LetsEncrypt - certificate refuses to renew

Discussion in 'ISPConfig 3 Priority Support' started by miguelpinheiro, Apr 24, 2019.

  1. Hi!
    I'm running ISPConfig 3.1 (latest). Today I received an email from LetsEncrypt telling that one of my certificates was not renewed and it will going to expire in 20 days.
    I dig a little and found that I did not have certbot installed (don't know why because always worked. I installed certbot-auto for Debian Jessie and changed the /init from
    0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
    0 */12 * * * root test -x /usr/local/bin/certbot-auto -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot-auto -q renew
    Then, I run:
    certbot-auto -q renew
    to renew the certificate right way. I got errors because the certificate I want to renew is tied to 2 domains (domain A1 and domain A2) and one of those domains was not renewed (A2). As soon as I figured this, I went to ISPConfig Admin Panel and remove DNS entries and Aliasdomain for that domain - A2 (this is why they were related). They I tick again the Letsencrypt option in the Web domain A1 but this option is not maintained (image).

    Then, I run
    certbot-auto -q renew
    getting the following errors:
    A1 and A2 are the domain names.
    So, I still see that certbot is renewing certificate from both domains.

    Attached is the log file from letsencrypt.

    I'm a bit lost here. I do not know how to fix this and be able to issue certificates again inside ISPConfig.
    Any hints would be much appreciated. Thanks.

    Attached Files:

    • log.txt
      File size:
      39.4 KB
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The renew is run by ISPConfig, don't add a separate cronjob for certbot renewals.

    Besides that, current certbot versions have a bug, they fail to write the domains correctly to the renewal config file. We implemented a workaround for this in ispconfig. Update ispconfig to git-stable version with the ispconfig_update.sh command. Then log in to ispconfig, go to the website, untick the lets encrypt checkbox, press save, then go back to the site and enable the let's encrypt checkbox again.
  3. Thanks till. I followed your steps and the ssl for letsencrypt is now enabled for that website (and keeps enabled).
    I will update this thread today with the results after the cronjob for certbot (from ISPConfig) runs and renews the certificate.
  4. Updated info! I just checked and it seems that the certificate was renewed. However, it kind of create a new certificate and keep the other unrenewed for the domain. Here is the logfile after running certbot-auto certificates:

    2019-04-25 13:23:46,965:DEBUG:certbot.main:certbot version: 0.33.1
    2019-04-25 13:23:46,965:DEBUG:certbot.main:Arguments: []
    2019-04-25 13:23:46,965:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-04-25 13:23:46,992:DEBUG:certbot.log:Root logging level set at 20
    2019-04-25 13:23:46,993:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-04-25 13:23:47,004:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
    2019-04-25 13:23:47,074:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
    2019-04-25 13:23:47,077:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/abaco44.es-0001/cert.pem is: OCSPCertStatus.GOOD
    2019-04-25 13:23:47,079:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
    2019-04-25 13:23:47,320:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
    2019-04-25 13:23:47,321:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/abaco44.es/cert.pem is: OCSPCertStatus.GOOD
    As you can see, abaco44.es-0001 was created and the certificate was issued correctly BUT the previous entry for that domain abaco44.es was not renewed. Here is the output of certbot-auto certificates:
    Found the following certs:
      Certificate Name: abaco44.es-0001
        Domains: abaco44.es abaco44.com www.abaco44.com www.abaco44.es
        Expiry Date: 2019-07-23 16:02:31+00:00 (VALID: 89 days)
        Certificate Path: /etc/letsencrypt/live/abaco44.es-0001/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/abaco44.es-0001/privkey.pem
      Certificate Name: abaco44.es
        Domains: abaco44.es abaco44.com aurt.es www.abaco44.com www.abaco44.es www.aurt.es
        Expiry Date: 2019-05-14 00:59:04+00:00 (VALID: 18 days) <- NOT RENEWED
        Certificate Path: /etc/letsencrypt/live/abaco44.es/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/abaco44.es/privkey.pem
    Is this going to cause any problem? Can it be fixed?
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    That's ok. That's the way certbot works when both certs contain different domains.
  6. Great! Thanks :)

Share This Page