I’ve been using Let’s Encrypt for almost a year and it’s fantastic - so well done to all involved.
I recently dockerized everything, and everything appears to be working very well except for a small issue I’m having around using certbot to renew my certificates.
The certbot renewal request went through, but it keeps saving the renewed certificates to a new folder with -0001 appended to my domain: /etc/letsencrypt/live/humankode.com-0001
The command I’m running is in a cron job.
I’m running Ubuntu 16.04 on an Amazon EC2 instance. Everything is dockerized.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for humankode.com
http-01 challenge for www.humankode.com
Using the webroot path /data/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/humankode.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/humankode.com-0001/privkey.pem
Your cert will expire on 2018-04-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Any suggestions on how to get around this, and why this is happening?
The intended way to renew your certificates is just certbot renew (ideally twice a day from a cron job or systemd timer). If you specify the whole issuance command again, you do have a risk of getting the -0001 if you specify a list of domain names that's in any way different from the list of domain names covered by the existing certificate (whether by adding or removing names). Could you try running certbot certificates to see whether the coverage of your new and old certificates differs in some way?
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/humankode.com-0001.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/humankode.com-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/humankode.com-0001.conf is broken. Skipping.
-------------------------------------------------------------------------------
No renewals were attempted.
Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/humankode.com-0001.conf (parsefail)
-------------------------------------------------------------------------------
0 renew failure(s), 1 parse failure(s)
Any ideas on how to proceed from here? What would be the best way to reset the button in terms of getting rid of the existing artifacts so that I can issue a new cert and test certbot renew again?
Also you’re issuing a lot of certificates. Keep the rate limits in mind and use the staging environment to experiment (certbot --staging and certbot renew --dry-run).
I deleted all the -0001 subfolders and artifacts.
ls -la /docker-volumes/etc/letsencrypt/live/humankode.com
returns
drwxr-xr-x 2 root root 4096 Dec 23 20:07 .
drwxr-xr-x 3 root root 4096 Jan 6 05:38 ..
-rw-r--r-- 1 root root 1818 Dec 23 20:06 cert.pem
-rw-r--r-- 1 root root 1647 Dec 23 20:06 chain.pem
-rw-r--r-- 1 root root 3465 Dec 23 20:07 fullchain.pem
-rw-r--r-- 1 root root 1708 Dec 23 20:07 privkey.pem
-rw-r--r-- 1 root root 543 Dec 23 20:07 README
If I run the command
sudo docker run --rm -it --name certbot \
  -v "/docker-volumes/etc/letsencrypt:/etc/letsencrypt" \
  -v "/docker-volumes/var/lib/letsencrypt:/var/lib/letsencrypt" \
  -v "/docker-volumes/data/letsencrypt:/data/letsencrypt" \
  certbot/certbot \
  certificates
I get
-------------------------------------------------------------------------------
No certs found.
-------------------------------------------------------------------------------
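The "expected ... to be a symlink" message earlier in the thread and the listing above (regular -rw-r--r-- files rather than symlinks) describe a live/ directory certbot refuses to manage. As an added example, not from this thread or the certbot project, here is a POSIX sh check (the function name check_lineage is mine) that flags that condition before certbot renew runs: every file in live/<name>/ must be a symlink into ../../archive/<name>/, and a renewal config must exist.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a certbot lineage has the
# layout "certbot renew" expects. Certbot keeps the real files in
# archive/<name>/ and only symlinks in live/<name>/; a regular file in live/
# makes certbot report "expected ... to be a symlink" and skip the lineage.
# Usage: check_lineage <letsencrypt-config-dir> <lineage-name>
#        e.g. check_lineage /etc/letsencrypt humankode.com

check_lineage() {
    root="$1"; name="$2"
    live="$root/live/$name"
    status=0
    [ -d "$live" ] || { echo "MISSING  $live"; return 1; }
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$live/$f"
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; status=1; continue
        fi
        if [ ! -L "$p" ]; then
            # This is the state the thread's ls output shows: a copied file.
            echo "NOT-LINK $p (regular file; certbot renew will refuse it)"
            status=1; continue
        fi
        target=$(readlink "$p")
        case "$target" in
            ../../archive/"$name"/*) ;;   # the relative form certbot writes
            *) echo "BAD-LINK $p -> $target"; status=1; continue ;;
        esac
        [ -e "$root/archive/$name/$(basename "$target")" ] \
            || { echo "DANGLING $p -> $target"; status=1; }
    done
    conf="$root/renewal/$name.conf"
    [ -f "$conf" ] || { echo "MISSING  $conf"; status=1; }
    [ "$status" -eq 0 ] && echo "OK       $name"
    return "$status"
}

# Run directly with two arguments; sourcing the file just defines the function.
if [ "$#" -ge 2 ]; then
    check_lineage "$1" "$2"
fi
```

A clean lineage prints OK; anything else lists the offending paths, which is the same set of files certbot would complain about during renewal.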
Ok, I managed to solve the issue. Thanks for all the input.
I found the root of the problem.
When I initially created the certificate, I used a non-official docker certbot image to issue the initial certificates.
I used deliverous/certbot instead of the certbot/certbot image. Then, when I tried to renew the certificate, it placed the renewed certificates in a -0001 suffix folder.
I confirmed this by issuing new certificates using the --staging flag on the deliverous/certbot image, and then proceeded by attempting to renew the certificates using the certbot/certbot image, and then got the -0001 suffix folder.
I then deleted everything and issued new certificates using the certbot/certbot image, and renewed using the certbot/certbot image, and everything worked fine.
There were obviously differences in how the certificates were created with the deliverous/certbot image.
From now on, I’ll stick to the official certbot images.