tl;dr: I used to use certbot to install a new certificate from Let's Encrypt, but that involved manually updating TXT records. So I tried to switch to lego to do it. But when I use lego to install a new certificate, it doesn't actually install a new certificate (the old one still shows in the browser).
Longer version:
I'm on an AWS Lightsail instance running Bitnami. I'm a little familiar with Linux, but I wouldn't consider myself "handy" with it.
In the past, I used to do the following to renew my certificates:
DOMAIN=mydomain.com
WILDCARD=*.$DOMAIN
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly
(Install TXT records)
sudo /opt/bitnami/ctlscript.sh restart apache
However, this is a bit annoying to have to do, and Let's Encrypt helpfully provides the lego library to do this automatically. So based on the documentation I could find, I did the following:
$ sudo /opt/bitnami/ctlscript.sh stop
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
$ sudo /opt/bitnami/letsencrypt/lego --tls --email="myemail@domain.com" --domains="mydomain.com" --domains="www.mydomain.com" --path="/opt/bitnami/letsencrypt" run
2020/02/28 16:58:57 [INFO] [mydomain.com, www.mydomain.com] acme: Obtaining bundled SAN certificate
2020/02/28 16:58:57 [INFO] [mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3062019938
2020/02/28 16:58:57 [INFO] [www.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3062019945
2020/02/28 16:58:57 [INFO] [mydomain.com] acme: use tls-alpn-01 solver
2020/02/28 16:58:57 [INFO] [www.mydomain.com] acme: use tls-alpn-01 solver
2020/02/28 16:58:57 [INFO] [mydomain.com] acme: Trying to solve TLS-ALPN-01
2020/02/28 16:58:58 http: TLS handshake error from 74.108.143.17:49475: remote error: tls: illegal parameter
2020/02/28 16:58:58 http: TLS handshake error from 94.6.194.131:59130: remote error: tls: bad certificate
2020/02/28 16:58:58 http: TLS handshake error from 74.108.143.17:49476: remote error: tls: illegal parameter
2020/02/28 16:58:58 http: TLS handshake error from 94.6.194.131:59131: remote error: tls: bad certificate
2020/02/28 16:59:00 http: TLS handshake error from 81.187.9.124:49274: remote error: tls: bad certificate
2020/02/28 16:59:01 http: TLS handshake error from 74.108.143.17:49477: remote error: tls: illegal parameter
2020/02/28 16:59:01 http: TLS handshake error from 94.6.194.131:59136: remote error: tls: bad certificate
2020/02/28 16:59:03 [INFO] [mydomain.com] The server validated our request
2020/02/28 16:59:03 [INFO] [www.mydomain.com] acme: Trying to solve TLS-ALPN-01
2020/02/28 16:59:05 http: TLS handshake error from 94.6.194.131:59137: remote error: tls: bad certificate
2020/02/28 16:59:05 http: TLS handshake error from 74.108.143.17:49478: remote error: tls: illegal parameter
2020/02/28 16:59:06 http: TLS handshake error from 86.163.23.242:53113: remote error: tls: bad certificate
2020/02/28 16:59:08 http: TLS handshake error from 94.6.194.131:59138: remote error: tls: bad certificate
2020/02/28 16:59:08 http: TLS handshake error from 74.108.143.17:49479: remote error: tls: illegal parameter
2020/02/28 16:59:09 [INFO] [www.mydomain.com] The server validated our request
2020/02/28 16:59:09 [INFO] [mydomain.com, www.mydomain.com] acme: Validations succeeded; requesting certificates
2020/02/28 16:59:10 [INFO] [mydomain.com] Server responded with a certificate.
$ sudo /opt/bitnami/letsencrypt/lego --tls --email="myemail@domain.com" --domains="unmodchat.com" --domains="www.mydomain.com" --path="/opt/bitnami/letsencrypt" renew --days 90
2020/02/28 16:59:13 [INFO] [mydomain.com] acme: Trying renewal with 2158 hours remaining
2020/02/28 16:59:13 [INFO] [mydomain.com, www.mydomain.com] acme: Obtaining bundled SAN certificate
2020/02/28 16:59:14 [INFO] [mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3062019938
2020/02/28 16:59:14 [INFO] [www.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/3062019945
2020/02/28 16:59:14 [INFO] [mydomain.com] acme: authorization already valid; skipping challenge
2020/02/28 16:59:14 [INFO] [www.mydomain.com] acme: authorization already valid; skipping challenge
2020/02/28 16:59:14 [INFO] [mydomain.com, www.mydomain.com] acme: Validations succeeded; requesting certificates
2020/02/28 16:59:14 [INFO] [mydomain.com] Server responded with a certificate.
$ sudo /opt/bitnami/ctlscript.sh start
/opt/bitnami/mysql/scripts/ctl.sh : mysql started at port 3306
/opt/bitnami/php/scripts/ctl.sh : php-fpm started
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
After doing that, and restarting my browser, when I look at the certificate details it lists the same expiration date as before (March 20th, less than a month from now).
What am I doing wrong? I have a feeling that lego might be installing the certificates to the wrong place, but I'm not quite sure how to find where the "right" place is, nor how to tell lego to put them there.
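The check a practitioner would run at this point is to find out which certificate file Apache is configured to serve, compare it with what lego wrote, and compare both with what the live server actually presents. The script below is an added example and not part of the original post; the paths it mentions (Bitnami's Apache config under /opt/bitnami/apache2/conf, lego's output under /opt/bitnami/letsencrypt/certificates/<domain>.crt) are assumptions about a typical Bitnami layout and may differ on a given instance. The fingerprint helpers need openssl.

```shell
#!/bin/sh
# Added example (not from the post). Assumed paths: Bitnami's Apache config
# tree under /opt/bitnami/apache2/conf and lego's output under
# /opt/bitnami/letsencrypt/certificates/<first-domain>.crt and .key.

# Print "Directive path" for every active SSLCertificateFile /
# SSLCertificateKeyFile line in the given Apache config files
# (leading whitespace and quotes stripped, commented-out lines ignored).
apache_cert_files() {
    grep -h -E '^[[:space:]]*SSLCertificate(File|KeyFile)[[:space:]]' "$@" 2>/dev/null \
        | sed -E 's/^[[:space:]]*//; s/"//g' \
        | awk '{print $1, $2}'
}

# SHA-256 fingerprint of a PEM certificate on disk (needs openssl).
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate the live server presents for $1,
# using SNI so a name-based vhost returns the right one (needs openssl).
served_fingerprint() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# "same" if two PEM files carry the same certificate, "different" otherwise.
compare_certs() {
    if [ "$(file_fingerprint "$1")" = "$(file_fingerprint "$2")" ]; then
        echo same
    else
        echo different
    fi
}

# Usage on a Bitnami host (paths are assumptions; adjust to the instance):
#   apache_cert_files /opt/bitnami/apache2/conf/bitnami/bitnami.conf
#   compare_certs /opt/bitnami/letsencrypt/certificates/mydomain.com.crt \
#                 /opt/bitnami/apache2/conf/server.crt
#   served_fingerprint mydomain.com     # what the browser actually sees
#   openssl x509 -enddate -noout -in /opt/bitnami/letsencrypt/certificates/mydomain.com.crt
```

If `compare_certs` reports "different", lego wrote a fresh certificate but Apache is still pointing at the old file; either copy (or symlink) lego's .crt and .key over the paths `apache_cert_files` reports, or change those directives to lego's output paths, then restart Apache and confirm with `served_fingerprint` that the fingerprint now matches the new file.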