Domain: https://americanselfstorageok.com

Yesterday morning it started giving a "your connection is not private" warning for me and all of the users and client. It didn't renew the certs automatically for some reason.

I ssh'd into the server and did a certonly, successfully renewing the certs.

Now I can access the site just fine and the lock drop-down shows me a cert signed by my local Bitdefender antivirus. I've checked on Chrome, Firefox, and Edge on my computer. Some other devs have checked and they say it's fine. Everyone else says they are seeing the warning and I get the warning on Chrome, DuckDuckGo, and Brave browsers on my phone. Desktop still shows good certs and secure connection for me.

I thought maybe it takes time to propagate or replace old cert requests or something.

I'm a little worried my server was hacked or something. The website looks the same, nothing is 'off' and I pulled from git some changes I pushed locally.

I don't know why else this could be happening. The site has been up for several years without this issue and the certs always auto-renewed. Any advice?

  • Ubuntu 18.04
  • nginx
  • gunicorn
  • certbot installed through snap

When I use `sudo certbot renew` it says "Cert not yet due for renewal". I used `sudo certbot certonly` and it validated the URLs and made the certs. Am I just not using the new certs?

  • Hard to tell what you did but the currently public visible certificate expired at Apr 20 00:28:50 2021 GMT, so browsers rightly complain. Please check without an AV in between because maybe the SSL intercepting AV does not check the certificate properly. *"I thought maybe it takes time to propagate or replace old cert requests or something."* - No, it does not work like this with certificates. See also [the SSLLabs report](https://www.ssllabs.com/ssltest/analyze.html?d=americanselfstorageok.com). – Steffen Ullrich Apr 21 '21 at 17:25
  • Sounds like the certificate didn't get installed properly. _"It didn't renew the certs automatically for some reason"_ - You should look into that. It might have tried to run and hit an error instead. Did somebody change something on the server recently? Updated config, pushed new code, updated OS, etc.? – Andrew Myers Apr 21 '21 at 17:34

1 Answer

I was running `certbot certonly`, and `certbot renew`, and even `certbot --force-renewal` and would get either that the domain certs updated or that there was nothing to renew. Either way, it wasn't updating the expiry time on SSL Labs.

I noticed that I was using Letsencrypt also. I know they are the same but I think I have two different versions on my server and I'm using the older Letsencrypt.

Long story short, `sudo letsencrypt renew` said the certs were up to date, but `sudo letsencrypt --force-renewal` and then allowing the redirects caused everything to update and, like in the comments, the effect was instant.
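
The question "Am I just not using the new certs?" and the comment's advice to check without an AV in between can both be settled by comparing the certificate the server presents with the file the ACME client wrote. The following is an added example, not part of the original posts: the function names and the command-line usage are assumptions, and the script should be run on the server itself or on a machine with no TLS-intercepting antivirus.

```python
import hashlib
import socket
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def leaf_pem(text):
    """First certificate in a PEM bundle (fullchain.pem lists the leaf first)."""
    start = text.index(BEGIN)
    return text[start:text.index(END, start) + len(END)]

def fingerprint(pem):
    """SHA-256 over the DER bytes of the leaf certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf_pem(pem))).hexdigest()

def fetch_served_pem(host, port=443):
    """Fetch the certificate the server presents, bypassing the browser.
    Verification is off on purpose: an expired certificate must still be readable."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def is_expired(not_after, now):
    """not_after uses the OpenSSL text form, e.g. 'Apr 20 00:28:50 2021 GMT'."""
    return ssl.cert_time_to_seconds(not_after) <= now

def diagnose(served_pem, disk_pem):
    if fingerprint(served_pem) == fingerprint(disk_pem):
        return "OK: the server presents the certificate stored on disk"
    return ("MISMATCH: the server presents a different certificate than the file "
            "on disk; check which file the web server loads and reload it")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage (assumed): check.py <host> <path to fullchain.pem>
        with open(sys.argv[2]) as fh:
            print(diagnose(fetch_served_pem(sys.argv[1]), fh.read()))
    else:  # offline demo with constructed placeholder blobs, not real certificates
        old = ssl.DER_cert_to_PEM_cert(b"constructed old leaf")
        new = ssl.DER_cert_to_PEM_cert(b"constructed renewed leaf")
        print(diagnose(old, new))
        # "now" is a constructed timestamp one day after the expiry quoted in the comment
        print(is_expired("Apr 20 00:28:50 2021 GMT",
                         ssl.cert_time_to_seconds("Apr 21 17:25:00 2021 GMT")))
```

A mismatch after a successful renewal means the renewed file is not the one the web server has loaded, which fits the answer's observation that two different clients were installed on the same machine.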