Sorry about my lack of knowledge in all things certs.
I’ve been trying to renew a cert that expires in about 15 days. A previous colleague created the cert initially just under 3 months ago. The strange thing is when I try to renew the cert, the expiry date is still the old expiry date 2020-09-24 when I need it to renew completely to a date 3 months later.
On another note, I did try certbot-auto renew, which didn’t work, so I used the command listed below instead to try renewing.
My domain is: devbankamp.com.au
I ran this command: /usr/local/bin/certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns-01 --agree-tos -d *.devbankamp.com.au -d devbankamp.com.au
It produced this output: Only have output in a screenshot now sadly. In summary,
Cert due for renewal, renewing an existing cert. Congratulations, key file saved at devbankamp.com.au/privkey.pem. Cert will expire on 2020-09-24…
My web server is (include version):
The operating system my web server runs on is (include version): Redhat 7
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.7.0
According to https://crt.sh/?q=devbankamp.com.au, there have been 6 certificates issued since then. They come in pairs (precertificate and certificate) if you’re wondering why there appear to be 12. I noticed that you used certonly. Based on the “success” message you received with the old certificate date, I am suspecting that either:
there are missing/broken/outdated symlinks so your old certificate is “stuck”
the permissions are wrong and your new private key and certificate could not actually be written
I’m assuming that the output you’ve posted is live and not from an old log entry…
Ah. It’s always my favorite thing (massive sarcasm) when default error pages provided by hosting services result in a 200 for an error page being served.
I would like to point out: certonly --manual --preferred-challenges dns-01 | -d *.devbankamp.com.au
Skipping over the manual wildcard/DNS auth request... (for now) If the cert was renewed, then the web server just needs to be reloaded/restarted.
So was the cert actually renewed?
Care to share that screenshot?
That sounds like it just "reapplied" the current cert - not actually renewed anything.
Sorry, was just grabbing lunch and all. I may have broken some symlinks somehow in the past. And I’ve had quite a few attempts at renewing, which might explain the many certs flying around. To give some more context, I generate the certs on this server then apply them on many other Windows servers.
Haha loving the banter here though
[root@ip-10-162-30-120 bnk_admin]# sudo /usr/local/bin/certbot-auto certificates
WARNING: unable to check for updates.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/devbankamp.com.au-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/devbankamp.com.au-0001/cert.pem to be a symlink. Skipping.
OCSP check failed for /etc/letsencrypt/live/devbankamp.com.au/cert.pem (are we offline?)
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/ocsp.py", line 188, in _check_ocsp_cryptography
    timeout=timeout)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/api.py", line 119, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/api.py", line 61, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectTimeout(e, request=request)
ConnectTimeout: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Max retries exceeded with url: / (Caused by ConnectTimeoutError(<urllib3.connection.HTTPConnection object at 0x7ff716966350>, 'Connection to ocsp.int-x3.letsencrypt.org timed out. (connect timeout=10)'))
Found the following certs:
Certificate Name: devbankamp.com.au
Serial Number: 3290486b96d1d26172e0f3bee47da1e6610
Domains: *.devbankamp.com.au devbankamp.com.au
Expiry Date: 2020-09-24 02:45:32+00:00 (VALID: 15 days)
Certificate Path: /etc/letsencrypt/live/devbankamp.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/devbankamp.com.au/privkey.pem
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/devbankamp.com.au-0001.conf
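The "expected ... cert.pem to be a symlink" error above can be checked across every lineage at once. The script below is an added example, not part of the original thread and not certbot's own code; it assumes the standard certbot layout in which the four files under live/<name>/ are symlinks into archive/<name>/, and the function names check_lineage and audit_live are hypothetical.

```shell
#!/bin/sh
# Added example: audit certbot lineages for the symlink layout certbot expects.
# Assumption: live/<name>/{cert,chain,fullchain,privkey}.pem are symlinks
# whose targets live under archive/<name>/.

# check_lineage DIR: print one line per problem; return 0 if clean, 1 otherwise.
check_lineage() {
    dir=$1
    bad=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        link="$dir/$f"
        if [ ! -L "$link" ]; then
            # Either a copied-in regular file or nothing at all.
            if [ -e "$link" ]; then
                echo "$link: regular file, expected a symlink"
            else
                echo "$link: missing"
            fi
            bad=1
        elif [ ! -e "$link" ]; then
            # -e follows the link, so this is a symlink with no target.
            echo "$link: dangling symlink -> $(readlink "$link")"
            bad=1
        else
            target=$(readlink "$link")
            case $target in
                */archive/*) ;;
                *) echo "$link: points outside archive/ ($target)"; bad=1 ;;
            esac
        fi
    done
    return "$bad"
}

# audit_live LIVE_DIR: check every lineage; return the number of broken ones.
audit_live() {
    live=${1:-/etc/letsencrypt/live}
    broken=0
    for d in "$live"/*/; do
        [ -d "$d" ] || continue
        if check_lineage "${d%/}"; then
            echo "OK      ${d%/}"
        else
            echo "BROKEN  ${d%/}"
            broken=$((broken + 1))
        fi
    done
    return "$broken"
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then audit_live "$1"; fi
```

Run it as root with /etc/letsencrypt/live as the argument; a lineage reported as BROKEN is one that the certificates subcommand will skip as an invalid renewal configuration.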