
I'm using certbot to generate SSL certs for my website. I had an issue (because of cron script error and out of date python2, now resolved) where auto-update didn't work. I now have up to date license files on my server.

The license files are in an archive under letsencrypt, the number seems to increment each update (fullchain3 is latest):

    root@mysite /etc/letsencrypt/live/mysite.com # ls -l ../../archive/mysite.com/
    total 48K
    -rw-r--r-- 1 root root 3.4K Sep  8  2017 fullchain1.pem
    -rw-r--r-- 1 root root 3.5K May  8 17:02 fullchain2.pem
    -rw-r--r-- 1 root root 3.5K Jul  7 21:19 fullchain3.pem

A symlink points to the latest, and lighty is set up to follow the link:

    root@mysite /etc/letsencrypt/live/mysite.com # ls -l ../../live/mysite.com/fullchain.pem
    lrwxrwxrwx 1 root root 39 Jul  7 21:19 ../../live/mysite.com/fullchain.pem -> ../../archive/mysite.com/fullchain3.pem

However, SSL Labs tells me my cert is out of date, and when I check the serial numbers of the license files, it turns out they are getting fullchain2.pem.

Lighty has been restarted. mod-compress is running though; can that be caching the old cert file, even through a restart? And if so, how do I tell it not to? If not, what's the cause?

UPDATE: I tried stopping lighty, clearing the cache directory and restarting. Same result, the same file seems to be served ...

danmcb
  • 103
  • 5

1 Answer

OK, problem solved.

For lighty an additional step is required after updating certs. Basically, a new file has to be manually created by concatenating two files in the cert directory. See the link below:

https://www.bytebang.at/Blog/Free+SSL+certificate+for+lighttpd+with+letsencrypt

If this is not done, lighty's error log will be full of "certificate expired" messages.

(Not going to give the full setup procedure here, but, essentially, after updating the certs, you need to do the following:

    cat privkey.pem cert.pem > web.pem

which should match the line

    ssl.pemfile = "/etc/letsencrypt/live/mysite.com/web.pem"

in your lighty configuration.)

As has been pointed out below, it should not in fact be necessary to use the concatenated file with the latest lighty, but rather than change my (otherwise stable) configuration, I created a simple bash script to manage the cert update and also create the concatenated files:

    #!/bin/bash

    # Rebuild web.pem in the given live directory when it is older than
    # cert.pem, i.e. when certbot has just renewed the certificate.
    function update_web {
        cd "$1" || return 1
        if [ web.pem -ot cert.pem ]; then
            echo "updating web.pem in $1"
            cat privkey.pem cert.pem > web.pem
            # web.pem contains the private key, so keep it readable by root only
            chmod 600 web.pem
        fi
    }

    /root/certbot/certbot-auto renew --no-self-upgrade
    update_web /etc/letsencrypt/live/mysite.com
    update_web /etc/letsencrypt/live/www.mysite.com

danmcb
  • 103
  • 5
  • You should include the procedure here in your answer, in case the link dies (which happens a lot). – Michael Hampton Aug 23 '20 at 14:19
  • 1
    @danmcb You must be using an older version of lighttpd. lighttpd 1.4.53 (released Jan 2019, a year and a half ago) supports `ssl.privkey` option to define the private key in a separate file. (Combining them into `ssl.pemfile` still works, too) Latest lighttpd release is 1.4.55. – gstrauss Aug 25 '20 at 20:27
  • hmmm. Thank you. But I am on 1.4.53. So I shouldn't need to do this ... odd. – danmcb Aug 29 '20 at 17:06
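The renewal step described in the answer above, written as a certbot deploy hook, as an added example that is not part of the original post and not certbot's or lighttpd's own code. It follows the answer's recipe (web.pem = privkey.pem + cert.pem, referenced by ssl.pemfile), but rebuilds the file only when certbot has actually renewed a lineage, writes it so the private key is never world-readable, and includes the serial-number comparison the question performed by hand to confirm which certificate lighttpd really serves. The web.pem name, the use of cert.pem, the systemd service name `lighttpd` and the script path in the usage note are assumptions; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```shell
#!/bin/bash
# Added example (not from the original post): certbot --deploy-hook that
# rebuilds lighttpd's combined ssl.pemfile (privkey + cert, as in the answer)
# for each renewed lineage, keeps it root-readable only, and reloads lighttpd.
# Assumed: the file is called web.pem, the leaf cert is cert.pem and the
# service is named lighttpd.
set -eu

# build_pemfile DIR [CERT]
# Concatenate DIR/privkey.pem and DIR/CERT (default cert.pem) into DIR/web.pem.
# The file is assembled in a 0600 temp file and renamed into place, so the
# private key is never exposed with a permissive mode, not even briefly, and
# lighttpd never reads a half-written file. Prints the path it wrote.
build_pemfile() {
    local dir="$1" cert="${2:-cert.pem}" key chain out tmp
    key="$dir/privkey.pem"
    chain="$dir/$cert"
    out="$dir/web.pem"
    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "build_pemfile: $key or $chain missing or unreadable" >&2
        return 1
    fi
    tmp=$(umask 077 && mktemp "$dir/.web.pem.XXXXXX")
    cat "$key" "$chain" > "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
    printf '%s\n' "$out"
}

# pem_serial FILE: serial of the first CERTIFICATE block in FILE.
# openssl skips the PRIVATE KEY block at the top of web.pem, so this works
# on the combined file as well as on cert.pem / fullchainN.pem.
pem_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# served_serial HOST [PORT]: serial of the certificate HOST presents on the
# wire. -servername sends SNI, so the right virtual host is checked.
served_serial() {
    openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | openssl x509 -noout -serial | cut -d= -f2
}

# check_served HOST DIR: return 1 if what lighttpd serves for HOST is not the
# certificate in DIR/web.pem. This is the check that exposed the stale
# fullchain2.pem in the question.
check_served() {
    local want have
    want=$(pem_serial "$2/web.pem")
    have=$(served_serial "$1")
    printf 'on disk: %s\nserved:  %s\n' "$want" "$have"
    [ "$want" = "$have" ]
}

# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to deploy
# hooks, once per lineage that was actually renewed. Run by hand without it,
# the script only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pemfile "$RENEWED_LINEAGE"
    systemctl reload lighttpd
fi
```

Installed as, say, /root/bin/lighttpd-pem-hook.sh and registered with `certbot renew --deploy-hook /root/bin/lighttpd-pem-hook.sh` (certbot-auto accepts the same option), the hook replaces the `update_web` calls in the answer's script and also performs the reload the question had to do by hand. After a renewal, `. /root/bin/lighttpd-pem-hook.sh; check_served mysite.com /etc/letsencrypt/live/mysite.com` prints both serials and exits non-zero if the server is still handing out the old certificate.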