Cannot Renew certificates


#1

Even after running the renew command, the new certificates are not reflected.
I even tried manually stopping/starting nginx.

Also I’m able to run the renew command over and over again with the same output every time,
i.e. even after a successful renewal, I’m able to run the renew command again.

Please help me.

My domain is: vkbansal.me

I ran this command: sudo ./certbot-auto --nginx renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/vkbansal.me.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for vkbansal.me
Waiting for verification…
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0018_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0018_csr-certbot.pem


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/vkbansal.me/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/vkbansal.me/fullchain.pem (success)

My operating system is (include version): Ubuntu 14.04.5 LTS

My web server is (include version): nginx/1.4.6 (Ubuntu)

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi @vkbansal,

Could you try running

openssl x509 -in /etc/letsencrypt/live/vkbansal.me/cert.pem -text -noout

to check whether that’s the renewed version or not?

If it is, maybe you accidentally set up your webserver using the archive version of the cert instead of the live version? The archive reference isn’t updated on renewal, while the live reference is.


#3

This is the output

Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Oct 13 04:32:00 2016 GMT
            Not After : Jan 11 04:32:00 2017 GMT
        Subject: CN=vkbansal.me

Also I’m using live version in nginx settings

ssl_certificate /etc/letsencrypt/live/vkbansal.me/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vkbansal.me/privkey.pem;

#4

Interesting! Could you post the logs associated with the renewal here?


#5
2017-01-12 04:16:52,639:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/vkbansal.me.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for exact set of domains: vkbansal.me. Skipping.
2017-01-12 04:16:52,643:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 388, in handle_renewal_request
    main.obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 103, in _auth_from_available
    renewal.renew_cert(config, le_client, lineage)
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 271, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(lineage.names())
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 272, in obtain_certificate
    return (self.obtain_certificate_from_csr(domains, csr, authzr=authzr)
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 243, in obtain_certificate_from_csr
    authzr)
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 318, in request_issuance
    headers={'Accept': content_type})
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 667, in post
    return self._check_response(response, content_type=content_type)
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 570, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for exact set of domains: vkbansal.me

2017-01-12 04:16:52,645:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/home/vkb/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 655, in renew
    renewal.handle_renewal_request(config)
  File "/home/vkb/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 405, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

#6

Hi @vkbansal, since that particular log ends with a failure due to rate limiting, I doubt it’s the same one from the time where you saw the success (“Congratulations”). Is it possible that you have an earlier log file reflecting the successful renew command?


#7

I don’t have that log file.

But this might be useful info:

In archives /etc/letsencrypt/archive/vkbansal.me

I found the following files:

cert1.pem  cert4.pem   chain2.pem  chain5.pem      fullchain3.pem  privkey1.pem  privkey4.pem
cert2.pem  cert5.pem   chain3.pem  fullchain1.pem  fullchain4.pem  privkey2.pem  privkey5.pem
cert3.pem  chain1.pem  chain4.pem  fullchain2.pem  fullchain5.pem  privkey3.pem

and using the command which you mentioned above, I was able to determine that cert2.pem is the valid one,
but the symlink in live folder points to cert1.pem.

I guess this is a bug. FYI I’m using v0.10

I’m trying to fix these manually

Update: manual fix worked for now!


#8

Huh, if the renewal process were working as intended, the symlinks would always point at the most recent version in archive (the one with the highest number). So there seems to be a problem where the link isn’t getting updated for some reason. It would be great to have logs for that. I’d speculate that the renewal always works but then the symlink never updates (and then you hit the rate limit on the server side so the renewal stopped happening).

If you can wait a week for the rate limit to reset and then try the renewal again and post the associated logfile, it would be very helpful and we might be able to track down a bug here.
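The failure mode described in the two posts above (archive holds cert1..cert5 but the live symlinks still resolve to cert1) can be detected with a small audit. The following is an added example, not certbot code or anything from this thread: it recreates certbot's archive/live layout under a temporary directory with placeholder PEM files (constructed, using the made-up lineage name example.test), reports every live symlink that does not resolve to the highest-numbered archive file, and then repoints the links the way the manual fix did.

```python
import os
import re
import tempfile
from pathlib import Path

# certbot archive files are named <kind><N>.pem; live/<name>/<kind>.pem should link to the highest N
ARCHIVE_RE = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")

def latest_archive_files(archive_dir):
    """Return {kind: Path} of the highest-numbered archive file for each kind."""
    latest = {}
    for p in Path(archive_dir).iterdir():
        m = ARCHIVE_RE.match(p.name)
        if m:
            kind, num = m.group(1), int(m.group(2))
            if kind not in latest or num > latest[kind][0]:
                latest[kind] = (num, p)
    return {kind: path for kind, (_num, path) in latest.items()}

def audit_lineage(le_root, name):
    """Return [(kind, actual_target_or_None, expected_path)] for live links that are stale or missing."""
    root = Path(le_root)
    expected = latest_archive_files(root / "archive" / name)
    stale = []
    for kind, want in expected.items():
        link = root / "live" / name / f"{kind}.pem"
        actual = link.resolve() if link.exists() else None  # exists() follows the symlink
        if actual != want.resolve():
            stale.append((kind, actual, want))
    return stale

def build_layout(le_root, name, versions, live_points_to):
    """Constructed layout mimicking certbot: archive/<name>/<kind><N>.pem plus live/<name>/<kind>.pem links."""
    archive, live = Path(le_root) / "archive" / name, Path(le_root) / "live" / name
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    for kind in ("cert", "chain", "fullchain", "privkey"):
        for n in range(1, versions + 1):
            (archive / f"{kind}{n}.pem").write_text(f"# placeholder {kind}{n}\n")
        os.symlink(f"../../archive/{name}/{kind}{live_points_to}.pem", live / f"{kind}.pem")

def demo():
    """Reproduce the thread's situation (five archive versions, live still at 1), then apply the manual fix."""
    with tempfile.TemporaryDirectory() as tmp:
        build_layout(tmp, "example.test", versions=5, live_points_to=1)
        stale_before = audit_lineage(tmp, "example.test")
        for kind, _actual, want in stale_before:  # repoint each stale link at the newest archive file
            link = Path(tmp) / "live" / "example.test" / f"{kind}.pem"
            link.unlink()
            link.symlink_to(Path("..") / ".." / "archive" / "example.test" / want.name)
        stale_after = audit_lineage(tmp, "example.test")
    return sorted(kind for kind, _a, _w in stale_before), len(stale_after)
```

Running audit_lineage against a real /etc/letsencrypt tree (as root) gives the same stale-link report without modifying anything; pairing it with the openssl x509 check from post #2 confirms whether the file the link resolves to is actually the renewed certificate.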


#9

Here is the log

https://gist.github.com/vkbansal/a163cd6b9558ead7d954a5ed80e5e01c

I believe it worked correctly this time round


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.