Cannot renew, not writeable?

I ran this command:
certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

It produced this output:
The following error was encountered:

[Errno 13] Permission denied: ‘/var/log/letsencrypt’

Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

I Ran The Same Command as root user:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/benrothman.org.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:

/etc/letsencrypt/live/benrothman.org/fullchain.pem expires on 2019-09-11 (skipped)

No renewals were attempted.

No hooks were run.


It looks like certbot is saying that nothing needs to be renewed, but obviously the certificate does need to be renewed because when I go to the site the certificate is invalid because it expired. Do I force it somehow?

Hi @bennyandthejets82,

That seems odd that certbot doesn’t think you should renew.

$ echo | openssl s_client -connect benrothman.org:443 -servername benrothman.org 2>/dev/null| openssl x509 -noout -startdate -enddate
notBefore=Apr 14 23:01:20 2019 GMT
notAfter=Jul 13 23:01:20 2019 GMT

[edited: potentially risky cleanup command renewed]

1 Like

Hi @bennyandthejets82

checking your domain there is a new certificate - https://check-your-website.server-daten.de/?q=benrothman.org#ct-logs

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-06-13 2019-09-11 benrothman.org, www.benrothman.org
2 entries
Let’s Encrypt Authority X3 2019-04-14 2019-07-13 benrothman.org, www.benrothman.org
2 entries
Let’s Encrypt Authority X3 2019-02-13 2019-05-14 benrothman.org, www.benrothman.org
2 entries

So Certbot doesn’t see something to do.

But you don’t use that certificate, instead you use the older, expired:

CN=benrothman.org
	15.04.2019
	14.07.2019
2 days expired	
benrothman.org, www.benrothman.org - 2 entries

So first action: Restart your nginx. If that doesn’t help, try

sudo certbot -d benrothman.org -d www.benrothman.org --reinstall -i nginx

to see if Certbot is able to install the certificate.

If that doesn’t help, share your nginx config:

nginx -T

What’s your certbot version?

certbot --version
3 Likes

I would never recommend deleting existing certificates this way. For one thing, you’re likely to break your nginx configuration and prevent nginx from starting at all. For another thing, without deleting /etc/letsencrypt/archive as well, you can get into an inconsistent state.

When a certificate has been renewed but isn’t being used by the web server, the problem is generally with the web server configuration rather than with the certificate.

2 Likes

That’s a good point, thank you @schoen.

1 Like

@JuergenAuer wow it works now and it was as simple as restarting nginx… I though because I included that in the post-hook that I would not have to, but I ran service nginx reload and then service nginx restart and it works now, haha

@Phil_LE @schoen thx but it was actually just as easy as restarting nginx… I though it was done but apparently not because when I did it again the certificate started to work.

thx everyone

1 Like

If you use that --post-hook or if you use -i nginx — and if the fact that you did so is saved in the renewal configuration file in /etc/letsencrypt/renewal — then you should get your nginx restarted automatically whenever Certbot renews the certificate. But if not (for example, if you originally used certbot certonly), then maybe not!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.