Cannot renew, not writeable?

I ran this command:
certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start"

It produced this output:
The following error was encountered:

[Errno 13] Permission denied: ‘/var/log/letsencrypt’

Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

I ran the same command as root user:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/benrothman.org.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:

/etc/letsencrypt/live/benrothman.org/fullchain.pem expires on 2019-09-11 (skipped)

No renewals were attempted.

No hooks were run.


It looks like certbot is saying that nothing needs to be renewed, but obviously the certificate does need to be renewed because when I go to the site the certificate is invalid because it expired. Do I force it somehow?

Hi @bennyandthejets82,

That seems odd that certbot doesn’t think you should renew.

$ echo | openssl s_client -connect benrothman.org:443 -servername benrothman.org 2>/dev/null| openssl x509 -noout -startdate -enddate
notBefore=Apr 14 23:01:20 2019 GMT
notAfter=Jul 13 23:01:20 2019 GMT

[edited: potentially risky cleanup command removed]

1 Like

Hi @bennyandthejets82

checking your domain there is a new certificate - https://check-your-website.server-daten.de/?q=benrothman.org#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-06-13 | 2019-09-11 | benrothman.org, www.benrothman.org - 2 entries | | |
| Let's Encrypt Authority X3 | 2019-04-14 | 2019-07-13 | benrothman.org, www.benrothman.org - 2 entries | | |
| Let's Encrypt Authority X3 | 2019-02-13 | 2019-05-14 | benrothman.org, www.benrothman.org - 2 entries | | |

So Certbot doesn't see something to do.

But you don't use that certificate, instead you use the older, expired:

CN=benrothman.org | 15.04.2019 | 14.07.2019 | 2 days expired | benrothman.org, www.benrothman.org - 2 entries

So first action: Restart your nginx. If that doesn't help, try

sudo certbot -d benrothman.org -d www.benrothman.org --reinstall -i nginx

to see if Certbot is able to install the certificate.

If that doesn't help, share your nginx config:

nginx -T

What's your certbot version?

certbot --version
3 Likes

I would never recommend deleting existing certificates this way. For one thing, you're likely to break your nginx configuration and prevent nginx from starting at all. For another thing, without deleting /etc/letsencrypt/archive as well, you can get into an inconsistent state.

When a certificate has been renewed but isn't being used by the web server, the problem is generally with the web server configuration rather than with the certificate.

2 Likes

That’s a good point, thank you @schoen.

1 Like

@JuergenAuer wow it works now and it was as simple as restarting nginx… I thought because I included that in the post-hook that I would not have to, but I ran service nginx reload and then service nginx restart and it works now, haha

@Phil @schoen thx but it was actually just as easy as restarting nginx… I thought it was done but apparently not because when I did it again the certificate started to work.

thx everyone

1 Like

If you use that --post-hook or if you use -i nginx — and if the fact that you did so is saved in the renewal configuration file in /etc/letsencrypt/renewal — then you should get your nginx restarted automatically whenever Certbot renews the certificate. But if not (for example, if you originally used certbot certonly), then maybe not!
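Added example, not part of the thread or of Certbot itself: a small check of whether a renewal configuration file in /etc/letsencrypt/renewal has an installer or hook saved, which is the condition the last reply describes. The key names (`installer`, `post_hook`, `renew_hook` under `[renewalparams]`) are assumed from the usual layout of these files, and the sample file contents are constructed.

```python
import configparser
import glob

# Constructed sample of a renewal file as "certbot certonly" might leave it.
SAMPLE_CERTONLY = """\
# renew_before_expiry = 30 days
version = 0.31.0
cert = /etc/letsencrypt/live/example.org/cert.pem
fullchain = /etc/letsencrypt/live/example.org/fullchain.pem

[renewalparams]
authenticator = standalone
account = 0123456789abcdef
"""

# Same file with the hooks from the original command saved (constructed).
SAMPLE_WITH_HOOKS = SAMPLE_CERTONLY + (
    "pre_hook = service nginx stop\n"
    "post_hook = service nginx start\n"
)


def reload_mechanisms(conf_text):
    """Return saved settings that restart or reload the web server after a renewal."""
    parser = configparser.ConfigParser(interpolation=None, comment_prefixes=("#",))
    # Top-level keys come before any section header, so wrap them in a dummy section.
    parser.read_string("[top]\n" + conf_text)
    if not parser.has_section("renewalparams"):
        return []
    params = parser["renewalparams"]
    found = []
    for key in ("installer", "post_hook", "renew_hook"):
        value = params.get(key, "").strip()
        # An unset installer may be written literally as "None".
        if value and value.lower() != "none":
            found.append((key, value))
    return found


if __name__ == "__main__":
    for path in sorted(glob.glob("/etc/letsencrypt/renewal/*.conf")):
        with open(path) as handle:
            saved = reload_mechanisms(handle.read())
        status = ", ".join(f"{k}={v}" for k, v in saved) or "NOTHING SAVED: server keeps the old cert until restarted"
        print(f"{path}: {status}")
```

Hooks only fire when a renewal is actually attempted, which is why the run above reported "No hooks were run." for a certificate that was not yet due.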
