Certificate is not working, how do I create a new one?

It looks like my certificate is corrupted. How can I fix this?

My domain is: renooij.net

I ran this command: certbot renew

It produced this output:
Processing /etc/letsencrypt/renewal/renooij.net.conf


Encountered error while loading certificate or csr: [('PEM routines', '', 'no start line')]
Renewal configuration file /etc/letsencrypt/renewal/renooij.net.conf (cert: renooij.net) produced an unexpected error: [('PEM routines', '', 'no start line')]. Skipping.

My web server is (include version):
Apache version 2.4.56

The operating system my web server runs on is (include version):
Debian Linux 11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0

I agree your certs look missing or damaged. Can you show output of these commands:

ls -l /etc/letsencrypt/live/renooij.net
sudo certbot certificates

and the contents of each file in this folder. Based on your history I am expecting to see two conf files. Please mark the names of each when you post them here

/etc/letsencrypt/renewal

Thank you for your help.

cas@webserver2021:~$ sudo ls -l /etc/letsencrypt/live/renooij.net
total 4
lrwxrwxrwx 1 root root  35 Apr 25 01:36 cert.pem -> ../../archive/renooij.net/cert2.pem
lrwxrwxrwx 1 root root  36 Apr 25 01:36 chain.pem -> ../../archive/renooij.net/chain2.pem
lrwxrwxrwx 1 root root  40 Apr 25 01:36 fullchain.pem -> ../../archive/renooij.net/fullchain2.pem
lrwxrwxrwx 1 root root  38 Apr 25 01:36 privkey.pem -> ../../archive/renooij.net/privkey2.pem
-rw-r--r-- 1 root root 692 Jun 19  2023 README
cas@webserver2021:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
verifying the signature of the certificate located at /etc/letsencrypt/live/renooij.net/cert.pem has failed.                 Details: Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming
Traceback (most recent call last):
  File "/snap/certbot/3700/lib/python3.8/site-packages/certbot/crypto_util.py", line 303, in verify_renewable_cert_sig
    chain = x509.load_pem_x509_certificate(chain_file.read(), default_backend())
ValueError: Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming
Renewal configuration file /etc/letsencrypt/renewal/renooij.net.conf produced an unexpected error: verifying the signature of the certificate located at /etc/letsencrypt/live/renooij.net/cert.pem has failed.                 Details: Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: presensus.nl
    Serial Number: 380d5e2922eeb55048943f216614e7b39e7
    Key Type: ECDSA
    Domains: presensus.nl reanski.nl renooij.net www.presensus.nl www.reanski.nl
    Expiry Date: 2024-07-26 08:43:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/presensus.nl/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/presensus.nl/privkey.pem
  Certificate Name: reanski.nl
    Serial Number: 4ac411ae266f049193e62837b07a1e1bdec
    Key Type: ECDSA
    Domains: presensus.nl reanski.nl thuis.renooij.com www.presensus.nl www.reanski.nl
    Expiry Date: 2024-07-18 06:26:58+00:00 (VALID: 81 days)
    Certificate Path: /etc/letsencrypt/live/reanski.nl/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/reanski.nl/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/renooij.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
cas@webserver2021:~$


cas@webserver2021:/etc/letsencrypt/renewal$ ls -al
total 28
drwxr-xr-x 3 root root 4096 Apr 27 11:52 .
drwxr-xr-x 9 root root 4096 Apr 27 15:58 ..
drwxr-xr-x 2 root root 4096 Jun 19  2023 archief
-rw-r--r-- 1 root root  536 Apr 27 11:43 presensus.nl.conf
-rw-r--r-- 1 root root  526 Apr 19 09:27 reanski.nl.conf
-rw-r--r-- 1 root root  531 Apr 27 11:47 renooij.net.conf
-rw-r--r-- 1 root root  539 Apr 25 01:36 renooij.net.conf.old


cas@webserver2021:/etc/letsencrypt/renewal$ cat renooij.net.conf
# renew_before_expiry = 30 days
version = 2.10.0
archive_dir = /etc/letsencrypt/archive/renooij.net
cert = /etc/letsencrypt/live/renooij.net/cert.pem
privkey = /etc/letsencrypt/live/renooij.net/privkey.pem
chain = /etc/letsencrypt/live/renooij.net/chain.pem
fullchain = /etc/letsencrypt/live/renooij.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 21edafac05c8e45635dc91655d23125f
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
installer = apache
cas@webserver2021:/etc/letsencrypt/renewal$ cat reanski.nl.conf
# renew_before_expiry = 30 days
version = 2.10.0
archive_dir = /etc/letsencrypt/archive/reanski.nl
cert = /etc/letsencrypt/live/reanski.nl/cert.pem
privkey = /etc/letsencrypt/live/reanski.nl/privkey.pem
chain = /etc/letsencrypt/live/reanski.nl/chain.pem
fullchain = /etc/letsencrypt/live/reanski.nl/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 21edafac05c8e45635dc91655d23125f
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
installer = apache
cas@webserver2021:/etc/letsencrypt/renewal$

reanski.nl is working fine, renooij.net is not


Can you show this now.

[sudo] password for cas:
total 36
-rw-r--r-- 1 root root 1480 Jun 19  2023 cert1.pem
-rw-r--r-- 1 root root 1480 Apr 25 01:36 cert2.pem
-rw-r--r-- 1 root root 3749 Jun 19  2023 chain1.pem
-rw-r--r-- 1 root root 1826 Apr 25 01:36 chain2.pem
-rw-r--r-- 1 root root 5229 Jun 19  2023 fullchain1.pem
-rw-r--r-- 1 root root 3306 Apr 25 01:36 fullchain2.pem
-rw------- 1 root root  241 Jun 19  2023 privkey1.pem
-rw------- 1 root root  241 Apr 25 01:36 privkey2.pem
cas@webserver2021:/etc/letsencrypt/renewal$

Just noticed that cert2.pem contains ASCII not belonging to a key, which probably accounts for the corrupted key.
Should I just delete 2?


Maybe but don't just delete that file. What do you mean it has unknown ascii? The file length matches your older cert and the timestamp matches the symlink and your other files. Do you know how it got damaged then? I don't want to recreate it just to have it happen again.

But, yes, probably easier to delete and re-create. Your Apache is not using that cert (yet) and if it is damaged no one else could be either. So, deleting should be done like

sudo certbot delete --cert-name renooij.net

Then re-create it with

sudo certbot --apache -d renooij.net

It is possible the certbot delete will fail if it pre-checks the cert validity. In which case you need to delete manually:

  1. the conf file for it in the /renewal folder (leave the other conf files there)
  2. the /archive/renooij.net folder
  3. the /live/renooij.net folder
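An added example in POSIX shell, not code from the thread or from certbot: a read-only checker for one certbot lineage that reports the failure mode the answer above is dealing with, an archive file that no longer consists of cleanly framed PEM blocks (what certbot surfaced as "no start line" and MalformedFraming), before anyone deletes or recreates anything. It assumes the lineage lives under /etc/letsencrypt/archive/<name> as in the thread; run with no argument it builds a constructed fixture of three fake files (one intact, one with stray text after the block, one with no framing at all), so those bodies are not real certificates.

```shell
#!/bin/sh
# Added example (not certbot's code and not from the thread): a read-only
# health check for one certbot lineage. It reports the condition certbot hit
# on renooij.net above, "PEM routines: no start line" / MalformedFraming,
# which means a file in the archive is not made of cleanly framed PEM blocks.
#
# Usage:  sh check_lineage.sh /etc/letsencrypt/archive/renooij.net
# With no argument it runs against a constructed fixture (see make_fixture).

# check_pem_file FILE: return 0 when FILE consists only of complete
# "-----BEGIN ...-----" / "-----END ...-----" blocks whose bodies are base64
# characters, with nothing but blank lines outside the blocks.
check_pem_file() {
    f=$1
    [ -s "$f" ] || { echo "FAIL $f: missing or empty"; return 1; }
    begins=$(grep -c '^-----BEGIN [A-Z0-9 ]*-----$' "$f" || true)
    ends=$(grep -c '^-----END [A-Z0-9 ]*-----$' "$f" || true)
    if [ "$begins" -eq 0 ]; then
        echo "FAIL $f: no '-----BEGIN' line (this is what 'no start line' means)"
        return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "FAIL $f: $begins BEGIN line(s) but $ends END line(s)"
        return 1
    fi
    # Inside a block only base64 characters may appear; outside, only blank lines.
    if ! awk '
        /^-----BEGIN / { inblk = 1; next }
        /^-----END /   { inblk = 0; next }
        inblk  && $0 !~ /^[A-Za-z0-9+\/=]+$/ { bad = 1; exit }
        !inblk && $0 !~ /^[ \t]*$/           { bad = 1; exit }
        END { exit bad + 0 }' "$f"; then
        echo "FAIL $f: stray text inside or between PEM blocks"
        return 1
    fi
    echo "ok   $f ($begins PEM block(s))"
}

# check_lineage DIR: run check_pem_file on every *.pem in DIR and, when the
# openssl binary is present, also confirm each certN.pem parses and carries
# the public key derived from privkeyN.pem. Returns the number of failures.
check_lineage() {
    dir=$1
    failures=0
    for f in "$dir"/*.pem; do
        check_pem_file "$f" || failures=$((failures + 1))
    done
    if command -v openssl >/dev/null 2>&1; then
        for cert in "$dir"/cert*.pem; do
            n=${cert##*/cert}; n=${n%.pem}
            key=$dir/privkey$n.pem
            if ! openssl x509 -noout -in "$cert" 2>/dev/null; then
                echo "FAIL $cert: openssl cannot parse it as a certificate"
                failures=$((failures + 1))
            elif [ ! -f "$key" ]; then
                echo "FAIL $cert: no $key beside it"
                failures=$((failures + 1))
            else
                # The public key inside the cert must equal the one derived from the private key.
                cpub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null || true)
                kpub=$(openssl pkey -pubout -in "$key" 2>/dev/null || true)
                if [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]; then
                    echo "ok   $cert matches $key"
                else
                    echo "FAIL $cert does not match $key"
                    failures=$((failures + 1))
                fi
            fi
        done
    fi
    return $failures
}

# make_fixture: build a throwaway lineage directory of constructed (not real)
# PEM files so the checker can be exercised offline. Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    body='MIIBszCCAVkCFA=='   # constructed base64 filler, not a real certificate
    # cert1.pem: cleanly framed
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' > "$d/cert1.pem"
    # cert2.pem: stray conf-file text after the block, a constructed stand-in for the damaged cert2.pem
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----' \
                  '# renew_before_expiry = 30 days' > "$d/cert2.pem"
    # cert3.pem: framing lost entirely, which is what produces "no start line"
    printf '%s\n' "$body" > "$d/cert3.pem"
    echo "$d"
}

# Run against the given lineage, or against the constructed fixture when none is given.
target=${1:-$(make_fixture)}
check_lineage "$target" || echo "problems found in $target"
```

The openssl part runs only when the binary is present and catches a different damage pattern than bad framing: a certN.pem and privkeyN.pem that both load but no longer belong together, which Apache would also refuse to start with. For a damaged archive the fix is still the `certbot delete` and re-issue described above; this only tells you which files are bad before you do it.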

File length may have had to do with an inode issue I had earlier; I think that corrupted the cert.

Delete and recreate did it. Now to fix the permissions, but that is another issue :slight_smile:

thanks very much, I really appreciate it!


I don't think you should keep copies/backups in this same directory.


Neither do I; that .old file was the corrupted one, containing ASCII coming from some other conf file. I kept it for investigative purposes, it was not intended as a backup.

But thanks for the reminder to remove it.

cheers,
Cas..


Cheers from Miami :beers:

