Opened 18 months ago

Last modified 13 months ago

#102 new defect

Security certificate issue

Reported by: russell Owned by: chris
Priority: major Milestone: Maintenance
Component: crin4 Version:
Keywords: Cc:
Estimated Number of Hours: 0 Add Hours to Ticket: 0
Billable?: no Total Hours: 0.9

Description

Hi Chris,

I'm having trouble browsing to the stage site today on crin4 - I'm getting:

SEC_ERROR_EXPIRED_CERTIFICATE

.. trying to view stage.crin.org

Are you able to help there?

Many thanks,
Russell

Change History (10)

comment:1 Changed 18 months ago by russell

  • Component changed from backups to crin4

comment:2 Changed 18 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Total Hours set to 0.25

I think the problem was that Nginx needs a restart before a new cert is used and the Let's Encrypt certs are only valid for three months. I have restarted Nginx and it looks OK:

I have added this root crontab:

# restart nginx as certbot doesn't
01 01 01 * * service nginx restart

If/when I rebuild the servers with Debian stretch then I'd switch to using acme.sh for the certs as it can also restart services:

comment:3 Changed 18 months ago by russell

Thanks Chris

comment:4 Changed 17 months ago by russell

Hi Chris,

It looks a bit like this has happened again:

dev.crin.org uses an invalid security certificate. The certificate expired on 22 April 2017 00:02. The current time is 25 April 2017 11:30. Error code: SEC_ERROR_EXPIRED_CERTIFICATE

Do we think that restart's not sorting it out?

Thanks,
Russell

comment:5 Changed 17 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.15
  • Total Hours changed from 0.25 to 0.4

Sorry about this, an nginx restart has solved the problem. The crontab was set to run on the first of each month; I have changed this to every night, which isn't a perfect solution but should work.

comment:6 Changed 15 months ago by russell

Hi Chris,

I'm seeing that expired certificate again, would we expect that to roll round on cron tonight?

Thanks,
Russell


comment:7 Changed 15 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Total Hours changed from 0.4 to 0.65

I restarted Nginx and it is OK now:

I'm not sure why this root crontab isn't doing the trick:

01 01 * * * service nginx restart

I should probably switch the server over to use acme.sh:

comment:8 Changed 15 months ago by russell

Thanks Chris,

We seem to have a very old version of the dev. site there, presume that's from the DB recovery. I'll resync dev from live and rebuild.

comment:9 Changed 15 months ago by russell

prod > dev DB sync underway.

It will take a long time.

comment:10 Changed 13 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Total Hours changed from 0.65 to 0.9

This issue still hasn't been solved, I have just restarted Nginx to solve it for the next 6 weeks...
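The failure mode in this ticket is nginx continuing to serve a certificate that certbot has already renewed on disk. An added illustration, not code from the ticket or from chris: a cron-run script that compares the fingerprint of the certificate nginx presents with the one on disk, reloads nginx only when they differ, and warns separately when the on-disk certificate itself is close to expiry (meaning renewal, not the restart, is what failed). The hostname, the certbot path, the cron schedule and the script name are assumptions.

```bash
#!/bin/sh
# certcheck.sh: compare the certificate nginx is actually serving with the
# renewed one on disk and reload nginx only when it still holds the old one.
# This also tells "renewal never ran" apart from "nginx never picked it up".
# Assumed cron entry:  15 01 * * * /usr/local/sbin/certcheck.sh stage.example.org
set -eu

WARN_SECS=$((14 * 24 * 3600))   # warn when the on-disk cert expires within 14 days

# SHA-256 fingerprint of a PEM certificate file; prints nothing on failure.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Save the leaf certificate nginx presents for a host (with SNI) to a file.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null >"$2"
}

# True (exit 0) only when both fingerprints are known and differ, i.e. nginx is
# still serving a certificate other than the one certbot renewed on disk.
needs_reload() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

main() {
    host="$1"
    disk_cert="${2:-/etc/letsencrypt/live/$host/fullchain.pem}"  # assumed certbot layout
    tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT

    ondisk=$(fingerprint "$disk_cert")
    [ -n "$ondisk" ] || { echo "$host: cannot read $disk_cert" >&2; return 2; }
    fetch_served_cert "$host" "$tmp" || { echo "$host: cannot fetch served cert" >&2; return 2; }
    served=$(fingerprint "$tmp")
    if needs_reload "$served" "$ondisk"; then
        echo "$host: served $served differs from on-disk $ondisk, reloading nginx"
        service nginx reload
    elif ! openssl x509 -in "$disk_cert" -noout -checkend "$WARN_SECS"; then
        # Same cert on disk and on the wire, but it expires soon: renewal itself is failing.
        echo "$host: on-disk cert expires within 14 days, check the certbot renewal job" >&2
        return 1
    else
        echo "$host: certificate up to date"
    fi
}

# Only run when a host is given, so the functions can also be sourced for testing.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because it reloads rather than restarts, and only when the served certificate is actually stale, it can run nightly without interrupting connections; its non-zero exit lets cron mail the warning instead of the problem surfacing as a browser error weeks later.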
