/live/.../ are:

cert.pem -> ../../archive/.../cert2.pem
chain.pem -> ../../archive/.../chain2.pem
fullchain.pem -> ../../archive/.../fullchain2.pem
privkey.pem -> ../../archive/.../privkey2.pem
README

If I do: openssl s_client -showcerts -connect host:443

It says: CN = localhost.localdomain - so it seems like it's some sort of temporary made up cert.

I looked at the files cert1/fullchain1 etc and they are exactly the same as the "2" files.

Any ideas about how I can run letsencrypt (certbot?) to hand me an updated cert, since whatever I had that was working has gone into the bitbucket?

j12t
Posts: 79
Joined: Tue Dec 12, 2017 9:17 pm

Re: Missing https cert

Post by j12t » Thu Dec 28, 2017 7:07 pm

UBOS does SNI so we can do different certs for different hostnames on the same device: https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

So if you connect like you do with openssl you will get the default cert, which is indeed localhost.localdomain and self-generated. I don't know off-hand whether openssl was extended so it can do SNI. If in doubt, try curl.
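The SNI point above, as an added example that is not part of the thread or of UBOS: openssl s_client only sends the server name when given -servername, which is why the plain connect in the earlier post returned the default localhost.localdomain certificate, while curl sends SNI on its own. The s_client outputs below are constructed so the check runs offline; the host name is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from UBOS: check which certificate a
# name-based SSL vhost serves with and without SNI. openssl s_client sends SNI
# only when given -servername; curl sends it automatically. The s_client outputs
# below are constructed for an offline run; the host name is assumed.

# Commands a practitioner would run against a live host (not executed here).
sni_check_commands() {
    host=$1
    echo "openssl s_client -servername $host -connect $host:443 -showcerts </dev/null"
    echo "curl -vI https://$host/ -o /dev/null"
}

# Read openssl s_client output on stdin and print the subject CN.
# Handles both "subject=O = y, CN = x" and the older "subject=/O=y/CN=x" form.
subject_cn() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the CN in the s_client output on stdin equals the expected host.
cert_matches_host() {
    [ "$(subject_cn)" = "$1" ]
}

# Constructed output: no -servername, so Apache answers with the default vhost's
# self-generated certificate, which is what the earlier post observed.
NO_SNI_OUTPUT='Certificate chain
 0 s:CN = localhost.localdomain
   i:CN = localhost.localdomain
---
subject=CN = localhost.localdomain
issuer=CN = localhost.localdomain'

# Constructed output: with -servername forum.ubos.net, the site's own cert is served.
WITH_SNI_OUTPUT='Certificate chain
 0 s:CN = forum.ubos.net
   i:O = Example CA, CN = Example Intermediate
---
subject=CN = forum.ubos.net
issuer=O = Example CA, CN = Example Intermediate'

sni_check_commands forum.ubos.net
printf '%s\n' "$NO_SNI_OUTPUT" | cert_matches_host forum.ubos.net \
    || echo "without SNI: served CN is $(printf '%s\n' "$NO_SNI_OUTPUT" | subject_cn)"
printf '%s\n' "$WITH_SNI_OUTPUT" | cert_matches_host forum.ubos.net \
    && echo "with SNI: served certificate matches forum.ubos.net"
```

Seeing localhost.localdomain from a plain connect is therefore not evidence that the site's certificate is gone; repeating the check with -servername (or curl) against the real host name is what tells you which certificate that vhost is actually serving.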
