
Fix renewal issues on WMIT domains in server fabula
Closed, ResolvedPublic

Description

After a domain migration we discovered that the Let's Encrypt renewal for the other domains had been interrupted, and soon, after 2020-10-17 11:09:22 AM CEST, the SSL certificates of these domains will expire:

  • cinquepermille.wikimedia.it
  • libertadigitali.wikimedia.it
  • wikilovemonuments.it
  • www.wikilovemonuments.it
  • wikilovesmonuments.it
  • www.wikilovemonuments.it
  • sostienilacultura.it
  • www.sostienilacultura.it
  • old.wikilovesmonuments.it
  • valledaosta.wikilovesmonuments.it
  • vda.wikilovesmonuments.it
  • dona.wikimedia.it
  • mb.wikilovesmonuments.it
  • monzaebrianza.wikilovesmonuments.it
  • smssolidale.wikimedia.it

Proposed long-term solution:

Avoid one big certificate shared among all these domains, so as not to break all the other renewals in similar circumstances.

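The long-term proposal above is about blast radius: one certificate carrying fifteen names renews (and fails to renew) as a unit, and the failure was noticed only once the certificate had expired. As an added example, not part of the task and not Wikimedia Italia's tooling, here is a standard-library Python check that can run from cron: it fetches the certificate each host actually serves, reports the days left, counts the DNS names sharing that certificate, and treats a certificate that no longer validates as an alert in itself. The HOSTS list, SAMPLE_CERT and the two thresholds are constructed for illustration.

```python
"""Expiry and SAN-sharing check for the certificates a list of hosts actually serve.

Added example (not from the task). Python standard library only. HOSTS, SAMPLE_CERT
and the warn_days / max_shared thresholds are assumptions made for illustration.
"""
import socket
import ssl
from datetime import datetime, timezone

# Some of the task's hostnames, listed here only to illustrate a cron-style sweep.
HOSTS = ["cinquepermille.wikimedia.it", "libertadigitali.wikimedia.it", "dona.wikimedia.it"]

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(); the dates
# mirror the certbot output in the task (issued 2020-10-17, expiring 2021-01-15).
SAMPLE_CERT = {
    "subject": ((("commonName", "wikilovemonuments.it"),),),
    "subjectAltName": (("DNS", "wikilovemonuments.it"), ("DNS", "www.wikilovemonuments.it")),
    "notBefore": "Oct 17 10:00:00 2020 GMT",
    "notAfter": "Jan 15 10:00:00 2021 GMT",
}


def not_after_utc(not_after):
    """getpeercert() gives e.g. 'Jan 15 10:00:00 2021 GMT'; ssl ships a parser for it."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_left(not_after, now=None):
    """Fractional days until notAfter, relative to now (defaults to the current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return (not_after_utc(not_after) - now).total_seconds() / 86400


def san_dns_names(cert):
    """DNS names from a getpeercert()-style dict (IP Address entries are ignored)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def assess(cert, now=None, warn_days=14, max_shared=5):
    """Flag a certificate that is close to expiry or shared by too many names."""
    names = san_dns_names(cert)
    days = days_left(cert["notAfter"], now)
    return {
        "days_left": days,
        "expiring": days < warn_days,
        "san_count": len(names),
        "oversized_san": len(names) > max_shared,  # many names = one renewal failure hits all of them
        "names": names,
    }


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the leaf certificate served on the wire (network; not exercised by the tests).

    Validation stays on deliberately: with verification disabled getpeercert() returns an
    empty dict, whereas an expired or mis-issued certificate raising an error is exactly
    the condition this check exists to report."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_host(hostname, **thresholds):
    """One line of report per host; validation failures are reported, not swallowed."""
    try:
        cert = fetch_cert(hostname)
    except ssl.SSLCertVerificationError as exc:
        return {"host": hostname, "error": "does not validate: " + getattr(exc, "verify_message", str(exc))}
    except OSError as exc:  # ssl.SSLError, timeouts and connection errors are all OSError
        return {"host": hostname, "error": str(exc)}
    return dict(assess(cert, **thresholds), host=hostname)


if __name__ == "__main__":
    for host in HOSTS:
        report = check_host(host)
        if "error" in report:
            print("%-40s ALERT %s" % (host, report["error"]))
        else:
            print("%-40s %6.1f days left, %2d SANs%s%s" % (
                host, report["days_left"], report["san_count"],
                " EXPIRING" if report["expiring"] else "",
                " SHARED-CERT" if report["oversized_san"] else ""))
```

Run it from cron and page on any line containing ALERT or EXPIRING; the SAN count is what makes a silently shared certificate visible before its next renewal fails.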

Event Timeline

Apologies for the delay, I was busy AFK.

Let's start:

$ sudo certbot certonly --webroot --webroot-path=/var/www/wmi/libdig/wordpress -d libertadigitali.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/libertadigitali.wikimedia.it-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/libertadigitali.wikimedia.it-0001/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
$ sudo certbot certonly --webroot --webroot-path=/var/www/wlm/wordpress -d wikilovemonuments.it -d www.wikilovemonuments.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wikilovemonuments.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wikilovemonuments.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then edited /etc/httpd/conf/virtual-le-ssl.conf.

$ sudo apachectl configtest
Syntax OK

$ sudo systemctl reload httpd

valerio.bozzolan triaged this task as Unbreak Now! priority. Oct 17 2020, 5:46 PM
valerio.bozzolan updated the task description. (Show Details)

Continuing:

$ sudo certbot certonly --webroot --webroot-path=/var/www/sostieni/wordpress -d sostienilacultura.it -d www.sostienilacultura.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/sostienilacultura.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/sostienilacultura.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then edited: /etc/httpd/conf/virtual-le-ssl.conf.

$ sudo apachectl configtest
Syntax OK

$ sudo systemctl reload httpd

Continuing:

$ sudo certbot certonly --webroot --webroot-path=/var/www/wlm/wordpress -d old.wikilovesmonuments.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/old.wikilovesmonuments.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/old.wikilovesmonuments.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then edited /etc/httpd/conf/virtual-le-ssl.conf.

$ sudo apachectl configtest
Syntax OK
$ sudo systemctl reload httpd

Note that valledaosta.wikilovesmonuments.it is a redirect to a domain that is not handled by this server. So, replaced:

Redirect / http://valledaosta.wikilovesmonuments.it/

With:

DocumentRoot /var/www/html
RewriteEngine on
RewriteRule "^/.well-known" - [L]
RewriteRule . http://valledaosta.wikilovesmonuments.it/ [L,R=303]

Same for vda.wikilovesmonuments.it.

Then:

$ sudo certbot certonly --webroot --webroot-path=/var/www/html -d valledaosta.wikilovesmonuments.it -d vda.wikilovesmonuments.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for valledaosta.wikilovesmonuments.it
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/valledaosta.wikilovesmonuments.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/valledaosta.wikilovesmonuments.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then replaced certs in the related virtualhost and reloaded Apache HTTPd gracefully.

Continuing:

$ sudo certbot certonly --webroot --webroot-path=/var/www/wmw/worddona -d dona.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dona.wikimedia.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dona.wikimedia.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then replaced certs in the related virtualhost and reloaded Apache HTTPd gracefully.

Note that monzaebrianza.wikilovesmonuments.it is a redirect to a domain that is not handled by this server. So, replaced:

Redirect / https://www.wikimedia.it/tag/monza-e-brianza/

With:

DocumentRoot /var/www/html
RewriteEngine on
RewriteRule "^/.well-known" - [L]
RewriteRule . https://www.wikimedia.it/tag/monza-e-brianza/ [L]

$ sudo certbot certonly --webroot --webroot-path=/var/www/html -d monzaebrianza.wikilovesmonuments.it -d mb.wikilovesmonuments.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/monzaebrianza.wikilovesmonuments.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/monzaebrianza.wikilovesmonuments.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF: 

Then replaced certs in the related virtualhost and reloaded Apache HTTPd gracefully.

Note that smssolidale.wikimedia.it is a redirect to a domain that is not handled by this server. So, replaced:

Redirect / https://www.wikimedia.it/cosa-facciamo/progetti-le-scuole/campagna-sms-solidale/annuncio-sms-solidale-2016-2017/

With:

DocumentRoot /var/www/html
RewriteEngine on
RewriteRule "^/.well-known" - [L]
RewriteRule . https://www.wikimedia.it/cosa-facciamo/progetti-le-scuole/campagna-sms-solidale/annuncio-sms-solidale-2016-2017/ [L]

$ sudo certbot certonly --webroot --webroot-path=/var/www/html -d smssolidale.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/smssolidale.wikimedia.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/smssolidale.wikimedia.it/privkey.pem
   Your cert will expire on 2021-01-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then replaced certs in the related virtualhost and reloaded Apache HTTPd gracefully.
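
The recurring fix in the comments above, exempting ^/.well-known from a vhost's redirect so that the http-01 token can be answered from this server, only shows its failure at renewal time. As an added example (not from the task or Wikimedia Italia's setup), the following Python script does what the ACME server does: it writes a random token under the webroot, fetches it over HTTP through the vhost, follows any redirect the way Let's Encrypt would, and passes only if the exact token comes back. It also includes a stand-in vhost, a local http.server that redirects everything to an "other site" page and optionally exempts /.well-known, so the broken and the fixed configuration can be compared without touching Apache. The base URL, the /other-site page and the timeout are assumptions; the real check is preflight() pointed at http://<your-domain>.

```python
"""Pre-flight check for an http-01 webroot before running certbot --webroot.

Added example (not from the task). Standard library only. The fake vhost, its
/other-site page and the 5 s timeout are assumptions used for the demonstration.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def preflight(webroot, base_url, timeout=5.0):
    """Drop a random token in <webroot>/.well-known/acme-challenge/ and fetch it via base_url.

    Redirects are followed, as the ACME validator does, so a redirect is only a failure
    when the final response does not contain the token. Returns a dict; ok is True only
    if the exact token bytes come back."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token_file = os.path.join(challenge_dir, token)
    with open(token_file, "w") as fh:
        fh.write(token)
    url = base_url.rstrip("/") + CHALLENGE_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            final_url, status = resp.geturl(), resp.status
    except urllib.error.HTTPError as exc:
        return {"ok": False, "status": exc.code, "final_url": getattr(exc, "url", url),
                "reason": "HTTP %d for the challenge URL" % exc.code}
    except (urllib.error.URLError, OSError) as exc:
        return {"ok": False, "status": None, "final_url": url, "reason": str(exc)}
    finally:
        os.remove(token_file)  # never leave stale tokens in a public directory
    if body == token:
        reason = "token served from the webroot"
    elif final_url != url:
        reason = "request was redirected away from the challenge path"
    else:
        reason = "challenge URL answered with the wrong content"
    return {"ok": body == token, "status": status, "final_url": final_url, "reason": reason}


class _FakeRedirectVhost(SimpleHTTPRequestHandler):
    """Stand-in for the task's redirect vhosts: every request is sent to another site
    (here the local /other-site page); with exempt_well_known=True the /.well-known tree is
    served from the webroot instead, mirroring  RewriteRule "^/.well-known" - [L]."""
    exempt_well_known = False

    def do_GET(self):
        if self.path == "/other-site":  # the destination site knows nothing about our token
            page = b"<html>some other site</html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(page)))
            self.end_headers()
            self.wfile.write(page)
        elif self.exempt_well_known and self.path.startswith("/.well-known/"):
            super().do_GET()  # plain file from the webroot, as Apache does after the exemption
        else:
            self.send_response(303)
            self.send_header("Location", "/other-site")
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):
        pass


def start_fake_vhost(webroot, exempt_well_known):
    """Serve the fake vhost on a loopback port; returns (server, base_url)."""
    handler = type("Handler", (_FakeRedirectVhost,), {"exempt_well_known": exempt_well_known})
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(handler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def run_demo():
    """Run the preflight against the broken and the fixed vhost; returns both results."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        for label, exempt in (("plain_redirect", False), ("well_known_exempted", True)):
            server, base_url = start_fake_vhost(webroot, exempt)
            try:
                results[label] = preflight(webroot, base_url)
            finally:
                server.shutdown()
                server.server_close()
    return results


if __name__ == "__main__":
    for label, result in run_demo().items():
        print("%-20s ok=%-5s status=%-4s %s" % (label, result["ok"], result["status"], result["reason"]))
```

Against a real vhost, call preflight("/var/www/html", "http://vda.wikilovesmonuments.it") before certbot: the "redirected away" reason is the exact symptom the RewriteRule exemption cures, and a non-200 status or connection error points at DNS or the vhost itself rather than at certbot.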

Nemo_bis subscribed.

https://wikilovesmonuments.wikimedia.it/ still has an expired certificate for me.

> https://wikilovesmonuments.wikimedia.it/ still has an expired certificate for me.

Ouch. I have some time now. Here the intervention:

$ sudo certbot certonly --webroot --webroot-path=/var/www/wmi/wiklov/wordpress -d wikilovesmonuments.wikimedia.it
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wikilovesmonuments.wikimedia.it/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wikilovesmonuments.wikimedia.it/privkey.pem
   Your cert will expire on 2021-01-31. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Then deployed the new certificate in /etc/httpd/conf/virtual-le-ssl.conf in the right virtualhost and issued apachectl graceful.

Now online again. Yippee!

valerio.bozzolan renamed this task from Fix renewal issues on WMIT domains to Fix renewal issues on WMIT domains in server fabula. Jan 2 2022, 3:33 PM