How to renew SSL Certificate for domain.

Discussion in 'General' started by Keith Shepherd, Jul 28, 2020.

  1. Keith Shepherd

    Keith Shepherd New Member

    I'm trying to renew the SSL Certificate for a domain.
    I used the following to update the SSL Certificate for ISPConfig:

    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem

    This worked for ISPConfig but I'm stuck on how to renew the SSL certificate for my domain.

    I selected 'Sites' in ISPConfig and selected the domain and made sure the Let's Encrypt checkbox was checked and then clicked save.
    I stopped apache2 and re-started it but I'm still getting an error when trying to access the https://mydomain through a browser.
    When I access the ISPConfig SSL tab for the domain it shows values in SSL Key, SSL Request and SSL Certificate.
    When I check the /var/www/clients/client0/web?/SSL directory it still shows the symlinks mydomain-le.bundle, mydomain-le.crt, and mydomain-le.key, but when I check /etc/letsencrypt/live/mydomain it still contains symlinks pointing to ../../archive/mydomain which contains cert1.pem, chain1.pem, fullchain1.pem and privkey1.pem all dated from when I created mydomain.

    I noticed that /var/www/clients/client0/web?/SSL directory as well as containing the symlinks it also contains mydomain.crt, mydomain.csr, mydomain.key and mydomain.key.org.

    Would it solve the problem if I ran le4ispc.sh?

    The server is running Ubuntu 18.04 with ISPConfig Version: 3.1.15p3.

    Any help would be much appreciated.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you turn on Let's Encrypt for a website in ISPConfig Panel, the certificate is renewed automatically when cert has less than 30 days left.
    If the certificate is not issued when you turn it on in ISPConfig, see LE error FAQ to find out why: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
    If you have used certbot commands yourself from command line, that breaks the LE setup ISPConfig created. If this is the case, undo the damage, there are threads in this forum on how to do that.
     
  3. Keith Shepherd

    Keith Shepherd New Member

    I tailed the last 64 lines of /var/log/letsencrypt/letsencrypt.log and this what I got:

    2020-07-28 05:11:01,640:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
    File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
    File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
    File "/usr/lib/python3/dist-packages/certbot/main.py", line 1276, in renew
    renewal.handle_renewal_request(config)
    File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
    certbot.errors.Error: 0 renew failure(s), 2 parse failure(s)
    2020-07-28 13:13:00,576:DEBUG:certbot.main:certbot version: 0.27.0
    2020-07-28 13:13:00,577:DEBUG:certbot.main:Arguments: ['-q']
    2020-07-28 13:13:00,577:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-07-28 13:13:00,583:DEBUG:certbot.log:Root logging level set at 30
    2020-07-28 13:13:00,584:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-07-28 13:13:00,585:WARNING:certbot.renewal:
    Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
    File "/usr/lib/python3/dist-packages/certbot/storage.py", line 420, in __init__
    "file reference".format(self.configfile))
    certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
    2020-07-28 13:13:00,585:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/mydomain.uk.conf is broken. Skipping.
    2020-07-28 13:13:00,585:DEBUG:certbot.renewal:Traceback was:
    Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
    File "/usr/lib/python3/dist-packages/certbot/storage.py", line 420, in __init__
    "file reference".format(self.configfile))
    certbot.errors.CertStorageError: renewal config file {} is missing a required file reference

    2020-07-28 13:13:00,586:WARNING:certbot.renewal:
    Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
    File "/usr/lib/python3/dist-packages/certbot/storage.py", line 439, in __init__
    self._check_symlinks()
    File "/usr/lib/python3/dist-packages/certbot/storage.py", line 498, in _check_symlinks
    "expected {0} to be a symlink".format(link))
    certbot.errors.CertStorageError: expected /etc/letsencrypt/live/mydomain.uk-0001/cert.pem to be a symlink
    2020-07-28 13:13:00,586:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/mydomain.uk-0001.conf is broken. Skipping.
    2020-07-28 13:13:00,586:DEBUG:certbot.renewal:Traceback was:
    Traceback (most recent call last):
    File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
    File "/usr/lib/python3/dist-packages/certbot/storage.py", line 439, in __init__
    self._check_symlinks()
    File "/usr/lib/python3/dist-packages/certbot/storage.py", line 498, in _check_symlinks
    "expected {0} to be a symlink".format(link))
    certbot.errors.CertStorageError: expected /etc/letsencrypt/live/mydomain.uk-0001/cert.pem to be a symlink

    2020-07-28 13:13:00,587:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
    File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
    File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
    File "/usr/lib/python3/dist-packages/certbot/main.py", line 1276, in renew
    renewal.handle_renewal_request(config)
    File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
    certbot.errors.Error: 0 renew failure(s), 2 parse failure(s)

    I don't understand why ISPConfig didn't renew the SSL Certificate automatically, as the first indication that the SSL Certificate had expired was when I tried to access https://mydomain/index.php.

    I'm really stuck on this and would really appreciate some help.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    You could disable let's encrypt for the domain, then delete all files related to it under /etc/letsencrypt/ and then enable the let's encrypt checkbox again.
     
  5. Keith Shepherd

    Keith Shepherd New Member

    Hi Jesse,

    It worked. Thanks for your help, much appreciated.
     
  6. ahrasis

    ahrasis Well-Known Member

    Basically, I think you don't have to delete them because untick and then retick the letsencrypt box will force renewal if its certs haven't expired or will create new certs if they have expired.

    ISConfig GUI on this should already work fine and no cli intervention is really neccessary unless seriously warranted; else for doing the same you will still get reminder emails for the renewal of the deleted domain certs.

    Also I noted that you only realised about the certs expiry when you browsed the site which means that either you don't read the email warning sent to you or you didn't setup certbot with proper email.

    Setting up proper email for certbot is very important as a host master for obvious reasons and should be fixed if not.

    Try reading this on how to update email for your certbot: https://serverfault.com/a/827878
     

Share This Page