Cert is expiring and don't know how to renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dat45.com

I ran this command:

It produced this output:

My web server is (include version): Debian 10

The operating system my web server runs on is (include version): Debian

My hosting provider, if applicable, is: racknerd.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I read the FAQ but it does not give a procedure to

  • renew cert
  • set up automatic renewal

I received email from LetsEncrypt that says cert expires in 17 days.

Any help in renewing and setting up auto renew is MUCH appreciated.

Thanks,
xrack

1 Like

Hi @xrack, and welcome to the LE community forum :slight_smile:

How did you get the last cert?
What ACME client are you using?

3 Likes

Hi rg305,
Thank you for reply.
Racknerd is my VPS provider AND my Domain registrant.

As I recall, they set up the cert for me initially but refuse to assist me now.
I am pretty confused about that.

Boy I feel dumb ... don't know the answer to your question about ACME agent.

Thank you.

xrack

1 Like

Hi @xrack !
In the questionnaire, you indicated you have root shell access.
Could you please verify that to be the case by logging in to your VPS?
This might help sort out your issue as shell access will probably be required to resolve your request. You also indicated no cpanel access.
My reasoning is based on the following:

PORT    STATE    SERVICE
22/tcp  filtered ssh - (might prohibit you from logging in; might be on another port)
80/tcp  filtered http - (will cause issues for Let's Encrypt to validate your site)
443/tcp filtered https - (will leave your site inaccessible from the outside world)

Please advise.

4 Likes

Thank you so much for reply and sticking with me.

Sorry for delay in getting back to you .... fingers would not type the correct PW. LOL
I have just now logged into the server thru SSH.
I have root access.

OK here is a mistake that I made in a previous post of mine.

I installed an application; JitsiMeet
It is an open source vid conf server.

In the installation process of that app, nginx was installed.

Also, during installation, certificate was gotten from LetsEncrypt.

So sorry I did not report this correctly the first time. Daaaa

Thank you.
xrack

3 Likes

nginx
OK so I am not an expert on nginx (others here are)

Do you have an ACME client installed? If so, which one?
Try sharing the output from:

which certbot  
OR
certbot certificates

At least we can find out if certbot is installed. Ultimately there are lots of ACME clients and we need to know if you have one installed, and if so which one it is and what version it is.

2 Likes

Looking at the Jitsi Meet script:
https://github.com/jitsi/jitsi-meet/blob/master/resources/install-letsencrypt-cert.sh

It seems like it installs certbot and sets up a cronjob at /etc/cron.weekly/letsencrypt-renew which should log to /var/log/le-renew.log

Can you see if you have a /var/log/le-renew.log file on your server, and what it contains?

3 Likes

Thanks Matthew! Good catch!

2 Likes

Thanks so much friends.

I am slugging thru this....

The contents of;
/etc/cron-weekly/letsencrypt-renew is;

#!/bin/bash
/usr/bin/certbot renew >> /var/log/le-renew.log
service nginx reload

There are several files in /var/log/letsencrypt

I tried to upload them but GZ files are not permitted by forum software.
So I unzipped the one with the most recent date.

The latest log file dated today has following contents;

2022-08-12 10:30:09,243:DEBUG:certbot.main:certbot version: 0.31.0
2022-08-12 10:30:09,245:DEBUG:certbot.main:Arguments: ['-q']
2022-08-12 10:30:09,245:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-08-12 10:30:09,353:DEBUG:certbot.log:Root logging level set at 30
2022-08-12 10:30:09,353:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-08-12 10:30:09,444:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7efc4311f7f0> and installer <certbot.cli._Default object at 0x7efc4311f7f0>
2022-08-12 10:30:09,535:INFO:certbot.renewal:Cert not yet due for renewal
2022-08-12 10:30:09,566:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2022-08-12 10:30:09,566:DEBUG:certbot.renewal:no renewal failures
2022-08-12 12:21:04,711:DEBUG:certbot.main:certbot version: 0.31.0
2022-08-12 12:21:04,712:DEBUG:certbot.main:Arguments: ['-q']
2022-08-12 12:21:04,712:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-08-12 12:21:04,724:DEBUG:certbot.log:Root logging level set at 30
2022-08-12 12:21:04,724:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-08-12 12:21:04,737:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f32b82a67f0> and installer <certbot.cli._Default object at 0x7f32b82a67f0>
2022-08-12 12:21:04,748:INFO:certbot.renewal:Cert not yet due for renewal
2022-08-12 12:21:04,749:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2022-08-12 12:21:04,749:DEBUG:certbot.renewal:no renewal failures
2022-09-02 13:27:02,673:DEBUG:certbot.main:certbot version: 0.31.0
2022-09-02 13:27:02,675:DEBUG:certbot.main:Arguments: ['-q']
2022-09-02 13:27:02,676:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-02 13:27:02,755:DEBUG:certbot.log:Root logging level set at 30
2022-09-02 13:27:02,755:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-09-02 13:27:02,823:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7ff5bb0687f0> and installer <certbot.cli._Default object at 0x7ff5bb0687f0>
2022-09-02 13:27:02,872:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2022-09-19 18:07:21 UTC.
2022-09-02 13:27:02,872:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2022-09-02 13:27:02,872:INFO:certbot.renewal:Non-interactive renewal: random delay of 151 seconds

Hope this helps.

Thanks again !
xrack

1 Like

I'm afraid not, the log file stops at the point the most relevant info should appear. Is there anything more beyond the current last line?

4 Likes

Gosh ....

I use WinSCP to browse files.
I took a snapshot (image) of the directory.
It is attached.

The LetsEncrypt renew script;
letsencrypt-renew

Has the contents;
#!/bin/bash
/usr/bin/certbot renew >> /var/log/le-renew.log
service nginx reload

But there is no le-renew.log in the /var/log directory.

Would it make sense to manually run;

/usr/bin/certbot renew >> /var/log/le-renew.log
service nginx reload

???

Thanks so much,
xrack

1 Like

Yes, you can run /usr/bin/certbot renew (you don't need the >> /var/log/le-renew.log part) and it should print output to your screen showing the status. That will help us figure out what is going wrong. If there were no errors and it renews a cert, you can service nginx reload and show us that information too.

3 Likes

Thanks for reply .... so many folks assisting me :slight_smile:

I attached a screen shot of the result of running;
/usr/bin/certbot renew

Hmmmmmm ... it says not due until Dec 2022,
but LetsEncrypt says only 17 more days.

I did not restart nginx since renewal did not happen.

Thanks all,
xrack

It seems you have renewed your certificate today at 17:25:06 UTC. Probably after you've received the expiration email from Let's Encrypt.

Depending on HOW Certbot was instructed to get the certificate, it might or might NOT reload your nginx after renewal. You might need to do this manually this time. If reloading nginx was indeed the solution, you might want to automate that after certificate renewal. Please see User Guide — Certbot 1.29.0 documentation and especially the part about renewal hooks.

2 Likes
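
An added example (not code from the posts above, from Certbot or from the Jitsi Meet script) of the renewal hook mentioned in this reply: a deploy hook that reloads nginx only after Certbot has actually renewed a certificate, instead of reloading unconditionally as the weekly cron script does. The hook file name and the reuse of /var/log/le-renew.log are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: deploy hook, e.g. saved as
# /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (file name is an assumption).
# Certbot runs deploy hooks once per successfully renewed certificate and exports
# RENEWED_LINEAGE (the live directory) and RENEWED_DOMAINS (space-separated names).

# Log path reused from the cron script quoted in the thread (assumption).
HOOK_LOG="${HOOK_LOG:-/var/log/le-renew.log}"

log() {
    printf '%s deploy-hook: %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S')" "$1" >> "$HOOK_LOG"
}

# Returns 0 after a successful reload, 1 if certificate files are missing,
# 2 if nginx rejects its configuration, 3 if the reload itself fails.
reload_nginx_for_lineage() {
    lineage="$1"
    domains="$2"

    # Refuse to reload if the renewed files are missing or empty.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            log "missing or empty $lineage/$f, not reloading"
            return 1
        fi
    done

    # Test the configuration first so a config error is logged instead of
    # silently leaving the old certificate loaded in the running workers.
    if ! nginx -t >/dev/null 2>&1; then
        log "nginx -t failed, old certificate is still being served"
        return 2
    fi

    if ! service nginx reload >/dev/null 2>&1; then
        log "reload failed for: $domains"
        return 3
    fi
    log "reloaded nginx for: $domains"
    return 0
}

# Certbot sets RENEWED_LINEAGE only when it calls the hook after a renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_nginx_for_lineage "$RENEWED_LINEAGE" "${RENEWED_DOMAINS:-}"
fi
```

The file has to be executable for Certbot to run it, and a non-zero return shows up in the Certbot log rather than aborting the renewal.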

Thank you again.

What told you that it has been renewed today?

Now .....
/var/log/letsencrypt/letsencrypt.log appeared a few minutes ago and has data;

2022-09-02 17:05:58,008:DEBUG:certbot.main:certbot version: 0.31.0
2022-09-02 17:05:58,009:DEBUG:certbot.main:Arguments:
2022-09-02 17:05:58,010:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-02 17:05:58,021:DEBUG:certbot.log:Root logging level set at 20
2022-09-02 17:05:58,021:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-09-02 17:05:58,033:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7ff971972c18> and installer <certbot.cli._Default object at 0x7ff971972c18>
2022-09-02 17:05:58,041:INFO:certbot.renewal:Cert not yet due for renewal
2022-09-02 17:05:58,042:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2022-09-02 17:05:58,043:DEBUG:certbot.renewal:no renewal failures

Thanks !
xrack

1 Like

You can see all issued certs for your domain on certificate transparency log monitors such as crt.sh: crt.sh | dat45.com

This corresponds with your Certbot output saying your current cert is valid until 1 December.

Please see my edit in my post above about reloading the webserver.

3 Likes

Thanks so much to all.
I guess I am all set for now.
Also, it seems like renewal is automatic.
Hope I have this all right !

Again, many thanks to all,
xrack

3 Likes

Check:
crontab -l
systemctl list-timers | grep certbot

[not sure which way Debian does it]

3 Likes

Hi rg305 !

Here is what I get;

root@dat45:~# systemctl list-timers | grep certbot
Sat 2022-09-03 20:27:34 EDT 9h left Sat 2022-09-03 10:24:19 EDT 3min 37s ago certbot.timer certbot.service
root@dat45:~#

Does this look good?

Many thanks.
xrack

1 Like

That's what mine looks like

3 Likes