I was getting odd SMTP errors this morning and discovered that my ssl cert attached to postfix was length 0! in /etc/postfix: lrwxrwxrwx 1 root root 54 Jun 23 2019 smtpd.cert -> /etc/letsencrypt/live/ns9.cdbsystems.com/fullchain.pem -rw-r--r-- 1 root root 2163 May 13 2018 smtpd.cert-180519192132.bak lrwxrwxrwx 1 root root 52 Jun 23 2019 smtpd.key -> /etc/letsencrypt/live/ns9.cdbsystems.com/privkey.pem in /etc/letsencrypt/live/ns9.cdbsystems.com: lrwxrwxrwx 1 root root 43 Sep 1 14:35 cert.pem -> ../../archive/ns9.cdbsystems.com/cert15.pem lrwxrwxrwx 1 root root 44 Sep 1 14:35 chain.pem -> ../../archive/ns9.cdbsystems.com/chain15.pem lrwxrwxrwx 1 root root 48 Sep 1 14:35 fullchain.pem -> ../../archive/ns9.cdbsystems.com/fullchain15.pem lrwxrwxrwx 1 root root 46 Sep 1 14:35 privkey.pem -> ../../archive/ns9.cdbsystems.com/privkey15.pem and the privkey and fullchain files were ZERO length. (they are not above because they are now the same as the xxxx14.pem keys) I manually copied *14.pem to *15.pem. so put cert14.pem on cert15.pem, privekey14.pem on privkey15.pem etc. now TLS sessions were validated, but cert was expired (according to test site I had run check). I thought to myself 'lets be clever' and ran /opt/certbot/certbot-auto (no parameters). I told it c to cancel out rather than give any numbers for domains, but thought it would update the ns9 key since it should appear old???. was there some parameter I should have passed??? or was this a really stupid thing to do? (probably the latter with my luck these days). then I went to ispconfig3 and unchecked the SSL/Letsencrypt boxes for ns9.cdbystems.com (vhost). waited for red circle to go away. then checked them again thinking it would recreate the certs for ns9. but it has not... so I still get TLS sessions that are encrypted, but with an expired key. and I'm still using the old pems that I copied from sept 1. how do I recreate JUST the ns9.cdbsystems.com key if the above does not work??? thanks. and would running certbot-auto have any other bad effect that I have to panic over? thanks again! cdb.
Certbot-auto is NOT the way to go, it is just to install/update certbot manually. You have to use "certbot renew" if system-certbot is installed or "/opt/eff.org/venv/bin/certbot renew" if not. Side note: PLEASE stop using those thread titles. They are disturbing and mis-leading.
I ran certbot its in /opt/eff.org/certbot/venv/bin .. but it says... Processing /etc/letsencrypt/renewal/ns9.cdbsystems.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Traceback (most recent call last): File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/crypto_util.py", line 351, in _load_cert_or_req return load_func(typ, cert_or_req_str) File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1794, in load_certificate _raise_current_error() File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue raise exception_type(errors) Error: [('PEM routines', 'get_name', 'no start line')] Renewal configuration file /etc/letsencrypt/renewal/ns9.cdbsystems.com.conf (cert: ns9.cdbsystems.com) produced an unexpected error: [('PEM routines', 'get_name', 'no start line')]. Skipping. ack!!!
ok found one of the *15.pem files was zero again. copied all *14.pem files to *15.pem files and reran .certbot renew and voila! ns9 now has a shiny new cert and problem seems solved! many thanks. and sorry if my titles were disturbing. I've been VERY DISTURBED <grin> but you folks have (as always) been super. cdb.
have been checking my ssl cert for ns9.cdbsystems.com (after I restarted httpd - so the online checkers would see the new cert and one of them gives a clean bill of health the other says that my cert is good chain cert is good - but Root 1 is missing! do I care? it offers to let me download it. thanks again...
I wouldn't; you don't normally include root certificates if the certificate is to be verified as trusted, because the verification has to happen all the way to a well-known, previously trusted root certificate.