Auto renewal with Icecast2 server

After a reboot, I ran the dry run again.

certbot renew --dry-run

The error is still there.

Probably because the renewal configuration file needs to contain WAY more than just the post_hook option.

Did you by any chance do something like echo "post_hook = cat ..." > /etc/letsencrypt/renewal/kpurrr.com.conf instead of using >>?

2 Likes

LIKE THIS


echo "post_hook = cat /etc/letsencrypt/live/kpurrr.com/fullchain.pem /etc/letsencrypt/live/kpurrr.com/privkey.pem " > /etc/icecast2/bundle.pem && service icecast2 restart 


Why are you using a post hook?
I think you would do better with a deploy hook.

2 Likes

That was a post on how to install your certificate coupled with an Icecast server. I did try deploy


echo "deploy_hook = cat /etc/letsencrypt/live/kpurrr.com/fullchain.pem /etc/letsencrypt/live/kpurrr.com/privkey.pem " > /etc/icecast2/bundle.pem && service icecast2 restart

I'm not sure that is doing what you would expect.
Please review the output of:
cat /etc/icecast2/bundle.pem
[don't post any of that output here as it may contain the private key]

If it contains no cert files, as I suspect, it might need to be reworked.
I suspect that file contains only the text string:
[not the actual output of that "intended command"]

deploy_hook = cat /etc/letsencrypt/live/kpurrr.com/fullchain.pem /etc/letsencrypt/live/kpurrr.com/privkey.pem 

To help confirm, you can post the output of:
ls -l /etc/icecast2/bundle.pem

3 Likes

Is there a way to check the expiration date of the certificate and manually renew the certificate? If so, what's the code for Ubuntu? I want to run on ports 8000 and 8443 instead of ports 80 and 443. Please help.

1 Like

There are several ways:
If the cert is being served to the Internet, then there are many ways to show the expiration date.
If the cert is not being served to the Internet, then you can use OpenSSL:
openssl x509 -enddate -noout -in cert.pem

certbot renew

If you are going to continue using HTTP-01 authentication, you will need to use port 80.

2 Likes

Yes, that's my web server at port 80 on a MacMini with OSX. For now, I have changed the port to 80 for the Icecast servers running Ubuntu on another MacMini so I can renew your certificate.

Did you miss my post #20?:

I asked for you to do two things.

2 Likes

root@louie:~# ls -l /etc/icecast2/bundle.pem
-rw-rw-rw- 1 joe joe 7283 Mar 23 13:06 /etc/icecast2/bundle.pem
root@louie:~#

Here is the first.

By using > instead of >>, you've deleted the original contents of the renewal configuration file, effectively destroying all the required information for Certbot to even recognise the cert.

> truncates the original, >> appends to the original. You want to use >> and not >. Not that it matters now, as the original is gone.

You probably want to delete the current certificate and generate a new one. When doing so, please use the --deploy-hook option instead of manually messing with the renewal configuration file.

3 Likes

Second one cat /etc/icecast2/bundle.pem

It won't let me post. One pending, OK, and a big red delete button.

???

7283 bytes does seem about the right size.

I'm still not sure why you aren't using a deploy hook for this.

2 Likes

I specifically asked you NOT to post it:

Please read the entire instruction before proceeding.

3 Likes

I agree, a deploy hook would be the better choice instead of a post hook.

4 Likes
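The deploy hook recommended in the posts above could look like the following. This is an added example, not code from any poster or from the Certbot project. RENEWED_LINEAGE is the variable Certbot sets when it runs a deploy hook; the root:icecast ownership, the 0640 mode and the function name are assumptions.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that rebuilds the Icecast bundle.
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/kpurrr.com)
# to deploy hooks, which run only after a certificate was actually renewed.

# build_bundle LINEAGE_DIR OUTPUT_FILE [OWNER:GROUP]   (hypothetical helper)
# Writes fullchain.pem + privkey.pem to OUTPUT_FILE with mode 0640.
# The bundle holds the private key, so it must not be world-readable
# (the -rw-rw-rw- listing shown earlier in the thread is too permissive).
build_bundle() {
    lineage=$1
    out=$2
    owner=${3:-}
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "missing fullchain.pem or privkey.pem in $lineage" >&2
        return 1
    }
    # mktemp creates the file with mode 0600 in the target directory, so the
    # key is never exposed and the final mv is an atomic replace.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp" &&
       chmod 640 "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Do the real work only when Certbot invokes this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Assumption: Icecast reads the bundle through group "icecast".
    build_bundle "$RENEWED_LINEAGE" /etc/icecast2/bundle.pem root:icecast &&
        service icecast2 restart
fi
```

Pass the script's path to --deploy-hook when requesting the certificate, or place it in /etc/letsencrypt/renewal-hooks/deploy/, rather than editing the renewal configuration file by hand.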

how do I delete the current certificate?

Depends if Certbot can still delete it, as the renewal configuration file is broken. Please see User Guide — Certbot 2.4.0 documentation.

Or even better: generate a new certificate with a different name (using --cert-name) and start using that one first before deleting anything.

3 Likes

Something like:
certbot --cert-name IceCast -d kpurrr.com -d www.kpurrr.com
[along with any other "words" previously used: "--standalone" or "--webroot" etc. ]

2 Likes

Here is a list of issued certificates https://crt.sh/?q=kpurrr.com, latest being 2023-03-23.

And the presently being served certificate https://decoder.link/sslchecker/kpurrr.com/443

1 Like