[SOLVED] Problems renewing letsencrypt certificates

Discussion in 'General' started by Ovidiu, Sep 11, 2017.

  1. Ovidiu

    Ovidiu Active Member

    The problem comes from the fact that this domain once upon a time had an alias domain and now the certificate for the alias-domain cannot be renewed since the domain no longer exists.

    So I went into ISPCFG3 and deleted every trace of this alias domain, then waited for the cert to be renewed but it still seems to not work.

    I looked into:
    /etc/letsencrypt/renewal and see

    -rw-r--r-- 1 root root 758 Sep 11 09:35 intramed.sa.com-0001.conf
    -rw-r--r-- 1 root root 761 May 30 04:05 intramed.sa.com.conf

The -0001.conf file is actually the correct one as it does not contain the old alias domain. Here is the content of

    # renew_before_expiry = 30 days
    version = 0.10.1
    archive_dir = /etc/letsencrypt/archive/intramed.sa.com
    cert = /etc/letsencrypt/live/intramed.sa.com/cert.pem
    privkey = /etc/letsencrypt/live/intramed.sa.com/privkey.pem
    chain = /etc/letsencrypt/live/intramed.sa.com/chain.pem
    fullchain = /etc/letsencrypt/live/intramed.sa.com/fullchain.pem
    # Options used in the renewal process
    account = 67f3e868662cb26281a9f10801ca1e09
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    www.intramed.sa.com = /usr/local/ispconfig/interface/acme
    intramed-distribution.co.za = /usr/local/ispconfig/interface/acme
    www.intramed-distribution.co.za = /usr/local/ispconfig/interface/acme
    intramed.sa.com = /usr/local/ispconfig/interface/acme

    intramed.sa.com is the current domain, intramed-distribution was the old alias domain.

    What shall I do, edit this file by hand and remove the old alias domain?
    Also, I used to go edit the site in ISPCFG3 and edit the site then save to trigger the cert check/renewal, how else can I do this via command line?
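The renewal file quoted above is what decides which names certbot will try to validate, so a stale alias in its webroot map fails the whole renewal. The following is an added example, not code from the thread or from ISPConfig or certbot: it parses a constructed renewal conf in the certbot 0.10.1 layout (section headers included, which the forum stripped from the quote), and reports the names that are no longer served. The hostname-key fallback for header-less copies is this example's own assumption.

```python
import re

# Constructed sample modelled on the renewal file quoted above (certbot 0.10.1
# layout; hostnames and account id are placeholders, not the poster's).
SAMPLE_CONF = """\
version = 0.10.1
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
rsa_key_size = 4096
installer = None
[[webroot_map]]
www.example.com = /usr/local/ispconfig/interface/acme
old-alias.example = /usr/local/ispconfig/interface/acme
www.old-alias.example = /usr/local/ispconfig/interface/acme
example.com = /usr/local/ispconfig/interface/acme
"""

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def parse_webroot_map(text):
    """Return {domain: webroot} from a certbot renewal conf. Keys inside
    [[webroot_map]] are taken as-is; outside it, a 'key = value' whose key
    looks like a hostname is accepted too, so a copy with the section headers
    stripped (as quoted in the thread) parses the same way. That fallback is
    this example's assumption, not certbot's own loader."""
    webroot_map, in_map = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                     # section header
            in_map = line.strip("[]").strip() == "webroot_map"
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if sep and (in_map or HOST_RE.match(key)):
            webroot_map[key] = value
    return webroot_map

def stale_domains(text, still_served):
    """Names the renewal would try to validate although the site no longer
    answers for them; each one makes the HTTP-01 challenge, and with it the
    whole renewal, fail."""
    return sorted(set(parse_webroot_map(text)) - set(still_served))
```

Run `stale_domains(open(path).read(), names_in_ispconfig)` over each file in /etc/letsencrypt/renewal to find certificates that will stop renewing before the 30-day window runs out.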
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you use ISPConfig 3.1.6? If not, update to 3.1.6, then disable LE in the website settings, click save, then enable LE again.
  3. Ovidiu

    Ovidiu Active Member

    Sorry, totally forgot to mention that I am still on ISPCFG 3.1.5 - will update this weekend. BUT I already tried exactly what you said with 3.1.5, which led to this thread. I just tried again, I see no more errors yet the cert error is still there. I guess it's possible this is being cached somewhere? I already tried an incognito browser window.

    Still, these 2 files now have these time stamps:
    -rw-r--r-- 1 root root 758 Sep 11 09:35 intramed.sa.com-0001.conf
    -rw-r--r-- 1 root root 761 May 30 04:05 intramed.sa.com.conf

    Seems something is still giving an error.

    I don't see errors inside letsencrypt.log:
    cat /var/log/letsencrypt/letsencrypt.log
    2017-09-11 08:43:06,683:DEBUG:certbot.main:Root logging level set at 20
    2017-09-11 08:43:06,684:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-09-11 08:43:06,684:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    2017-09-11 08:43:06,684:DEBUG:certbot.cli:Deprecation warning circumstances: /root/.local/share/letsencrypt/bin/letsencrypt / {'LANG': 'en_GB.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'HOME': '/root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', '_': '/root/.local/share/letsencrypt/bin/letsencrypt'}
    2017-09-11 08:43:06,684:DEBUG:certbot.main:certbot version: 0.10.1
    2017-09-11 08:43:06,684:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'intramed.sa.com', '--domains', 'www.intramed.sa.com', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    2017-09-11 08:43:06,685:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
    2017-09-11 08:43:06,685:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2017-09-11 08:43:06,688:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f0979dab4d0>
    Prep: True
    2017-09-11 08:43:06,689:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f0979dab4d0> and installer None
    2017-09-11 08:43:06,729:DEBUG:certbot.main:Picked account: <Account(67f3e868662cb26281a9f10801ca1e09)>
    2017-09-11 08:43:06,730:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
    2017-09-11 08:43:06,758:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2017-09-11 08:43:06,986:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 561
    2017-09-11 08:43:06,987:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Content-Type: application/json
    Content-Length: 561
    Boulder-Request-Id: mqB3TlQEI_qfNtpLnxXDWGOeqZxUA6bWHKpPAHvR5ok
    Replay-Nonce: Z4JUSa55Kjl9UOqP9cheWbvSIbgBzHLb4Aez2jjFZuY
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Mon, 11 Sep 2017 08:43:06 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Mon, 11 Sep 2017 08:43:06 GMT
    Connection: keep-alive
    {
      "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
      "meta": {
        "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
      },
      "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
      "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
      "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
      "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
      "yzfTr3YIqm0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
    }
    2017-09-11 08:43:07,419:INFO:certbot.renewal:Cert not yet due for renewal
    2017-09-11 08:43:07,420:INFO:certbot.main:Keeping the existing certificate
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The relevant changes are in 3.1.6. Please update and try again then.
  5. Ovidiu

    Ovidiu Active Member

    Thanks for the tips, problem solved indeed after the update.
  6. Ovidiu

    Ovidiu Active Member

    Need to open this old thread of mine again. I have hit a problem which looks to be the same one:

    Another domain can't get a new certificate as it has an alias domain. I then went and edited the alias domain and ticked the box "don't add to letsencrypt certificate", but when trying to activate letsencrypt for the main domain I get:

    Date: Sun, 18 Mar 2018 20:40:06 +0100 (CET)
    Subject: 18.03.2018-19:40 - WARNING - Reason for nginx rest...
    18.03.2018-19:40 - WARNING - Reason for nginx restart failure: nginx: [emerg] BIO_new_file("/var/www/clients/client2/web8/ssl/foodandchatter.co.za.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/www/clients/client2/web8/ssl/foodandchatter.co.za.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
    nginx: configuration file /etc/nginx/nginx.conf test failed
    It is looking for a domain.tld.crt but I only have a domain.tld-le.crt
  7. Ovidiu

    Ovidiu Active Member

    Oh, and now in /etc/letsencrypt/live/ this domain has 2 folders, one with its name and another one with -0001 at the end :-(
  8. Ovidiu

    Ovidiu Active Member

    OK, so I unchecked letsencrypt in ISPCFG 3, then deleted the folders for this domain in /etc/letsencrypt/live and all the symlinks inside the domain's ssl folder. Then I ticked the letsencrypt box in ISPCFG 3 again and am again getting "not found" for the domain.tld.crt file - why does ISPCFG3 create it with -le at the end? Any tips? The site is now obviously offline until I figure this one out.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    My guess is that you use an old custom vhost template file in /usr/local/ispconfig/server/conf-custom/ which is not compatible with the ISPConfig version that you are using now. Compare the ssl section of your custom file with the one that ships with ispconfig and adjust the custom file accordingly.
  10. Ovidiu

    Ovidiu Active Member

    Thanks Till, for the pointer, and that makes sense. I did an sdiff between the original nginx_vhost.conf.master and mine. The only lines that differ and have anything to do with ssl are these:
    The two original lines in mine have been commented out and replaced by the lines from
            #ssl_certificate <tmpl_var name='document_root'>/ssl/ <
            #ssl_certificate_key <tmpl_var name='document_root'>/ <
            ssl_certificate <tmpl_var name='ssl_crt_file'>;
            ssl_certificate_key <tmpl_var name='ssl_key_file'>;
    And still, after editing this particular site and checking that the vhost file in /etc/nginx/sites-available gets rewritten, inside that file I see:
            ssl_certificate /var/www/clients/client2/web8/ssl/foodandchatter.co.za-le.crt;
            ssl_certificate_key /var/www/clients/client2/web8/ssl/foodandchatter.co.za-le.key;
    This seems to have solved the problem, as nginx was previously looking for the files without the "-le", so now it looks good.
    till and ahrasis like this.
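The failure above surfaced only as nginx refusing to restart, which took the site offline. As an added example (not code from the thread, ISPConfig or nginx), the check below reads the ssl_certificate and ssl_certificate_key paths out of a vhost file and tells a file that was never written (the plain .crt from the old template) apart from a -le symlink whose /etc/letsencrypt/live target was deleted, before `nginx -t` is run. The fixture it builds is constructed in a temporary directory; the names and paths are stand-ins, not the poster's.

```python
import os
import re
import tempfile

# Matches the two directives ISPConfig writes into the vhost's ssl section.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_certificate(?:_key)?)\s+(\S+?)\s*;")

def check_ssl_paths(vhost_text):
    """Map each ssl_certificate / ssl_certificate_key path in an nginx vhost
    to 'ok', 'missing' or 'dangling-symlink'. nginx reports the last two
    identically as 'No such file or directory', so this tells them apart
    before a restart takes the site down."""
    report = {}
    for line in vhost_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        path = m.group(2)
        if os.path.islink(path) and not os.path.exists(path):
            report[path] = "dangling-symlink"   # link kept, target removed
        else:
            report[path] = "ok" if os.path.exists(path) else "missing"
    return report

def demo():
    """Constructed fixture reproducing the thread's state: the -le.key is
    present, the -le.crt symlink points into a deleted live/ folder, and the
    old template still refers to a plain .crt that ISPConfig never wrote.
    A temp dir stands in for /var/www/clients/<client>/<web>/ssl."""
    ssl_dir = tempfile.mkdtemp()
    key = os.path.join(ssl_dir, "example.com-le.key")
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\nconstructed placeholder\n")
    le_crt = os.path.join(ssl_dir, "example.com-le.crt")
    os.symlink(os.path.join(ssl_dir, "live-deleted", "fullchain.pem"), le_crt)
    vhost = "\n".join([
        "    ssl_certificate %s;" % os.path.join(ssl_dir, "example.com.crt"),
        "    ssl_certificate %s;" % le_crt,
        "    ssl_certificate_key %s;" % key,
    ])
    # Return basenames so the result does not depend on the temp location.
    return {os.path.basename(p): s for p, s in check_ssl_paths(vhost).items()}
```

On a live host, feed it `open("/etc/nginx/sites-available/<site>.vhost").read()` and treat any non-'ok' entry as a reason not to reload.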