Let's Encrypt certificate corrupted when updating YunoHost

My YunoHost server

Hardware: VPS bought online
YunoHost version: 11.2.20.2
I have access to my server: via SSH
Are you in a particular context or have you made particular modifications to your instance?: no

Description of the problem

The last 3 YunoHost updates have corrupted my domain's certificate.

Before the update:

$ sudo yunohost domain cert-status
certificates: 
  mondomaine.tld: 
    CA_type: letsencrypt
    style: success
    summary: letsencrypt
    validity: 88

After the update:

$ sudo yunohost domain cert-status
  mondomaine.tld: 
    CA_type: other
    style: success
    summary: ok
    validity: 3649
$ ls -l /etc/yunohost/certs/mondomaine.tld/
-rw-r----- 1 root ssl-cert 1229 Jul  6 12:45 crt.pem
-rw-r----- 1 root ssl-cert 2484 Jul  4 16:26 key.pem

We can see that the crt.pem file was updated. This breaks, among other things, postfix, which can no longer connect to other mail servers. It is now a self-signed certificate (checked with openssl x509).

I fixed it with the following command:

$ sudo yunohost domain cert install --force mondomaine.tld

But I would like to no longer have to fix this after every YunoHost update.

For information, the logs of the last update:

Setting up yunohost (11.2.20.2) ...
Regenerating configuration, this might take a while...
Success! Configuration updated for 'dnsmasq'
Launching migrations...
Info: No migrations to run
Re-diagnosing server health...
Success! Everything looks OK for Base system!
Success! Everything looks OK for Internet connectivity! (+ 2 ignored issue(s))
Success! Everything looks OK for DNS records!
Success! Everything looks OK for Ports exposure!
Success! Everything looks OK for Web!
Success! Everything looks OK for Email!
Warning: unable to retrieve string to translate with key 'nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/yunohost/certs/mondomaine.tld/key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)' for default locale 'locales/en.json' file (don't panic this is just a warning)
Warning: unable to retrieve string to translate with key 'nginx: configuration file /etc/nginx/nginx.conf test failed' for default locale 'locales/en.json' file (don't panic this is just a warning)
Warning: Found 1 item(s) that could be improved for Services status check.
Success! Everything looks OK for System resources!
Success! Everything looks OK for System configurations!
Success! Everything looks OK for Applications!
Warning: To see the issues found, you can go to the Diagnosis section of the webadmin, or run 'yunohost diagnosis show --issues --human-readable' from the command-line.
Refreshing app catalog...
Info: Updating application catalog…
Success! The application catalog has been updated!

and the error reported is the one I fixed by hand :slight_smile:

$ sudo yunohost diagnosis show --issues --human-readable
Warning: unable to retrieve string to translate with key 'nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/yunohost/certs/mondomaine.tld/key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)' for default locale 'locales/en.json' file (don't panic this is just a warning)
Warning: unable to retrieve string to translate with key 'nginx: configuration file /etc/nginx/nginx.conf test failed' for default locale 'locales/en.json' file (don't panic this is just a warning)
=================================
Services status check (services)
=================================

[WARNING] Configuration is broken for service nginx!
  - nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/yunohost/certs/mondomaine.tld/key.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
  - nginx: configuration file /etc/nginx/nginx.conf test failed

Hello,
new YNH update, and my certificate is corrupted again:

$ sudo yunohost domain cert status
certificates: 
  mondomaine.tld: 
    CA_type: other
    style: success
    summary: ok
    validity: 3649

I got the same warnings as before for nginx.

Sure, I know how to fix the problem by hand, but I would rather avoid having to fix it :grin:
Does anyone have an idea what the problem is?

Sorry, I forgot to specify: yunohost 11.2.24

No idea why updating would touch the certificate ... To really understand the cause and identify exactly when it happens, we would need the full upgrade log and to redo the ls -l --full-time to see at what precise moment (to the second) it happens in the upgrade log ...

Thanks @Aleks for your reply.
I'll wait for the next upgrade to see where the problem comes from. How does one get the full log?

Hello @Aleks, this happened again with the update to 11.2.25.
Regarding my "updated" keys and certificates:

$ ls -l --full-time
total 8
-rw-r----- 1 root ssl-cert 1229 2024-08-01 08:06:02.150757082 +0000 crt.pem
-rw-r----- 1 root ssl-cert 2484 2024-07-27 14:28:52.883482445 +0000 key.pem

And in the logs, we can see that a self-signed certificate is generated:

2024-08-01 08:06:01,959 DEBUG    yunohost.hook (unknown function) - [2115141.1] Executing command '['sh', '-c', '/bin/bash -x "./02-ssl" post \'\' \'\' \'\' 7>&1']'
2024-08-01 08:06:01,967 DEBUG    yunohost.hook (unknown function) - [2115141.1] + set -e
2024-08-01 08:06:01,968 DEBUG    yunohost.hook (unknown function) - [2115141.1] + ssl_dir=/usr/share/yunohost/ssl
2024-08-01 08:06:01,968 DEBUG    yunohost.hook (unknown function) - [2115141.1] + template_dir=/usr/share/yunohost/conf/ssl/
2024-08-01 08:06:01,968 DEBUG    yunohost.hook (unknown function) - [2115141.1] + ynh_ca=/etc/yunohost/certs/yunohost.org/ca.pem
2024-08-01 08:06:01,968 DEBUG    yunohost.hook (unknown function) - [2115141.1] + ynh_crt=/etc/yunohost/certs/yunohost.org/crt.pem
2024-08-01 08:06:01,968 DEBUG    yunohost.hook (unknown function) - [2115141.1] + ynh_key=/etc/yunohost/certs/yunohost.org/key.pem
2024-08-01 08:06:01,968 DEBUG    yunohost.hook (unknown function) - [2115141.1] + do_post_regen
2024-08-01 08:06:01,968 DEBUG    yunohost.hook (unknown function) - [2115141.1] + regen_conf_files=
2024-08-01 08:06:01,969 DEBUG    yunohost.hook (unknown function) - [2115141.1] ++ openssl x509 -in /etc/yunohost/certs/yunohost.org/ca.pem -text
2024-08-01 08:06:01,970 DEBUG    yunohost.hook (unknown function) - [2115141.1] ++ awk '{print $4}'
2024-08-01 08:06:01,972 DEBUG    yunohost.hook (unknown function) - [2115141.1] ++ tr , '\n'
2024-08-01 08:06:01,973 DEBUG    yunohost.hook (unknown function) - [2115141.1] ++ grep Issuer
2024-08-01 08:06:01,979 DEBUG    yunohost.hook (unknown function) - [2115141.1] + current_local_ca_domain='US
2024-08-01 08:06:01,979 DEBUG    yunohost.hook (unknown function) - [2115141.1] URI:http://r10.i.lencr.org/'
2024-08-01 08:06:01,979 DEBUG    yunohost.hook (unknown function) - [2115141.1] ++ cat /etc/yunohost/current_host
2024-08-01 08:06:01,981 DEBUG    yunohost.hook (unknown function) - [2115141.1] + main_domain=domaine.tld
2024-08-01 08:06:01,981 DEBUG    yunohost.hook (unknown function) - [2115141.1] + '[' -e /usr/share/yunohost/yunohost-config/ssl/yunoCA ']'
2024-08-01 08:06:01,982 DEBUG    yunohost.hook (unknown function) - [2115141.1] + mkdir -p /usr/share/yunohost/ssl/ca /usr/share/yunohost/ssl/certs /usr/share/yunohost/ssl/crl /usr/share/yunohost/ssl/newcerts
2024-08-01 08:06:01,984 DEBUG    yunohost.hook (unknown function) - [2115141.1] + chown root:root /usr/share/yunohost/ssl
2024-08-01 08:06:01,986 DEBUG    yunohost.hook (unknown function) - [2115141.1] + chmod 750 /usr/share/yunohost/ssl
2024-08-01 08:06:01,988 DEBUG    yunohost.hook (unknown function) - [2115141.1] + chmod -R o-rwx /usr/share/yunohost/ssl
2024-08-01 08:06:01,989 DEBUG    yunohost.hook (unknown function) - [2115141.1] + chmod o+x /usr/share/yunohost/ssl/certs
2024-08-01 08:06:01,991 DEBUG    yunohost.hook (unknown function) - [2115141.1] + chmod o+r /usr/share/yunohost/ssl/certs/yunohost_crt.pem
2024-08-01 08:06:01,992 DEBUG    yunohost.hook (unknown function) - [2115141.1] + [[ US
2024-08-01 08:06:01,993 DEBUG    yunohost.hook (unknown function) - [2115141.1] URI:http://r10.i.lencr.org/ != \d\o\m\a\i\n\e\.\t\l\d ]]
2024-08-01 08:06:01,993 DEBUG    yunohost.hook (unknown function) - [2115141.1] + regen_local_ca domaine.tld
2024-08-01 08:06:01,993 DEBUG    yunohost.hook (unknown function) - [2115141.1] + domain=domaine.tld
2024-08-01 08:06:01,993 DEBUG    yunohost.hook (unknown function) - [2115141.1] + echo -e '\n# Creating local certification authority with domain=domaine.tld\n'
2024-08-01 08:06:01,993 DEBUG    yunohost.hook (unknown function) - [2115141.1] 
2024-08-01 08:06:01,993 DEBUG    yunohost.hook (unknown function) - [2115141.1] # Creating local certification authority with domain=domaine.tld
2024-08-01 08:06:01,993 DEBUG    yunohost.hook (unknown function) - [2115141.1] 
2024-08-01 08:06:01,993 DEBUG    yunohost.hook (unknown function) - [2115141.1] + mkdir -p /etc/yunohost/certs/yunohost.org
2024-08-01 08:06:01,995 DEBUG    yunohost.hook (unknown function) - [2115141.1] + mkdir -p /usr/share/yunohost/ssl/ca /usr/share/yunohost/ssl/certs /usr/share/yunohost/ssl/crl /usr/share/yunohost/ssl/newcerts
2024-08-01 08:06:01,996 DEBUG    yunohost.hook (unknown function) - [2115141.1] + pushd /usr/share/yunohost/ssl
2024-08-01 08:06:01,996 DEBUG    yunohost.hook (unknown function) - [2115141.1] /usr/share/yunohost/ssl /usr/share/yunohost/hooks/conf_regen
2024-08-01 08:06:01,997 DEBUG    yunohost.hook (unknown function) - [2115141.1] + RANDFILE=.rnd
2024-08-01 08:06:01,997 DEBUG    yunohost.hook (unknown function) - [2115141.1] + openssl rand -hex 19
2024-08-01 08:06:02,001 DEBUG    yunohost.hook (unknown function) - [2115141.1] + rm -f index.txt
2024-08-01 08:06:02,002 DEBUG    yunohost.hook (unknown function) - [2115141.1] + touch index.txt
2024-08-01 08:06:02,004 DEBUG    yunohost.hook (unknown function) - [2115141.1] + cp /usr/share/yunohost/conf/ssl//openssl.cnf openssl.ca.cnf
2024-08-01 08:06:02,006 DEBUG    yunohost.hook (unknown function) - [2115141.1] + sed -i s/yunohost.org/domaine.tld/g openssl.ca.cnf
2024-08-01 08:06:02,008 DEBUG    yunohost.hook (unknown function) - [2115141.1] + openssl req -x509 -new -config openssl.ca.cnf -days 3650 -out ca/cacert.pem -keyout ca/cakey.pem -nodes -batch -subj /CN=domaine.tld/O=domaine
2024-08-01 08:06:02,014 DEBUG    yunohost.hook (unknown function) - [2115141.1] Generating a RSA private key
2024-08-01 08:06:02,047 DEBUG    yunohost.hook (unknown function) - [2115141.1] .....................+++++
2024-08-01 08:06:02,148 DEBUG    yunohost.hook (unknown function) - [2115141.1] ...........................................................+++++
2024-08-01 08:06:02,149 DEBUG    yunohost.hook (unknown function) - [2115141.1] writing new private key to 'ca/cakey.pem'
2024-08-01 08:06:02,149 DEBUG    yunohost.hook (unknown function) - [2115141.1] -----
2024-08-01 08:06:02,152 DEBUG    yunohost.hook (unknown function) - [2115141.1] + chmod 640 ca/cacert.pem
2024-08-01 08:06:02,153 DEBUG    yunohost.hook (unknown function) - [2115141.1] + chmod 640 ca/cakey.pem
2024-08-01 08:06:02,154 DEBUG    yunohost.hook (unknown function) - [2115141.1] + cp ca/cacert.pem /etc/yunohost/certs/yunohost.org/ca.pem
2024-08-01 08:06:02,156 DEBUG    yunohost.hook (unknown function) - [2115141.1] + ln -sf /etc/yunohost/certs/yunohost.org/ca.pem /etc/ssl/certs/ca-yunohost_crt.pem
2024-08-01 08:06:02,157 DEBUG    yunohost.hook (unknown function) - [2115141.1] + update-ca-certificates
2024-08-01 08:06:02,162 DEBUG    yunohost.hook (unknown function) - [2115141.1] Updating certificates in /etc/ssl/certs...
2024-08-01 08:06:02,706 DEBUG    yunohost.hook (unknown function) - [2115141.1] 0 added, 0 removed; done.
2024-08-01 08:06:02,706 DEBUG    yunohost.hook (unknown function) - [2115141.1] Running hooks in /etc/ca-certificates/update.d...
2024-08-01 08:06:02,707 DEBUG    yunohost.hook (unknown function) - [2115141.1] done.
2024-08-01 08:06:02,711 DEBUG    yunohost.hook (unknown function) - [2115141.1] + popd
2024-08-01 08:06:02,711 DEBUG    yunohost.hook (unknown function) - [2115141.1] /usr/share/yunohost/hooks/conf_regen
2024-08-01 08:06:02,711 DEBUG    yunohost.hook (unknown function) - [2115141.1] + ln -sf /etc/yunohost/certs/domaine.tld/crt.pem /etc/ssl/certs/yunohost_crt.pem
2024-08-01 08:06:02,713 DEBUG    yunohost.hook (unknown function) - [2115141.1] + ln -sf /etc/yunohost/certs/domaine.tld/key.pem /etc/ssl/private/yunohost_key.pem
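To see why the hook took the `regen_local_ca` branch, here is an added example (not YunoHost's own code) that replicates, in Python, the Issuer-extraction pipeline traced in the log above (`openssl x509 -text | tr , '\n' | grep Issuer | awk '{print $4}'`) on constructed `openssl x509 -text` excerpts, next to a stricter parse that reads only the CN of the real `Issuer:` line. The domain `domaine.tld` and the Let's Encrypt issuer names are placeholders taken from the thread.

```python
import re

# Constructed excerpts of `openssl x509 -text` output (not real certificates).
# LOCAL_CA_TEXT mimics the self-signed CA YunoHost generates for the main domain;
# LETSENCRYPT_TEXT mimics a Let's Encrypt leaf, which is what ca.pem pointed at
# through the symlink chain discussed in this thread.
LOCAL_CA_TEXT = """\
Certificate:
    Data:
        Issuer: CN = domaine.tld, O = domaine
        Subject: CN = domaine.tld, O = domaine
"""
LETSENCRYPT_TEXT = """\
Certificate:
    Data:
        Issuer: C = US, O = Let's Encrypt, CN = R10
        Subject: CN = domaine.tld
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://r10.o.lencr.org
                CA Issuers - URI:http://r10.i.lencr.org/
"""

def hook_issuer_domain(text):
    """Replicate the hook's shell pipeline as traced in the upgrade log:
    openssl x509 -text | tr , '\\n' | grep Issuer | awk '{print $4}'."""
    out = []
    for line in text.replace(",", "\n").split("\n"):   # tr , '\n'
        if "Issuer" in line:                            # grep Issuer (also hits "CA Issuers")
            fields = line.split()                       # awk '{print $4}'
            out.append(fields[3] if len(fields) >= 4 else "")
    return "\n".join(out)                               # what $(...) captures

def issuer_cn(text):
    """Stricter parse: only the CN of the line that actually starts with 'Issuer:'."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Issuer:"):
            m = re.search(r"CN\s*=\s*([^,]+)", stripped)
            return m.group(1).strip() if m else None
    return None

def needs_local_ca_regen(text, main_domain, parser=hook_issuer_domain):
    """The hook regenerates the local CA when the extracted issuer differs from the
    main domain; in this thread that regeneration coincided with crt.pem being
    replaced by a self-signed certificate."""
    return parser(text) != main_domain
```

With the Let's Encrypt text the pipeline yields `US\nURI:http://r10.i.lencr.org/`, exactly the `current_local_ca_domain` value in the log, so the comparison against `domaine.tld` fails and the CA is regenerated; the stricter parse reaches the same verdict (CN `R10`), which shows the hook's decision was correct for the file it was given and the real defect was ca.pem pointing at the Let's Encrypt chain.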

Mokay, so it looks like it's triggered because /etc/yunohost/certs/yunohost.org/ca.pem comes ... from Let's Encrypt ... but I strongly doubt it ... Do you remember having tinkered with this file by hand?

I don't think so. But my installation is quite old: I started with a self-signed certificate, then switched to Let's Encrypt when I saw it was supported.

Mokay, then let's look at what ls -l /etc/yunohost/certs/yunohost.org/ says

$ ls -l /etc/yunohost/certs/yunohost.org/
lrwxrwxrwx 1 root ssl-cert   36 Aug 10  2023 ca.pem -> /etc/ssl/certs/domaine.tld/fullchain.pem
-rw-r----- 1 root ssl-cert 3551 Apr 22  2020 crt.pem
-rw-r----- 1 root ssl-cert 1704 Apr 22  2020 key.pem

$ ls -l /etc/ssl/certs/domaine.tld/fullchain.pem
lrwxrwxrwx 1 root root 35 May  1 09:32 /etc/ssl/certs/domaine.tld/fullchain.pem -> /etc/yunohost/certs/domaine.tld/crt.pem

Wtf that makes no sense at all … a CA pointing to a full chain in /etc/ssl … itself pointing to a crt.pem in /etc/yunohost/certs ? What the heck …

Idk let’s just rm /etc/yunohost/certs/yunohost.org/ca.pem

And then maybe yunohost tools regen-conf ssl should recreate a proper ca.pem

$ rm ca.pem
$ yunohost tools regen-conf ssl
Warning: Can't open /etc/yunohost/certs/yunohost.org/ca.pem for reading, No such file or directory
Warning: 140443378550080:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/etc/yunohost/certs/yunohost.org/ca.pem','r')
Warning: 140443378550080:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
Warning: unable to load certificate

But I do have a new ca.pem created:

$ ls -l /etc/yunohost/certs/yunohost.org
total 12
-rw-r----- 1 root root     1229 Aug  1 14:08 ca.pem
-rw-r----- 1 root ssl-cert 3551 Apr 22  2020 crt.pem
-rw-r----- 1 root ssl-cert 1704 Apr 22  2020 key.pem

And I can access domaine.tld fine (no certificate error), and the mail server works too.

Running the regeneration command a second time, nothing was modified.

Yup, that should have fixed the problem, basically

In any case, if yunohost tools regen-conf ssl doesn't re-trigger the problem (that's what was triggered during the upgrade, and potentially not only during the upgrade, by the way), it should be ok

OK, thanks @Aleks.
I'll check that everything goes well at the next upgrade, and if so, I'll mark the thread as solved.

OK, following the update to 11.2.26
