Automatically renewal via cronjob doesn't not work - dry run without error

gijsrutten · June 14, 2019, 2:52pm

My domain is: https://support.ecomsilio.de/

The operating system my web server runs on is (include version): Cent OS 7

My hosting provider, if applicable, is: 1&1 / ionos

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have set a cronjob to automatically renew the certificate:

2 * * 7 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

The certificate does not renew so I ran

cat /var/log/le-renew.log

Output

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/support.ecomsilio.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem (failure)

I than ran a dry run

./opt/letsencrypt/letsencrypt-auto renew --dry-run

It doesn't have a problem. So I could just renew it manually but would have to do that every 3 months. It would be great if it would work automatically.

Output dry run

Requesting to rerun ./opt/letsencrypt/letsencrypt-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/support.ecomsilio.de.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate

new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

What can I do to find the error on my server?

Many thanks in advance!
Gijs

JuergenAuer · June 14, 2019, 3:13pm

Hi @gijsrutten

if your renew doesn't work, please share your config file. Check

/etc/letsencrypt/renewal

Your main configuration looks ok ( https://check-your-website.server-daten.de/?q=support.ecomsilio.de ),

Domainname	Http-Status	redirect	Sec.	G
• http://support.ecomsilio.de/
82.165.64.112	301	https://support.ecomsilio.de/	0.047	A

• https://support.ecomsilio.de/
82.165.64.112	200		0.640	B

• http://support.ecomsilio.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
82.165.64.112	301	https://support.ecomsilio.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	0.050	A
Visible Content: 301 Moved Permanently nginx/1.12.2

• https://support.ecomsilio.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	404		0.250	A
Not Found
Visible Content: {"error":"No route matches [GET] /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de"}

so minimal webroot should work.

gijsrutten · June 14, 2019, 3:15pm

Hi @JuergenAuer

The config file:

# renew_before_expiry = 30 days
version = 0.33.1
archive_dir = /etc/letsencrypt/archive/support.ecomsilio.de
cert = /etc/letsencrypt/live/support.ecomsilio.de/cert.pem
privkey = /etc/letsencrypt/live/support.ecomsilio.de/privkey.pem
chain = /etc/letsencrypt/live/support.ecomsilio.de/chain.pem
fullchain = /etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = 1560be64777ad4127b05a56eb1bfab0a
server = https://acme-v02.api.letsencrypt.org/directory
pref_challs = http-01,

Thanks,
Gijs

JuergenAuer · June 14, 2019, 3:19pm

Isn't there a better log? Looks too empty.

What says

nginx -T

gijsrutten · June 14, 2019, 3:25pm

nginx -T says:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}


# configuration file /usr/share/nginx/modules/mod-http-geoip.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_geoip_module.so";

# configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-http-perl.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_perl_module.so";

# configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-mail.conf:
load_module "/usr/lib64/nginx/modules/ngx_mail_module.so";

# configuration file /usr/share/nginx/modules/mod-stream.conf:
load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/zammad.conf:
#
# this is the nginx config for zammad
#

upstream zammad-railsserver {
    server 127.0.0.1:3000;
}

upstream zammad-websocket {
    server 127.0.0.1:6042;
}

server {

    # replace 'localhost' with your fqdn if you want to use zammad from remote
    server_name support.ecomsilio.de;

    root /opt/zammad/public;

    access_log /var/log/nginx/zammad.access.log;
    error_log  /var/log/nginx/zammad.error.log;

    client_max_body_size 50M;

    location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico) {
        expires max;
    }

    location /ws {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
        proxy_pass http://zammad-websocket;
    }

    location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300;
        proxy_pass http://zammad-railsserver;

        gzip on;
        gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
        gzip_proxied any;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/support.ecomsilio.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/support.ecomsilio.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
    if ($host = support.ecomsilio.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name support.ecomsilio.de;
    return 404; # managed by Certbot


}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers "ECDHE-ECDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxSS";

JuergenAuer · June 14, 2019, 3:34pm

There

is your root. So use it:

certbot run -a webroot -i nginx -w /opt/zammad/public -d support.ecomsilio.de

gijsrutten · June 14, 2019, 3:48pm

ok, that makes sense. But one (maybe stupid) question.

I installed letsencrypt via

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt  
cd /opt/letsencrypt  
./letsencrypt-auto --nginx -d support.ecomsilio.de

Currently there is no certbot on the server. Can i simply install certbot with yum install certbot without the risk of breaking the current configuration?

Thanks a lot!

JuergenAuer · June 14, 2019, 3:54pm

Not required.

If I write certbot, use your ./letsencrypt-auto.

It's the same.

gijsrutten · June 14, 2019, 4:22pm

Thanks a lot!
Have a great weekend.

system · July 14, 2019, 4:22pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.