Auto renew messages

Hi guys,

I have an issue and some doubts about the auto-renew procedure.
I haven't tried to fix it by myself because it's an extremely important environment, and I still have a few days until it expires, so I came here to see the options I have.

I hope you guys can help me because it seems to be something easy to handle, and I'm not a very experienced guy with all this, so asking those who understand better than me is the only option I have.

We have an environment using Let's Encrypt certificate. I installed the certificate following those steps below:

(Apache and Ubuntu 20)

During the installation, everything went very smoothly. After the installation, I understood the certificate would be renewed automatically, 30 days before it expires, but I put an email reminder in place just in case it didn't work properly, and it didn't work properly. As you guys can see below, I received this email warning me about the expiry date of the certificate.

image

Before I panic, I decided to come here and ask the community for help.

My questions are:
How do I check the "health" of my certificate, to verify why the certificate is not renewing automatically?
Do I need to set it up manually? If yes, how?
How do I renew the certificate manually, if necessary?

Need help!

Thanks!

You can use a site like this SSL Checker

An auto-renew may have been set up by Certbot depending on the options you chose. It just might not be working.

You can test a renew with this command. It will try to renew your cert against the Let's Encrypt test system and will not overwrite any cert on your system.

sudo certbot renew --dry-run

If your cert has less than 30 days before expiry then we'll need answers to the questions from the form you were shown when posting this topic. So, let us know what the above shows and we can go from there.

Especially when you admit to not being very experienced it is important we know at least your domain name to provide quality prompt advice.

3 Likes

Additionally, many times those emails are referring to certificates which are no longer being used.
That tends to happen during the first cert installation and the inherent testing/readjustments made.
I would first check the FQDN that was in the email notice at: https://crt.sh/ to see if more than one cert was issued and if more than one is currently active.

2 Likes

Hi,

Thanks for replying to me.
I just executed the command you suggested and I got the following results:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: xxxxxx.com.au
Type: connection
Fetching http://xxxxxx.com.au/.well-known/acme-challenge/YkLYBEueTuty_5Wha2LHUoZjLsJA8DNIXQUxvTOHRaw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate xxxxxx.com.au with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/xxxxxx.com.au/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

I also checked the log file and I got this:

2022-06-03 02:30:13,298:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-06-03 02:30:13,298:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-06-03 02:30:13,444:ERROR:certbot._internal.renewal:Failed to renew certificate xxxxxx.com.au with error: Some challenges have failed.
2022-06-03 02:30:13,445:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 484, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/main.py", line 1541, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 344, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/client.py", line 441, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/client.py", line 493, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-06-03 02:30:13,447:DEBUG:certbot._internal.display.obj:Notifying user:


2022-06-03 02:30:13,448:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2022-06-03 02:30:13,448:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/xxxxxx.com.au/fullchain.pem (failure)
2022-06-03 02:30:13,448:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-06-03 02:30:13,448:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/2035/bin/certbot", line 8, in
sys.exit(main())
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
return config.func(config, plugins)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/main.py", line 1630, in renew
renewal.handle_renewal_request(config)
File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 510, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2022-06-03 02:30:13,448:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

I can't share the domain name here, sorry. If there is a way to share it privately, I'll be happy to do it.
Also, I checked the health using the website you sent me, and everything was OK.

Thank you

1 Like
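The dry-run output and log excerpt above carry the two facts that matter (which name failed, and that the CA timed out connecting to port 80). The script below is added here as an illustration and is not part of any post in this thread nor part of Certbot: it parses text in the shape Certbot prints and logs, pulls out the failing domain, challenge type and fetched URL, and maps the error to where an operator should look. The sample text is constructed from the output quoted in this thread; the domain is the poster's own redaction and the "readings" are my own wording.

```python
"""Pull the actionable facts out of Certbot's renewal failure text.

Added example (not from the thread or from Certbot). It reads the text that
``certbot renew --dry-run`` prints and lines in the format of
/var/log/letsencrypt/letsencrypt.log, and returns the failing domain, the
challenge type, the URL the CA tried to fetch and a short reading of the error.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# letsencrypt.log line: "2022-06-03 02:30:13,444:ERROR:certbot._internal.renewal:<message>"
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:(?P<level>[A-Z]+):"
    r"(?P<module>[\w.]+):(?P<msg>.*)$"
)
# "/etc/letsencrypt/live/<name>/fullchain.pem (failure)" in either source
FAILED_CERT_RE = re.compile(r"(/etc/letsencrypt/live/\S+?/fullchain\.pem)\s*\(failure\)")
# "Fetching <url>: <reason>"; the colon must be followed by whitespace so the
# "http:" inside the URL is not mistaken for the separator
FETCH_RE = re.compile(r"Fetching\s+(?P<url>\S+?):\s+(?P<reason>.*)$")

# (challenge type, substring of the detail) -> what it means for the operator.
# Constructed readings, first match wins.
READINGS = [
    ("connection", "Timeout during connect",
     "TCP port 80 from the public internet is not reaching this host: check the host "
     "firewall, any upstream firewall/WAF and cloud security groups."),
    ("connection", "Connection refused",
     "Port 80 is reachable but nothing answers: the web server is not listening on :80."),
    ("unauthorized", "",
     "A server answered, but with the wrong content: another host or vhost serves this name."),
    ("dns", "", "The CA could not resolve the name: check the public DNS records."),
]


@dataclass
class ChallengeFailure:
    domain: str
    ctype: str
    detail: str
    url: Optional[str]
    reading: str


def read_failure(ctype: str, detail: str) -> str:
    """Map a challenge type plus detail text to the operator-facing reading."""
    for wanted_type, needle, text in READINGS:
        if ctype == wanted_type and needle in detail:
            return text
    return "Unrecognised failure; read the detail line and the log."


def parse_failures(text: str) -> List[ChallengeFailure]:
    """Walk the Domain:/Type:/Detail: triples Certbot prints per failed authorization.

    Certbot prefixes the third line with "Detail:"; the copy in the thread lost
    that prefix, so a bare "Fetching ..." line is accepted as the detail too.
    """
    failures: List[ChallengeFailure] = []
    domain = ctype = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Domain:"):
            domain, ctype = line.split(":", 1)[1].strip(), None
        elif line.startswith("Type:") and domain:
            ctype = line.split(":", 1)[1].strip()
        elif domain and ctype and line:
            detail = line[len("Detail:"):].strip() if line.startswith("Detail:") else line
            m = FETCH_RE.search(detail)
            url = m.group("url") if m else None
            failures.append(ChallengeFailure(domain, ctype, detail, url, read_failure(ctype, detail)))
            domain = ctype = None  # triple consumed; wait for the next Domain:
    return failures


def parse_log_errors(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, module, message) for every ERROR-level log line."""
    out = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m and m.group("level") == "ERROR":
            out.append((m.group("ts"), m.group("module"), m.group("msg").strip()))
    return out


def failed_lineages(text: str) -> List[str]:
    """Return the fullchain.pem paths Certbot reported as renewal failures."""
    return FAILED_CERT_RE.findall(text)


# Constructed from the thread's dry-run output (Certbot's own layout, with the Detail: prefix).
DRY_RUN_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: xxxxxx.com.au
  Type:   connection
  Detail: Fetching http://xxxxxx.com.au/.well-known/acme-challenge/YkLYBEueTuty_5Wha2LHUoZjLsJA8DNIXQUxvTOHRaw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot.

Failed to renew certificate xxxxxx.com.au with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/xxxxxx.com.au/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
"""

# Constructed from the thread's letsencrypt.log excerpt (traceback shortened).
LOG_EXCERPT = """\
2022-06-03 02:30:13,298:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-06-03 02:30:13,444:ERROR:certbot._internal.renewal:Failed to renew certificate xxxxxx.com.au with error: Some challenges have failed.
2022-06-03 02:30:13,445:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/snap/certbot/2035/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 484, in handle_renewal_request
certbot.errors.AuthorizationError: Some challenges have failed.
2022-06-03 02:30:13,448:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2022-06-03 02:30:13,448:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/xxxxxx.com.au/fullchain.pem (failure)
2022-06-03 02:30:13,448:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
"""

if __name__ == "__main__":
    for f in parse_failures(DRY_RUN_OUTPUT):
        print(f"{f.domain} [{f.ctype}] {f.url}\n  -> {f.reading}")
    for ts, module, msg in parse_log_errors(LOG_EXCERPT):
        print(f"{ts} {module}: {msg}")
    print("failed lineages:", failed_lineages(LOG_EXCERPT))
```

Run it against your own output by replacing the two constants with the real text (or `open("/var/log/letsencrypt/letsencrypt.log").read()`); the reading for a "Timeout during connect" failure points straight at the port 80 path, which is where this thread ends up.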

Not sure if that means I have 4 certificates, but all IDs are different.

That will prevent you renewing (or re-creating) your cert. You could try using Let's Debug test site after you fix the reason for this failure. Basically, the Let's Encrypt server is not able to reach your server.

You could try traceroute or other such tools from machines outside your local network to isolate your problem spot.

There's not much more I can do without it. You could DM me (click my name in my post) but new members sometimes can't. Also, know that it is not private as the site mods also can see all DM's (direct message).

As for your later post, on crt.sh there will be two entries for each cert - a "pre cert" and a "leaf". Note everyone can see every name in crt.sh so your domain is not a secret.

And, if that's a crt.sh display you only have 12 days left before expiry. Normally auto-renews are done with 30 days remaining. You need to fix your timeout problem.

5 Likes

Well, let me know once you've got the domain name and I'll delete that. Let me know when you are around; I'll be refreshing the page. I can't send you a message right now.

Also, I'm running the tests, getting this for now.

"This test has been running for a while. Usually this indicates that one or more of the domain's nameservers are either inaccessible or offline. Please be patient, it may take 5-15 minutes but this test should eventually complete."

Thanks,

1 Like

The test on the website has failed.

Hopefully it provided some useful messages. I am signing off for the day.

Any posts here are sometimes picked up by search or archival sites almost immediately. So, posting and deleting won't necessarily keep your name secret.

Anyone trying to help will want to know how you are connected to the public internet. Are you self-hosted at home? Or through a hosting service? If so, which one? Do you have a company network or similar with network experts to help? That sort of thing.

Answering the questions as best you can avoids wasting everyone's time.

========================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

3 Likes

Your webserver is not responding on TCP port 80 or your firewall is blocking it. HTTP validation uses (starts with) http, not https.

3 Likes

Also check if you have a web application firewall (I'm guessing you do), as they have been known to have special limits on /well-known/acme-challenge HTTP requests; in particular, Palo Alto recently changed their default policy to block these requests (so you have to enable it to allow them).

2 Likes

Thanks for the reply.
How can I enable that? Is that a port that needs to be open?

1 Like

Yes, it is required.
HTTP authentication requires that HTTP [TCP port 80] reach your server.

Where do you need to open it?
Wherever it is closed.

2 Likes

It can either be something you need to configure on your server or it can be at a higher networking level.

There is likely a firewall in front of your server as well as firewall functionality on the server itself; your web server also needs to be configured to listen on port 80 (which we would assume it is). If your server is cloud hosted then it can also be in the control panel for the virtual machine.

If you are unsure you will need to find a networking administrator in your organisation to help. [Judging by your domain, opening port 80 will involve a service request to the network admin team and by default they probably block all ports and would have an audit process to ensure this is followed]

2 Likes
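The replies above describe the exchange the CA performs: a plain-HTTP GET of http://<name>/.well-known/acme-challenge/<token> on TCP port 80, which must reach the right web server and come back with the expected body. The script below is added here as an illustration and is not part of any post in this thread nor part of Certbot: it performs that same GET and classifies the result so that a timeout (firewall), a refused connection (nothing listening) and a wrong answer (another vhost replied) can be told apart. `serve_challenge` is a constructed stand-in for Apache on 127.0.0.1 so the probe can be exercised without a real domain; the ephemeral port it uses is an assumption of this demo, since real validation only ever uses port 80. The token is the one from the dry-run output quoted in this thread; the key-authorization suffix is constructed.

```python
"""Probe the HTTP-01 challenge path the way the CA will fetch it.

Added example, not from the thread or from Certbot. The CA's validation is a
plain-HTTP GET on TCP port 80; this does the same GET and says what came back.
"""
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_url(host: str, token: str, port: int = 80) -> str:
    """Build the URL the ACME server fetches for an http-01 challenge.

    Real validation always uses port 80; the port argument exists only so the
    demo can talk to a throwaway local server.
    """
    netloc = host if port == 80 else f"{host}:{port}"
    return f"http://{netloc}{CHALLENGE_PREFIX}{token}"


def probe_challenge(url: str, expected_body=None, timeout: float = 5.0) -> str:
    """GET ``url`` over plain HTTP and classify the outcome.

    Returns "ok", "bad_body", "http_<status>", "timeout", "refused", "dns" or "error".
    Proxies from the environment are ignored so the probe sees the same path the CA does.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"User-Agent": "http01-probe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:       # server answered, but not 2xx
        return f"http_{exc.code}"
    except urllib.error.URLError as exc:        # connect-level failure, reason is the OSError
        reason = exc.reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"                    # what the thread's dry-run reported
        if isinstance(reason, ConnectionRefusedError):
            return "refused"                    # port open, nothing listening
        if isinstance(reason, socket.gaierror):
            return "dns"
        return "error"
    except (socket.timeout, TimeoutError):      # read timeout after connecting
        return "timeout"
    if expected_body is not None and body != expected_body:
        return "bad_body"                       # some other server/vhost answered
    return "ok"


def serve_challenge(token: str, key_authorization: str):
    """Constructed stand-in for the web server: answer the challenge path with the
    key authorization and 404 for everything else. Returns (server, port)."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == CHALLENGE_PREFIX + token:
                payload = key_authorization.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                self.wfile.write(payload)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo() -> dict:
    """Probe the stand-in server: happy path, wrong token, wrong body, closed port."""
    token = "YkLYBEueTuty_5Wha2LHUoZjLsJA8DNIXQUxvTOHRaw"   # token from the thread's output
    keyauth = token + ".CONSTRUCTED-ACCOUNT-KEY-THUMBPRINT"  # constructed key authorization
    server, port = serve_challenge(token, keyauth)
    try:
        results = {
            "ok": probe_challenge(challenge_url("127.0.0.1", token, port), keyauth),
            "wrong_token": probe_challenge(challenge_url("127.0.0.1", "other-token", port), keyauth),
            "bad_body": probe_challenge(challenge_url("127.0.0.1", token, port), "something-else"),
        }
    finally:
        server.shutdown()
        server.server_close()
    # with the listener gone the same port is closed: this is "connection refused"
    results["closed_port"] = probe_challenge(challenge_url("127.0.0.1", token, port), keyauth, timeout=2.0)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:12s} -> {outcome}")
```

Against a real host, run `probe_challenge(challenge_url("your.domain", "any-token"))` from a machine outside your network: a "timeout" is the firewall case discussed above, "refused" means port 80 is open but the web server is not bound to it, and "http_404" means the request reached some web server and the question becomes which one.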

Hi guys,

Thanks for the assistance so far.

Port 80 is open now and, when I "curled" my domain, it was fine. Now when I run the command:

sudo certbot renew --dry-run, I got "Congratulations, all simulated renewals succeeded:"

But my certificate is still going to expire in a few days. Is it now going to renew automatically? Or should I do it manually?

Thanks!

1 Like

I would try it manually.

Show:
certbot certificates

3 Likes

If your cronjob or systemd timer is set up correctly, it should attempt to renew twice a day, so I'd say: let it try to renew automatically, but keep a very close eye on if it actually does. With just "a few days" there's not much room to spare.

2 Likes

Hi there,

I have got these results below:

However, when I go to my domain using my browser, I see this:

image

Clearly, certbot has a renewed cert [through 2022-09-04].

You now just need to get your system to use it.

3 Likes

Yes, certbot has renewed it and, according to the website SSL Checker, it is already in use.

I just don't get why, when I access the website, I still can't see the new expiry date there.
I'll clear the cache there and see if it works. I'll keep you guys posted.

Again, thanks for the assistance <3

Thanks

1 Like