Certbot does not store a new certificate upon renewal


#1

My domain is: marcusriemer.de

I ran this command: certbot certonly --text -d marcusriemer.de --standalone and

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
/usr/lib/python3.6/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for marcusriemer.de
Waiting for verification...
Cleaning up challenges
archive directory exists for marcusriemer.de-0001

But if I check the certificate using openssl x509 -noout -dates -in /etc/letsencrypt/archive/marcusriemer.de-0001/fullchain1.pem the “new” certificate is still expired.

The operating system my web server runs on is (include version): Arch Linux

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

If I run certbot certificates I get the following output (I only redacted some domain variants):

Certificate Name: marcusriemer.de
    Domains: marcusriemer.de 
    Expiry Date: 2018-04-30 06:36:29+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/marcusriemer.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/marcusriemer.de/privkey.pem

Running certbot renew tells me everything is alright but does not produce a new certificate:

Processing /etc/letsencrypt/renewal/marcusriemer.de.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
/usr/lib/python3.6/site-packages/josepy/jwa.py:107: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
  signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for marcusriemer.de
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/marcusriemer.de/fullchain.pem
-------------------------------------------------------------------------------

I then attempted to retrieve a certificate manually using the certbot certonly --text -d marcusriemer.de --standalone command mentioned above (which ran without errors, as stated above). But after checking the created certificate using openssl x509 -noout -dates -in /etc/letsencrypt/archive/marcusriemer.de-0001/fullchain1.pem all I get is this:

notBefore=Jan 30 06:36:29 2018 GMT
notAfter=Apr 30 06:36:29 2018 GMT

#2

Hi @MarcusRiemer,

Seems your /etc/letsencrypt/ structure is a bit messed up :frowning:

Could you please show the output of the following commands?

ls -l /etc/letsencrypt/archive/marcusriemer.de-0001/
ls -l /etc/letsencrypt/archive/marcusriemer.de/

ls -l /etc/letsencrypt/live/marcusriemer.de-0001/
ls -l /etc/letsencrypt/live/marcusriemer.de/

cat /etc/letsencrypt/renewal/marcusriemer.de-0001.conf
cat /etc/letsencrypt/renewal/marcusriemer.de.conf

Cheers,
sahsanu


#3

Ah, you are up to something there … I ran your commands and the output is as follows:

+ ls -l /etc/letsencrypt/archive/marcusriemer.de-0001/
total 16
-rw-r--r-- 1 root root 1834 Jan 30 07:36 cert1.pem
-rw-r--r-- 1 root root 1647 Jan 30 07:36 chain1.pem
-rw-r--r-- 1 root root 3481 Jan 30 07:36 fullchain1.pem
-rw-r--r-- 1 root root 1708 Jan 30 07:36 privkey1.pem
+ ls -l /etc/letsencrypt/archive/marcusriemer.de/
total 176
-rw-r--r-- 1 root root 1858 Nov 14 11:58 cert10.pem
-rw-r--r-- 1 root root 1858 Jan 27 13:10 cert11.pem
-rw-r--r-- 1 root root 1854 Feb 13  2016 cert1.pem
-rw-r--r-- 1 root root 2191 Apr 30 07:57 cert2.pem
-rw-r--r-- 1 root root 1862 Jun 24  2016 cert3.pem
-rw-r--r-- 1 root root 1862 Sep  4  2016 cert4.pem
-rw-r--r-- 1 root root 1862 Nov 18  2016 cert5.pem
-rw-r--r-- 1 root root 1862 Jan 24  2017 cert6.pem
-rw-r--r-- 1 root root 1862 Apr 17  2017 cert7.pem
-rw-r--r-- 1 root root 1858 Jun 27  2017 cert8.pem
-rw-r--r-- 1 root root 1858 Sep  5  2017 cert9.pem
-rw-r--r-- 1 root root 1647 Nov 14 11:58 chain10.pem
-rw-r--r-- 1 root root 1647 Jan 27 13:10 chain11.pem
-rw-r--r-- 1 root root 1675 Feb 13  2016 chain1.pem
-rw-r--r-- 1 root root 1647 Apr 30 07:57 chain2.pem
-rw-r--r-- 1 root root 1647 Jun 24  2016 chain3.pem
-rw-r--r-- 1 root root 1647 Sep  4  2016 chain4.pem
-rw-r--r-- 1 root root 1647 Nov 18  2016 chain5.pem
-rw-r--r-- 1 root root 1647 Jan 24  2017 chain6.pem
-rw-r--r-- 1 root root 1647 Apr 17  2017 chain7.pem
-rw-r--r-- 1 root root 1647 Jun 27  2017 chain8.pem
-rw-r--r-- 1 root root 1647 Sep  5  2017 chain9.pem
-rw-r--r-- 1 root root 3505 Nov 14 11:58 fullchain10.pem
-rw-r--r-- 1 root root 3505 Jan 27 13:10 fullchain11.pem
-rw-r--r-- 1 root root 3529 Feb 13  2016 fullchain1.pem
-rw-r--r-- 1 root root 3838 Apr 30 07:57 fullchain2.pem
-rw-r--r-- 1 root root 3509 Jun 24  2016 fullchain3.pem
-rw-r--r-- 1 root root 3509 Sep  4  2016 fullchain4.pem
-rw-r--r-- 1 root root 3509 Nov 18  2016 fullchain5.pem
-rw-r--r-- 1 root root 3509 Jan 24  2017 fullchain6.pem
-rw-r--r-- 1 root root 3509 Apr 17  2017 fullchain7.pem
-rw-r--r-- 1 root root 3505 Jun 27  2017 fullchain8.pem
-rw-r--r-- 1 root root 3505 Sep  5  2017 fullchain9.pem
-rw-r--r-- 1 root root 1704 Nov 14 11:58 privkey10.pem
-rw-r--r-- 1 root root 1704 Jan 27 13:10 privkey11.pem
-rw-r--r-- 1 root root 1704 Feb 13  2016 privkey1.pem
-rw-r--r-- 1 root root 1704 Apr 30 07:57 privkey2.pem
-rw-r--r-- 1 root root 1708 Jun 24  2016 privkey3.pem
-rw-r--r-- 1 root root 1704 Sep  4  2016 privkey4.pem
-rw-r--r-- 1 root root 1704 Nov 18  2016 privkey5.pem
-rw-r--r-- 1 root root 1704 Jan 24  2017 privkey6.pem
-rw-r--r-- 1 root root 1708 Apr 17  2017 privkey7.pem
-rw-r--r-- 1 root root 1704 Jun 27  2017 privkey8.pem
-rw-r--r-- 1 root root 1704 Sep  5  2017 privkey9.pem
+ ls -l /etc/letsencrypt/live/marcusriemer.de-0001/
ls: cannot access '/etc/letsencrypt/live/marcusriemer.de-0001/': No such file or directory
+ ls -l /etc/letsencrypt/live/marcusriemer.de/
total 4
lrwxrwxrwx 1 root root  44 Apr 30 07:57 cert.pem -> ../../archive/marcusriemer.de-0001/cert1.pem
lrwxrwxrwx 1 root root  45 Apr 30 07:57 chain.pem -> ../../archive/marcusriemer.de-0001/chain1.pem
lrwxrwxrwx 1 root root  49 Apr 30 07:57 fullchain.pem -> ../../archive/marcusriemer.de-0001/fullchain1.pem
lrwxrwxrwx 1 root root  47 Apr 30 07:57 privkey.pem -> ../../archive/marcusriemer.de-0001/privkey1.pem
-rw-r--r-- 1 root root 543 Jan 30 07:36 README
+ cat /etc/letsencrypt/renewal/marcusriemer.de-0001.conf
+ cat /etc/letsencrypt/renewal/marcusriemer.de.conf
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/marcusriemer.de/cert.pem
privkey = /etc/letsencrypt/live/marcusriemer.de/privkey.pem
chain = /etc/letsencrypt/live/marcusriemer.de/chain.pem
fullchain = /etc/letsencrypt/live/marcusriemer.de/fullchain.pem
version = 0.23.0
archive_dir = /etc/letsencrypt/archive/marcusriemer.de

# Options and defaults used in the renewal process
[renewalparams]
installer = None
authenticator = standalone
account = 2ef41f53b5fd8ab84dbe1d7f93cabe6c

It seems that the actual marcusriemer.de live variant points to ../../archive/marcusriemer.de-0001 for whatever reason. Maybe I did this by accident as a side effect when checking whether I could directly retrieve a new certificate?

I don’t really care about the old certificates at this point. Is there an easy way to simply “start over” and remove all those certificates and the configuration using certbot? I do have backups of everything in case something goes south, but for the moment I would like to have the page up and running as fast as possible again.


#4

There is no need to start over again, just a couple of changes:

As you have backups… are you sure right? :wink:

cd /etc/letsencrypt/live/marcusriemer.de/
rm *.pem
ln -s ../../archive/marcusriemer.de/cert2.pem cert.pem
ln -s ../../archive/marcusriemer.de/chain2.pem chain.pem
ln -s ../../archive/marcusriemer.de/fullchain2.pem fullchain.pem
ln -s ../../archive/marcusriemer.de/privkey2.pem privkey.pem

I’m using ../../archive/marcusriemer.de/*2.pem because it seems these files are the last generated… a bit strange, but it seems so.

Then you could remove the other archived files starting from *3.pem to *11.pem.

for i in $(seq 3 11); do rm -f /etc/letsencrypt/archive/marcusriemer.de/*"${i}".pem; done

And you should be good, just restart your web server and lets see what happens :wink:

Cheers,
sahsanu
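The state diagnosed in #3 (live/ links resolving into the wrong archive directory) and the manual relink in #4 can be checked and applied with a small script. This is an added example, not code from the thread or from Certbot. It assumes a Certbot-style tree base/{archive,live,renewal} where the renewal conf carries an `archive_dir = ...` line, and it treats "newest" as most recently modified, the criterion sahsanu used to pick the *2.pem files; the function names are invented here.

```shell
#!/bin/sh
# Audit a certbot lineage whose live/ symlinks may point into the wrong
# archive directory, and repoint them. Added example; assumes the layout
# base/{archive,live,renewal} and an "archive_dir = ..." line in the conf.
# Usage: audit_lineage /etc/letsencrypt marcusriemer.de
#        relink_lineage /etc/letsencrypt marcusriemer.de 2

# archive_dir declared in renewal/<name>.conf
declared_archive_dir() {
    sed -n 's/^archive_dir[[:space:]]*=[[:space:]]*//p' "$1/renewal/$2.conf"
}

# Directory that live/<name>/fullchain.pem actually resolves into. Certbot
# writes relative links such as ../../archive/<name>-0001/fullchain1.pem,
# which are relative to the link's own directory.
actual_archive_dir() {
    link="$1/live/$2/fullchain.pem"
    target=$(readlink "$link") || return 1
    case "$target" in
        /*) dirname "$target" ;;
        *)  (cd "$(dirname "$link")/$(dirname "$target")" && pwd) ;;
    esac
}

# Version number N of the fullchainN.pem that live/ currently points at
live_version() {
    readlink "$1/live/$2/fullchain.pem" | sed 's/.*fullchain\([0-9][0-9]*\)\.pem$/\1/'
}

# Version number of the most recently modified fullchainN.pem in an archive
# dir. Numbering alone is not reliable: in the thread the *2.pem files were
# the last ones written, so mtime is used, as sahsanu did by eye.
newest_version() {
    ls -t "$1"/fullchain*.pem | head -n 1 | sed 's/.*fullchain\([0-9][0-9]*\)\.pem$/\1/'
}

# Report mismatches between renewal conf, live/ links and archive contents.
# Returns 0 when live/ points at the newest file of the declared archive dir.
audit_lineage() {
    base="$1"; name="$2"; status=0
    want_dir=$(declared_archive_dir "$base" "$name")
    [ -n "$want_dir" ] || { echo "no archive_dir in $base/renewal/$name.conf"; return 1; }
    have_dir=$(actual_archive_dir "$base" "$name") || { echo "no live link for $name"; return 1; }
    if [ "$want_dir" != "$have_dir" ]; then
        echo "live/$name resolves into $have_dir but renewal conf declares $want_dir"
        status=1
    fi
    want_ver=$(newest_version "$want_dir")
    have_ver=$(live_version "$base" "$name")
    if [ "$want_ver" != "$have_ver" ]; then
        echo "live/$name points at version $have_ver, newest in $want_dir is version $want_ver"
        status=1
    fi
    return "$status"
}

# Repoint the four live/ links at version N of the declared archive dir using
# the same relative form certbot writes (assumes archive_dir lives under
# base/archive, which is where certbot puts it). Archive files are left alone.
relink_lineage() {
    base="$1"; name="$2"; ver="$3"
    arch=$(declared_archive_dir "$base" "$name")
    rel="../../archive/$(basename "$arch")"
    for f in cert chain fullchain privkey; do
        [ -f "$arch/$f$ver.pem" ] || { echo "missing $arch/$f$ver.pem"; return 1; }
    done
    for f in cert chain fullchain privkey; do
        rm -f "$base/live/$name/$f.pem"
        ln -s "$rel/$f$ver.pem" "$base/live/$name/$f.pem"
    done
}

# Archived private keys readable by other users. The listing in #3 shows
# privkey*.pem as 0644, so confinement rests entirely on the archive and
# live directories not being traversable by others; check those with ls -ld.
world_readable_keys() {
    find "$1/archive" -name 'privkey*.pem' -perm -004
}
```

After relinking, the check that actually matters is the one from the thread, openssl x509 -noout -dates -in /etc/letsencrypt/live/marcusriemer.de/fullchain.pem, followed by a web server restart and certbot certificates; mtime only says which archive file was written last, not whether it is still valid.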


#5

You are a wizard, thanks a lot! Everything seems to be back to normal now.


#6

You are welcome. I’m glad you got it working again :wink:


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.