Why is tryton not using renewed ssl certificate?

Hello guys,

The website in question has used the ssl certificate for months. Lately, the ssl certificate was renewed before expiration and the main website (on port 80) was using the renewed certificate without a hiccup but Tryton on port 8000 was giving warning about the site’s ssl certificate being expired, showing error like Certificate error! There is a problem with this website’s security certificate. Certificate expired on 5/10/2020!

The certificate is not expired, was not allowed to expire before renewal took place, I have not changed Tryton configuration and database looks good still. I have restarted Tryton but the error continues to show on website.

Server is a gnuhealth 4.3.2, SAO on Opensuse leap 15.1.

How can I make Tryton use the renewed ssl certificate?

I will appreciate your help,

Thank you.

This does not tell us which version of Tryton it is.

It depends which process is actually doing the SSL. If it is trytond (which is not recommended) you just have to restart the process. If it is the proxy, you have to reload/restart it.

trytond 5.0.23.

Not a proxy. I restarted gnuhealth, got no joy, restarted the machine, still no joy!

Then probably the configuration is pointing to the old certificate.

Well, related lines in the configuration are like:
certificate = /etc/letsencrypt/live/www.smoothgift.com/fullchain.pem
privatekey = /etc/letsencrypt/live/www.smoothgift.com/privkey.pem

When fullchain.pem in /etc/letsencrypt/live/www.smoothgift.com/ is viewed (with openssl) the “not after” date is Oct 3 (expired) but the certificate in /etc/letsencrypt/live/smoothgift.com/fullchain.pem is valid till Dec 5. This means technically that Certbot saved renewed certificates in the /etc/letsencrypt/live/smoothgift.com/ directory and not in /etc/letsencrypt/live/www.smoothgift.com/, despite the fact that renewal was made for both www.smoothgift.com and smoothgift.com.

That should be no problem by right as I would have just needed to change Tryton config line to e.g. certificate = /etc/letsencrypt/live/smoothgift.com/ because the certificates there are valid. But if I change Tryton config to certificate = /etc/letsencrypt/live/smoothgift.com/ Tryton refuses to load and leaves me no message in the log or status. And if I leave the config line as certificate = /etc/letsencrypt/live/www.smoothgift.com/ Tryton displays invalid certificate warning in the browser. smoothgift.com (also using apache) displays all good using /etc/letsencrypt/live/www.smoothgift.com/. Why is smoothgift.com not complaining?

Why is Tryton behaving this way? Otherwise, what am I missing?

Many thanks again!

The user probably does not have the right to read them.

But the directory has file permission 755 and files have 777 already which is why I guess other users have no problem reading them.

How do you advise I approach this, give the tryton user specific access to the directory? Create a tryton group and then give it read access to the directory? Or something else? Given OS is openSUSE. Thanks.

If you change the certificate you must also change the privatekey.

I don’t understand what you mean here Ced. I thought you were talking about user permission

Previously you said that you changed the certificate and it did not work, and as you said the permissions on the certificate are correct. I suppose that you did not update the privatekey path.

Both certs and key are usually saved in the same directory by certbot and both are correctly listed/updated in the Tryton config.

So back to user tryton's probable inability to access the directory. How do I give user tryton the access rights needed (suitable to Tryton) as asked earlier above? Thanks Ced.
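A check for the situation in this thread, added here as an example and not part of the Tryton project or the thread: it reads the certificate and privatekey paths from the trytond config, compares the on-disk certificate's fingerprint with the one the listener actually serves, and tests whether the service user can read the files (following the live/ symlinks into certbot's archive/ directory). It assumes the config lives at /etc/tryton/trytond.conf, the service user is named tryton, the listener is on localhost:8000, and the script runs as root; check_tryton_cert.sh is a hypothetical file name.

```shell
#!/bin/sh
# Added example (not from the thread). Compare what trytond is configured to
# serve with what its listener presents, and check the service user's access.
# Assumed defaults: /etc/tryton/trytond.conf, localhost:8000, user "tryton".
# Usage (as root): sh check_tryton_cert.sh [conf] [host:port] [user]
set -u

# Value of a key (e.g. certificate, privatekey) from the conf, spaces trimmed.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1
}

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# notAfter date of the first certificate in a PEM file.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a TLS listener presents.
served_fingerprint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if the user can read the file. test -r follows symlinks, so it also
# catches a world-readable live/*.pem pointing into a non-traversable archive/.
readable_by_user() {
    su -s /bin/sh -c "test -r '$2'" "$1"
}

main() {
    conf=${1:-/etc/tryton/trytond.conf}; target=${2:-localhost:8000}; user=${3:-tryton}
    cert=$(conf_value "$conf" certificate); key=$(conf_value "$conf" privatekey)
    echo "configured certificate: $cert (notAfter: $(cert_enddate "$cert"))"
    echo "configured privatekey:  $key"
    for f in "$cert" "$key"; do
        readable_by_user "$user" "$f" && echo "readable by $user: $f" \
            || echo "NOT readable by $user: $f (check directory permissions too)"
    done
    if [ "$(cert_fingerprint "$cert")" = "$(served_fingerprint "$target")" ]; then
        echo "$target serves the configured certificate"
    else
        echo "$target serves a DIFFERENT certificate: restart trytond or fix the paths"
    fi
}
# Only run main when invoked as the script itself (not when sourced for reuse).
case "$0" in *check_tryton_cert*) main "$@" ;; esac
```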