Cert Renewal Fails


#1

Hi,

I followed this article to set up certbot and GitLab Pages. I am now trying to renew my certificate with certbot, but when I run the renew command I get

○ → sudo certbot renew --force-renew -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------

No renewals were attempted.
-------------------------------------------------------------------------------
no renewal failures


 alex-home in ~
○ → cd letsencrypt/

 alex-home in ~/letsencrypt
○ → ls
config  logs  work

 alex-home in ~/letsencrypt
○ → ls config/
accounts  archive  csr  keys  live  renewal  renewal-hooks


 alex-home in ~/letsencrypt
○ → ls config/renewal
unexpectedeof.net-0001.conf  unexpectedeof.net.conf

I don’t see anything raising an error in the logs

alex-home in ~/letsencrypt
○ → sudo cat /var/log/letsencrypt/letsencrypt.log

2019-03-14 18:36:42,612:DEBUG:certbot.main:certbot version: 0.23.0
2019-03-14 18:36:42,612:DEBUG:certbot.main:Arguments: []
2019-03-14 18:36:42,612:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-14 18:36:42,617:DEBUG:certbot.log:Root logging level set at 20
2019-03-14 18:36:42,617:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-03-14 18:36:42,618:DEBUG:certbot.renewal:no renewal failures
2019-03-14 18:36:47,598:DEBUG:certbot.main:certbot version: 0.23.0
2019-03-14 18:36:47,599:DEBUG:certbot.main:Arguments: ['--force-renew']
2019-03-14 18:36:47,599:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-14 18:36:47,604:DEBUG:certbot.log:Root logging level set at 20
2019-03-14 18:36:47,604:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-03-14 18:36:47,604:DEBUG:certbot.renewal:no renewal failures

My domain is:
https://unexpectedeof.net

I ran this command:
sudo certbot renew

It produced this output:
No renewals were attempted.

My hosting provider, if applicable, is:
gitlab pages

I can login to a root shell on my machine (yes or no, or I don’t know):
no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
○ → certbot --version
certbot 0.23.0


#2

It’s renewing all the certificates… in the default configuration location, probably /etc/letsencrypt/.

If you created the certificates with this command:

certbot certonly -a manual -d yoursite.com --config-dir ~/letsencrypt/config --work-dir ~/letsencrypt/work --logs-dir ~/letsencrypt/logs

You have to renew with the same --config-dir (and, presumably, the other options).

certbot renew --config-dir ~/letsencrypt/config --work-dir ~/letsencrypt/work --logs-dir ~/letsencrypt/logs

However, you’ll run into a different issue: Manually managed certificates aren’t renewed by the renew command. You have to renew them by rerunning the command you used to create the certificate originally, or a similar one.
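
The two points above (renew only looks at the config dir it is given, and a lineage issued with `-a manual` and no auth hook will not renew unattended) can be checked before running anything. The script below is an added example, not code from the thread or from certbot: it reads each renewal `.conf` under a config dir, reports which lineages are manual-without-hook, and prints a renew command using the `work_dir` and `logs_dir` certbot recorded in the `[renewalparams]` section at issuance time. The sample config dir it builds is constructed for the demo; the lineage name `example.net` and its paths are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): audit a certbot --config-dir to see which
# lineages "certbot renew" would pick up, and print the renew command with the
# same directory options the certificates were issued with.

# Read one "key = value" setting from the [renewalparams] section of a renewal conf.
renewal_param() {
    # $1 = renewal .conf file, $2 = key name
    sed -n '/^\[renewalparams\]/,$p' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | head -n 1
}

# Print one line per lineage: "<name> <authenticator> <renewable|manual-no-hook>".
# A lineage issued with "-a manual" and no manual_auth_hook cannot be renewed
# unattended; those are the ones to reissue with the original certonly command.
audit_renewal_dir() {
    local confdir="$1" conf name auth hook status
    for conf in "$confdir"/renewal/*.conf; do
        [ -f "$conf" ] || { echo "no renewal configs under $confdir/renewal" >&2; return 1; }
        name=$(basename "$conf" .conf)
        auth=$(renewal_param "$conf" authenticator)
        hook=$(renewal_param "$conf" manual_auth_hook)
        if [ "$auth" = "manual" ] && [ -z "$hook" ]; then
            status=manual-no-hook
        else
            status=renewable
        fi
        echo "$name ${auth:-unknown} $status"
    done
}

# Build the renew command from the directories certbot recorded at issuance time.
renew_command() {
    local confdir="$1" conf work logs
    conf=$(ls "$confdir"/renewal/*.conf 2>/dev/null | head -n 1)
    [ -n "$conf" ] || return 1
    work=$(renewal_param "$conf" work_dir)
    logs=$(renewal_param "$conf" logs_dir)
    echo "certbot renew --config-dir $confdir --work-dir $work --logs-dir $logs"
}

# Constructed sample config dir (hypothetical paths, not the poster's files):
# one manual lineage without hooks and one webroot lineage.
make_sample_confdir() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/renewal"
    cat > "$dir/renewal/example.net.conf" <<EOF
# renew_before_expiry = 30 days
version = 0.23.0
archive_dir = $dir/archive/example.net
cert = $dir/live/example.net/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
config_dir = $dir
work_dir = $dir/work
logs_dir = $dir/logs
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$dir/renewal/example.net-0001.conf" <<EOF
[renewalparams]
authenticator = webroot
webroot_path = /srv/www
config_dir = $dir
work_dir = $dir/work
logs_dir = $dir/logs
EOF
    echo "$dir"
}

# Stand-alone run on the constructed sample; point it at ~/letsencrypt/config
# instead to inspect a real directory, e.g. `audit_renewal_dir ~/letsencrypt/config`.
sample=$(make_sample_confdir)
audit_renewal_dir "$sample"
renew_command "$sample"
rm -rf "$sample"
```

Running the audit against `/etc/letsencrypt` on the poster's machine would print the "no renewal configs" line, which is exactly why the default `certbot renew` reported "No renewals were attempted"; running it against `~/letsencrypt/config` shows the manual lineages that need reissuing instead.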


#3

Is that also the case if you specify other directories? I always thought that was only the case when deliberately choosing the manual plugin without hooks.


#4

Hi @AlexanderHagerman

you have a certificate which is critical:

CN=unexpectedeof.net    valid from 23.12.2018    valid until 23.03.2019    expires in 8 days    unexpectedeof.net - 1 entry

But your ip addresses are curious:

Host                   T     IP-Address      is auth.  ∑ Queries  ∑ Timeout
unexpectedeof.net      A     35.185.44.232   yes       1          0
                       A     217.70.184.38   yes       1          0
                       AAAA                  yes
www.unexpectedeof.net  A     35.185.44.232   yes       1          0
                       AAAA                  yes

The non-www version has two different addresses. And a really big problem: checking /.well-known/acme-challenge, there are different answers:

K http://unexpectedeof.net/ 217.70.184.38, Status 200
http://unexpectedeof.net/ 35.185.44.232, Status 301
configuration problem - different ip addresses with different status
K https://unexpectedeof.net/ 217.70.184.38, Status -14
https://unexpectedeof.net/ 35.185.44.232, Status 200
configuration problem - different ip addresses with different status
K http://unexpectedeof.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 217.70.184.38, Status 200
http://unexpectedeof.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 35.185.44.232, Status 301
configuration problem - different ip addresses with different status

The 217.* sends a 200, the 35.* a redirect 301.

217.* shows something like

This domain name has been registered with Gandi.net View the WHOIS data for unexpectedeof.net to see the domain’s public registration information. unexpectedeof.net is registered Want your own domain name? Learn more about the domain name extensions we manage Find a domain name similar to unexpectedeof.net Gandi.net Register Domain Names Transfer Domain Names SSL Certificates Web Hosting Cloud News Help

So renew may not work, if Letsencrypt picks the 217.* ip address.


Your certbot: What says

certbot certificates

Did you reinstall something? Or a certbot-auto?
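
The check described in the post above (two A records, each answering the challenge path differently) can be reproduced from any machine with `dig` and `curl`. The script below is an added example, not code from the thread or from the check-your-website tool: it resolves every A record for the host, fetches the `/.well-known/acme-challenge/` path from each address with `--resolve` so DNS round-robin cannot hide the second server, and reports when the addresses disagree. With no argument it only evaluates the status pairs quoted in the post (200 from 217.70.184.38, 301 from 35.185.44.232); the probe token name is arbitrary.

```sh
#!/bin/sh
# Added example (not from the thread): reproduce the check above locally. Resolve
# every A record for the host, fetch the ACME challenge path from each address
# directly, and flag the case where the addresses answer differently.

# All IPv4 addresses the public DNS returns for the host (needs dig).
host_addresses() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# HTTP status for the challenge path from one specific address. --resolve pins
# the request to that IP. Any token works as a probe: a 404 from the right web
# root is fine, a 301 or a registrar parking page is not.
probe_challenge() {
    # $1 = host, $2 = ip, $3 = probe token (arbitrary)
    curl -sS -o /dev/null -m 10 -w '%{http_code}' \
        --resolve "$1:80:$2" "http://$1/.well-known/acme-challenge/$3"
}

# Read "<ip> <status>" lines on stdin; exit 0 if every address returned the same
# status, 1 if they disagree (the "configuration problem" case).
statuses_agree() {
    awk '{ seen[$2] = 1 } END { n = 0; for (s in seen) n++; exit (n > 1) }'
}

# Probe every address of a host, print "<ip> <status>" per address, and report
# whether they agree. Returns 1 on disagreement so it can gate a renew attempt.
check_challenge_path() {
    local host="$1" ip code results=""
    for ip in $(host_addresses "$host"); do
        code=$(probe_challenge "$host" "$ip" "probe-$$") || code=000
        results="$results$ip $code
"
    done
    printf '%s' "$results"
    if printf '%s' "$results" | statuses_agree; then
        echo "ok: all addresses answer the challenge path alike"
    else
        echo "configuration problem: different addresses give different status" >&2
        return 1
    fi
}

# Usage: sh check.sh unexpectedeof.net
# With no argument this only evaluates the result pairs quoted in the post above
# (constructed from the posted numbers, no network access needed).
if [ -n "${1:-}" ]; then
    check_challenge_path "$1"
else
    printf '217.70.184.38 200\n35.185.44.232 301\n' | statuses_agree \
        || echo "posted results: configuration problem (200 vs 301)"
fi
```

Run it against the domain before attempting renewal: the CA may validate from either address, so the challenge path has to answer the same way on both, and a stray A record pointing at a registrar parking page is the usual reason one of them does not.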


#5

Hi @JuergenAuer, when I created the certificate the first time I didn’t do a wildcard, and then I wanted to cover multiple subdomain routes, so I created a wildcard cert. Looks like I messed something up in there and need to fix the A record in the DNS manager. Thank you for calling that out to me. I’ll also check out the tools topic I saw posted on my first visit to the board yesterday.

From the other answers it looks like I’ll need to use renew with the custom directory, or run the creation command again since I used the manual flag. I’ll dig into that a bit more, and confirm some of the commands from long term .bash_history.


#6

Rerunning the certbot certonly manual was the solution here. Thank you for the help.