The website in question has used the SSL certificate for months. Lately, the SSL certificate was renewed before expiration, and the main website (on port 80) was using the renewed certificate without a hiccup, but Tryton on port 8000 was giving a warning about the site’s SSL certificate being expired, showing an error like: “Certificate error! There is a problem with this website’s security certificate. Certificate expired on 5/10/2020!”
The certificate is not expired and was not allowed to expire before renewal took place. I have not changed the Tryton configuration and the database still looks good. I have restarted Tryton but the error continues to show on the website.
Server is GNU Health 4.3.2, SAO, on openSUSE Leap 15.1.
How can I make Tryton use the renewed ssl certificate?
This does not tell us which version of Tryton it is.
It depends which process is actually doing the SSL. If it is trytond (which is not recommended) you just have to restart the process. If it is the proxy, you have to reload/restart it.
Well, the related lines in the configuration are like:
certificate = /etc/letsencrypt/live/www.smoothgift.com/fullchain.pem
privatekey = /etc/letsencrypt/live/www.smoothgift.com/privkey.pem
When fullchain.pem in /etc/letsencrypt/live/www.smoothgift.com/ is viewed (with openssl), the “not after” date is Oct 3 (expired), but the certificate in /etc/letsencrypt/live/smoothgift.com/fullchain.pem is valid till Dec 5. This means technically that Certbot saved the renewed certificates in the /etc/letsencrypt/live/smoothgift.com/ directory and not in /etc/letsencrypt/live/www.smoothgift.com/, despite the fact that renewal was made for both www.smoothgift.com and smoothgift.com.
That should be no problem by right as I would have just needed to change Tryton config line to e.g. certificate = /etc/letsencrypt/live/smoothgift.com/ because the certificates there are valid. But if I change Tryton config to certificate = /etc/letsencrypt/live/smoothgift.com/ Tryton refuses to load and leaves me no message in the log or status. And if I leave the config line as certificate = /etc/letsencrypt/live/www.smoothgift.com/ Tryton displays invalid certificate warning in the browser. smoothgift.com (also using apache) displays all good using /etc/letsencrypt/live/www.smoothgift.com/. Why is smoothgift.com not complaining?
Why is Tryton behaving this way? Otherwise, what am I missing?
But the directory has file permission 755 and files have 777 already which is why I guess other users have no problem reading them.
How do you advise I approach this: give the tryton user specific access to the directory? Create a tryton group and then give it read access to the directory? Or something else, given the OS is openSUSE? Thanks.
Previously you said that you changed the certificate and it did not work and, as you said, the permissions on the certificate are correct. I suppose that you did not update the privatekey path.
Both certs and key are usually saved in the same directory by certbot and both are correctly listed/updated in the Tryton config.
So back to user Tryton's probable inability to access the directory. How do I give user Tryton the access right needed (suitable to Tryton) as asked earlier above? Thanks, Ced.
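The checks discussed in this thread, as an added example that is not part of the original posts or of Tryton itself: it reads the `certificate` and `privatekey` paths from a trytond configuration and reports the first reason a given account could not load each one (path is a directory, dangling symlink, a parent directory that cannot be traversed, or an unreadable file). The `[ssl]` section name, the script's file name and the account name passed on the command line are assumptions.

```python
import configparser, grp, os, pwd, sys

def ssl_paths(conf_text):
    """Return the certificate/privatekey paths from trytond config text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # Assumption: the two keys shown in the thread live in an [ssl] section.
    return {k: cp.get("ssl", k) for k in ("certificate", "privatekey")
            if cp.has_option("ssl", k)}

def allowed(st, uid, gids, bit):
    """Owner/group/other mode check (bit 4 = read, 1 = traverse); ACLs ignored."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & bit)

def ancestors(path):
    """Yield every directory above path, from / downwards."""
    parts = path.split(os.sep)
    for i in range(1, len(parts)):
        yield os.sep.join(parts[:i]) or os.sep

def diagnose(path, uid, gids):
    """Return 'ok' or the first reason uid cannot load path as a PEM file."""
    link = os.path.abspath(path)
    real = os.path.realpath(path)      # live/*.pem are symlinks into archive/
    if not os.path.exists(real):
        return "missing: " + real
    if os.path.isdir(real):
        return "is a directory, not a PEM file: " + real
    # Every directory on both the symlink path and its target needs x.
    for d in list(ancestors(link)) + list(ancestors(real)):
        if not allowed(os.stat(d), uid, gids, 1):
            return "cannot traverse: " + d
    if not allowed(os.stat(real), uid, gids, 4):
        return "cannot read: " + real
    return "ok"

if __name__ == "__main__":
    # Run as root so every component can be inspected, for example:
    #   python3 check_tls_paths.py /path/to/trytond.conf tryton
    conf, user = sys.argv[1], sys.argv[2]   # account name is an assumption
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    with open(conf) as fh:
        for key, path in ssl_paths(fh.read()).items():
            print(key, path, "->", diagnose(path, pw.pw_uid, gids))
```

A private key only needs to be readable by the account that terminates TLS, so a group-readable key (mode 640) with the service account in that group is enough to get an `ok` here.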