Can't seem to renew Cert


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: staging.maxtool.com

I ran this command: certbot certonly --force-renewal

It produced this output:

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. staging.maxtool.com (http-01): urn:acme:error:unwn/acme-challenge/Uj386Z0j7a4LQlWXV-tAGSzyT2Cc5UQJ1UdH4–l3l8: "<!doctype html>

var BASE_URL = 'https://staging.maxtool.com/'; var require"

IMPORTANT NOTES:

My web server is (include version): Nginx V 1.14.0

The operating system my web server runs on is (include version): Linux CentOS7

My hosting provider, if applicable, is: RackSpace

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Magento 2.2.4, so no control panel; I have access to PuTTY


#2

You’ve got something sitting in front of nginx - what is it?

What’s the contents of /etc/letsencrypt/renewal/staging.maxtool.com.conf ?


#3

@_az

renew_before_expiry = 30 days

version = 0.22.0
archive_dir = /etc/letsencrypt/archive/staging.static.maxtool.com
cert = /etc/letsencrypt/live/staging.static.maxtool.com/cert.pem
privkey = /etc/letsencrypt/live/staging.static.maxtool.com/privkey.pem
chain = /etc/letsencrypt/live/staging.static.maxtool.com/chain.pem
fullchain = /etc/letsencrypt/live/staging.static.maxtool.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = manual
installer = None
account = 7523dac81cf47efec41be87cd658e15b
pref_challs = dns-01,
manual_public_ip_logging_ok = True


#4

I believe it would be Varnish that is sitting in front of Nginx


#5

Varnish can’t do HTTPS - you’ve got something sitting in front of Varnish as well. We need to know what it is so we know what to deploy the certificate to.

sudo ss -tlnp | grep ":443"

That’s not the file I asked for - does the file I ask for not exist?

Can you show:

sudo certbot certificates

#6

@_az

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/staging.maxtool.com/cert.pem is unknown

Found the following certs:
Certificate Name: staging.maxtool.com
Domains: staging.maxtool.com staging.admin.maxtool.com staging.factoryauthorizedoutlet.com
Expiry Date: 2018-06-11 14:05:35+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/staging.maxtool.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.maxtool.com/privkey.pem
Certificate Name: staging.media.maxtool.com
Domains: staging.media.maxtool.com
Expiry Date: 2018-09-12 19:12:09+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.media.maxtool.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.media.maxtool.com/privkey.pem
Certificate Name: staging.factoryauthorizedoutlet.com
Domains: staging.factoryauthorizedoutlet.com
Expiry Date: 2018-09-12 19:13:33+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/privkey.pem
Certificate Name: staging.duromaxpower.com
Domains: staging.duromaxpower.com
Expiry Date: 2018-09-12 19:13:02+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.duromaxpower.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.duromaxpower.com/privkey.pem


#7

I actually did not do the initial set up… I’m picking up after someone who is no longer maintaining the website.


#8

I’ll send over this right now.


#9

Sure. Could you show me how /etc/letsencrypt/renewal/staging.maxtool.com.conf is configured? You provided the contents for a different file a couple of posts back.

It’s possible you could try:

certbot renew --cert-name staging.maxtool.com -a nginx

but there’s a few unknowns at the moment that could prevent it from succeeding.


#10

This is from the grep

LISTEN 0 128 *:443 *:* users:(("nginx",pid=45560,fd=7),("nginx",pid=45559,fd=7),("nginx",pid=45558,fd=7),("nginx",pid=45557,fd=7),("nginx",pid=45556,fd=7),("nginx",pid=45555,fd=7),("nginx",pid=45554,fd=7),("nginx",pid=45553,fd=7),("nginx",pid=45552,fd=7),("nginx",pid=45551,fd=7),("nginx",pid=45550,fd=7),("nginx",pid=45549,fd=7),("nginx",pid=45548,fd=7),("nginx",pid=45547,fd=7),("nginx",pid=45546,fd=7),("nginx",pid=45544,fd=7),("nginx",pid=45543,fd=7),("nginx",pid=45542,fd=7),("nginx",pid=45541,fd=7),("nginx",pid=45540,fd=7),("nginx",pid=45539,fd=7),("nginx",pid=45538,fd=7),("nginx",pid=45537,fd=7),("nginx",pid=45536,fd=7),("nginx",pid=45535,fd=7))


#11

Here is the cert.pem file

-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----


#12

@_az

You are right it came back with this:

[root@922168-MagentoStaging staging.maxtool.com]# certbot renew --cert-name staging.maxtool.com -a nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/staging.maxtool.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (staging.maxtool.com) from /etc/letsencrypt/renewal/staging.maxtool.com.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/staging.maxtool.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/staging.maxtool.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
[root@922168-MagentoStaging staging.maxtool.com]#


#13

Basically it sounds to me like your previous administrator set all of your certificates up using manual DNS validation using Cloudflare. That approach makes auto-renewal impossible.

You can try to see if this works (a slight amendment to the previous command):

certbot renew --cert-name staging.maxtool.com \
-a nginx --preferred-challenges http --dry-run

but if that doesn’t work, you will need to either repeat the same commands the previous admin used and perform manual validation, e.g.:

certbot certonly -d staging.maxtool.com -d staging.admin.maxtool.com \
-d staging.factoryauthorizedoutlet.com -a manual --preferred-challenges dns

or set up a better (automatic) renewal regime, replacing the old one.
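The diagnosis above (manual DNS validation recorded in the renewal conf, and the "None of the preferred challenges are supported" error when a different plugin is forced) can be checked mechanically across every lineage on the box. The script below is an added example for this thread, not certbot's own tooling: it reads the [renewalparams] of each renewal conf and reports whether certbot renew can complete unattended, flagging authenticator = manual without an auth hook and plugin/challenge mismatches such as -a nginx with pref_challs = dns-01. The two sample confs it writes are constructed (the first mirrors the parameters shown in post #3); the manual_auth_hook key is the one certbot records for --manual-auth-hook.

```shell
#!/bin/sh
# Audit certbot renewal configs for lineages that cannot renew unattended.
# Added example for this thread; not certbot's own tooling. Assumes the renewal
# conf layout shown in post #3 (key = value lines, a [renewalparams] section)
# and certbot's documented authenticator names. Sample confs are constructed.

# renewal_param <conf> <key>: print the key's value, empty if absent.
renewal_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# renewal_status <conf>: print one of
#   auto      plugin and preferred challenge agree; certbot renew can work
#   manual    authenticator = manual with no auth hook; needs a human each time
#   mismatch  plugin cannot answer the preferred challenge (the error in post #12)
#   unknown   authenticator this audit does not recognise
# Returns 0 only for "auto".
renewal_status() {
    auth=$(renewal_param "$1" authenticator)
    challs=$(renewal_param "$1" pref_challs | tr -d ' ,')   # "dns-01," -> "dns-01"
    hook=$(renewal_param "$1" manual_auth_hook)
    case "$auth" in
        manual)
            # --manual-auth-hook makes manual validation scriptable again
            if [ -n "$hook" ]; then echo auto; return 0; fi
            echo manual; return 1 ;;
        nginx|apache|webroot|standalone)
            # these plugins answer http-01 (nginx/apache also tls-sni-01), never dns-01
            case "$challs" in
                *dns-01*) echo mismatch; return 1 ;;
            esac
            echo auto; return 0 ;;
        dns-*)
            # certbot dns plugins answer dns-01 only
            case "$challs" in
                *http-01*) echo mismatch; return 1 ;;
            esac
            echo auto; return 0 ;;
        *)
            echo unknown; return 1 ;;
    esac
}

# audit_renewals <dir>: one "lineage status" line per *.conf; returns 1 if any is not auto.
audit_renewals() {
    rc=0
    for conf in "$1"/*.conf; do
        status=$(renewal_status "$conf") || rc=1
        echo "$(basename "$conf" .conf) $status"
    done
    return $rc
}

# Constructed demo directory standing in for /etc/letsencrypt/renewal
DEMO=$(mktemp -d)
cat > "$DEMO/staging.maxtool.com.conf" <<'EOF'
# renewalparams as shown in post #3 (lineage paths omitted)
[renewalparams]
authenticator = manual
installer = None
pref_challs = dns-01,
manual_public_ip_logging_ok = True
EOF
cat > "$DEMO/staging.media.maxtool.com.conf" <<'EOF'
# constructed: what certbot writes after a successful -a nginx run
[renewalparams]
authenticator = nginx
installer = None
EOF

if audit_renewals "$DEMO"; then
    echo "all lineages can renew unattended"
else
    echo "at least one lineage needs attention"
fi
```

Run it against the real directory with audit_renewals /etc/letsencrypt/renewal (as root, since the confs are not world-readable). A "manual" result is the case in this thread: certbot renew will never succeed for that lineage until it is re-issued with an authenticator that can answer a challenge on its own.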


#14

@_az

I have to head out of the office, I’ll try this tomorrow morning. Thanks for the direction. You are a HERO!

Best Regards,
Jack


#15

After some changes and running this line: " certbot certificates " I’m getting the following:

Found the following certs:
Certificate Name: staging.maxtool.com
Domains: staging.maxtool.com staging.admin.maxtool.com
Expiry Date: 2018-10-04 16:01:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/staging.maxtool.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.maxtool.com/privkey.pem
Certificate Name: staging.media.maxtool.com
Domains: staging.media.maxtool.com
Expiry Date: 2018-09-12 19:12:09+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.media.maxtool.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.media.maxtool.com/privkey.pem
Certificate Name: staging.factoryauthorizedoutlet.com
Domains: staging.factoryauthorizedoutlet.com
Expiry Date: 2018-09-12 19:13:33+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/privkey.pem
Certificate Name: staging.duromaxpower.com
Domains: staging.duromaxpower.com
Expiry Date: 2018-09-12 19:13:02+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/staging.duromaxpower.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/staging.duromaxpower.com/privkey.pem

Seems like the certificate was renewed; however, the site has not updated with the SSL at the moment. Can I get some advice?


#16

Is your web server configured to point at /etc/letsencrypt/live/staging.maxtool.com/fullchain.pem? Did you restart the server program after the renewal?

If you use certonly, Certbot doesn’t restart the web server for you after a renewal, unless you explicitly add a --deploy-hook script that performs this action.
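A deploy hook of the kind mentioned above, as an added example that is not part of the thread or the certbot project. It assumes certbot's documented RENEWED_LINEAGE variable (the live directory of the lineage just renewed), an nginx configuration tree under /etc/nginx (overridable through NGINX_CONF_DIR), and that the hook runs as root. It reloads nginx only when some ssl_certificate directive actually points into the renewed lineage, and only after nginx -t passes, so a broken config never takes the server down on a timer.

```shell
#!/bin/sh
# certbot --deploy-hook: reload nginx after a renewal it actually serves.
# Added example; not from the thread or from certbot. Assumes certbot's
# RENEWED_LINEAGE hook variable and an nginx config tree (default /etc/nginx).
# Install: copy to /etc/letsencrypt/renewal-hooks/deploy/ and chmod +x, or pass
# the path with --deploy-hook.

NGINX_CONF_DIR=${NGINX_CONF_DIR:-/etc/nginx}

# lineage_in_use <lineage dir> <conf dir>: 0 if any ssl_certificate directive
# under <conf dir> points into <lineage dir>. The [[:space:]]+ after the
# directive name keeps ssl_certificate_key lines from matching.
lineage_in_use() {
    grep -rqE "^[[:space:]]*ssl_certificate[[:space:]]+$1/" "$2"
}

# reload_nginx: test the configuration first; a bad config is left running
# on the old certificate rather than killed.
reload_nginx() {
    if ! nginx -t >/dev/null 2>&1; then
        echo "nginx config test failed; not reloading" >&2
        return 1
    fi
    systemctl reload nginx
}

# deploy_hook <lineage dir>: what certbot calls after the lineage is renewed.
deploy_hook() {
    if lineage_in_use "$1" "$NGINX_CONF_DIR"; then
        echo "reloading nginx for $1"
        reload_nginx
    else
        echo "nginx does not reference $1; nothing to reload"
    fi
}

# When invoked by certbot, RENEWED_LINEAGE is set; run the hook then.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_hook "$RENEWED_LINEAGE"
fi
```

Because certbot runs deploy hooks once per renewed lineage, the same script serves every certificate on the box; a lineage terminated elsewhere (a separate proxy, for instance) simply logs "nothing to reload".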


#17

I’ll give that a shot.


#18

@schoen

Hi! I restarted nginx, however the SSL is still pointing to the old cert.

Best Regards,
Jack


#19

Where is the certificate configured in your nginx configuration? Can you post the relevant nginx configuration file?


#20

Here is what I see:

ssl_certificate /etc/letsencrypt/live/staging.maxtool.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/staging.maxtool.com/privkey.pem;
server_name staging.maxtool.com www.maxtool.com assets.maxtool.com;

and for staging.factoryauthorizedoutlet here is what I see so we can compare.

ssl_certificate /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/staging.factoryauthorizedoutlet.com/privkey.pem; # managed by Certbot
server_name staging.factoryauthorizedoutlet.com www.factoryauthorizedoutlet.com assets.factoryauthorizedoutlet.com;