Bug: Expired cert used after renewal

My Syncloud is currently using an expired TLS certificate stored at /var/snap/platform/current/syncloud.crt. Judging from the logs, when certbot is run automatically it fails because it hits LetsEncrypt’s rate limit for renewals. It seems to have successfully renewed on 2021-11-15 and 2021-11-11 judging from these records. That renewed certificate (from the 15th) is present at /var/snap/platform/common/syncloud.crt. Because certbot is run with --force-renewal it does not respect the rate limit error.

I have already tried:

  • restarting snap.platform.nginx-public
  • refreshing the platform snap
  • rebooting the device
  • re-activating the device

Misc. info:
System version: 2110221095
Installer version: 210929152
Output of nmap -p 80,443 $mydomain.syncloud.it is:

PORT STATE SERVICE
80/tcp open http
443/tcp open https

Is anybody else encountering this? Thanks in advance.

There was a bug as I remember during the recent upgrades but it was fixed later.
When did you upgrade to this version?

Also, to check if you still have this bug you can run this command, and it should only print one log setting:

grep common -R /var/snap/platform/current/certbot/renewal

/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:logs_dir = /var/snap/platform/common/log

If it prints more, that means we have not managed to fix it for all use cases.
If it prints one line, most likely you just need to wait for 10 days since the upgrade.

I upgraded from 2109251054 on the 11th.

That search finds:

/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:archive_dir = /var/snap/platform/common/certbot/archive/[domain].syncloud.it
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:cert = /var/snap/platform/common/certbot/live/[domain].syncloud.it/cert.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:privkey = /var/snap/platform/common/certbot/live/[domain].syncloud.it/privkey.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:chain = /var/snap/platform/common/certbot/live/[domain].syncloud.it/chain.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:fullchain = /var/snap/platform/common/certbot/live/[domain].syncloud.it/fullchain.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:logs_dir = /var/snap/platform/common/log

I don’t see an issue that matches, is it related to this change?

I have the same problem.
System version: 2110221095
Installer version: 210929152

Have you already found a solution? I can no longer access Nextcloud. But I need it every day for my work.

@clustertrump the output above is showing that migration did not go right. Can you run this and post the output?

/snap/platform/current/bin/migrate_certbot_to_current.sh

Then again:

grep common -R /var/snap/platform/current/certbot/renewal
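To make the grep check above and the expected result of the migration concrete, here is an added example (not Syncloud's own migrate_certbot_to_current.sh) that parses a renewal conf in the format shown in this thread, reports which certificate paths still point at the old common certbot root, and rewrites them to the current root while leaving logs_dir alone. The domain and conf contents are constructed for illustration.

```python
"""Check a certbot renewal conf for paths left behind by an incomplete migration.

Added example, not Syncloud's migration script. After a completed migration every
certificate path should sit under NEW_ROOT; only logs_dir may still be under common,
which is why the thread's grep is expected to print exactly one line.
"""

OLD_ROOT = "/var/snap/platform/common/certbot"
NEW_ROOT = "/var/snap/platform/current/certbot"
# Keys that name certificate material; logs_dir is allowed to stay under common.
CERT_KEYS = ("archive_dir", "cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(text):
    """Return {key: value} for the 'key = value' lines of a renewal conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and section headers such as [renewalparams].
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def stale_keys(conf, old_root=OLD_ROOT):
    """Keys whose path still lives under old_root; an empty list means migration is complete."""
    return [k for k in CERT_KEYS if k in conf and conf[k].startswith(old_root)]


def migrate(conf, old_root=OLD_ROOT, new_root=NEW_ROOT):
    """Return a copy with stale certificate paths rewritten to new_root (logs_dir untouched)."""
    fixed = dict(conf)
    for k in stale_keys(conf, old_root):
        fixed[k] = new_root + conf[k][len(old_root):]
    return fixed


# Constructed sample mirroring the thread's grep output for a not-yet-migrated device.
SAMPLE_CONF = """\
archive_dir = /var/snap/platform/common/certbot/archive/example.syncloud.it
cert = /var/snap/platform/common/certbot/live/example.syncloud.it/cert.pem
privkey = /var/snap/platform/common/certbot/live/example.syncloud.it/privkey.pem
chain = /var/snap/platform/common/certbot/live/example.syncloud.it/chain.pem
fullchain = /var/snap/platform/common/certbot/live/example.syncloud.it/fullchain.pem
logs_dir = /var/snap/platform/common/log
"""

if __name__ == "__main__":
    before = parse_renewal_conf(SAMPLE_CONF)
    print("stale keys before migration:", stale_keys(before))
    print("stale keys after migration:", stale_keys(migrate(before)))
```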

root@syncloud:~# grep common -R /var/snap/platform/current/certbot/renewal
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:archive_dir = /var/snap/platform/common/certbot/archive/[domain].syncloud.it
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:cert = /var/snap/platform/common/certbot/live/[domain].syncloud.it/cert.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:privkey = /var/snap/platform/common/certbot/live/[domain].syncloud.it/privkey.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:chain = /var/snap/platform/common/certbot/live/[domain].syncloud.it/chain.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:fullchain = /var/snap/platform/common/certbot/live/[domain].syncloud.it/fullchain.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:logs_dir = /var/snap/platform/common/log
root@syncloud:~#

What is the output of the migration script?

root@syncloud:~# sh /snap/platform/current/bin/migrate_certbot_to_current.sh 
/snap/platform/current/bin/migrate_certbot_to_current.sh: 7: /snap/platform/current/bin/migrate_certbot_to_current.sh: [[: not found
/snap/platform/current/bin/migrate_certbot_to_current.sh: 16: /snap/platform/current/bin/migrate_certbot_to_current.sh: [[: not found

grep’s output is unchanged.

Could you run it without sh?

root@syncloud:~# /snap/platform/current/bin/migrate_certbot_to_current.sh 
root@syncloud:~# echo $?
0

root@syncloud:~# grep common -R /var/snap/platform/current/certbot/renewal
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:archive_dir = /var/snap/platform/common/certbot/archive/[domain].syncloud.it
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:cert = /var/snap/platform/common/certbot/live/[domain].syncloud.it/cert.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:privkey = /var/snap/platform/common/certbot/live/[domain].syncloud.it/privkey.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:chain = /var/snap/platform/common/certbot/live/[domain].syncloud.it/chain.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:fullchain = /var/snap/platform/common/certbot/live/[domain].syncloud.it/fullchain.pem
/var/snap/platform/current/certbot/renewal/[domain].syncloud.it.conf:logs_dir = /var/snap/platform/common/log

Also if helpful:

root@syncloud:~# bash -x /snap/platform/current/bin/migrate_certbot_to_current.sh 
+ bash -x /snap/platform/current/bin/migrate_certbot_to_current.sh
+ OLD_CERTBOT=/var/snap/platform/common/certbot
+ NEW_CERTBOT=/var/snap/platform/current/certbot
+ [[ -d /var/snap/platform/common/certbot ]]
+ [[ -d /var/snap/platform/current/certbot ]]
++ ls -la /var/snap/platform/current/certbot/live
++ wc -l
+ certs=5
+ [[ 5 -gt 5 ]]
+ [[ ! -d /var/snap/platform/current/certbot ]]
root@syncloud:~# echo $?
+ echo 0
0

Ok, can you remove new (not working) certbot config:

rm -rf /var/snap/platform/current/certbot

And run migration again:

/snap/platform/current/bin/migrate_certbot_to_current.sh 

After doing that and restarting nginx the correct cert is being used. Thanks for the help!

Sorry for that, it seems the migration did not go right for some users in the past.

Hi @boris, can you confirm that if the output of the following command shows only 1 line (as in your example) then the only thing to do is wait ?

I’m just wondering if I’m waiting for nothing and if there is something else to check or not.
Thanks !

Hi Boris,
I applied your solution, described above.
It works fine.

Thank you.
Pierre

Check your /var/snap/platform/common/log/letsencrypt.log and see what is the reason?
Is it rate limit or something else?
Do not paste the log here as it will reveal your domain name.

Thanks ! It was indeed a rate limit error.
It’s all good now.