
Fix renewal issues on WMIT domains
Open, Unbreak Now!, Public

Description

After a domain migration we discovered that the Let's Encrypt renewal of the other domains was interrupted, and soon (after 2020-10-17 11:09:22 AM CEST) the SSL certificates of these domains will expire:

  • cinquepermille.wikimedia.it
  • libertadigitali.wikimedia.it
  • wikilovemonuments.it
  • www.wikilovemonuments.it
  • sostienilacultura.it
  • www.sostienilacultura.it
  • old.wikilovesmonuments.it
  • valledaosta.wikilovesmonuments.it
  • vda.wikilovesmonuments.it
  • dona.wikimedia.it
  • mb.wikilovesmonuments.it
  • monzaebrianza.wikilovesmonuments.it
  • smssolidale.wikimedia.it

Proposed long-term solution:

Avoid one big certificate shared across all these domains, so that a similar problem does not break all the other renewals.
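A monitoring check for the failure described above, added here as an example and not part of the task or of WMIT's own tooling: it does a TLS handshake to each host in the list, reports days left before expiry, flags a host that serves a certificate not issued for its own name (what a domain migration can leave behind), and flags the "one big certificate" case where many names share one renewal. The thresholds WARN_DAYS and MAX_SHARED and the function names are assumptions.

```python
import socket
import ssl
import time

# Hosts from the task description: one broken renewal left all of them near expiry.
HOSTS = [
    "cinquepermille.wikimedia.it", "libertadigitali.wikimedia.it", "wikilovemonuments.it",
    "www.wikilovemonuments.it", "sostienilacultura.it", "www.sostienilacultura.it",
    "old.wikilovesmonuments.it", "valledaosta.wikilovesmonuments.it", "vda.wikilovesmonuments.it",
    "dona.wikimedia.it", "mb.wikilovesmonuments.it", "monzaebrianza.wikilovesmonuments.it",
    "smssolidale.wikimedia.it",
]
WARN_DAYS = 14   # assumption: certbot renews below 30 days, so under 14 the renewal is not running
MAX_SHARED = 5   # assumption: more DNS SANs than this on one cert is the "one big certificate" risk

def summarize(host, cert, now):
    """Reduce an ssl.getpeercert()-style dict to expiry, SANs and a list of findings."""
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    sans = [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]
    problems = []
    if days_left < 0:
        problems.append("EXPIRED")
    elif days_left < WARN_DAYS:
        problems.append("RENEWAL LATE")
    if host not in sans:          # exact match only; a migrated host serving another site's cert
        problems.append("NAME MISMATCH")
    if len(sans) > MAX_SHARED:    # one failing name blocks renewal for every other name listed here
        problems.append(f"SHARED BY {len(sans)} NAMES")
    return {"host": host, "days_left": round(days_left, 1), "sans": sans, "problems": problems}

def fetch_cert(host, port=443, timeout=5):
    """TLS handshake with SNI; chain and validity are verified, hostname is checked by summarize()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False    # keep CERT_REQUIRED so an expired cert still fails the handshake
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_hosts(hosts=HOSTS, now=None):  # live check; handshake failures are reported, not hidden
    now = time.time() if now is None else now
    results = []
    for host in hosts:
        try:
            results.append(summarize(host, fetch_cert(host), now))
        except (OSError, ssl.SSLError) as exc:  # SSLCertVerificationError is an SSLError
            results.append({"host": host, "days_left": None, "sans": [], "problems": [f"HANDSHAKE FAILED: {exc}"]})
    return results

if __name__ == "__main__":
    for r in check_hosts():
        print(f"{r['host']:40} {r['days_left']!s:>6}  {', '.join(r['problems']) or 'OK'}")
```

Run it from cron and alert on any non-empty problems list; a "HANDSHAKE FAILED: certificate has expired" line is exactly the state this task was opened in.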


Event Timeline

Apologies for the delay, I was busy AFK.

Let's start:

$ sudo certbot certonly --webroot --webroot-path=/var/www/wmi/libdig/wordpress -d libertadigitali.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/libertadigitali.wikimedia.it-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/libertadigitali.wikimedia.it-0001/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
$ sudo certbot certonly --webroot --webroot-path=/var/www/wlm/wordpress -d wikilovemonuments.it -d www.wikilovemonuments.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wikilovemonuments.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wikilovemonuments.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then edited /etc/httpd/conf/virtual-le-ssl.conf.

$ sudo apachectl configtest
Syntax OK

$ sudo systemctl reload httpd
valerio.bozzolan triaged this task as Unbreak Now! priority. Sat, Oct 17, 5:46 PM
valerio.bozzolan updated the task description. (Show Details)

Continuing:

$ sudo certbot certonly --webroot --webroot-path=/var/www/sostieni/wordpress -d sostienilacultura.it -d www.sostienilacultura.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sostienilacultura.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sostienilacultura.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then edited: /etc/httpd/conf/virtual-le-ssl.conf.

$ sudo apachectl configtest
Syntax OK

$ sudo systemctl reload httpd

Continuing:

$ sudo certbot certonly --webroot --webroot-path=/var/www/wlm/wordpress -d old.wikilovesmonuments.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/old.wikilovesmonuments.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/old.wikilovesmonuments.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then edited /etc/httpd/conf/virtual-le-ssl.conf.

$ sudo apachectl configtest
Syntax OK
$ sudo systemctl reload httpd

Note that valledaosta.wikilovesmonuments.it is a redirect to a domain that is not handled by this server. So, replaced:

Redirect / http://valledaosta.wikilovesmonuments.it/

With:

# Serve the ACME http-01 challenge files from the local webroot used by certbot
DocumentRoot /var/www/html
RewriteEngine on
# Let /.well-known (the ACME challenge path) through untouched...
RewriteRule "^/.well-known" - [L]
# ...and redirect everything else to the external site
RewriteRule . http://valledaosta.wikilovesmonuments.it/ [L,R=303]

Same for vda.wikilovesmonuments.it.

Then:

$ sudo certbot certonly --webroot --webroot-path=/var/www/html -d valledaosta.wikilovesmonuments.it -d vda.wikilovesmonuments.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for valledaosta.wikilovesmonuments.it
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/valledaosta.wikilovesmonuments.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/valledaosta.wikilovesmonuments.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then replaced certs in the related virtualhost and reloaded Apache HTTPd gracefully.

Continuing:

$ sudo certbot certonly --webroot --webroot-path=/var/www/wmw/worddona -d dona.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dona.wikimedia.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dona.wikimedia.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then replaced certs in the related virtualhost and reloaded Apache HTTPd gracefully.

Note that monzaebrianza.wikilovesmonuments.it is a redirect to a domain that is not handled by this server. So, replaced:

Redirect / https://www.wikimedia.it/tag/monza-e-brianza/

With:

DocumentRoot /var/www/html
RewriteEngine on
RewriteRule "^/.well-known" - [L]
RewriteRule . https://www.wikimedia.it/tag/monza-e-brianza/ [L]

$ sudo certbot certonly --webroot --webroot-path=/var/www/html -d monzaebrianza.wikilovesmonuments.it -d mb.wikilovesmonuments.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/monzaebrianza.wikilovesmonuments.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/monzaebrianza.wikilovesmonuments.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF: 

Then replaced certs in the related virtualhost and reloaded Apache HTTPd gracefully.

Note that smssolidale.wikimedia.it is a redirect to a domain that is not handled by this server. So, replaced:

Redirect / https://www.wikimedia.it/cosa-facciamo/progetti-le-scuole/campagna-sms-solidale/annuncio-sms-solidale-2016-2017/

With:

DocumentRoot /var/www/html
RewriteEngine on
RewriteRule "^/.well-known" - [L]
RewriteRule . https://www.wikimedia.it/cosa-facciamo/progetti-le-scuole/campagna-sms-solidale/annuncio-sms-solidale-2016-2017/ [L]

$ sudo certbot certonly --webroot --webroot-path=/var/www/html -d smssolidale.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/smssolidale.wikimedia.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/smssolidale.wikimedia.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then replaced certs in the related virtualhost and reloaded Apache HTTPd gracefully.

valerio.bozzolan updated the task description. (Show Details)
valerio.bozzolan closed this task as Resolved. Sat, Oct 17, 7:27 PM
Nemo_bis reopened this task as Open. Fri, Oct 23, 4:28 PM
Nemo_bis added a subscriber: Nemo_bis.

https://wikilovesmonuments.wikimedia.it/ still has an expired certificate for me.