Certbot not renewing cert 3 months after Jitsi install

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cider4u.uk

I ran this command: certbot

It produced this output: No certificate found

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 24.04.1 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No?!

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

Other info:

In the letsencrypt folder I have "accounts", "cli.ini", "renewal" and "renewal-hooks". In the "accounts" folder I have an "acme-v02.api.letsencrypt.org" folder with a "directory" containing what looks like a key.
(I had not installed acme, installed it out of desperation! but no change)

I have nothing in "renewal", "deploy", "post" and "pre" folders:
root@cider4u:/etc/letsencrypt# ls
accounts cli.ini renewal renewal-hooks
root@cider4u:/etc/letsencrypt# cd accounts
root@cider4u:/etc/letsencrypt/accounts# ls
acme-v02.api.letsencrypt.org
root@cider4u:/etc/letsencrypt/accounts# cd ..
root@cider4u:/etc/letsencrypt# cd renewal
root@cider4u:/etc/letsencrypt/renewal# ls
root@cider4u:/etc/letsencrypt/renewal# cd ..
root@cider4u:/etc/letsencrypt# cd renewal-hooks
root@cider4u:/etc/letsencrypt/renewal-hooks# ls
deploy post pre
root@cider4u:/etc/letsencrypt/renewal-hooks# cd deploy
root@cider4u:/etc/letsencrypt/renewal-hooks/deploy# ls
root@cider4u:/etc/letsencrypt/renewal-hooks/deploy# cd ..
root@cider4u:/etc/letsencrypt/renewal-hooks# cd post
root@cider4u:/etc/letsencrypt/renewal-hooks/post# ls
root@cider4u:/etc/letsencrypt/renewal-hooks/post# cd ..
root@cider4u:/etc/letsencrypt/renewal-hooks# cd pre
root@cider4u:/etc/letsencrypt/renewal-hooks/pre# ls
root@cider4u:/etc/letsencrypt/renewal-hooks/pre#

I do not remember installing/running acme but read a little and something may have changed recently. I have previously run certbot to renew without problems.
FYI I have little knowledge of certificates but have been using Linux for over 20 yrs and can use the CLI reasonably well and ssh into my server, which still shows the cert and the same expiry date in 2 weeks' time.
I can see there are tools I could use to diagnose further but would like some advice in case the above information is sufficient.
PS I am 80 years old so please be gentle!
Thanks for your time

There also should be a /live/ and /archive/ directory where Certbot would store the certificates.

Then Certbot doesn't have any certificate configured.

Are you sure Certbot was used to get the initial certificate?

Also, I don't have any clue about nor experience with Jitsi, so I don't know the relationship between Jitsi and Certbot, if there is any.

Hi,

I installed Jitsi-meet via their quickstart instructions and I precied the instructions BUT did write down what happened as it just stated: "The recommended option is to choose Let's Encrypt Certificate option":

TLS Certificate

In order to have encrypted communications, you need a TLS certificate.

During installation of Jitsi Meet you can choose between different options:

  1. The recommended option is to choose Let's Encrypt Certificate option
  2. But if you want to use a different certificate you should get that certificate first and then install jitsi-meet and choose I want to use my own certificate.
  3. You could also use the self-signed certificate (Generate a new self-signed certificate) but this is not recommended for the following reasons:
  • Using a self-signed certificate will result in warnings being shown in your users' browsers, because they cannot verify your server's identity.
  • Jitsi Meet mobile apps require a valid certificate signed by a trusted Certificate Authority and will not be able to connect to your server if you choose a self-signed certificate.

I have not checked again but am fairly sure that there are no "Live" or "Archive" directories under certbot, and now think I could not have used certbot to create a cert.
I need to find out how the Jitsi program created the cert as something might have changed.
From your reply I understand a Let's Encrypt cert can be created several ways, with different programs, and to renew a cert I MUST use the program it was created with. Is this correct?

Is there a way to make certbot (or something else) create a new cert or must I wait for it to expire first?

I did not see any reference on the certificate info on the browser showing what S/W created it. Is there a way to find this information?
The cert is still valid but only for 12 more days.

I will go and read information on the Jitsi site forum to see if anything has changed over the last couple of years.

Thanks

The "MUST" is a little bit strong here, that's not an absolute requirement, but it usually works best to let the ACME client initially used to also do all the renewing.

Sure, you might be able to use Certbot to get a new certificate, but then you also would need to make sure that new certificate is somehow actually used in Jitsi. And I think experience with Jitsi is rather sparse on this Community, so we might not be able to help you with that second step. There's no need to wait for the previous cert to expire.

Not from within the certificate. Or any public information for that matter. Usually the person who initially set up the entire thing would know/remember. That said, I can imagine if software like Jitsi gets and installs the certificate fully automatically, one doesn't know the technical details.

3 Likes

Thanks for the info.
After posting I tried certbot force renewal and it could not do it, but good old Linux did offer to recreate a new one but said I would have to re-configure the server to use it. This is a bit of a risk as it's at the limit of my knowledge.
I need to know how the Jitsi install S/W created the cert or find out what changes are needed for Nginx to use a new cert. I will try the Jitsi forum to see if they can help.
It's just a little peculiar as certbot renew did work a couple of years ago on my old install, but that could be S/W updating.
Thanks for your time

2 Likes

Just for information: I searched the Jitsi forum. My problem was that I used certbot on an original install about 3 years ago, but on the Jitsi install 3 months ago, Jitsi now uses an acme script to create the new cert and, it seems, the cert should auto renew.

I will pursue a solution on Jitsi forum.

Thanks

4 Likes
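
Added example, not part of the thread and not Certbot's or Jitsi's own code: a shell script for the question raised above of which program manages the certificate nginx is serving. It reads the `ssl_certificate` paths from the nginx configuration and checks whether Certbot holds a renewal config for them; the function names and the sample site (meet.example.org, the /etc/jitsi/meet/ path) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Print the unique ssl_certificate paths found in nginx config files under $1.
# The trailing [[:space:]] keeps ssl_certificate_key lines out; commented lines are skipped.
nginx_cert_paths() {
    grep -RhE '^[[:space:]]*ssl_certificate[[:space:]]' "$1" 2>/dev/null |
        awk '{ sub(/;.*/, "", $2); print $2 }' | sort -u
}

# Classify one certificate path against a Certbot config dir ($2).
classify_cert() {
    local cert="$1" le_dir="${2:-/etc/letsencrypt}" name
    case "$cert" in
        "$le_dir"/live/*)
            name=${cert#"$le_dir"/live/}; name=${name%%/*}
            if [ -f "$le_dir/renewal/$name.conf" ]; then
                echo "certbot"            # lineage has a renewal config
            else
                echo "certbot-orphaned"   # path under live/ but no renewal config
            fi ;;
        *) echo "not-certbot" ;;          # installed by another ACME client or by hand
    esac
}

# Report every certificate nginx serves. $1 = nginx config dir, $2 = Certbot dir.
report() {
    local p
    nginx_cert_paths "$1" | while read -r p; do
        printf '%s -> %s\n' "$p" "$(classify_cert "$p" "$2")"
    done
}

# Constructed sample: an empty Certbot tree like the one in the thread, and an
# nginx site whose certificate lives outside it (hypothetical path).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/letsencrypt/renewal" "$demo/nginx/sites-enabled"
cat > "$demo/nginx/sites-enabled/meet.example.org.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name meet.example.org;
    # ssl_certificate /etc/letsencrypt/live/old/fullchain.pem;
    ssl_certificate /etc/jitsi/meet/meet.example.org.crt;
    ssl_certificate_key /etc/jitsi/meet/meet.example.org.key;
}
EOF
report "$demo/nginx" "$demo/letsencrypt"
```

On a real server, run `report /etc/nginx /etc/letsencrypt` as root. A `not-certbot` result means `certbot renew` has nothing to renew for that file, so the renewal job of whichever client issued it is the one to check.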
