Certbot-auto always renews certificate


#1

Please fill out the fields below so we can help you better.

My domain is: hopefully not relevant. If it turns out it’s needed, I’ll provide it (yes, I’m paranoid, I know)

I ran this command:
certbot-auto renew --pre-hook “service apache2 stop” --post-hook “service apache2 start” --dry-run

It produced this output:

Requesting root privileges to run certbot...
  /home/username/.local/share/letsencrypt/bin/letsencrypt renew --pre-hook service apache2 stop --post-hook service apache2 start --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/subdomain.domainname.conf
-------------------------------------------------------------------------------
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for subdomain.domain
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/subdomain.domain/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

My operating system is (include version):
raspbian

My web server is (include version):
apache2

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Now for my problem: I’m glad I came across certbot-auto. For once in my life I managed to have an SSL secure server. But: Everytime certbot-auto renew runs, the certificate get’s renewed. For one, that’s not how I understand it is supposed to work (it should check the existing certificates expiry date and only actually renew at 30 days or under, right?) and b) it’s a bit annoying to have to accept a new certificate twice a week.

I read and read, but I can’t find what’s wrong with my setup. Can someone help me out here?


#2

Well, if that’s the exact command you ran… --dry-run makes it test what would happen if the cert was close to expiry, but doesn’t actually renew it even if it really is. You should remove that flag from the actual renewal command that you run from cron.


#3

Yeah, my bad. The cron job I’m running twice a week is:
certbot-auto renew --quiet --pre-hook “service apache2 stop” --post-hook “service apache2 start”


#4

and is the cron running correctly ? or does that obtain a certificate every time ?


#5

What do you need to “accept”? Renewals should be completely transparant to the end-user.

And I would suggest removing the --quiet flag for a few times to check the renewal output of cron. Cron should mail its output to the server maintainer, if appropriate set up of course.


#6

I removed --quiet, but there is no mail transport installed on the machine, so I’m not likely to get an email. Would adding
>> /var/log/letsencrypt/LE.log
do the trick?

What I meant was, every time the certificate renews (which to me means: there is a new one), Thunderbird (or, Lightning and Card Book respectively), DavDroid, Nextcloud all complain about the certificate and I have to accept permanent exceptions. That works fine, untii certbot runs again a few days later, and the same thing happens.
That’s, by the way, how I know that the cron job ran. :wink:


#7

You shouldn’t have to make an exception for Let’s Encrypt certificates. Otherwise a self-signed certificate would suffice and there’s no need for LE :stuck_out_tongue_winking_eye: Sounds like a configuration issue, do you use fullchain.pem or chain.pem anywhere or just cert.pem?

And of course the certbot log file would give more useful information, yes :slight_smile:


#8

If it wasn’t obvious yet: I don’t truly know what I’m doing, so everything is possible :wink:

I initially installed the certificate using the --apache flag, that’s all I remember, so I honestly can’t say what’s being used. I’ll post the exact popup messages I get from Thunderbird & co after the next run of the cronjob, as well as the log.


#9

Ok, so today I ran:
certbot-auto renew --pre-hook "service apache2 stop" --post-hook "service apache2 start" > /home/username/logs/certbot.log

and got this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log Running pre-hook command: service apache2 stop Renewing an existing certificate Performing the following challenges: tls-sni-01 challenge for domainname Waiting for verification... Cleaning up challenges Generating key (4096 bits): /etc/letsencrypt/keys/0014_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0014_csr-certbot.pem Running post-hook command: service apache2 start

As soon as this ran, I got a pop-up from my NextCloud-client.

Cannot connect securely to 192.xxx.xxx.xxx:
The host name did not match any of the valid hosts for this certificate
with Certificate domainname
Organization:
Unit:
Country:
Fingerprint (MD5): XXX
Fingerprint (SHA1): XXX

Effective Date: Fr. Feb. 10 09:25:00 2017 GMT
Expiration Date: Do. Mai 11 09:25:00 2017 GMT
Issuer: Let’s Encrypt Authority X3
Organization: Let’s Encrypt
Unit:
Country: US

I can tick “Trust this certificate anyway” and that will make this window disappear.

The log created reads:

Requesting root privileges to run certbot...
  /home/username/.local/share/letsencrypt/bin/letsencrypt renew --pre-hook service apache2 stop --post-hook service apache2 start

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/domainname
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/domainname/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/domainname/fullchain.pem (success)

Hope this helps


#10

Are you correctly using the full chain ?

see https://help.nextcloud.com/t/web-browsers-accept-my-nextclouds-ssl-certs-nextcloud-clients-dont/7870

if you provide your domain name we can check for you.


#11

Well, there’s 2 ssl relevant .confs in /etc/apache2/sites-available. And both show
SSLCertificateFile /etc/letsencrypt/live/domainname/fullchain.pem

Can I safely deduct from that, I AM using the full chain?


#12

I think that error means the nextcloud client is configured to connect directly to the server’s IP address rather than the domain which the cert is valid for.


#13

That’s actually true. Since the NC-client is running on a local machine, I figured I go the direct route. Ok, so let’s say I fix that in NC and Thunderbird and whereever else… the initial problem, that every run of certbot-auto creates a new certificate, is not affected by this.You can even see today’s date in the popup from NC… how do I fix that?


#14

I don’t know if that’s indeed a certbot-auto bug, because I don’t use that. It seems so and that should be fixed.
But as a workaround, I can suggest you to create a script that checks the certificate lifetime using openssl and only starts certbot afterwards.

Here is what you could use:

#!/bin/bash

openssl x509 -checkend 950400 -in /etc/letsencrypt/live/your.tld/fullchain.pem > /dev/null

if [ $? != 0 ]; then
	# certificate will be invalid in 11 days, renew it
	certbot-auto renew --pre-hook "service apache2 stop" --post-hook "service apache2 start" > /home/username/logs/certbot.log
fi

Save this as update_cert.sh, make it executable and run that in cron.
It checks if the given certificate is still valid in 11 days and runs certbot-auto only if it isn’t.


#15

Yeah, that seems to work, thanks. But, I can hardly be the only one suffering from this, can I? Or has everyone else correctly configured their applications to point at the URL and thusly never noticed the issue? :slight_smile:


#16

Hmm, I wonder if you have renew-by-default in a configuration file somewhere.


#17

That’s
/etc/letsencrypt/renewal/domainname.conf
right?

Well, here’s what’s in it:

renew_before_expiry = 14 days
version = 0.11.1
cert = /etc/letsencrypt/live/domainname/cert.pem
privkey = /etc/letsencrypt/live/domainname/privkey.pem
chain = /etc/letsencrypt/live/domainname/chain.pem
fullchain = /etc/letsencrypt/live/domainname/fullchain.pem
archive_dir = /etc/letsencrypt/archive/domainname

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
rsa_key_size = 4096
account = #
post_hook = service apache2 start
pre_hook = service apache2 stop


#18

There’s also cli.ini.


#19

That’s

rsa-key-size = 4096
text = True
redirect = True
renew-by-default = True
agree-tos = True
email = someone@somewhere.xyz


#20

Well well well, look at that. One guess which line is quilty :wink: