Certificate renewal frustration!

I’ve been running NextCloud on CentOS 7 for a while and am loving it. Unfortunately I didn’t set up the certificate for automatic renewal (using LetsEncrypt).

So, when the cert expired a couple of weeks back, I renewed the certificate using certbot renew --reuse-key, and this seemed to work without any issues. However, when I access (or try to) the web interface, Chrome tells me that the date on the cert is invalid and I can’t access it.

I’ve seen plenty of posts regarding renewals and the page not loading but none seem to quite match what I’m seeing. Happy to be pointed in the right direction if I missed anything.

So you have renewed your certificate, restarted the web server and the browser still tells you the certificate is expired?

The certbot puts new certificates in:
/etc/letsencrypt/live/<yourdomain>/
Make sure that your apache/nginx configuration refers to that address.

Hi eehmke,

That is correct, I also tried restarting the server itself (VM). As you note, the certs are indeed found in /etc/letsencrypt/live/nextcloud.domain.net:

And I can confirm that my Apache config is pointing to that path - here is /etc/httpd/conf.d/nextcloud.domain.net.conf:

And I may as well show you the Chrome error I get while I am at it as well:

One thing I thought might be the issue is the date and time on the server, which is correct:

I wouldn’t have thought the certificates being symlinked would be a normal thing, and haven’t tried to remove the symlinks and replace them with the actual files in case I broke it more.

You could try to use curl or openssl to verify that the new certificate is used.

curl -vvI https://cloud.domain.tld

I would prefer to use openssl because it is a bit more verbose and outputs more details about the certificate used; curl only outputs the name and dates.

openssl s_client -showcerts -servername cloud.domain.tld -connect cloud.domain.tld:443 | openssl x509 -inform pem -noout -text

If the output matches your certificate data then the new certificate is used. If Chrome still reports a date/time error, check the time/date on your client; maybe there is an offset between your client and server.

Thanks for the tip And_i.

As you suggested I ran the OpenSSL command and it is showing that the cert expired on March 31st (which is correct). But if I look at the timestamp of the certificate files being referenced by Apache config, they are showing April 12 (which is when I performed the renewal).

Have I perhaps missed a step after obtaining the new certs?

Hello @brettfk,

welcome to the community of Nextcloud.

Your issue with Let's Encrypt and CentOS is not related to Nextcloud and is therefore off-topic.
You will get better help at other places. Please use your preferred search engine to get help.

Your vhost config is here:

Is there by any chance another vhost declaration that is actually used? Do you have a /etc/httpd/sites-enabled directory?

If the certificate you get when you access the website is different from the one you have in your filesystem, I would guess the webserver has not loaded it.

Try to restart/reload your webserver and test again. You could also try to use a different browser like Firefox and check if the same problem occurs. If not, it could also be a caching problem with the browser.
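
The comparison suggested in the replies above, as an added example that is not part of the original thread: a POSIX shell script that fetches the certificate the server presents and compares its SHA-256 fingerprint and expiry date with the renewed file on disk. The function names and messages are this example's own, and the host name and path in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread. Usage (host and path are placeholders):
#   sh certcheck.sh cloud.domain.tld /etc/letsencrypt/live/cloud.domain.tld/cert.pem
# Use the file that SSLCertificateFile names in the vhost you expect to be served.

# Save the leaf certificate the server presents for SNI name $1 into file $2.
# </dev/null lets s_client exit after the handshake instead of waiting on stdin.
fetch_served() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -outform pem >"$2" 2>/dev/null
}

# Strip the label ("SHA256 Fingerprint=", "notAfter=") from a line of openssl output.
value_of() { printf '%s\n' "${1#*=}"; }

fingerprint() { value_of "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"; }
expiry()      { value_of "$(openssl x509 -in "$1" -noout -enddate)"; }

# Compare the served fingerprint ($1) with the on-disk one ($2).
verdict() {
    if [ "$1" = "$2" ]; then
        echo "MATCH: the server presents the certificate stored on disk"
    else
        echo "STALE: the server presents a different certificate;" \
             "reload the web server or look for another vhost/SSLCertificateFile"
    fi
}

main() {
    host=$1
    file=$2
    tmp=$(mktemp) || return 1
    trap 'rm -f "$tmp"' EXIT
    if ! fetch_served "$host" "$tmp"; then
        echo "could not fetch a certificate from $host:443" >&2
        return 1
    fi
    echo "served : $(fingerprint "$tmp")  (expires $(expiry "$tmp"))"
    echo "on disk: $(fingerprint "$file")  (expires $(expiry "$file"))"
    verdict "$(fingerprint "$tmp")" "$(fingerprint "$file")"
}

if [ "$#" -eq 2 ]; then
    main "$@"
fi
```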