SSL Cert renewals issue fixed



Hi All,

There was an issue with some of our SSL certs not renewing properly from Let's Encrypt. I have now resolved this issue, and the affected services will now work over SSL again. The Let's Encrypt renewal service was checking IPv6 preferentially over IPv4, so the ACME validation check failed because it was attempted over IPv6 rather than IPv4.

To resolve this, all hosted projects that use SSL now listen on both IPv4 and IPv6. I could not check this previously, as I have no host with native IPv6 support (whoops!).

The affected services were:

  • Comet competition server
  • Branding/Landing page

The new configuration used by the affected service is as follows:

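# nginx vhost for the Comet competition server. It listens on both IPv4 and
# IPv6 for HTTP and HTTPS so that ACME HTTP-01 validation succeeds whichever
# address family the validation server tries first.
server {
    # Dual-stack listeners: the ACME validator may connect over IPv6 when the
    # name has an AAAA record, so an IPv4-only listener makes renewals fail.
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;

    ssl_certificate /etc/letsencrypt/live/comp.fossgalaxy.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/comp.fossgalaxy.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Session tickets stay off: a long-lived, unrotated ticket key would weaken
    # forward secrecy for resumed sessions.
    ssl_session_tickets off;

    # Generated with: openssl dhparam -out dhparam.pem 2048
    ssl_dhparam /etc/nginx/dhparam.pem;

    # NOTE(review): TLS 1.0 and TLS 1.1 are deprecated (RFC 8996). Restrict this
    # to TLSv1.2 (plus TLSv1.3 where the nginx/OpenSSL build supports it) once
    # client compatibility for the competition clients has been confirmed.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # NOTE(review): this list still offers 64-bit-block 3DES (*-DES-CBC3-SHA)
    # and non-forward-secret plain-RSA key exchange (the AES*-SHA* suites with
    # no ECDHE/DHE prefix). Both can be dropped together with the legacy TLS
    # versions above.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # OCSP stapling.
    # NOTE(review): per the nginx docs, ssl_stapling_verify needs the issuer and
    # root certificates loaded via ssl_trusted_certificate. With that directive
    # commented out, the OCSP response is likely to fail verification and not be
    # stapled at all -- check error.log to confirm, then enable the line below
    # with a file containing the intermediate and root certificates.
    ssl_stapling on;
    ssl_stapling_verify on;
    #ssl_trusted_certificate /etc/letsencrypt/live/comp.fossgalaxy.com/chain.pem;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # Resolver used for the OCSP responder lookup only. These queries leave the
    # host in cleartext to a public resolver; a local resolver keeps them on-host.
    resolver 8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout 10;

    server_name comp.fossgalaxy.com competitions.pacmanvghosts.co.uk;
    root /opt/docker-compose/comet/webroot;

    # Application traffic goes to the uWSGI backend on loopback.
    location / {
        uwsgi_pass 127.0.0.1:8100;
        include uwsgi_params;
        # NOTE(review): proxy_* directives only take effect under proxy_pass and
        # are ignored by uwsgi_pass. The stock uwsgi_params file already passes
        # the equivalent request metadata (REMOTE_ADDR, SERVER_NAME, REQUEST_SCHEME,
        # and request headers as HTTP_*), so these lines can be removed once the
        # application is confirmed not to depend on X-Forwarded-* headers.
        proxy_redirect     off;
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Forwarded-Protocol $scheme;
    }

    # Serve ACME HTTP-01 challenge files for Let's Encrypt straight from the
    # webroot instead of forwarding them to the application.
    location /.well-known/ {
        alias /opt/docker-compose/comet/webroot/.well-known/;
        # NOTE(review): a directory listing is not needed for HTTP-01 (the
        # validator fetches a known path); autoindex off is the tighter setting.
        autoindex on;
    }

    # Django static files are served directly by nginx, with no listing.
    location /static/ {
        alias /opt/docker-compose/comet/webroot/static/;
        autoindex off;
    }
}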