Auto-renew via Certbot not working - Receives HTTP 200

My domain is: uploads.plixer.com

I inherited this system from a previous employee. It uses certbot to auto-renew the certificate. It looks to have worked previously to renew the cert but just failed for me today. I was able to run "certbot run" and it worked manually. I started investigating how the cronjob works and it's set to check if it's within the expiry window every 12 hours.

When checking the letsencrypt.log file (attached) I can see it did a check shortly after it was within the 5 day window. It received an HTTP 200 response which I believe means OK but there is nothing in the log below that so I'm not sure why it didn't install the cert. Yet it worked manually for me when I ran certbot run. It does a check with Cloudflare to verify the domain and that process seems to work just fine.

  • My web server is Apache2 2.4.52
  • The operating system it runs is Ubuntu 22.04.3
  • I am using certbot 2.6.0

letsencrypt.txt (4.2 KB)

Hi @though2, and welcome to the LE community forum :)

When you ran "certbot run", what other questions/answers were exchanged?

3 Likes

And what shows?:
certbot certificates

And what was the error message shown?

3 Likes

Hi @rg305, thanks for your help. I should have been more clear. What I meant by "it failed for me today" was that I discovered the webserver's cert to be expired, and after looking into the webserver configuration, saw that it was supposed to auto-update. So I spent some time reading about how this all works.

When I manually ran "certbot run" (which worked, and my server now has a valid cert, but I want to fix the auto-renewal), at the prompt "Which names would you like to activate HTTPS for?" I answered 1,2 as the server has two names I want it accessible from. It then requested the certificate, received it, saved it, and deployed it to the live directory.

The only place I know to go for error messages is the letsencrypt.log which is attached. There are older logs but they just say that the certificate is valid, do nothing. If there's another log I can provide please let me know.

certbot certificates:

Found the following certs:
Certificate Name: filemonster.plixer.com
Serial Number: 413f445facb8e984682b52773a9ad4bf376
Key Type: ECDSA
Domains: filemonster.plixer.com uploads.plixer.com
Expiry Date: 2023-11-08 15:07:24+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/filemonster.plixer.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/filemonster.plixer.com/privkey.pem
Certificate Name: plixer.com
Serial Number: 450edb00c63f5fb275a6302a9bd19a828bc
Key Type: ECDSA
Domains: *.plixer.com plixer.com
Expiry Date: 2023-08-10 12:28:38+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/plixer.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/plixer.com/privkey.pem
One cert renewed, the other hasn't renewed.
Can you check if you are still using that second cert?

4 Likes

The first cert that's valid until 2023-11-08 is the one I manually generated today to get it working. The second cert is the now-invalid cert that it was using for the past 3 months, which I expected would auto-update. It is not being used. I'm unsure why it seems to be a wildcard name rather than having a subject name before the domain.

2 Likes

Let's have a look at the renewal config file.
/etc/letsencrypt/renewal/plixer.com.conf ?

4 Likes

/etc/letsencrypt/renewal/plixer.com.conf

renew_before_expiry = 5 days

version = 2.6.0
archive_dir = /etc/letsencrypt/archive/plixer.com
cert = /etc/letsencrypt/live/plixer.com/cert.pem
privkey = /etc/letsencrypt/live/plixer.com/privkey.pem
chain = /etc/letsencrypt/live/plixer.com/chain.pem
fullchain = /etc/letsencrypt/live/plixer.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 2c7e70a205e0a0fb70ea2d926aba438f

# use ECDSA and 384-bit key
key_type = ecdsa
elliptic_curve = secp384r1

# restart apache after renewal
post_hook = sh /etc/letsencrypt/renewal-hooks/post/filegator.sh

# DNS Authentication via Cloudflare
authenticator = dns-cloudflare

server = https://acme-v02.api.letsencrypt.org/directory
dns_cloudflare_credentials = /root/.certbot/cloudflare.ini

That number is way too low.
[it doesn't leave much room for error]

4 Likes

What shows?
certbot renew --cert-name plixer.com

3 Likes

Perhaps 14 days is more sufficient in case something like this occurs again.

Here is the output of "certbot renew --cert-name plixer.com"

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/plixer.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for *.plixer.com and plixer.com
Failed to renew certificate plixer.com with error: Unable to determine zone_id for plixer.com using zone names: ['plixer.com', 'com']. Please confirm that the domain name has been entered correctly and is already associated with the supplied Cloudflare account.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/plixer.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

It seems that maybe something has changed in Cloudflare.

2 Likes

Indeed something had changed. I found no API tokens in Cloudflare at all so I created one with the necessary permissions for the zone. After updating the token and running "certbot renew --cert-name plixer.com" again it worked.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/plixer.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for *.plixer.com and plixer.com
Waiting 10 seconds for DNS changes to propagate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
  /etc/letsencrypt/live/plixer.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I guess my final question is, why would the last guy set it up in this fashion where the name is just our domain and not have a subject in front of it? I'm unsure if I should delete the cert I manually created earlier (which has a subject and an alternate subject name) and let this new cert take over, since it should auto-renew now that the token is fixed.

Those are likely questions for me to figure out anyway, I greatly appreciate the help!

1 Like

Should be 30 days currently. At least more than 20, as at 20 days Let's Encrypt sends warning emails of upcoming expiration (if you provided an email).

In fact, best to just comment out that line in the renewal conf file

Certbot defaults to 1/3 of the cert's lifetime left, which will be more helpful than using a fixed number of days. The industry and LE are moving towards shorter-duration certs and a ratio is better.

3 Likes
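As an added example (not code from the thread or from Certbot), here is a small audit that reads a renewal conf like the one posted above, extracts `renew_before_expiry`, and reports how many 12-hourly cron attempts that window leaves before expiry compared with Certbot's default of a third of the lifetime; the sample conf, paths and account value are constructed placeholders.

```python
# Added example (not from the thread or Certbot): audit a renewal conf's
# renew_before_expiry against the cert lifetime and the 12-hour cron cadence.
import re

LIFETIME_DAYS = 90                      # Let's Encrypt leaf lifetime at the time of the thread
DEFAULT_WINDOW_DAYS = LIFETIME_DAYS // 3  # Certbot default: renew once a third of the lifetime remains
RECOMMENDED_MIN_DAYS = 30               # the value suggested in the thread

# Constructed sample modelled on the conf posted above; domain, paths and account are placeholders.
SAMPLE_CONF = """\
renew_before_expiry = 5 days

version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.com

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = dns-cloudflare
"""

_RBE = re.compile(r"^renew_before_expiry\s*=\s*(\d+)\s*(days?|hours?)\s*$", re.I)

def parse_renew_before_expiry(conf_text):
    """Return the explicit renew_before_expiry in days, or None if absent or commented out."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out settings do not count
        m = _RBE.match(line)
        if m:
            value, unit = int(m.group(1)), m.group(2).lower()
            return value / 24 if unit.startswith("hour") else float(value)
    return None

def audit(conf_text, check_interval_hours=12):
    """Describe the effective renewal window and how many cron attempts fit inside it."""
    explicit = parse_renew_before_expiry(conf_text)
    window = explicit if explicit is not None else DEFAULT_WINDOW_DAYS
    attempts = int(window * 24 // check_interval_hours)
    findings = []
    if explicit is not None and explicit < RECOMMENDED_MIN_DAYS:
        findings.append(f"renew_before_expiry={explicit:g} days leaves only {attempts} "
                        f"cron attempts to notice a broken DNS/API credential")
    if explicit is not None and explicit < DEFAULT_WINDOW_DAYS:
        findings.append("below Certbot's default of a third of the lifetime; "
                        "consider commenting the line out to use the default")
    return {"window_days": window, "attempts": attempts, "findings": findings}
```

Running `audit(SAMPLE_CONF)` reports a 5-day window with 10 attempts and two findings; commenting out the line yields the 30-day default with 60 attempts and no findings.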

Not sure what you mean but wildcard certs are more versatile than a cert with just discrete names. But, this only helps when using a large number of names and even a wildcard DNS entry.

You have a wide variety of certs from various Certificate Authorities so I wouldn't want to guess what you should do. Maybe look at the crt.sh public logs and you'll see certs from Let's Encrypt, Google, Cloudflare, Amazon, and DigiCert.

Further, your DNS for plixer.com points to a grouping of AWS EC2 instances whereas filemonster points to just one IP. Nothing wrong with this; it just shows some of the complexity of the system you have.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.