After auto renewing, sites still show privacy error

Hi guys, I have a cron set up to auto renew which does not seem to be working, but that is not the main concern as I can do them manually, so the main issue is that after renewing the certs:

sudo ./certbot-auto renew

The following certs were successfully renewed:
/etc/letsencrypt/live/BLAHBLAH/fullchain.pem (success)

I am still getting privacy error on the sites in question. One being: https://www.techbubble.info/

NET::ERR_CERT_DATE_INVALID

How did you get the certificate in the first place? Using the certonly method?

If so, certbot won’t reload your webserver automatically. If you point to the correct location of the certificate in your webserver configuration, the only thing you’ll have to do is reload the webserver so it will use the new certificate.

If the above is the case, you might want to look into the --deploy-hook or --post-hook options of certbot.

Thanks for the quick reply, I was under the impression you create the certs with:

sudo ./certbot-auto certonly

and then set up a cron for:

root ./certbot-auto renew

I have rebooted the server and there is no change, still privacy error, the renew script said everything was renewed successfully.

Any more info on this please, this is a big issue for us and clients.

Hi @AMBTB,

Seems you haven't issued any new certificate since 28th June, so your cron job is not working as expected.

Could you please execute the command manually and show the output?

cd /path/where/is/certbot-auto/
sudo ./certbot-auto renew

Note: Seems obvious but just in case, you need to replace /path/where/is/certbot-auto/ with the real path where you have certbot-auto.

Cheers,
sahsanu

Thanks, I mentioned I knew the cron was not working, but I have renewed the certs today manually.

I issued that command today and the output now is as follows as the certs were renewed earlier:

The following certs are not due for renewal yet:
ALL CERTS

Exact output (minus some errors from sites that no longer exist):

sudo ./certbot-auto renew
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/taxiai.techbubbletechnologies.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.techbubble.info.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/shieldaigkennels.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/techbubble.info.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/floorwiseextranet.uk.conf

Cert not yet due for renewal

@AMBTB, execute this command and show the output:

sudo ./certbot-auto certificates

Also, please, show the Apache VirtualHost conf for this domain.

Cheers,
sahsanu

/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: taxiai.techbubbletechnologies.com
    Domains: taxiai.techbubbletechnologies.com
    Expiry Date: 2017-12-26 09:01:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/taxiai.techbubbletechnologies.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/taxiai.techbubbletechnologies.com/privkey.pem
  Certificate Name: www.techbubble.info
    Domains: www.techbubble.info
    Expiry Date: 2017-12-26 09:01:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.techbubble.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.techbubble.info/privkey.pem
  Certificate Name: shieldaigkennels.com
    Domains: shieldaigkennels.com
    Expiry Date: 2017-12-26 09:01:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/shieldaigkennels.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shieldaigkennels.com/privkey.pem
  Certificate Name: techbubble.info
    Domains: techbubble.info
    Expiry Date: 2017-12-26 09:02:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/techbubble.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/techbubble.info/privkey.pem
  Certificate Name: floorwiseextranet.uk
    Domains: floorwiseextranet.uk
    Expiry Date: 2017-12-26 09:02:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/floorwiseextranet.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/floorwiseextranet.uk/privkey.pem
  Certificate Name: tass.techbubbletechnologies.com
    Domains: tass.techbubbletechnologies.com
    Expiry Date: 2017-10-26 23:11:00+00:00 (VALID: 29 days)
    Certificate Path: /etc/letsencrypt/live/tass.techbubbletechnologies.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tass.techbubbletechnologies.com/privkey.pem
  Certificate Name: ai.techbubbletechnologies.com
    Domains: ai.techbubbletechnologies.com
    Expiry Date: 2017-10-29 18:27:00+00:00 (VALID: 32 days)
    Certificate Path: /etc/letsencrypt/live/ai.techbubbletechnologies.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ai.techbubbletechnologies.com/privkey.pem
  Certificate Name: kidsinai.tech
    Domains: kidsinai.tech
    Expiry Date: 2017-12-26 09:02:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/kidsinai.tech/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kidsinai.tech/privkey.pem
  Certificate Name: homesdirect.es
    Domains: homesdirect.es
    Expiry Date: 2017-12-26 09:02:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/homesdirect.es/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/homesdirect.es/privkey.pem
  Certificate Name: globaltribenetwork.com
    Domains: globaltribenetwork.com
    Expiry Date: 2017-10-08 16:35:00+00:00 (VALID: 11 days)
    Certificate Path: /etc/letsencrypt/live/globaltribenetwork.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/globaltribenetwork.com/privkey.pem
  Certificate Name: thelittlewhitebull.com
    Domains: thelittlewhitebull.com
    Expiry Date: 2017-12-19 08:59:00+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/thelittlewhitebull.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/thelittlewhitebull.com/privkey.pem
  Certificate Name: tia.techbubbletechnologies.com
    Domains: tia.techbubbletechnologies.com
    Expiry Date: 2017-10-26 23:01:00+00:00 (VALID: 29 days)
    Certificate Path: /etc/letsencrypt/live/tia.techbubbletechnologies.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tia.techbubbletechnologies.com/privkey.pem

So your certs are ok, the problem is your Apache conf, right now it is pointing to a cPanel expired certificate so you should change the right directives in your Apache domains conf to point to letsencrypt certificates instead of the cPanel ones.


Another thing to know when using cron jobs for automated renewal is that if you got the certificate with a certonly method, the renew command does not reload your web server after a renewal, which means the web server will not automatically know about the existence of the renewed certificate. You can use a separate command or a --renew-hook option in Certbot to cause the web server to be reloaded after a successful renewal.

However, what @sahsanu pointed out is a more important, more fundamental problem in your particular situation right now—the Apache configuration needs to be set up to use the valid Let’s Encrypt certificates that you have.
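The check behind that diagnosis, as an added example that is not part of the original thread: list each Apache vhost's `SSLCertificateFile` and flag the ones that do not point into `/etc/letsencrypt/live/`. The function names, the sample config and the cPanel-style path are constructed for illustration; `served_enddate` and `disk_enddate` need `openssl` (and network access for the former) and are not called by the demo at the bottom.

```shell
#!/bin/sh
# Added example (not from the thread): find vhosts whose certificate
# directive does not point at certbot's live/ directory.

LE_LIVE=/etc/letsencrypt/live/

# Print "ServerName<TAB>SSLCertificateFile<TAB>letsencrypt|other" per vhost.
audit_vhost_certs() {
    awk -v live="$LE_LIVE" '
        { d = tolower($1) }                       # directives are case-insensitive
        d ~ /^<virtualhost/       { name = "(no ServerName)"; cert = "" }
        d == "servername"         { name = $2 }
        d == "sslcertificatefile" { cert = $2 }
        d == "</virtualhost>" {
            if (cert != "") {
                status = (index(cert, live) == 1) ? "letsencrypt" : "other"
                printf "%s\t%s\t%s\n", name, cert, status
            }
        }
    ' "$1"
}

# notAfter of the certificate a host actually serves (network + openssl).
served_enddate() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -enddate
}

# notAfter of a certificate file on disk, to compare with served_enddate.
disk_enddate() {
    openssl x509 -noout -enddate -in "$1"
}

# Constructed sample config; the first certificate path is a placeholder.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName www.techbubble.info
    SSLEngine on
    SSLCertificateFile /path/to/cpanel/certs/www.techbubble.info.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName techbubble.info
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/techbubble.info/fullchain.pem
</VirtualHost>
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
audit_vhost_certs "$conf"
rm -f "$conf"
```

A vhost reported as `other` keeps serving its old file no matter how often `renew` succeeds; when `served_enddate` and `disk_enddate` disagree for a vhost reported as `letsencrypt`, the server has not been reloaded since the renewal.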

Is everything really OK? The “certbot-auto certificates” command shows a lot of certificates, 2 of which expire in 29 days, and 1 which expires in 11 days.

Either the default renewal period has been changed, or they aren’t all being successfully renewed.

@AMBTB, what was the rest of the output of “sudo ./certbot-auto renew”? What you posted earlier showed 6 certificates, while the “sudo ./certbot-auto certificates” command you posted later showed far more, several of which will expire in the next few weeks.

Hi guys, thanks for the replies, it is ok, we are using the cPanel autorenew system now. The additional ones you mention above are sites that no longer exist on the server; I mentioned earlier that there were a few sites that were not getting renewed that no longer exist, so that was expected.

Thanks for the help guys, I wasn't aware that cPanel did the free autorenews, it makes more sense to use the built-in functionality.
