Expiring cert. When does it renew?

Nick

Mar 9, 2018, 11:17:22 AM
to RavenDB - 2nd generation document database
Hi,

I didn't run the server for a long time. I started it this morning in command prompt mode, and I see in Studio that a cert is expiring in a few days. I thought that it would renew automatically when I run the server, but even after hitting F5 several times, I see that it's still expiring soon.
How/when does it renew?

Thanks

iftah

Mar 9, 2018, 1:04:09 PM
to RavenDB - 2nd generation document database
Hi Nick,

The certificate should refresh on the first Saturday when there are less than 30 days left for expiration or any day when there are 20 days or less left.
If it didn't, please follow this:

1. Open the studio and go to Manage Server -> Admin Logs to see what's going wrong (keep it open when making the request in step 2).

2. We are currently working on a UI and CLI command for this... but right now you need to issue a POST request (you can use powershell, curl, wget, postman...)
You should make the request to https://<your-server-url>/admin/certificates/letsencrypt/force-renew with an empty body. If running in a cluster make this request to the leader node.

See this example of issuing a post request in powershell: https://ravendb.net/docs/article-page/4.0/csharp/server/security/encryption/database-encryption#windows-example

3. If the certificate doesn't renew please post the error from the logs and the RavenDB version you are running.

Also try to restart the server and see if the certificate gets loaded (after the renew process).

Hope this solves the issue,

Iftah.
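
Added example, not part of the reply above and not RavenDB's code: the renewal schedule it describes, written as a monitoring check that flags a certificate still being served after its renewal day has passed. It assumes whole calendar days are counted (the thread does not say how), and the sample expiry date 2018-03-20 is inferred from the later "expires tomorrow" message.

```python
from datetime import date, timedelta

SATURDAY = 5  # date.weekday(): Monday is 0


def renewal_due(not_after, today):
    """Apply the stated schedule to a single calendar day."""
    days_left = (not_after - today).days  # assumption: whole days
    if days_left <= 20:
        return True                       # "any day when 20 days or less"
    return days_left < 30 and today.weekday() == SATURDAY


def first_due_date(not_after):
    """Earliest day on which the schedule fires for this expiry date."""
    day = not_after - timedelta(days=29)  # first day with < 30 days left
    while not renewal_due(not_after, day):
        day += timedelta(days=1)
    return day


def status(not_after, today):
    """Classify a certificate that is still being served on `today`."""
    if today >= not_after:
        return "expired"
    if today > first_due_date(not_after):
        # Renewal should already have run: look at Admin Logs.
        return "overdue"
    if renewal_due(not_after, today):
        return "due-today"
    return "ok"


if __name__ == "__main__":
    # Sample dates taken from the thread; the expiry date is inferred.
    expiry = date(2018, 3, 20)
    print(first_due_date(expiry), status(expiry, date(2018, 3, 9)))
```

With 29 to 21 days left there is always a Saturday in the window, so on a server that runs continuously the 20-day rule only matters as a fallback after downtime, which is the situation in this thread.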

Nick

Mar 9, 2018, 5:27:09 PM
to RavenDB - 2nd generation document database
This is what I get after typing the command:

Invoke-WebRequest https://<my server url>/admin/certificates/letsencrypt/force-renew -Method POST

Failed to update certificate from Lets Encrypt, EXCEPTION: System.InvalidOperationException: Your license is associated with the following domains: dbs.local.ravendb.net but the PublicServerUrl configuration setting is: Raven.Server.Config.Settings.UriSetting.There is a mismatch, therefore cannot automatically renew the Lets Encrypt certificate. Please contact support.

Nick

Mar 9, 2018, 5:31:18 PM
to RavenDB - 2nd generation document database
I know, I forgot the -Certificate $cert param. But even after adding it, I get the same error.

Iftah Ben Zaken

Mar 10, 2018, 1:34:59 AM
to rav...@googlegroups.com
Yeah sorry that's a bug, we will fix it shortly.
In the meantime if you really need to renew the certificate you can do the following workaround:

1. Shut down the server.

2. Complete the setup wizard again for the same license, domain and IP addresses.
Do this on a different temporary RavenDB folder, not on your current working server. It's just to fetch a new certificate.
If you have a cluster fill in all the IPs of the cluster during setup.
This should get a new certificate with the same domain name(s).
Once you have the ZIP file get the server certificate from there (node A folder).

3. Replace the current expiring certificate with the new one (see the certificate path in settings.json) and restart the server.
If you have a cluster, replace the certificate in all nodes.
(it's the same certificate for every node, only do the setup once)

Iftah.

--
You received this message because you are subscribed to the Google Groups "RavenDB - 2nd generation document database" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Nick

Mar 10, 2018, 9:28:10 AM
to RavenDB - 2nd generation document database
Depends on the timeframe for the bug fix...

Oren Eini (Ayende Rahien)

Mar 11, 2018, 1:47:17 AM
to ravendb
The bug is fixed, we'll have a release this week that'll include it.

Hibernating Rhinos Ltd  

Oren Eini l CEO Mobile: + 972-52-548-6969

Office: +972-4-622-7811 l Fax: +972-153-4-622-7811

 



Nick

Mar 19, 2018, 1:06:52 PM
to RavenDB - 2nd generation document database
Seems there was no new build?
My cert expires tomorrow. Will the new version be able to issue a new cert as if it was a renewal?

Nick

Mar 19, 2018, 1:07:43 PM
to RavenDB - 2nd generation document database
Oh wait, just a release now... let me try it.

Nick

Mar 19, 2018, 1:13:47 PM
to RavenDB - 2nd generation document database
Doesn't work. New exception:

2018-03-19T13:12:01.7830004Z, 13, Operations, Raven/Server, Raven.Server.RavenServer, Failed to replace the server certificate., EXCEPTION: System.InvalidOperationException: Failed to update certificate from Lets Encrypt ---> System.InvalidOperationException: Your license is associated with the following domains: ravendb.community but the PublicServerUrl configuration setting is: https://a.nicolas.dbs.local.ravendb.net.There is a mismatch, therefore cannot automatically renew the Lets Encrypt certificate. Please contact support.

Oren Eini (Ayende Rahien)

Mar 19, 2018, 1:17:16 PM
to ravendb
What is the license id that you are using?

Nick

Mar 19, 2018, 1:19:16 PM
to RavenDB - 2nd generation document database
f12b1594-023b-4f0b-8c5a-3e4fea3e6413

Oren Eini (Ayende Rahien)

Mar 19, 2018, 1:27:41 PM
to ravendb
Can you try now? 

Nick

Mar 19, 2018, 1:30:46 PM
to RavenDB - 2nd generation document database
This time:

2018-03-19T13:29:17.4550004Z, 28, Operations, Raven/Server, Raven.Server.RavenServer, Failed to replace the server certificate., EXCEPTION: System.InvalidOperationException: Failed to update certificate from Lets Encrypt ---> System.InvalidOperationException: Your license is associated with the following emails: <insert my email here> but the Security.Certificate.LetsEncrypt.Email configuration setting is: .There is a mismatch, therefore cannot automatically renew the Lets Encrypt certificate. Please contact support.

Grisha Kotler

Mar 19, 2018, 1:39:04 PM
to rav...@googlegroups.com
Please send to support the settings.json file and the email that you used for registration.

Hibernating Rhinos Ltd

Grisha Kotler l RavenDB Core Team Developer Mobile: +972-54-586-8647

RavenDB paving the way to "Data Made Simple" http://ravendb.net/



Nick

Mar 19, 2018, 1:42:23 PM
to RavenDB - 2nd generation document database
Done

Grisha Kotler

Mar 19, 2018, 1:53:13 PM
to rav...@googlegroups.com
The issue was that "Security.Certificate.LetsEncrypt.Email" was missing.

Hibernating Rhinos Ltd

Grisha Kotler l RavenDB Core Team Developer Mobile: +972-54-586-8647

Office: +972-4-622-7811 l Fax: +972-153-4-622-7811

RavenDB paving the way to "Data Made Simple" http://ravendb.net/


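
Added example, not part of the message above and not RavenDB's code: a pre-flight check for the two mismatches reported in this thread (PublicServerUrl against the licensed domains, and a missing Security.Certificate.LetsEncrypt.Email), to run against settings.json before forcing a renewal. The licensed domains and emails are operator-supplied inputs, the subdomain matching rule is an assumption, and the sample settings and email address are constructed.

```python
import json
from urllib.parse import urlsplit

# Setting names exactly as they appear in the error messages in this thread.
URL_KEY = "PublicServerUrl"
EMAIL_KEY = "Security.Certificate.LetsEncrypt.Email"

# Constructed sample: the URL from the thread's log line, no email setting.
SAMPLE_SETTINGS = '{"PublicServerUrl": "https://a.nicolas.dbs.local.ravendb.net"}'


def preflight(settings_text, license_domains, license_emails):
    """Return the list of problems that would block automatic renewal.

    license_domains and license_emails are assumed inputs supplied by the
    operator; the server takes them from the license itself.
    """
    settings = json.loads(settings_text)
    problems = []

    url = str(settings.get(URL_KEY) or "").strip()
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        problems.append(f"{URL_KEY} is missing or has no host")
    else:
        # Assumed rule: the host is a licensed domain or a subdomain of one.
        # Matching on the dot boundary keeps "notexample.test" from passing
        # for the domain "example.test".
        domains = [d.lower().strip(".") for d in license_domains]
        if not any(host == d or host.endswith("." + d) for d in domains):
            problems.append(f"{URL_KEY} host {host} is outside {domains}")

    email = str(settings.get(EMAIL_KEY) or "").strip().lower()
    if not email:
        problems.append(f"{EMAIL_KEY} is missing or empty")
    elif email not in [e.lower() for e in license_emails]:
        problems.append(f"{EMAIL_KEY} does not match the license emails")
    return problems


if __name__ == "__main__":
    for line in preflight(SAMPLE_SETTINGS, ["dbs.local.ravendb.net"],
                          ["owner@example.test"]):
        print("BLOCKER:", line)
```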

Nicolas Cadilhac

Mar 19, 2018, 1:58:38 PM
to rav...@googlegroups.com
Was it the result of a previous issue? Or did I do something wrong in the past?

ok, so now I get this:
2018-03-19T13:53:04.6350004Z, 12, Operations, ServerStore, Raven.Server.ServerWide.ServerStore, The server certificate was successfully replaced on node A.
2018-03-19T17:53:04.7810004Z, 34, Information, Server, Raven.Server.Https.HttpsConnectionAdapter, Failed to authenticate client, EXCEPTION: System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.PartialFrameCallback(AsyncProtocolRequest asyncRequest)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.SslStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Raven.Server.Https.HttpsConnectionAdapter.<InnerOnConnectionAsync>d__10.MoveNext() in C:\Builds\RavenDB-4.0-Patch\src\Raven.Server\Https\HttpsConnectionAdapter.cs:line 83

so it seems the cert was renewed but I get this exception just after...

Also, find attached the list of certs given by the UI. The old cert still appears in the list. Will it be like this each time there is a renewal, creating bit by bit a very long list?
And the name terminology differs. The old cert and the new one have names that aren't the same...

Nicolas


certs.png

Oren Eini (Ayende Rahien)

Mar 19, 2018, 4:08:10 PM
to ravendb
The old cert is still there, yes, because in a cluster, another node in the cluster may still be running using the old cert.
In fact, in our production system, that is the situation right now.

I'm not sure about the names, though.