Can't renew certificate

priestesspoppy · May 22, 2021, 2:34pm

My domain is: samuele.site

I ran this command: I run numerous command and every single one seems to work, but my domain is still labeled as insecure.

sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d samuele.site -d *.samuele.site
sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d domain-name.com

BUT the certbot renew command produces this output

It produced this output: The following certs are not due for renewal yet:
/etc/letsencrypt/live/samuele.site-0001/fullchain.pem expires on 2021-08-20 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/samuele.site.conf (parsefail)

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is: rhosting.it

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Osiris · May 22, 2021, 2:57pm

So you've got your certificate. And your site is still labeled as insecure. Perhaps a superfluous question, but did you actually install the certificate into your website?

And a follow-up question: do you actually require the use of the wildcard certificate? Because if you don't, things probably would have been much easier than manually fiddle with your DNS entries. For example, simply running certbot --apache would probably suffice, which would take care of authentication and installation of the certificate (unless your Apache is not properly configured).

priestesspoppy · May 22, 2021, 3:09pm

yes I did

So i should just try that command?

Osiris · May 22, 2021, 3:14pm

Uch.. Looking at your site more closely, there is an OLD certificate installed currently. You might have lead with that. Now I thought this was your first attempt to get a certificate in the first place.

Let's not issue any more certificates, you've already issued A LOT of unecessary certificates these past few days.

Please paste the output of the command

certbot certificates

And please answer the question about the wildcard certificate

priestesspoppy · May 22, 2021, 3:23pm

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/samuele.site.conf produced an unexpected error: expected /etc/letsencrypt/live/samuele.site/cert.pem to be a symlink. Skipping.

Found the following certs:
Certificate Name: samuele.site-0001
Domains: samuele.site *.samuele.site
Expiry Date: 2021-08-20 13:25:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/samuele.site-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/samuele.site-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/samuele.site.conf

no i don't

Osiris · May 22, 2021, 4:00pm

This error should not happen. Did you manually change files in /etc/letsencrypt/ by any chance?

Please post the output of:

ls -l /etc/letsencrypt/live/samuele.site/

priestesspoppy · May 22, 2021, 4:16pm

I did when revoking certificate since it was not working

root@vps:/# ls -l /etc/letsencrypt/live/samuele.site/
ls: cannot access '/etc/letsencrypt/live/samuele.site/': No such file or directory

Osiris · May 22, 2021, 4:18pm

Why did you try to revoke the certificate?

It seems you've not used the certbot delete option, but manually deleted the files.. Did you also remove the /archive/ directory? Please post the output of:

ls -l /etc/letsencrypt/archive/samuele.site/

priestesspoppy · May 22, 2021, 6:07pm

No I didn't

root@vps:/# ls -l /etc/letsencrypt/archive/samuele.site/
total 32
-rw-r--r-- 1 root root 1834 Feb 16 12:36 cert1.pem
-rw-r--r-- 1 root root 1858 Feb 16 12:41 cert2.pem
-rw-r--r-- 1 root root 1586 Feb 16 12:36 chain1.pem
-rw-r--r-- 1 root root 1586 Feb 16 12:41 chain2.pem
-rw-r--r-- 1 root root 3420 Feb 16 12:36 fullchain1.pem
-rw-r--r-- 1 root root 3444 Feb 16 12:41 fullchain2.pem
-rw------- 1 root root 1704 Feb 16 12:36 privkey1.pem
-rw------- 1 root root 1704 Feb 16 12:41 privkey2.pem

Osiris · May 22, 2021, 6:11pm

Hmm, 16 February, that's of no use unfortunately..

As you've already deleted the /live/ directory and there are only expired certificates left, please delete the files still laying around of that expired certificate:

rm -r /etc/letsencrypt/archive/samuele.site/
rm /etc/letsencrypt/renewal/samuele.site.conf

After that, you can try to get a proper certificate with:

certbot --apache

priestesspoppy · May 22, 2021, 6:50pm

deleted everything, when i run certbot --apache this happens:

root@vps:/# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/samuele.site/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/samuele.site/fullchain.pem' does not exist or is empty\n")

Osiris · May 22, 2021, 6:56pm

Why did you delete everything? That's not the advice I gave.. You've deleted a perfectly fine certificate we could have used as backup. Unless by "deleted everything" you mean just the two commands I gave above. In that case, I didn't say anything

Anyway, the error is to be expected: Apache is still referring to the older certificate of which you've deleted the /live/ directory.

At this stage I would like to urge you NOT to make rash decisions. Please think things through first. Learn the consequences of certain steps first. Always make a backup. Please learn how to manage a server properly.

That said, it seems your previous certificate was managed by the apache certbot plugin to begin with. Before we do anything stupid, please give the output of the following command:

apachectl -S

So we can make sure we're not about to delete something essential in the next step.

priestesspoppy · May 22, 2021, 7:48pm

root@vps:/# apachectl -S
AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/samuele.site/fullchain.pem' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

sorry, I won't from now, this has been a rough week

Osiris · May 22, 2021, 8:28pm

Hmpf.. It won't even do that as the certificate file is missing. Please delete the le-ssl.conf file, as it's causing more trouble than it's worth:

rm /etc/apache2/sites-enabled/000-default-le-ssl.conf

Afterwards you should be able to run certbot --apache

Note that the HTTP to HTTPS redirect is still in place, so users won't be able to access your site temporarily.. However, they get an error now for the certificate anyway..

priestesspoppy · May 22, 2021, 8:45pm

Thank you for everything. Now everything works fine.

Osiris · May 22, 2021, 8:46pm

Your site seems to be missing the HTTP to HTTPS redirect. Did certbot ask anything about that? I didn't check before (assumptions......), but it seems it was never there?

priestesspoppy · May 22, 2021, 8:58pm

When I created the certificate it said 1 or 2 for redirect, I clicked 2 (redirect) and it said it was already active

Osiris · May 22, 2021, 9:00pm

Interesting.. As it's not redirecting at all.. Please post the output of:

apachectl -S

(It should work this time..)

priestesspoppy · May 22, 2021, 9:15pm

root@vps:~# apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 samuele.site (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:39)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:39)
port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Osiris · May 22, 2021, 9:18pm

That's weird. Only one configuration file should be present. Could you give us the contents of both files 000-default.conf and 000-default-le-ssl.conf?