Can't Reniew Certificate on Arch Linux

Grahf0085 · November 19, 2021, 3:33pm

I guess the cert expired even though I thought I had a systemd service set up for auto renewal.

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/play.atavismxi.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate play.atavismxi.com with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/play.atavismxi.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version): Arch Linux latest

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21

Pastbin of log file: 2021-11-19 10:24:56,209:DEBUG:certbot._internal.main:certbot version: 1.21.020 - Pastebin.com

MikeMcQ · November 19, 2021, 4:42pm

It looks like your CA Certificate store needs updating. One of the Lets Encrypt root certificates expired the end of Sept (many threads in forum).

From another thread in this forum on Arch Linux it looks like this will update it:

sudo update-ca-trust

If that does not work post back here

Grahf0085 · November 19, 2021, 4:47pm

The certificate I was using for play.atavismxi.com expired yesterday I think. I guess my systemd service to auto update the cert didn't work......

I ran sudo update-ca-trust but no change
Tried so many different commands: https://i.postimg.cc/8P4hb5NR/Screenshot-from-2021-11-19-11-46-31.png

MikeMcQ · November 19, 2021, 4:59pm

I am not familiar enough with Arch Linux to help resolve the certificate store other than the command I showed. Hopefully someone else will help.

I did see a problem with your "certonly" command though. You used

-d domain1, domain2

with a space after the comma. Either remove the space or enclose it in quotes like:

-d "domain1, domain2"

Also, you can copy/paste info directly in these posts. It is helpful to then format it using the format menu preformatted-text option (or Ctrl-E).

Grahf0085 · November 19, 2021, 5:01pm

Someone suggested I look at this: DST Root CA X3 Expiration (September 2021) - Let's Encrypt

rg305 · November 19, 2021, 5:24pm

Try adding this to the certbot cert request command:
--no-verify-ssl

Grahf0085 · November 19, 2021, 5:31pm

Thanks for the reply.
I tried what you suggested and it started requesting certs but I don't think it worked. I can't find the certficiate.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'acme-v02.api.letsencrypt.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
Requesting a certificate for play.atavismxi.com
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'acme-v02.api.letsencrypt.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'acme-v02.api.letsencrypt.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'acme-v02.api.letsencrypt.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'acme-v02.api.letsencrypt.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'acme-v02.api.letsencrypt.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'acme-v02.api.letsencrypt.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'acme-v02.api.letsencrypt.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
/usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'acme-v02.api.letsencrypt.org'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: play.atavismxi.com
  Type:   connection
  Detail: Fetching http://play.atavismxi.com/.well-known/acme-challenge/mPOcDlFzQjDMYEuTvMN6l3gu7wxR-X2HA05wUVCPifA: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

rg305 · November 19, 2021, 5:40pm

Now this is a different problem.
LE can't reach your site to verify the challenge request:

You must have a working HTTP site before you can secure it (via HTTP authentication).
Please switch to the staging system while you troubleshoot this problem.
Add:
--dry-run

Grahf0085 · November 19, 2021, 6:07pm

Opened port 80 on my router to get rid of that error.
Now at

  Detail: Fetching http://play.atavismxi.com/.well-known/acme-challenge/h4uf7kMqis3I3uWHqjQZXJOieboNWJMw83teNNambQM: Connection refused

Subdomain is on netlify.com so I guess it's something to do with netlify.com

rg305 · November 19, 2021, 6:14pm

Yes, something is still failing:

curl -Ii http://play.atavismxi.com/
curl: (56) Recv failure: Connection reset by peer

Not sure what you mean by "netlify.com":
I see:

Name:    play.atavismxi.com
Address: 24.74.121.169

Name:    cpe-24-74-121-169.carolina.res.rr.com
Address: 24.74.121.169

Grahf0085 · November 19, 2021, 6:24pm

I host a website on netlify. www.atavismxi.com

Another DNS is play.atavismxi.com

Settings look like this: https://i.postimg.cc/TPsFQDZF/Screenshot-from-2021-11-19-13-23-48.png

rg305 · November 19, 2021, 6:26pm

OK now I understand what you meant.

Each FQDN is handled separately.
The "play" name is not using netlify and can be dealt with individually.
As such, the router at:
cpe-24-74-121-169.carolina.res.rr.com
needs to port forward HTTP in to a working web server.

Grahf0085 · November 19, 2021, 7:00pm

I had a cert that worked with play.atavismxi.com until today. Wish I hadn't let it expire. Can't remember how I got it setup last time.

rg305 · November 19, 2021, 7:44pm

The idea is to automate the renewals, then you don't have to even think about it anymore.

Grahf0085 · November 19, 2021, 7:55pm

I did that with a systemd service. But it never updated. I think because certbot basically stopped working for me unless I pass the no verify argument you suggested.
I can show the server I'm using where the certificates are if I can just get certificates. Is there Anyway to just get a certificate on my computer without having to setup another we server or another webpage I'll never use?

rg305 · November 19, 2021, 10:26pm

There is the DNS-01 authentication method.
Which, to automate, requires that the DNS Service Provider (DSP) for your domain all for DNS updates via API. And that your ACME client have a DNS plugin that supports that DSP.
OR
You could make the DNS changes manually (but that can't be automated).

Your statement seems contradictory.
As long as you are using anything, if only to renew the certs, it doesn't fit the "I'll never use" case.

Grahf0085 · November 19, 2021, 10:40pm

Alright I got certificates somehow. I did
sudo certbot certonly --manual --preferred-challenges dns --no-verify-ssl
after that it asked me for a domain name. I put in play.atavismxi.com
then it asked me to...

Please deploy a DNS TXT record under the name:
_acme-challenge.play.atavismxi.com.
with the following value:
hdsf84398f4fjef930ur09jfoiefjoifjaf09ajf093

I went to netlify.com, signed into my account, created a new TXT DNS record, named it _acme-challenge.play.atavismxi.com, and gave it the value certbot asked me to.

Then it finally spit out a cert.
Thank you. Sometimes it helps have a place to vent and struggle with someone.

MikeMcQ · November 20, 2021, 3:47am

Glad to see you and Rudy got that sorted. I wanted to remind you that these certificates expire in 90 days. The certbot renew usually automatically renews certs 30 days before expiry.

But, certs created with the --manual method are not automatically refreshed when running certbot renew so you must do this again every 60 days or so.

Your cert from Aug did not auto-renew in Oct and expired in Nov. I wanted to make sure you were aware of this.

Ideally you would use an automated method to do your DNS challenge. If you cannot sort that out from the docs or other examples in this forum you could create a new topic for help on that. As part of this automation you will need to update the certbot renew command to include --no-verify-ssl too unless you resolve that issue.

Grahf0085 · November 20, 2021, 9:43pm

I had a systemd service setup to auto renew my cert
certbot.service:

[Unit]
Description=Let's Encrypt renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --agree-tos

certbot.timer:

[Unit]
Description=Twice daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=0/12:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

It didn't work though

MikeMcQ · November 20, 2021, 10:02pm

No, it did not and I understand. It did not work due to the cert expiration last time and it will not work with a --manual method going forward. I wanted to make sure you knew about the --manual method exclusion - that is all.