Opened 18 months ago

Last modified 13 months ago

#102 new defect

Security certificate issue

Reported by: russell Owned by: chris
Priority: major Milestone: Maintenance
Component: crin4 Version:
Keywords: Cc:
Estimated Number of Hours: 0 Add Hours to Ticket: 0
Billable?: no Total Hours: 0.9

Description

Hi Chris,

I'm having trouble browsing to the stage site today on crin4 - I'm getting:

SEC_ERROR_EXPIRED_CERTIFICATE

.. trying to view stage.crin.org

Are you able to help there?

Many thanks,
Russell

Change History (10)

comment:1 Changed 18 months ago by russell

  • Component changed from backups to crin4

comment:2 Changed 18 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Total Hours set to 0.25

I think the problem was that Nginx needs a restart before a new cert is used and the Let's Encrypt certs are only valid for three months. I have restarted Nginx and it looks OK:

I have added this root crontab:

# restart nginx as certbot doesn't
01 01 01 * * service nginx restart

If/when I rebuild the servers with Debian stretch then I'd switch to using acme.sh for the certs as it can also restart services:

comment:3 Changed 18 months ago by russell

Thanks Chris

comment:4 Changed 17 months ago by russell

Hi Chris,

It looks a bit like this has happened again:

dev.crin.org uses an invalid security certificate. The certificate expired on 22 April 2017 00:02. The current time is 25 April 2017 11:30. Error code: SEC_ERROR_EXPIRED_CERTIFICATE

Do we think that restart's not sorting it out?

Thanks,
Russell

comment:5 Changed 17 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.15
  • Total Hours changed from 0.25 to 0.4

Sorry about this, an Nginx restart has solved the problem. The crontab was set to run on the first of each month; I have changed this to every night, which isn't a perfect solution but should work.

comment:6 Changed 15 months ago by russell

Hi Chris,

I'm seeing that expired certificate again:
https://dev.crin.org/

Would we expect that to roll round on cron tonight?

Thanks,
Russell

Last edited 15 months ago by russell

comment:7 Changed 15 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Total Hours changed from 0.4 to 0.65

I restarted Nginx and it is OK now:

I'm not sure why this root crontab isn't doing the trick:

01 01 * * * service nginx restart

I should probably switch the server over to use acme.sh:
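The recurring failure in this ticket is that certbot renews the certificate on disk but Nginx keeps serving the one it loaded at start-up, so the blind restart cron in comment 2 and comment 7 is a stand-in for a check nobody was running. The script below is an added example, not part of the ticket or of certbot/acme.sh: it fetches the certificate a host actually serves, compares it with the PEM on disk, and reports RELOAD_NEEDED when they differ, EXPIRING when the served one is inside a warning window, and OK otherwise. It uses only the standard library (a small DER walk pulls out notAfter, since ssl.getpeercert() returns no fields when verification is off). The host and PEM path in the __main__ block are placeholders.

```python
"""Added example (not from the ticket): is nginx serving the cert certbot wrote?"""
import datetime
import hashlib
import socket
import ssl
import sys

UTC = datetime.timezone.utc
RELOAD_NEEDED = "RELOAD_NEEDED"  # disk cert differs from the served one: reload nginx
EXPIRING = "EXPIRING"            # served cert is inside the warning window
OK = "OK"


def _tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def not_after_from_der(der: bytes) -> datetime.datetime:
    """Walk Certificate -> tbsCertificate -> validity -> notAfter (RFC 5280 layout)."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)             # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)         # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    _, validity, _ = _tlv(tbs, pos)        # Validity { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)          # notBefore
    tag, value, _ = _tlv(validity, pos)    # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=UTC)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, used to compare served vs disk."""
    return hashlib.sha256(der).hexdigest()


def days_left(der: bytes, now: datetime.datetime) -> float:
    """Days until notAfter; negative once the certificate has expired."""
    return (not_after_from_der(der) - now).total_seconds() / 86400.0


def classify(served_der: bytes, disk_der: bytes, now: datetime.datetime,
             warn_days: int = 14) -> str:
    """The decision the nightly restart cron was standing in for."""
    if fingerprint(served_der) != fingerprint(disk_der):
        return RELOAD_NEEDED
    if days_left(served_der, now) < warn_days:
        return EXPIRING
    return OK


def fetch_served_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """DER certificate the server presents. Verification is off so an
    already-expired certificate can still be inspected instead of raising."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def load_disk_der(pem_path: str) -> bytes:
    """First certificate in a PEM file (the leaf, for a certbot fullchain.pem)."""
    with open(pem_path) as fh:
        text = fh.read()
    start = text.index("-----BEGIN CERTIFICATE-----")
    end = text.index("-----END CERTIFICATE-----") + len("-----END CERTIFICATE-----")
    return ssl.PEM_cert_to_DER_cert(text[start:end])


if __name__ == "__main__":
    # Placeholders: pass the real host and the live/<host>/fullchain.pem path.
    host = sys.argv[1] if len(sys.argv) > 1 else "dev.crin.org"
    pem = sys.argv[2] if len(sys.argv) > 2 else "/etc/letsencrypt/live/HOST/fullchain.pem"
    served, disk = fetch_served_der(host), load_disk_der(pem)
    now = datetime.datetime.now(UTC)
    print(classify(served, disk, now),
          "served expires", not_after_from_der(served).isoformat(),
          "disk expires", not_after_from_der(disk).isoformat())
```

Run from cron with a non-zero exit on anything but OK and the alert arrives before the browser error does. If the report is RELOAD_NEEDED on the night after a renewal, the restart cron is not firing (or is firing before certbot does); if the disk certificate itself is near expiry, renewal is what is failing, which a restart can never fix. certbot can also run a reload command itself after a successful renewal (its deploy hook), which is the behaviour comment 2 wants from acme.sh.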

comment:8 Changed 15 months ago by russell

Thanks Chris,

We seem to have a very old version of the dev. site there, presume that's from the DB recovery. I'll resync dev from live and rebuild.

comment:9 Changed 15 months ago by russell

prod > dev DB sync underway.

It will take a long time.

comment:10 Changed 13 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Total Hours changed from 0.65 to 0.9

This issue still hasn't been solved, I have just restarted Nginx to solve it for the next 6 weeks...
