Can't renew certificate

My domain is:

I ran this command: I ran numerous commands and every single one seems to work, but my domain is still labeled as insecure.

sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d -d *
sudo certbot certonly --standalone --agree-tos --preferred-challenges http -d

BUT the certbot renew command produces this output

It produced this output: The following certs are not due for renewal yet:
/etc/letsencrypt/live/ expires on 2021-08-20 (skipped)
No renewals were attempted.

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/ (parsefail)

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

So you've got your certificate. And your site is still labeled as insecure. Perhaps a superfluous question, but did you actually install the certificate into your website?

And a follow-up question: do you actually require the use of the wildcard certificate? Because if you don't, things probably would have been much easier than manually fiddling with your DNS entries. For example, simply running certbot --apache would probably suffice, which would take care of authentication and installation of the certificate (unless your Apache is not properly configured).

Yes, I did.

So I should just try that command?

Uch.. Looking at your site more closely, there is an OLD certificate installed currently. You might have led with that. Until now I thought this was your first attempt to get a certificate in the first place.

Let's not issue any more certificates; you've already issued A LOT of unnecessary certificates these past few days.

Please paste the output of the command

certbot certificates

And please answer the question about the wildcard certificate :slight_smile:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/ produced an unexpected error: expected /etc/letsencrypt/live/ to be a symlink. Skipping.

Found the following certs:
Certificate Name:
Domains: *
Expiry Date: 2021-08-20 13:25:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

The following renewal configurations were invalid:

No, I don't.

This error should not happen. Did you manually change files in /etc/letsencrypt/ by any chance?

Please post the output of:

ls -l /etc/letsencrypt/live/
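The "expected /etc/letsencrypt/live/ to be a symlink" error above comes from certbot's lineage layout: each file in live/<name>/ is supposed to be a symlink into archive/<name>/, with a matching renewal/<name>.conf. The following POSIX shell check is an added example, not part of this thread or of certbot itself; check_lineage, make_fixture and the lineage names "good" and "broken" are assumptions made for the demonstration, and the fixture it builds is constructed sample data rather than a real /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): verify that a certbot
# lineage has the layout certbot expects before running "certbot renew".
#
# check_lineage <letsencrypt_dir> <lineage_name>
# Prints one line per problem found; returns 0 when the lineage is consistent,
# 1 otherwise. On a real machine <letsencrypt_dir> is normally /etc/letsencrypt.
check_lineage() {
    le_dir="$1"
    name="$2"
    live="$le_dir/live/$name"
    archive="$le_dir/archive/$name"
    renewal="$le_dir/renewal/$name.conf"
    status=0

    [ -f "$renewal" ] || { echo "missing renewal config: $renewal"; status=1; }
    [ -d "$archive" ] || { echo "missing archive dir: $archive"; status=1; }
    # Without live/<name>/ certbot reports the renewal config as "parsefail".
    [ -d "$live" ] || { echo "missing live dir: $live"; return 1; }

    for f in cert chain fullchain privkey; do
        link="$live/$f.pem"
        if [ ! -L "$link" ]; then
            echo "$link is not a symlink (certbot expects a link into archive/)"
            status=1
            continue
        fi
        target=$(readlink "$link")
        # Resolve relative link targets against the live/<name>/ directory.
        case "$target" in
            /*) resolved="$target" ;;
            *)  resolved="$live/$target" ;;
        esac
        [ -f "$resolved" ] || { echo "$link -> $target is dangling"; status=1; }
    done
    return $status
}

# Constructed fixture (sample data, not a real /etc/letsencrypt): one healthy
# lineage ("good") and one whose live/ directory was removed by hand ("broken"),
# which is the state described in this thread.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/archive/good" "$root/live/good" "$root/renewal" "$root/archive/broken"
    for f in cert chain fullchain privkey; do
        echo "dummy $f" > "$root/archive/good/${f}1.pem"
        ln -s "../../archive/good/${f}1.pem" "$root/live/good/$f.pem"
        echo "dummy $f" > "$root/archive/broken/${f}1.pem"
    done
    : > "$root/renewal/good.conf"
    : > "$root/renewal/broken.conf"
    echo "$root"
}

# Demonstration on the constructed fixture.
demo_root=$(make_fixture)
echo "healthy lineage:"
check_lineage "$demo_root" good && echo "  ok"
echo "lineage with hand-deleted live/:"
check_lineage "$demo_root" broken || echo "  inconsistent (expected)"
rm -rf "$demo_root"
```

On a live system, run `check_lineage /etc/letsencrypt <name>` for each directory under /etc/letsencrypt/live/ before touching anything; a lineage that fails the check is one that certbot renew will skip, and the output tells you which piece (renewal config, archive, live symlinks) is missing so you can decide between certbot delete and a fresh issuance instead of removing files by hand.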

I did when revoking certificate since it was not working

root@vps:/# ls -l /etc/letsencrypt/live/
ls: cannot access '/etc/letsencrypt/live/': No such file or directory

Why did you try to revoke the certificate?

It seems you've not used the certbot delete option, but manually deleted the files.. Did you also remove the /archive/ directory? Please post the output of:

ls -l /etc/letsencrypt/archive/

No, I didn't.

root@vps:/# ls -l /etc/letsencrypt/archive/
total 32
-rw-r--r-- 1 root root 1834 Feb 16 12:36 cert1.pem
-rw-r--r-- 1 root root 1858 Feb 16 12:41 cert2.pem
-rw-r--r-- 1 root root 1586 Feb 16 12:36 chain1.pem
-rw-r--r-- 1 root root 1586 Feb 16 12:41 chain2.pem
-rw-r--r-- 1 root root 3420 Feb 16 12:36 fullchain1.pem
-rw-r--r-- 1 root root 3444 Feb 16 12:41 fullchain2.pem
-rw------- 1 root root 1704 Feb 16 12:36 privkey1.pem
-rw------- 1 root root 1704 Feb 16 12:41 privkey2.pem

Hmm, 16 February, that's of no use unfortunately..

As you've already deleted the /live/ directory and there are only expired certificates left, please delete the files still lying around of that expired certificate:

rm -r /etc/letsencrypt/archive/
rm /etc/letsencrypt/renewal/

After that, you can try to get a proper certificate with:

certbot --apache

Deleted everything; when I run certbot --apache this happens:

root@vps:/# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/' does not exist or is empty\n")

Why did you delete everything? That's not the advice I gave.. You've deleted a perfectly fine certificate we could have used as backup. Unless by "deleted everything" you mean just the two commands I gave above. In that case, I didn't say anything :slight_smile:

Anyway, the error is to be expected: Apache is still referring to the older certificate of which you've deleted the /live/ directory.

At this stage I would like to urge you NOT to make rash decisions. Please think things through first. Learn the consequences of certain steps first. Always make a backup. Please learn how to manage a server properly.

That said, it seems your previous certificate was managed by the apache certbot plugin to begin with. Before we do anything stupid, please give the output of the following command:

apachectl -S

So we can make sure we're not about to delete something essential in the next step.
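The AH00526 failure above is Apache refusing to start because a site configuration references a certificate file that no longer exists. Before deleting or editing any file under sites-enabled, it helps to see every SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile reference and whether its target is present. The script below is an added example written for this thread, not code from certbot or Apache; check_ssl_refs and make_apache_fixture are names chosen here, the fixture is constructed sample data, and the check only handles absolute paths (Apache resolves relative ones against ServerRoot, which the script does not attempt).

```shell
#!/bin/sh
# Added example (not from the thread, certbot or Apache): list SSL certificate
# references in Apache site configs whose files are missing or empty.
#
# check_ssl_refs <sites_enabled_dir>
# Prints "<conf>:<line>: <path> does not exist or is empty" for each bad
# reference; returns 0 when every referenced file exists and is non-empty.
check_ssl_refs() {
    dir="$1"
    problems=$(
        for conf in "$dir"/*.conf; do
            [ -f "$conf" ] || continue
            # Match the directive at the start of a line (so commented-out
            # directives are ignored); grep -n yields "<line>:<directive> <path>".
            grep -nE '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$conf" |
            while IFS= read -r hit; do
                lineno=${hit%%:*}
                rest=${hit#*:}
                path=$(printf '%s\n' "$rest" | awk '{print $2}' | tr -d '"')
                # -s is false for a missing file and for an empty one, the two
                # cases Apache reports as "does not exist or is empty".
                [ -s "$path" ] || echo "$conf:$lineno: $path does not exist or is empty"
            done
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed fixture (sample data, not a real /etc/apache2): an "ok" site
# directory whose references resolve, and a "broken" one with a deleted
# certificate path and an empty key file.
make_apache_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/certs" "$root/ok" "$root/broken"
    echo "dummy cert" > "$root/certs/fullchain.pem"
    echo "dummy key"  > "$root/certs/privkey.pem"
    : > "$root/certs/empty.pem"
    cat > "$root/ok/000-default-le-ssl.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile $root/certs/fullchain.pem
    SSLCertificateKeyFile $root/certs/privkey.pem
</VirtualHost>
EOF
    cat > "$root/broken/000-default-le-ssl.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    # SSLCertificateFile $root/certs/fullchain.pem
    SSLCertificateFile "$root/deleted/fullchain.pem"
    SSLCertificateKeyFile $root/certs/empty.pem
</VirtualHost>
EOF
    echo "$root"
}

# Demonstration on the constructed fixture.
demo_root=$(make_apache_fixture)
echo "site with valid references:"
check_ssl_refs "$demo_root/ok" && echo "  ok"
echo "site with dangling references:"
check_ssl_refs "$demo_root/broken" || echo "  apache2ctl configtest would fail (expected)"
rm -rf "$demo_root"
```

On a real server, `check_ssl_refs /etc/apache2/sites-enabled` shows exactly which line of which file points at a removed certificate, which is the information apachectl -S cannot give you while the syntax error prevents it from running; it also makes clear whether the reference belongs to a certbot-generated le-ssl.conf or to a hand-written virtual host before anything is removed.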

root@vps:/# apachectl -S
AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/' does not exist or is empty
Action '-S' failed.
The Apache error log may have more information.

Sorry, I won't from now on; this has been a rough week.

Hmpf.. It won't even do that as the certificate file is missing. Please delete the le-ssl.conf file, as it's causing more trouble than it's worth:

rm /etc/apache2/sites-enabled/000-default-le-ssl.conf

Afterwards you should be able to run certbot --apache

Note that the HTTP to HTTPS redirect is still in place, so users won't be able to access your site temporarily.. However, they get an error now for the certificate anyway..

Thank you for everything. Now everything works fine. :slight_smile:

Your site seems to be missing the HTTP to HTTPS redirect. Did certbot ask anything about that? I didn't check before (assumptions......), but it seems it was never there?

When I created the certificate it said 1 or 2 for redirect; I chose 2 (redirect) and it said it was already active.

Interesting.. As it's not redirecting at all.. Please post the output of:

apachectl -S

(It should work this time..)

root@vps:~# apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server (/etc/apache2/sites-enabled/000-default-le-ssl.conf:39)
port 80 namevhost (/etc/apache2/sites-enabled/000-default-le-ssl.conf:39)
port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/"
User: name="www-data" id=33
Group: name="www-data" id=33

That's weird. Only one configuration file should be present. Could you give us the contents of both files 000-default.conf and 000-default-le-ssl.conf?