I am using Let’s Encrypt on my production server to handle the SSL certificate.
My website certificate will expire next week, so I regenerated it using the letsencrypt-auto renew command (I didn’t set up a cron task yet).
The last log I get is 2016-08-20 17:12:20,305:DEBUG:certbot.renewal:no renewal failures, which means the certificate has been successfully regenerated.
But when I go back to my website and check the certificate properties it still says that it will expire next week.
So:
Does Let’s Encrypt wait until the last day of the certificate to update its new expiration in the browser?
Is my new certificate not working properly, which would explain why the browser still gives me next week as the expiration?
Can someone help me clarify the way certificate expiration dates work?
Thanks for your help !
Thanks to the Let's Encrypt community, I have been able to figure out what was wrong: I just needed to reload my Nginx server and it updated the expiration time for the certificate!
I'll just follow up here with a bit more information, for those who are looking at this question for answers.
If you have the renew running in crontab, and you have this issue, you can specify command option: --post-hook 'some command'. And that 'some command' should be the shell command necessary to reload your web server.
Though coming late, might be useful to someone.
Even after restarting apache I still had the issue. A full machine reboot solved it for me. This will be useful only if you have full control of the server machine though.
Related
With the KB5018410 Windows update installed in Windows 10 recently, my Delphi REST applications have stopped working. It seems that TLS 1.2 is turned off. Insomnia, Firefox etc. can access the URL below, but not a "default" set of TRESTClient/TRESTRequest/TRESTResponse components dropped on a form with the minimal required Properties modifications.
https://yams.ked.co.za/version
Checking boxes under TRESTClient.SecureProtocols also does not seem to make any difference.
How can I get my (very large) REST application going again!?
Check this conversation out on Reddit - Global Protect TLS issue after install of KB5018410
https://www.reddit.com/r/paloaltonetworks/comments/y21chi/some_of_our_users_are_having_issues_connecting_to/
Check your ssl cert and make sure your cert is not valid for more than 1 year 365 days. If it is issued to be longer than a year try switching your cert to one that is only good for 1 year and see if it solves it. That fixed my Palo Alto global protect vpn issue.
My final solution was to use another, 3rd party component (Chilkat) to carry out the REST functionality.
There is also the option of rolling back (and then blocking repeat upgrading) the Windows 10 KB5018410 upgrade.
The problem with the Embarcadero REST components was reported on the Issues site, and has now been elevated from "Reported" to "Open" status.
I've been using cert manager for 87 days now and saw some certs which are due in 3 days (duration of 90 days) are not being renewed automatically. At first, the certificates weren't tagged with a duration or renewBefore spec. This should default to 90/30 according to the documentation.
I've already tried using cmctl to force renew, added the duration and renewBefore specs and spent a lot of time looking at the logs of all the CM pods. Since starting my debugging journey, I saw that the cert indeed got a renewalTime added to it. But the certificates are not being renewed at all. Could it be possible that cert manager isn't checking for certificates to renew?
I've got about 20 which are due this week, and ~100 this month so I would really like this auto renewal to work.
If any configuration is needed, I'll gladly provide additional info.
We use bluemix-letsencrypt for generating SSL certificates (as mentioned for example here).
When you run the script, at the end of the process, a limitation is mentioned - you're not able to update an existing certificate without downtime. You need to delete the old certificate first and then upload a new one. But this procedure means unacceptable downtime.
The mentioned solution is that we should use the IBM Cloud console, where it should be possible to upload new SSL certs over the old ones, that is, without downtime. This solution worked recently (2-3 months ago), but not anymore.
A few days ago I wanted to do the same as I did four times over the last 12 months (every 3 months), but the design of the console has been changed and now it's impossible to do that.
This is really bad. While we use HTTPS Strict Transport Security, any downtime of SSL certificate is critical for us.
Anyone who knows how we could solve this issue?
Thank you.
From time to time we have problems with the signing process of install4j and it seems to be a problem with the connection to the signing service. Related to the thread SocketTimeoutException during signing process, we increased the timeout to 60 seconds. However, we still got the problem with the connection and now we will check the infrastructure of our build environment. Furthermore, we want to install a connection check for the signing URL. Therefore we need the URL that is used to sign the executables. Is the following one the right one: http://timestamp.verisign.com/scripts/timstamp.dll? It was logged by install4j during an error build run.
Yes, http://timestamp.verisign.com/scripts/timstamp.dll is the URL that is used to generate the timestamp signature.
You can change that URL by setting the VM parameter -Dinstall4j.timestampUrl=[url]. See Alternative timestamping services for Authenticode for alternative URLs.
I need help. I'm trying to update a certificate used for paypal but I'm getting an error (see below).
I am following the steps provided by paypal seen here: https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_encryptedwebpayments#id08A3I0P20E9.
Here is the error:
PHP Exception
A PHP exception has occured!
Could not sign data: error:0906D06C:PEM routines:PEM_read_bio:no start line
Please check your configuration.
I have done this successfully in the past on the same server following the same steps. I have no idea what's going on. Does this mean anything to anyone?
Figured it out. The path to the certificate was invalid and the error was because the cert file could not be found.
It took me forever to figure this out because I was simply updating an existing certificate that had expired so all I was doing was replacing the file. The cert file I was replacing was named my-pubcert.pem which worked fine for a few years but for whatever reason it wasn't working now. All I did was rename the file to something else and it worked.
Pretty dumb, no idea why that occurred and frustrated that I wasted so much time trying to figure out such a simple thing. Hopefully this helps someone in the future.