[Symbiosis] Letsencrypt cert error

After a very recent Let's Encrypt update one of my WordPress sites is showing a certificate error.

The error message: This server couldn’t prove that it’s www.goathornpiercottage.co.uk; its security certificate is from goathornpiercottage.co.uk. This may be caused by a misconfiguration or an attacker intercepting your connection.

As the error suggests, when the WordPress settings are edited to view the site at goathornpiercottage.co.uk then the site displays without certificate errors.

I suspect there is a small config error somewhere but where to check?

I'm not sure where to look for this on an old Symbiosis Jessie vm

Environment

The site is hosted on a Symbiosis Jessie vm which I intend to migrate to the next update of Sympl.

  • Debian Version [Buster/Stretch]:
  • Hardware Type? VM
  • Hosted On? Bytemark

I can’t really provide much in the way of support for Symbiosis directly, but off the top of my head running symbiosis-ssl --verbose --force goathornpiercottage.co.uk should force a new certificate to be generated.

Hi Paul,

Fully understood and appreciated. I reached out because you probably wrote the code.

Bytemark have just sent this working fix through:

If you are running Symbiosis you may resolve the issue with the SSL certificate as follows:

  1. Log in to the server as the root user
  2. Run the following command: symbiosis-ssl -vf goathornpiercottage.co.uk
  3. Wait for the completion of the command in step 2 and once completed successfully run the following command:
    apachectl -t

Note: This should return: Syntax OK

  4. If apachectl -t returns OK then you may run the following command:
    systemctl restart apache2
  5. Check the site in your browser and it should now be providing SSL certificate coverage for the www and root domain.

Thanks very much indeed for your kind response and keep up the good work with Sympl.


Regards, Pete
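The final step of the fix above is "check the site in your browser", and the original error is exactly the case a browser is checking for: the served certificate's Subject Alternative Names did not include the www. hostname. The script below is an added example, not part of this thread or of Symbiosis/Sympl; it applies the same name-matching rule a browser does (exact match, or a single wildcard label on the left, per RFC 6125) and reports which of the bare and www. names a certificate fails to cover. SAMPLE_CERT is a constructed certificate dict in the shape Python's ssl module returns, built to mirror the symptom in the thread using example.com; fetch_cert() is only used when a domain is given on the command line and needs network access.

```python
"""Report which hostnames a site's TLS certificate does not cover."""
import socket
import ssl
import sys


def san_dns_names(cert):
    """DNS entries from a certificate dict in the shape ssl.SSLSocket.getpeercert()
    returns: {'subjectAltName': (('DNS', 'example.com'), ...)}."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, pattern):
    """Case-insensitive match of one hostname against one SAN entry.
    A wildcard is only honoured as the whole leftmost label ("*.example.com")
    and covers exactly one label, so "*.example.com" matches "www.example.com"
    but neither "example.com" nor "a.b.example.com"."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def missing_names(cert, hostnames):
    """Those of `hostnames` that no SAN entry in `cert` covers."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(hostname_matches(h, n) for n in names)]


def diagnose(cert, domain):
    """Check the two names a Symbiosis site normally answers on: bare and www."""
    return missing_names(cert, [domain, "www." + domain])


def fetch_cert(host, port=443, timeout=5):
    """Fetch the certificate a live server presents for `host` (sent as SNI).
    The chain is still verified against the system trust store; only the
    hostname check is switched off here so that a name mismatch comes back as
    data we can report instead of an exception."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample (not a real certificate): the certificate names only the
# bare domain, which is the situation behind the browser error in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"),),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        domain = sys.argv[1]
        cert = fetch_cert("www." + domain)  # ask for the name that was failing
    else:
        domain, cert = "example.com", SAMPLE_CERT
    print("SAN DNS names:", san_dns_names(cert))
    print("not covered:", diagnose(cert, domain) or "none")
```

Run it with no arguments to see the constructed case (it reports www.example.com as not covered); run it with a domain to query the live server, which is a quick way to confirm the restart in step 4 actually put a certificate covering both names into service.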

I’ve seen this error quite often - one of the site’s SSL certs gets issued (e.g. www.example.com) but the other doesn’t - and visitors to example.com get an SSL error.

My fix is to do something like:

symbiosis-ssl --list example.com
(move to previous set that hopefully hasn’t expired yet)
symbiosis-ssl --set 24 example.com
rm -Rf /srv/example.com/config/ssl/sets/25
symbiosis-ssl --verbose example.com
symbiosis-ssl-configure example.com

(as a side note, I never really understand why the Apache config couldn’t have the SSL certs as /srv/example.com/config/ssl/current/whatever.pem … instead of being linked against a specific set).

I kept having this problem with a few servers, so have ended up disabling the symbiosis-ssl cron job (edit /etc/cron.d/symbiosis-common, disable the symbiosis-ssl line).

and run something like:

#!/bin/bash
# Move every /srv/<domain> vhost to a certbot-managed Let's Encrypt certificate
# that covers both the bare domain and its www. name.

set -u

function do_it() {

	domain=$1
	echo "Domain : $domain"
	domain=$(basename "$domain")

	# opt-out marker: touch /srv/<domain>/.skip_ssl to leave a site alone
	if [ -f "/srv/$domain/.skip_ssl" ]; then
		echo "skipping : $domain - /srv/$domain/.skip_ssl exists"
		return 1
	fi

	# ssl.key already a live symlink: this site was done on an earlier run
	if [ -L "/srv/$domain/config/ssl.key" ] && [ -e "/srv/$domain/config/ssl.key" ] ; then
		echo "already moved to letsencrypt :) $domain"
		return 1
	fi

	if [ ! -e "/srv/$domain/config" ]; then
		echo "Can't handle: /srv/$domain/ - no config dir"
		return 1
	fi

	if [ ! -L "/etc/apache2/sites-enabled/$domain.conf" ]; then
		echo "/etc/apache2/sites-enabled/$domain.conf doesn't exist?"
		return 1
	fi

	# one certificate for both names; if validation of one name fails, take
	# whatever subset certbot can issue rather than nothing at all
	if ! certbot --apache certonly -n -d "$domain" -d "www.$domain"; then
		echo "Failed to get certs for www.$domain / $domain ; retrying with --allow-subset-of-names ??"
		certbot --apache certonly -n --allow-subset-of-names -d "$domain" -d "www.$domain" || exit 1
	fi

	# point Symbiosis at certbot's live files and turn off its own SSL provider
	# (-f so a stale, dangling symlink from a previous attempt is replaced)
	cd "/srv/$domain/config" || exit 1
	ln -sf "/etc/letsencrypt/live/$domain/privkey.pem" ssl.key
	ln -sf "/etc/letsencrypt/live/$domain/chain.pem" ssl.bundle
	ln -sf "/etc/letsencrypt/live/$domain/cert.pem" ssl.crt
	echo "false" > "/srv/$domain/config/ssl-provider"
	rm "/srv/$domain/config/ssl/current" || true

	symbiosis-httpd-configure --verbose "$domain"

	# stop before touching the next site if Apache will not accept the config
	apache2ctl configtest || exit 1
	if [ ! -f "/etc/apache2/sites-enabled/$domain.conf" ]; then
		echo "Check : $domain - missing apache config file???"
		exit 1
	fi
}

for domain in /srv/*
do
	do_it "$domain"
done