Automatic renewal?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: engineersneedart.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

When I first set up Let's Encrypt (using certbot) I followed the instructions and, I believe, set up a kind of auto-renewal for the certificate(s)? Perhaps it was a cron job that would kick it off? I don't recall.

Recently though, some months back and then again now, I am being prompted to manually renew the certification.

The only thing I can think that may have "broke" it was that one of my original domains I let expire.

Any pointers to how I can find the issue, get my auto-certify going again?

Sure, I can see your cert history points to a change with lainecalhoun.com. Is that still yours? I ask because an nginx server replies to HTTP requests for that domain. But, your other domains are handled by Apache.

Your cert history is kind of interesting. See: Let's Debug Toolkit

In any case, let's start by you showing output of this

sudo certbot certificates
2 Likes

Also where are you being prompted? Are you getting an email from Let's Encrypt or is it something else? Currently your certs for that domain seem to be renewing based on crt.sh | engineersneedart.com

2 Likes

There are overlapped certs confusing matters. Better seen with: Let's Debug Toolkit

crt.sh does not show the full set of domains on a cert (w/out looking at each one).

3 Likes

Will ssh over and run the command.

Yes lainecalhoun.com was the domain I let expire. I had heard people might snap up expired domains because they think they'll get the "traffic"? Yeah, looks like it might be a Chinese site now, ha ha.

It was email. Perhaps it is just the missing lainecalhoun.com domain then that is kicking off the email (I really don't think it's phishing). Perhaps the others are being renewed (engineersneedart.com, kardland.com, mooncraft2000.com are the ones that come to mind.)

Yeah any certificate you had that includes a domain you no longer host/control will not be able to auto renew anymore.

I think the way to remove a domain you don't have anymore is sudo certbot delete --cert-name <domain> but I'm not a certbot expert.

2 Likes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: engineersneedart.com
    Serial Number: 3f8841cfc726fa196b4f388b6138b607418
    Key Type: RSA
    Domains: engineersneedart.com www.engineersneedart.com
    Expiry Date: 2024-12-07 00:19:28+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/engineersneedart.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/engineersneedart.com/privkey.pem
  Certificate Name: kardland.com
    Serial Number: 35516832edc5cd6122af4efd39074081f7e
    Key Type: RSA
    Domains: kardland.com www.kardland.com
    Expiry Date: 2024-12-07 00:19:41+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/kardland.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/kardland.com/privkey.pem
  Certificate Name: www.mooncraft2000.com
    Serial Number: 4afffff17e017696e3e9c19209dff52dab7
    Key Type: RSA
    Domains: www.mooncraft2000.com mooncraft2000.com
    Expiry Date: 2024-12-07 00:20:01+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/www.mooncraft2000.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.mooncraft2000.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

What do you make of it? I see the three domains I expect (with www. variants). Perhaps then the cron job is also trying to renew lainecalhoun.com and failing? Just a guess.

So I did (some months back) sudo certbot delete --cert-name obsolete-domain.com to get rid of lainecalhoun.com.

The problem seems to be 1) the email 2) the auto-renewal is failing.

Looks like I have a Systemd Timer running:

sudo systemctl list-timers | grep certbot

snap.certbot.renew.timer snap.certbot.renew.service

ChatGPT told me to follow with: systemctl cat certbot.timer

Which gave me:

No files found for certbot.timer.

Maybe I need to set up a Systemd Timer again....

Never mind, I should be careful and not cut/paste ChatGPT. This worked:

cat snap.certbot.renew.timer

# /etc/systemd/system/snap.certbot.renew.timer
[Unit]
# Auto-generated, DO NOT EDIT
Description=Timer renew for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-3834.mount
After=var-lib-snapd-snap-certbot-3834.mount
X-Snappy=yes
[Timer]
Unit=snap.certbot.renew.service
OnCalendar=*-*-* 05:53
OnCalendar=*-*-* 21:07
[Install]
WantedBy=timers.target

ChatGPT is my copilot, ha ha.

This is interesting:

systemctl status snap.certbot.renew.service

Loaded: loaded (/etc/systemd/system/snap.certbot.renew.service; static; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2024-11-16 05:53:09 PST; 13h ago
Process: 955431 ExecStart=/usr/bin/snap run --timer=00:00~24:00/2 certbot.renew (code=exited, status=1/FAIL>
 Main PID: 955431 (code=exited, status=1/FAILURE)
:
Nov 16 05:53:09 localhost.localdomain certbot.renew[955431]: Failed to renew certificate www.mooncraft2000.co>
Nov 16 05:53:09 localhost.localdomain certbot.renew[955431]: The error was: MisconfigurationError("Error whil>
Nov 16 05:53:09 localhost.localdomain certbot.renew[955431]: All renewals failed. The following certificates >
Nov 16 05:53:09 localhost.localdomain certbot.renew[955431]: /etc/letsencrypt/live/engineersneedart.com/ful>
Nov 16 05:53:09 localhost.localdomain certbot.renew[955431]: /etc/letsencrypt/live/kardland.com/fullchain.p>
Nov 16 05:53:09 localhost.localdomain certbot.renew[955431]: /etc/letsencrypt/live/www.mooncraft2000.com/fu>
:

Yeah, getting further. lainecalhoun.com is somehow still the gremlin somewhere in the server:

ChatGPT suggested we test one of the domains:
sudo certbot renew --cert-name www.mooncraft2000.com --dry-run

And errors ensued — with lainecalhoun.com the stickler (even though that was not the domain we were trying to renew):

:
Processing /etc/letsencrypt/renewal/www.mooncraft2000.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Error while running apachectl configtest.
AH00526: Syntax error on line 12 of /etc/httpd/conf/httpd-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/lainecalhoun.com/fullchain.pem' does not exist or is empty

Failed to renew certificate www.mooncraft2000.com with error: The apache plugin is not working; there may be problems with your existing configuration.

The error was: MisconfigurationError("Error while running apachectl configtest.\n\nAH00526: Syntax error on line 12 of /etc/httpd/conf/httpd-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/lainecalhoun.com/fullchain.pem' does not exist or is empty\n")
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:

/etc/letsencrypt/live/www.mooncraft2000.com/fullchain.pem (failure)
:
1 Like

Yeah, solved.

The Apache config on my server still had entries for an expired domain name. This was causing certbot to fail renewal.

2 Likes
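The failure the thread ends on (an Apache vhost still pointing at a certificate lineage that was removed with certbot delete, so apachectl configtest fails with AH00526 and every renewal in the run is blocked) can be caught before the snap timer fires. The script below is an added example, not code from the thread or from Certbot; it assumes POSIX sh and a config in the style of the httpd-le-ssl.conf quoted above, and the demo directory and placeholder PEM it creates are constructed for illustration.

```shell
# Report every SSLCertificate*File directive whose target is missing or empty,
# the condition apachectl configtest flags as AH00526 and that makes certbot's
# apache plugin refuse to renew. Usage: check_ssl_cert_paths <apache-conf>
# Return value = number of broken references (0 means the config is clean).
check_ssl_cert_paths() {
    conf="$1"
    missing=0; lineno=0
    set -f   # no globbing while we word-split config lines
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line   # $1 = directive, $2 = its argument
        case "${1:-}" in
            SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile) ;;
            *) continue ;;   # other directives, blank and '#' lines are skipped
        esac
        path=${2:-}
        path=${path#\"}; path=${path%\"}   # tolerate a quoted path
        if [ ! -s "$path" ]; then
            printf '%s:%d: %s %s does not exist or is empty\n' \
                "$conf" "$lineno" "$1" "$path"
            missing=$((missing + 1))
        fi
    done < "$conf"
    set +f
    return "$missing"
}
# Constructed demo config (hypothetical paths): one vhost with a live cert and
# one still pointing at the deleted lainecalhoun.com lineage, as in the thread.
make_demo_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/live/engineersneedart.com"
    printf 'placeholder PEM\n' > "$d/live/engineersneedart.com/fullchain.pem"
    cat > "$d/httpd-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName engineersneedart.com
    SSLCertificateFile "$d/live/engineersneedart.com/fullchain.pem"
</VirtualHost>
<VirtualHost *:443>
    ServerName lainecalhoun.com
    SSLCertificateFile $d/live/lainecalhoun.com/fullchain.pem
</VirtualHost>
EOF
    printf '%s\n' "$d/httpd-le-ssl.conf"
}
conf=$(make_demo_conf)
check_ssl_cert_paths "$conf"
echo "broken certificate references: $?"
rm -rf "$(dirname "$conf")"
```

Run it against the real config (for example /etc/httpd/conf/httpd-le-ssl.conf) after any certbot delete; a non-zero exit means the vhost block for that lineage still has to be removed or repointed before renewals will succeed again.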