#9530 renew ssl certificate for iddev
Closed: Fixed 3 years ago by smooge. Opened 3 years ago by suanand.

Describe what you would like us to do:


Kindly renew SSL certificate at iddev.fedorainfracloud.org

Exception: HTTPSConnectionPool(host='iddev.fedorainfracloud.org', port=443): Max retries exceeded with url: /openidc/Token (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1122)')))

When do you need this to be done by? (YYYY/MM/DD)


2020/12/31


We only give power/ping to this system. I don't see that we set up letsencrypt for the server so it was done by the admins of the box.

What I have done:
0. Checked playbooks to see if iddev was using certgetter for certs. (No)
1. Checked certgetter01 just in case the certs were there.
2. Logged into iddev to see what was going on.
3. Ran yum update (this does not seem to have been done in a long time)
4. ran systemctl status certbot-renew.service

This gave the error:

```
-- Subject: Unit certbot-renew.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit certbot-renew.service has begun starting up.
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Processing /etc/letsencrypt/renewal/iddev.fedorainfracloud.org.conf
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Cert is due for renewal, auto-renewing...
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Plugins selected: Authenticator standalone, Installer None
Dec 14 12:17:14 iddev.fedorainfracloud.org certbot[21399]: Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Renewing an existing certificate
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Performing the following challenges:
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: http-01 challenge for iddev.fedorainfracloud.org
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Cleaning up challenges
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: Attempting to renew cert (iddev.fedorainfracloud.org) from /etc/letsencrypt/renewal/iddev.fedorainfracloud.org.conf produced an une
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: All renewal attempts failed. The following certs could not be renewed:
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: /etc/letsencrypt/live/iddev.fedorainfracloud.org/fullchain.pem (failure)

Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: All renewal attempts failed. The following certs could not be renewed:
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: /etc/letsencrypt/live/iddev.fedorainfracloud.org/fullchain.pem (failure)
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 14 12:17:15 iddev.fedorainfracloud.org certbot[21399]: 1 renew failure(s), 0 parse failure(s)
Dec 14 12:17:15 iddev.fedorainfracloud.org systemd[1]: certbot-renew.service: main process exited, code=exited, status=1/FAILURE
Dec 14 12:17:15 iddev.fedorainfracloud.org systemd[1]: Failed to start This service automatically renews any certbot certificates found.
```

Metadata Update from @smooge:
- Issue assigned to smooge
- Issue tagged with: cloud, low-gain, medium-trouble, ops

3 years ago

I found that I needed to stop apache:

```
[root@iddev ~][PROD]# systemctl stop httpd
[root@iddev ~][PROD]# /usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew --force-renewal --standalone
```

and this updated the certs. I have restarted apache. I believe that the scripts for certbot have updated and the system owner will need to make changes in their configurations.

Metadata Update from @smooge:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
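
An added example, not part of the ticket or of the system's own tooling: a shell function that triages `certbot-renew` journal output like the log in this ticket, de-duplicating the repeated failure report and flagging the standalone + http-01 combination, where certbot has to bind port 80 itself. The function names, the `key=value` output format and the sample lines (host `host.example.org`) are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the ticket).
# Reads journal lines on stdin, prints one key=value finding per line,
# and returns 1 if certbot reported any renewal failure.
certbot_triage() {
    awk '
    # Drop the syslog prefix "Mon DD HH:MM:SS host certbot[pid]: ".
    { sub(/^.*certbot\[[0-9]+\]: /, "") }
    /^Plugins selected: Authenticator / { auth = $4; sub(/,$/, "", auth) }
    / challenge for /                   { challenge = $1 }
    # certbot prints the failed path twice; the array key de-duplicates it.
    /\(failure\)$/                      { failed[$1] = 1 }
    /renew failure\(s\)/                { nfail = $1 + 0 }
    END {
        print "authenticator=" auth
        print "challenge=" challenge
        for (p in failed) print "failed=" p
        print "renew_failures=" (nfail + 0)
        # standalone + http-01: certbot must listen on port 80 itself, so
        # an already running web server is the first thing to check.
        # "check=port80_listener" is a label invented for this example.
        if (nfail > 0 && auth == "standalone" && challenge == "http-01")
            print "check=port80_listener"
        exit (nfail > 0)
    }'
}

# Constructed sample input, modelled on the journal excerpt in this ticket.
sample_journal() {
    cat <<'EOF'
Dec 14 12:17:14 host.example.org certbot[21399]: Cert is due for renewal, auto-renewing...
Dec 14 12:17:14 host.example.org certbot[21399]: Plugins selected: Authenticator standalone, Installer None
Dec 14 12:17:15 host.example.org certbot[21399]: http-01 challenge for host.example.org
Dec 14 12:17:15 host.example.org certbot[21399]: All renewal attempts failed. The following certs could not be renewed:
Dec 14 12:17:15 host.example.org certbot[21399]: /etc/letsencrypt/live/host.example.org/fullchain.pem (failure)
Dec 14 12:17:15 host.example.org certbot[21399]: All renewal attempts failed. The following certs could not be renewed:
Dec 14 12:17:15 host.example.org certbot[21399]: /etc/letsencrypt/live/host.example.org/fullchain.pem (failure)
Dec 14 12:17:15 host.example.org certbot[21399]: 1 renew failure(s), 0 parse failure(s)
Dec 14 12:17:15 host.example.org systemd[1]: certbot-renew.service: main process exited, code=exited, status=1/FAILURE
EOF
}

# Demo run; "|| true" keeps the non-zero triage status from aborting a caller.
sample_journal | certbot_triage || true
```

On a live host the same function can be fed from `journalctl -u certbot-renew.service --no-pager`, and its exit status used by a monitoring check.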

Metadata Update from @smooge:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

3 years ago

works for me now; thanks!


Metadata
Boards 1
ops Status: Done