[SOLVED] Problems renewing letsencrypt certificates

Discussion in 'General' started by Ovidiu, Sep 11, 2017.

  1. Ovidiu

    Ovidiu Active Member

    The problem comes from the fact that this domain once upon a time had an alias domain and now the certificate for the alias-domain cannot be renewed since the domain no longer exists.

    So I went into ISPCFG3 and deleted every trace of this alias domain, then waited for the cert to be renewed but it still seems to not work.

    I looked into:
    /etc/letsencrypt/renewal and see

    -rw-r--r-- 1 root root 758 Sep 11 09:35 intramed.sa.com-0001.conf
    -rw-r--r-- 1 root root 761 May 30 04:05 intramed.sa.com.conf

    The -0001.conf file is actually the correct one as it does not contain the old alias domain. Here is the content of
    intramed.sa.com.conf:

    Code:
    # renew_before_expiry = 30 days
    version = 0.10.1
    archive_dir = /etc/letsencrypt/archive/intramed.sa.com
    cert = /etc/letsencrypt/live/intramed.sa.com/cert.pem
    privkey = /etc/letsencrypt/live/intramed.sa.com/privkey.pem
    chain = /etc/letsencrypt/live/intramed.sa.com/chain.pem
    fullchain = /etc/letsencrypt/live/intramed.sa.com/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = 67f3e868662cb26281a9f10801ca1e09
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    [[webroot_map]]
    www.intramed.sa.com = /usr/local/ispconfig/interface/acme
    intramed-distribution.co.za = /usr/local/ispconfig/interface/acme
    www.intramed-distribution.co.za = /usr/local/ispconfig/interface/acme
    intramed.sa.com = /usr/local/ispconfig/interface/acme
    
    intramed.sa.com is the current domain, intramed-distribution was the old alias domain.

    What shall I do, edit this file by hand and remove the old alias domain?
    Also, I used to go edit the site in ISPCFG3 and edit the site then save to trigger the cert check/renewal, how else can I do this via command line?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you use ISPConfig 3.1.6? If not, update to 3.1.6, then disable LE in the website settings, click save, then enable LE again.
     
  3. Ovidiu

    Ovidiu Active Member

    Sorry, totally forgot to mention that I am still on ISPCFG 3.1.5 - will update this weekend. BUT I already tried exactly what you said with 3.1.5 which led to this thread. I just tried again, I see no more errors yet the cert error is still there. I guess it's possible this is being cached somewhere? I already tried an incognito browser window.

    Still, these 2 files now have these time stamps:
    -rw-r--r-- 1 root root 758 Sep 11 09:35 intramed.sa.com-0001.conf
    -rw-r--r-- 1 root root 761 May 30 04:05 intramed.sa.com.conf

    Seems something is still giving an error.

    I don't see errors inside letsencrypt.log:
    Code:
     cat /var/log/letsencrypt/letsencrypt.log
    2017-09-11 08:43:06,683:DEBUG:certbot.main:Root logging level set at 20
    2017-09-11 08:43:06,684:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-09-11 08:43:06,684:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    2017-09-11 08:43:06,684:DEBUG:certbot.cli:Deprecation warning circumstances: /root/.local/share/letsencrypt/bin/letsencrypt / {'LANG': 'en_GB.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'HOME': '/root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', '_': '/root/.local/share/letsencrypt/bin/letsencrypt'}
    2017-09-11 08:43:06,684:DEBUG:certbot.main:certbot version: 0.10.1
    2017-09-11 08:43:06,684:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'intramed.sa.com', '--domains', 'www.intramed.sa.com', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    2017-09-11 08:43:06,685:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
    2017-09-11 08:43:06,685:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2017-09-11 08:43:06,688:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f0979dab4d0>
    Prep: True
    2017-09-11 08:43:06,689:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f0979dab4d0> and installer None
    2017-09-11 08:43:06,729:DEBUG:certbot.main:Picked account: <Account(67f3e868662cb26281a9f10801ca1e09)>
    2017-09-11 08:43:06,730:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
    2017-09-11 08:43:06,758:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2017-09-11 08:43:06,986:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 561
    2017-09-11 08:43:06,987:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Content-Type: application/json
    Content-Length: 561
    Boulder-Request-Id: mqB3TlQEI_qfNtpLnxXDWGOeqZxUA6bWHKpPAHvR5ok
    Replay-Nonce: Z4JUSa55Kjl9UOqP9cheWbvSIbgBzHLb4Aez2jjFZuY
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Mon, 11 Sep 2017 08:43:06 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Mon, 11 Sep 2017 08:43:06 GMT
    Connection: keep-alive
    
    {
      "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
      "meta": {
        "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
      },
      "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
      "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
      "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
      "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
      "yzfTr3YIqm0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
    }
    2017-09-11 08:43:07,419:INFO:certbot.renewal:Cert not yet due for renewal
    2017-09-11 08:43:07,420:INFO:certbot.main:Keeping the existing certificate
    
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The relevant changes are in 3.1.6. Please update and try again then.
     
  5. Ovidiu

    Ovidiu Active Member

    Thanks for the tips, problem solved indeed after the update.
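
Added example, not part of any post in this thread and not ISPConfig or certbot code: a read-only audit of certbot renewal configs that lists `[[webroot_map]]` domains no longer served and flags `-NNNN` duplicate lineages like the pair in the first post. The function names are hypothetical and the contents of the `-0001` file are constructed, since the thread does not show them; `[[webroot_map]]` is used only as an indicator, and the names actually on a certificate are in its SAN list.

```python
import re

# Constructed sample mirroring the two renewal files named in the first post.
# The -0001 file's contents are an assumption; the thread only describes them.
SAMPLE = {
    "intramed.sa.com.conf": """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
www.intramed.sa.com = /usr/local/ispconfig/interface/acme
intramed-distribution.co.za = /usr/local/ispconfig/interface/acme
www.intramed-distribution.co.za = /usr/local/ispconfig/interface/acme
intramed.sa.com = /usr/local/ispconfig/interface/acme
""",
    "intramed.sa.com-0001.conf": """\
[renewalparams]
[[webroot_map]]
www.intramed.sa.com = /usr/local/ispconfig/interface/acme
intramed.sa.com = /usr/local/ispconfig/interface/acme
""",
}

def webroot_domains(conf_text):
    """Return the domain keys listed under the [[webroot_map]] subsection."""
    domains, in_map = set(), False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # any section header switches context
            in_map = line.strip("[] ") == "webroot_map"
        elif in_map and "=" in line:
            domains.add(line.split("=", 1)[0].strip().lower())
    return domains

def audit(confs, active_domains):
    """Per lineage: domains not in active_domains, and the lineage it duplicates."""
    report = {}
    for name, text in sorted(confs.items()):
        lineage = name[:-len(".conf")]
        base = re.sub(r"-\d{4}$", "", lineage)  # certbot's duplicate suffix
        dup = base if base != lineage and base + ".conf" in confs else None
        report[lineage] = {"stale": sorted(webroot_domains(text) - active_domains), "duplicate_of": dup}
    return report

if __name__ == "__main__":
    active = {"intramed.sa.com", "www.intramed.sa.com"}  # domains still hosted
    for lineage, info in audit(SAMPLE, active).items():
        print(lineage, info)
```

To run it against a live server, build the `confs` mapping from the files in /etc/letsencrypt/renewal instead of `SAMPLE`.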
     
