Website down for 24 hours: SSL certificate update failed – checking the contents of your certificate bundle

My SSL certificate for this site was about to expire this week, so I paid for an update for another year and then proceeded to upload my new certificate bundle to my server. Having been through this process a few times, I have a couple of posts describing the steps for configuring nginx with SSL certs here:

… and how to create a certificate bundle here:

I normally concatenate the root, intermediate and my site certificate manually before uploading using the steps in the post above. This time though I noticed the updated certifcate had a bundle download, so I downloaded this and uploaded straight to my site and then restarted…

Unfortunately, since I run nginx in a Docker container, on restarting the container it failed and then went into a restart loop. While constantly failing and restarting like this, it’s not possible (that I know of) to ‘docker exec -it bash’ into the container since it hasn’t completely started. In hindsight maybe ‘docker log’ would have told be what I needed to know, but I wanted to look at the /var/log/nginx/error.log inside the container to see what the issue was. I found a neat trick to do this which I’ll cover in another post.

In the meantime, I found the error in the nginx error.log was this:

2024/06/12 16:31:02 [emerg] 56#56: SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl-certs/my-site.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

This seemed odd since I generated my CSR for the new certificate on the server and had the key for the request and new certificate. This post for this error luckily had suggestions to look at the contents of the bundle, using:

openssl x509 -noout -text -in yourcert.cert

And exactly as one of the answers suggested, the ‘Subject:’ field in the certificate was not for my domain, it was for the CA instead. The bundle that I downloaded after purchasing my new certificate contained the CA and the Intermediate certs but not the cert for my domain… I should have followed my own instructions for combining all three and including my own site certificate.

I created my new bundle by hand, uploaded to my server and now everything is back to normal with the new SSL certificate.

In hindsight I should have tested my updates on my test server before upload direct to my live server, but since moving house recently I no longer have the HP rackserver I had before, on which I used to run a test server that mirrored the config of my live site. Lesson learned, I need to set up a new test server…

Deploying a Docker container to AWS Elastic Beanstalk

In my previous post, I looked at using the EB cli to deploy a Spring Boot app to Beanstalk. If you have an app that you have packaged in a Docker container, you can prepare this for deployment to Beanstalk using the EB cli command:

$ eb init -p docker application-name

This is described in the docs here.

This command inits the app for deployment, creating a default .elasticbeanstalk/config.yml file that looks like this:

environment: null
group_suffix: null
application_name: beanstalk-docker-with-mounted-volume
branch: null
default_ec2_keyname: null
default_platform: Docker
default_region: us-west-2
include_git_submodules: true
instance_profile: null
platform_name: null
platform_version: null
profile: null
repository: null
sc: null
workspace_type: Application

Next create a Beanstalk environment for deploying your app:

$ eb create environment-name

This will take a few minutes on your first deploy as it provisions everything required for running your app on Beanstalk, including an Auto Scaling Group and an EC2 instance.

Updating local versions of Docker images if using the latest tag

I have an ubuntu:latest image pulled locally from a couple of years ago, and it’s obviously not the latest since it’s over 2 years old. ‘docker images’ shows:

ubuntu                                                                           latest                     d5ca7a445605   2 years ago     65.6MB

If I run the image with -it and cat the /etc/lsb-release file, it shows it’s 20.04. Docker Hub is currently showing latest as 22.04.

To update it, if I ‘docker pull ubuntu:latest’ then it shows:

> docker pull ubuntu:latest
latest: Pulling from library/ubuntu
70104cd59e2a: Pull complete
Digest: sha256:1b8d8ff4777f36f19bfe73ee4df61e3a0b789caeff29caa019539ec7c9a57f95
Status: Downloaded newer image for ubuntu:latest

If I now start it and cat /etc/lsb-release, it shows 22.04. Done!

Moving from msql client to mysqlsh

I posted a while back about running mysql in a Docker container on an Apple Silicon MacBook. It’s been a while since I’ve run mysql locally, and it seems the mysqlsh client is now preferred over the previous mysql client.

With mysqlsh, after connecting, to issue a ‘use’ command to select a db, use ‘\use dbname’

Once a db is selected, to issue other mysql commands enter the sql mode with ‘\sql’ command.