Outdated self-signed cerificate keeps coming back

Detlef · September 20, 2020, 10:05am

Installation: RPI4, ubuntu 20.94, latest NGINX, MariaDB, NC 19.0.3. letsencrypt & SCME. All works fine, just: users (on the same LAN) with Thunderbird/Windows, IOS and Android keep betting warnings about an invalid self-signed certificate, which expired in 2017. SSL Checker reports valid cert from Ler’s encrypt, only.

I can’t find the source of the ss-certificate and stop it.

Please provide a hint.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can

[/details]

Nextcloud version (eg, 18.0.2):
Operating system and version (eg, Ubuntu 20.04):
Apache or nginx version (eg, Apache 2.4.25):
PHP version (eg, 7.1):

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N):

Steps to replicate it:

The output of your Nextcloud log in Admin > Logging:

PASTE HERE

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

PASTE HERE

The output of your Apache/nginx/system log in /var/log/____:

PASTE HERE

tflidd · September 20, 2020, 10:06am

How do you access nextcloud on your local network? The same URL like outside?

The problem is probably your webserver configuration, that with local access, you use a different vhost configuration which has still the old self-signed certificate and not the letsencrypt one.

Detlef · September 21, 2020, 12:37pm

Hi tflidd, thx for advise. Yes, I am using the same URL and it works fine with the new cert from let’s encrypt. Thing I noted meanwhile: the old ss-cert did show on Thunderbird and Iphone and not on Honor6x. The H6s has been run empty and fully restarted meanwhile. Therefore I have erased the cache of TB and Iphone. Now I keep fingers crossed.

Detlef · January 11, 2021, 2:34pm

@tflidd: sorry to come back. Outdated cert keeps coming back on Thunderbird via network. Tried to ignore it for a while - running out of patience now. Please drop a hint on where and how to look in vhost configuration.
Thx in advance.

tflidd · January 11, 2021, 4:10pm

Check the vhosts for ssl configuration, there could be several ones. In case you certificated was already renewed, perhaps it just needs to restart nginx. If the certificate wasn’t renewed, renew the certificate (check for new folders in /etc/letsencrypt/live/youdomain/*) and check the date.

Detlef · January 11, 2021, 6:41pm

Thanks a lot,tflidd. I had already restarted nginx several times.

On the user side I am receiving a nice, clean certificate, which is good for a quarter and renews. In addition only Thunderbird in the same network receives an old certificate which expired in 2017 and never renews.

Have gone down and up the vhost configuration and found only one ssl-conf. The list of ecc-certs looks clean and up to date.

Looks like I have somewhere a ghost. Looking now for some sw to control the traffic to find our where the outdated one comes from. Only other solution would be a fresh installation.

tflidd · January 12, 2021, 8:16am

then check all the ssl vhosts of nginx. egrep ssl * in the nginx config-folder. Perhaps there is a configs-enable or some similar folder you might want to check as well.

Detlef · January 18, 2021, 10:36am

Funny outcome in the end: there is some strange behaviour with Ubuntu and NGINX, where I had to stop NGINX and then also kill the the processes.

Here is my source with details: