Letsencrypt certbot works but renewal doesn't - apache

I've got a server which had an expired letsencrypt certificate. To fix that, I simply ran certbot --apache which ran without problems and solved the expired certificate.
To prevent this problem in the future, I wanted to have the certificate automatically renew itself, so following the instructions here I ran certbot renew --dry-run, but that ends in an error:
Attempting to renew cert from /etc/letsencrypt/renewal/cms.ourdomain.com.conf produced an unexpected error: Failed authorization procedure. cms.ourdomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up CAA for cms.ourdomain.com. Skipping.
Since certbot --apache worked perfectly well I wouldn't know why this renewal would fail with a DNS problem. To be sure I ran certbot --apache again to force and renew the cert again, which again worked fine. So nothing seems to be wrong with the DNS.
Does anybody know what could be the cause of this problem or how I can debug this? All tips are welcome!

From what I have seen, certbot and certbot --apache actually take some significantly different code paths. Perhaps try certbot --apache --dry-run?
Incidentally, I have given up on the Apache specific implementation. I have found that stopping apache and running certbot certonly --standalone -d example.com does a good job of generating keys and certs (point to them manually in your apache config) and then certbot renew with pre and post hook scripts in /etc/letsencrypt/renewal-hooks/{pre|post}/apache2.sh to stop and start apache works really well.
My scripts look like:

#!/bin/bash
# /etc/letsencrypt/renewal-hooks/pre/apache2.sh
# certbot pre renewal
# stop apache
systemctl stop apache2
sleep 5s

#!/bin/bash
# /etc/letsencrypt/renewal-hooks/post/apache2.sh
# certbot post renewal
# start apache
systemctl start apache2
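The pre/post scripts above stop and start Apache around every renewal because the standalone authenticator needs port 80 itself. When the authenticator does not need Apache stopped (webroot or the apache plugin), a deploy hook is the safer place to restart things, since certbot runs it only after a lineage was actually renewed. The script below is an added example written for this thread, not one of the answer's scripts. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot exports to deploy hooks; the install path /etc/letsencrypt/renewal-hooks/deploy/apache2-reload.py and the apachectl/systemctl command names are assumptions for a Debian-style Apache on systemd.

```python
#!/usr/bin/env python3
"""Certbot deploy hook for Apache (added example, not the thread's own scripts).

Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/apache2-reload.py
(any executable there is run by certbot after a successful renewal).
Certbot exports RENEWED_LINEAGE (the live/<name> directory) and
RENEWED_DOMAINS (space separated) to deploy hooks; nothing runs for
lineages that were not renewed.
"""
import os
import subprocess
import sys

# Assumption: Debian/Ubuntu-style Apache managed by systemd.
CONFIGTEST = ["apachectl", "configtest"]
RELOAD = ["systemctl", "reload", "apache2"]


def lineage_files(lineage_dir):
    """The two files Apache is normally pointed at inside a certbot lineage."""
    return {
        "fullchain": os.path.join(lineage_dir, "fullchain.pem"),
        "privkey": os.path.join(lineage_dir, "privkey.pem"),
    }


def plan(env, exists=os.path.exists):
    """Decide what to do from certbot's hook environment.

    Returns (commands, reason). An empty command list means "do nothing";
    `reason` says why, so the decision is visible in the certbot log.
    `exists` is injectable so the logic can be exercised without real files.
    """
    lineage = env.get("RENEWED_LINEAGE")
    if not lineage:
        return [], "RENEWED_LINEAGE not set; not running under a certbot deploy hook"
    missing = [p for p in lineage_files(lineage).values() if not exists(p)]
    if missing:
        # Never reload Apache onto a half-written lineage.
        return [], "missing files after renewal: " + ", ".join(missing)
    domains = env.get("RENEWED_DOMAINS", "").split()
    return [CONFIGTEST, RELOAD], "renewed %s for %s" % (lineage, " ".join(domains) or "?")


def run(commands):
    """Run the planned commands in order, stopping at the first failure."""
    for cmd in commands:
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode != 0:
            # A failed configtest leaves the running Apache untouched.
            sys.stderr.write("%s failed: %s\n" % (" ".join(cmd), result.stderr.strip()))
            return result.returncode
    return 0


if __name__ == "__main__":
    commands, reason = plan(os.environ)
    print(reason)
    sys.exit(run(commands))
```

The configtest step is the point of the exercise: a reload is only issued once Apache has accepted the configuration that points at the renewed files, so a broken vhost or a lineage that moved (see the -0001 discussion further down this page) fails loudly in the certbot log instead of taking the site down.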

Related

CyberPanel SSL auto-renew

So, I have OpenLightSpeed server with CyberPanel installed. My issue is that once I issue the SSL with a standard CyberPanel tool, it works for 90 days only, regular Lets Encrypt cert.
There is a CRON job add possibility in the CP, but I'm not sure it will work properly to auto-renew. Especially the restart part. Here it is:
/root/.acme.sh/acme.sh --issue -d yourdomainname.com -d www.yourdomainname.com --cert-file /etc/letsencrypt/live/yourdomainname.com/cert.pem --key-file /etc/letsencrypt/live/yourdomainname.com/privkey.pem --fullchain-file /etc/letsencrypt/live/yourdomainname.com/fullchain.pem -w /home/yourdomainname.com/public_html --force && systemctl restart lsws
Could someone advise, please? Thanks in advance.
The SSL renewal is automatic in CyberPanel. After 90 days this cron will automatically run to issue the SSL in CyberPanel; you can see the command in the CyberPanel main log. But if, due to some issue like a forceful redirection or anything else, the SSL is not successfully issued, you have to issue it manually.

How to Remove or Edit an SSL Certificate on a Digital Ocean OpenLiteSpeed Server

There is a LetsEncrypt SSL cert on a Digital Ocean OpenLiteSpeed server I'm managing, which has the wrong name. Does anyone know if there is a way I can either remove the cert and make a new one or edit it? If I add a second cert with the correct information, does anyone know how that would play out? Thank you in advance for any help you can offer.
For removing SSL in Digital Ocean you can use
$ sudo certbot delete
There is no way to edit SSL because SSL is an encrypted format; you can delete the SSL certificate or make a new SSL certificate for your domain.
first of all, if you are applying the wrong domain or subdomain and you want to correct it so no need to correct it. change your SSL by using these steps :
Open DigitalOcean Console :
Step 1: login with your username and password.
Step 2: use this command sudo add-apt-repository ppa:certbot/certbot
Step 3: command sudo apt-get update
Step 4: sudo apt-get install python-certbot-apache
Now the certbot Let's Encrypt client is ready to use.
Set Up the SSL Certificate
Step 5: sudo certbot --apache -d example.com (use your own domain or subdomain instead of example.com)
Verifying Certbot Auto-Renewal
sudo certbot renew --dry-run
If you want to delete SSL CERTBOT from your site use these commands:
Command to Delete Certbot Certificate
$ sudo certbot delete
Delete Certbot Certificate by Domain Name
$ sudo certbot delete --cert-name example.com
I guess you are asking about how to update the new LE cert on OpenLiteSpeed.
Basically you can follow this official doc to apply the cert and update the correct certificate & key path to the listener>SSL via web admin at port 7080.
Best

Why is certbot failing?

This is my very first attempt to generate a Letsencrypt certificate:
# ufw allow 80
# certbot certonly --standalone --preferred-challenges http -d xyz.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xyz.com
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.
I've tried some other things too, and I'm not getting anywhere with this. Can anyone help me figure out what I'm missing?
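"Problem binding to port 80" means the standalone plugin could not open port 80 itself, usually because a web server is already listening there (in which case --webroot or the --apache/--nginx plugins, or a pre-hook that stops the server, is the fix) or because certbot was not run as root. The preflight below is an added example for this question, not certbot's own code: it tries the bind the way standalone will and, given the output of `ss -ltnp` (the sample lines are constructed), reports which process holds the port. Paths and process names in the sample are made up.

```python
import errno
import re
import socket

# One `ss -ltnp` LISTEN row (Linux): state, recv-q, send-q, local, peer, process.
SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$"
)
PROC_ENTRY = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# Constructed sample of `ss -ltnp` output for the demo; not a real capture.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=1234,fd=4),("apache2",pid=1230,fd=4))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=700,fd=3))
LISTEN 0      511    [::]:80           [::]:*        users:(("apache2",pid=1234,fd=5),("apache2",pid=1230,fd=5))
"""


def port_is_free(port, host="", family=socket.AF_INET):
    """Attempt the bind certbot --standalone will attempt.

    Returns (free, reason). EADDRINUSE means something already listens;
    EACCES on a privileged port means certbot was not run as root.
    """
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return True, "port %d is free" % port
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return False, "port %d is already in use" % port
        if e.errno == errno.EACCES:
            return False, "no permission to bind port %d (not root?)" % port
        raise
    finally:
        sock.close()


def listeners_on(port, ss_output):
    """Parse `ss -ltnp` output; return [(process, pid, local_addr)] for `port`."""
    found = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or int(m.group("port")) != port:
            continue
        entries = PROC_ENTRY.findall(m.group("proc")) or [("?", "0")]
        for name, pid in entries:
            found.append((name, int(pid), m.group("addr")))
    return found


def occupy_port(host="127.0.0.1"):
    """Open a throwaway listener on an ephemeral port to show the busy case."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    print(port_is_free(80))
    for name, pid, addr in listeners_on(80, SAMPLE_SS):
        print("port 80 held by %s (pid %d) on %s" % (name, pid, addr))
    busy, port = occupy_port()
    print(port_is_free(port, "127.0.0.1"))
    busy.close()
```

In practice you would feed `listeners_on` the live output of `ss -ltnp` (run as root so the process column is populated); the parser is kept separate from the command so it can be exercised on captured output.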

NET::ERR_CERT_DATE_INVALID after manual renewal with certbot

My website keeps getting "NET::ERR_CERT_DATE_INVALID" error.
I have renewed the certificate using:
sudo certbot certonly --webroot -w /var/www/html -d startuplab.io
and have restarted nginx.
It used to work fine before, my other websites work fine as well.
How do I figure out what went wrong?
Edit:
This tool shows me that certificate expired 21 days ago.
Letsencrypt tells me:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/startuplab.io-0001/fullchain.pem. Your cert
will expire on 2019-05-22. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew all of your certificates, run "certbot
renew"
Edit 2:
Aha! My ssl-startuplab.io.conf snippet points to
ssl_certificate /etc/letsencrypt/live/startuplab.io/fullchain.pem;
but certbot has put it into
ssl_certificate /etc/letsencrypt/live/startuplab.io-0001/fullchain.pem;
Does anybody know why this happens? What should I do to fix this and avoid it in the future?
Edit 3:
Just renaming the startuplab.io-0001 folder into startuplab.io fixed the issue. But why did this happen to begin with? How do I make sure it never happens again? I'd appreciate any advice!
For your edit 3, from https://certbot.eff.org/docs/using.html#renewing-certificates emphasis added:
An alternative form that provides for more fine-grained control over the renewal process (while renewing specified certificates one at a time), is certbot certonly with the complete set of subject domains of a specific certificate specified via -d flags. ...
All of the domains covered by the certificate must be specified in this case in order to renew and replace the old certificate rather than obtaining a new one; don’t forget any www. domains! Specifying a subset of the domains creates a new, separate certificate containing only those domains, rather than replacing the original certificate. When run with a set of domains corresponding to an existing certificate, the certonly command attempts to renew that specific certificate.
Your old cert was for startuplab.io AND webacademy.io -- not only the former.
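The failure mode in this question is silent: certbot created a second lineage (startuplab.io-0001) because the -d set did not match the existing certificate, and the nginx config kept serving the old lineage until it expired. The audit below is an added example for this thread, not certbot's or nginx's code. It extracts the lineage names that nginx (`ssl_certificate`) and Apache (`SSLCertificateFile`) directives point at under /etc/letsencrypt/live and flags a referenced lineage that has an unreferenced -NNNN sibling, or a reference to a lineage that does not exist. The config snippet and lineage list in the demo are constructed from the details in this question.

```python
import os
import re
import sys

LIVE_DIR = "/etc/letsencrypt/live"

# nginx and Apache directives that name certificate or key files.
CERT_DIRECTIVE = re.compile(
    r"^\s*(?:ssl_certificate|ssl_certificate_key|SSLCertificateFile|SSLCertificateKeyFile)"
    r"\s+(?P<path>\S+?);?(?:\s*#.*)?\s*$",
    re.MULTILINE,
)
# certbot names a duplicate lineage <name>-0001, <name>-0002, ...
NUMBERED = re.compile(r"^(?P<base>.+)-\d{4}$")

# Constructed snippet modelled on the question's ssl-startuplab.io.conf.
SAMPLE_CONFIG = """\
ssl_certificate /etc/letsencrypt/live/startuplab.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/startuplab.io/privkey.pem;
"""
# Constructed contents of /etc/letsencrypt/live after the stray certonly run.
SAMPLE_LINEAGES = {"startuplab.io", "startuplab.io-0001"}


def referenced_lineages(config_text):
    """Lineage directory names a web server config points at under LIVE_DIR."""
    names = set()
    for m in CERT_DIRECTIVE.finditer(config_text):
        path = m.group("path").strip('"')
        if path.startswith(LIVE_DIR + "/"):
            names.add(path[len(LIVE_DIR) + 1:].split("/", 1)[0])
    return names


def audit(config_text, lineages):
    """Cross-check config references against existing lineage names.

    Returns a list of (severity, message) findings; an empty list is clean.
    """
    lineages = set(lineages)
    referenced = referenced_lineages(config_text)
    findings = []
    for name in sorted(referenced - lineages):
        findings.append(("error", "config references missing lineage %s" % name))
    for name in sorted(lineages):
        m = NUMBERED.match(name)
        if not m:
            continue
        base = m.group("base")
        if base in lineages and base in referenced and name not in referenced:
            findings.append(("warning",
                "%s exists beside %s but the config serves %s; a certonly run with a "
                "different -d set created a new lineage instead of renewing %s"
                % (name, base, base, base)))
    return findings


def audit_files(config_paths, live_dir=LIVE_DIR):
    """Audit real config files against the lineages present on this host."""
    text = "".join(open(p).read() for p in config_paths)
    lineages = {d for d in os.listdir(live_dir)
                if os.path.isdir(os.path.join(live_dir, d))}
    return audit(text, lineages)


if __name__ == "__main__":
    # With no arguments run the constructed demo; otherwise audit the given configs.
    results = audit_files(sys.argv[1:]) if len(sys.argv) > 1 else audit(SAMPLE_CONFIG, SAMPLE_LINEAGES)
    for severity, message in results:
        print("%s: %s" % (severity, message))
```

Renaming the -0001 directory, as the question's edit 3 did, makes the symptom go away but leaves the old lineage's renewal config behind; checking `certbot certificates` for two lineages with overlapping domains, and renewing with the complete -d set the answer quotes, is what keeps the audit clean on the next run.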

let's encrypt certificate renew after expiration

I'm having issues trying to renew a recently expired certificate issued with let's encrypt.
I tried launching the following commands:
./letsencrypt-auto renew
and
sudo ./letsencrypt-auto certonly --text --agree-tos --email dev#intuizone.com --renew-by-default --webroot --webroot-path /home/lovegistics -d lovegistics.it
which was the code I used to issue the certificate. Both of the commands said that the certificate was successfully renewed/issued, but it still gives me an insecure connection.
Since I was on WHM, I took a look on the manage SSL page, and it says that the certificate has actually expired yesterday.
The output for the second command:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/lovegistics.it/fullchain.pem. Your cert will
expire on 2016-11-20. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
I'm sorry, but I lost the output for the first one. Strangely, when I try to relaunch the renew command, it says that the certificates are not due for renewal yet.
How can I renew this certificate?
Thank you all in advance for your help.
EDIT: I restarted the web server (Apache) after each of these commands
Finally I managed to solve my problem. The certificates were created successfully, but since I was on a cPanel server, they must be installed. In the following link there is an explanation directly from the cPanel team with Perl code to copy-paste and execute when you have generated the certificate.
cpanel forum explanation
Happy coding!
Check certificate:
certbot certificates
Renew command:
certbot renew --force-renewal --cert-name api2.example.in --deploy-hook "sudo service nginx restart"
have to go through a minimum number of measures to install Let's Encrypt SSL certificates.
First, by accessing active domains such as http://yourdomain.com:2083 or http://yourdomain.com/cpanel, go to cPanel.
When you proceed to the protection tab, the Let's Encrypt SSL icon is visible to you.
Click on the + Issue button as soon as you proceed to the Issuing a New Certificate arena.
You've got to click on your domain name then. Email the server when you're done with it. Then pick, and confirm, HTTP-01.
Click the problem button once you finish it.