Certbot renew - Your connection is not private

NET::ERR_CERT_DATE_INVALID
Subject: democracystraightup.org

Issuer: R3

Expires on: Sep 25, 2022

Current date: Nov 7, 2022

My domain is: https://democracystraightup.org/

I ran this command: entrypoint: "/bin/sh -c 'while :; do certbot --force-renew; sleep 12h; done'"

It produced this output: Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 14

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

/var/log/letsencrypt/letsencrypt.log

output:

2022-11-07 16:30:45,466:DEBUG:certbot._internal.main:certbot version: 1.28.0
2022-11-07 16:30:45,467:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2022-11-07 16:30:45,467:DEBUG:certbot._internal.main:Arguments:
2022-11-07 16:30:45,467:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#n>
2022-11-07 16:30:45,500:DEBUG:certbot._internal.log:Root logging level set at 30
2022-11-07 16:30:45,506:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/democracystraightup>
2022-11-07 16:30:45,532:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default>
2022-11-07 16:30:45,570:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-09-25 19:14:>
2022-11-07 16:30:45,570:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-11-07 16:30:45,570:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 25.579089865156615 seconds

curl -Ii https://acme-v02.api.letsencrypt.org/directory

HTTP/2 200
server: nginx
date: Mon, 07 Nov 2022 16:35:17 GMT
content-type: application/json
content-length: 659
cache-control: public, max-age=0, no-cache
replay-nonce: A5FEgymGAbJG0KdOh7r7Goyh-aV0Ak0osM8uAN-eXOmhwKg
x-frame-options: DENY
strict-transport-security: max-age=604800

Why would you ever do that?

What don't you understand about that message?

And where is the rest of the log?
I can't see if it completes or fails...

3 Likes

certbot:
  image: certbot/certbot:latest
  command: certonly --webroot --webroot-path=/var/www/certbot --email democracy.straight.up@gmail.com --agree-tos --no-eff-email >
  volumes:
    - ./certbot/conf:/etc/letsencrypt
    - ./certbot/data/:/var/www/certbot
    - ./certbot/logs/:/var/log/letsencrypt
  entrypoint: "/bin/sh -c 'while :; do certbot certonly --force-renew; sleep 12h; done'"
  working_dir: /var/www/html
  depends_on:
    - db

/var/log/letsencrypt/letsencrypt.log

output:
2022-11-07 16:59:48,878:DEBUG:certbot._internal.main:certbot version: 1.28.0
2022-11-07 16:59:48,878:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2022-11-07 16:59:48,879:DEBUG:certbot._internal.main:Arguments: ['--force-renew']
2022-11-07 16:59:48,879:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#n>
2022-11-07 16:59:48,904:DEBUG:certbot._internal.log:Root logging level set at 30
2022-11-07 16:59:48,904:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2022-11-07 16:59:48,911:DEBUG:certbot._internal.plugins.selection:Multiple candidate plugins: * standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f64bc744670>
Prep: True

* webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f64bc744400>
Prep: True
2022-11-07 16:59:48,913:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot', 'console_scripts', 'certbot')())
  File "/opt/certbot/src/certbot/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1572, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/opt/certbot/src/certbot/certbot/_internal/plugins/selection.py", line 251, in choose_configurator_plugins
    authenticator = pick_authenticator(config, req_auth, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/plugins/selection.py", line 46, in pick_authenticator
    return pick_plugin(
  File "/opt/certbot/src/certbot/certbot/_internal/plugins/selection.py", line 125, in pick_plugin
    plugin_ep1 = choose_plugin(list(prepared.values()), question)
  File "/opt/certbot/src/certbot/certbot/_internal/plugins/selection.py", line 156, in choose_plugin
    code, index = display_util.menu(question, opts, force_interactive=True)
  File "/opt/certbot/src/certbot/certbot/display/util.py", line 103, in menu
    return obj.get_display().menu(message, choices, default=default, cli_flag=cli_flag,
  File "/opt/certbot/src/certbot/certbot/_internal/display/obj.py", line 131, in menu
    code, selection = self._get_valid_int_ans(len(choices))
  File "/opt/certbot/src/certbot/certbot/_internal/display/obj.py", line 396, in _get_valid_int_ans
    ans = util.input_with_timeout(input_msg)
  File "/opt/certbot/src/certbot/certbot/_internal/display/util.py", line 68, in input_with_timeout
    raise EOFError
EOFError
2022-11-07 16:59:48,914:ERROR:certbot._internal.log:An unexpected error occurred:
2022-11-07 16:59:48,915:ERROR:certbot._internal.log:EOFError

Please remove the "--force-renew" from that line.

Please show:
certbot certificates

And the matching renewal config files.

4 Likes

Especially in a loop! @ceewa30 Please don't use options like --force-renewal if you don't know what it actually does.

5 Likes

OK, the earlier code was entrypoint: "/bin/sh -c 'while :; do certbot renew; sleep 12h; done'"
While browsing for how to renew the certificate, I found code that runs certbot certonly --force-renew; I thought it would force the certificate to renew.

Forcing something almost never works, this option is useful in just a few situations, this one not being one of them.

4 Likes

certbot:
  image: certbot/certbot:latest
  command: certonly --webroot --webroot-path=/var/www/certbot --email democracy.straight.up@gmail.com --agree-tos --no-eff-email >
  volumes:
    - ./certbot/conf:/etc/letsencrypt
    - ./certbot/data/:/var/www/certbot
    - ./certbot/logs/:/var/log/letsencrypt
  entrypoint: "/bin/sh -c 'while :; do certbot renew; sleep 12h; done'"
  working_dir: /var/www/html
  depends_on:
    - db

/var/log/letsencrypt/letsencrypt.log

output:
2022-11-07 20:04:49,246:DEBUG:certbot._internal.main:certbot version: 1.28.0
2022-11-07 20:04:49,246:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2022-11-07 20:04:49,246:DEBUG:certbot._internal.main:Arguments:
2022-11-07 20:04:49,247:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#n>
2022-11-07 20:04:49,269:DEBUG:certbot._internal.log:Root logging level set at 30
2022-11-07 20:04:49,270:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/democracystraightup>
2022-11-07 20:04:49,290:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default>
2022-11-07 20:04:49,310:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-09-25 19:14:>
2022-11-07 20:04:49,311:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-11-07 20:04:49,311:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 183.797682502649 seconds

This was the log

There should be more. Certbot was in the process of automatic renewal and was entering a random delay (to prevent thousands of clients renewing at 00:00 daily). So perhaps you just have to be patient. The delay mentioned was about 184 seconds (but random), so the random delay is probably in the order of minutes, not hours.

4 Likes

still my certbot certificate :

2022-11-08 18:54:24,760:DEBUG:certbot._internal.main:certbot version: 1.28.0
2022-11-08 18:54:24,760:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2022-11-08 18:54:24,760:DEBUG:certbot._internal.main:Arguments:
2022-11-08 18:54:24,760:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#n>
2022-11-08 18:54:24,785:DEBUG:certbot._internal.log:Root logging level set at 30
2022-11-08 18:54:24,786:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/democracystraightup>
2022-11-08 18:54:24,808:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default>
2022-11-08 18:54:24,828:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-09-25 19:14:>
2022-11-08 18:54:24,828:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-11-08 18:54:24,828:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 199.88099423312755 seconds

Failed to renew certificate democracystraightup.org with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt

certbot_1 | Renewing an existing certificate for democracystraightup.org and www.democracystraightup.org
certbot_1 | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot_1 | Failed to renew certificate democracystraightup.org with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt
certbot_1 |
certbot_1 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot_1 | All renewals failed. The following certificates could not be renewed:
certbot_1 | /etc/letsencrypt/live/democracystraightup.org/fullchain.pem (failure)
certbot_1 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot_1 | 1 renew failure(s), 0 parse failure(s)
certbot_1 | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

For testing purposes you should use the staging environment.

2 Likes
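As an added example (not part of the thread and not certbot's own code), here is a small triage pass over log lines of the kind posted above. It flags the four signals seen in this thread: a forced renewal in the loop, a prompt with no terminal, an already-expired certificate, and the rate-limit refusal. The sample log is constructed, and `triage` is a hypothetical helper name.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the certbot log lines posted in this thread
# (example.org and the seconds of the expiry time are made up).
SAMPLE_LOG = """\
2022-11-07 16:59:48,879:DEBUG:certbot._internal.main:Arguments: ['--force-renew']
2022-11-07 16:59:48,913:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
EOFError
2022-11-07 16:59:48,915:ERROR:certbot._internal.log:EOFError
2022-11-08 18:54:24,760:DEBUG:certbot._internal.main:Arguments: []
2022-11-08 18:54:24,828:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-09-25 19:14:00 UTC.
Failed to renew certificate example.org with error: urn:ietf:params:acme:error:rateLimited :: too many failed authorizations recently
"""

# "timestamp,millis:LEVEL:logger:message" as written to letsencrypt.log
PREFIX = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+:(\w+):[\w.]+:(.*)$")
EXPIRY = re.compile(r"certificate expiry (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def triage(log_text):
    """Return (kind, detail) findings in log order."""
    findings, when = [], None
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        # Lines without a prefix (tracebacks, console output) keep the last timestamp.
        level, msg = (m.group(2), m.group(3)) if m else (None, raw.strip())
        if m:
            when = datetime.strptime(m.group(1), TS_FMT)
        if m and msg.startswith("Arguments:") and "--force-renew" in msg:
            findings.append(("forced-renewal", "every loop pass requests a new certificate"))
        elif level == "ERROR" and msg == "EOFError":
            findings.append(("needs-tty", "certbot prompted for input but has no terminal"))
        elif "acme:error:rateLimited" in msg:
            findings.append(("rate-limited", "CA refused the order; retrying in a loop will not help"))
        else:
            exp = EXPIRY.search(msg)
            # Assumes log timestamps are UTC, like the expiry certbot prints.
            if exp and when and datetime.strptime(exp.group(1), TS_FMT) < when:
                overdue = (when - datetime.strptime(exp.group(1), TS_FMT)).days
                findings.append(("expired", f"{overdue} days past expiry"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:15} {detail}")
```
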

I have used --staging

certonly --reinstall --webroot --webroot-path=/var/www/certbot --email --staging democracy.straight.up@gmail.com --agree-tos --no-eff-email -d www.democracystraightup.org

/certbot/logs/lensencrypt.log

2022-11-14 20:25:32,794:DEBUG:certbot._internal.main:certbot version: 1.28.0
2022-11-14 20:25:32,794:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2022-11-14 20:25:32,794:DEBUG:certbot._internal.main:Arguments: ['--reinstall', '--webroot', '--webroot-path=/var/www/certbot', '-->
2022-11-14 20:25:32,794:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#n>
2022-11-14 20:25:32,860:DEBUG:certbot._internal.log:Root logging level set at 30
2022-11-14 20:25:32,862:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-11-14 20:25:32,865:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fe1c4bf7700>
Prep: True
2022-11-14 20:25:32,866:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authent>
2022-11-14 20:25:32,866:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2022-11-14 20:25:32,890:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, cont>
2022-11-14 20:25:32,891:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-11-14 20:25:32,894:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-11-14 20:25:33,041:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 659
2022-11-14 20:25:33,042:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 14 Nov 2022 20:25:33 GMT
Content-Type: application/json
Content-Length: 659
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"8us4lfPlZgE": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-11-14 20:25:33,072:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): stg-r3.o.lencr.org:80
2022-11-14 20:25:33,153:DEBUG:urllib3.connectionpool:http://stg-r3.o.lencr.org:80 "POST / HTTP/1.1" 200 543
2022-11-14 20:25:33,154:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/www.democracystraightup.org/cert1>
2022-11-14 20:25:33,154:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/www.democracystraightup.org/cert1.p>
2022-11-14 20:25:33,157:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-11-14 20:25:33,158:INFO:certbot._internal.main:Keeping the existing certificate
2022-11-14 20:25:33,158:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal; no action taken.

www.democracystraightup.org
Issued by: (STAGING) Artificial Apricot R3
Expires: Sunday, February 12, 2023 at 11:53:04 AM Eastern Standard Time

“(STAGING) Pretend Pear X1” certificate is not trusted

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.democracystraightup.org

I ran this command: certonly --reinstall --webroot --webroot-path=/var/www/certbot --email --staging democracy.straight.up@gmail.com --agree-tos --no-eff-email -d www.democracystraightup.org

It produced this output: Certificate is generated

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

In the browser, while loading, I'm getting the following error

Your connection is not private

Attackers might be trying to steal your information from democracystraightup.org (for example, passwords, messages, or credit cards). Learn more

NET::ERR_CERT_AUTHORITY_INVALID

When I check with the Advanced tab

www.democracystraightup.org
Issued by: (STAGING) Artificial Apricot R3
Expires: Sunday, February 12, 2023 at 11:53:04 AM Eastern Standard Time

“(STAGING) Pretend Pear X1” certificate is not trusted

You only have Port 22 Open, Ports 80 (HTTP) and 443 (HTTPS) are Closed.

$ nmap democracystraightup.org
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-14 21:07 UTC
Nmap scan report for democracystraightup.org (52.45.15.71)
Host is up (0.080s latency).
rDNS record for 52.45.15.71: ec2-52-45-15-71.compute-1.amazonaws.com
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds

$ nmap www.democracystraightup.org
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-14 21:07 UTC
Nmap scan report for www.democracystraightup.org (52.45.15.71)
Host is up (0.077s latency).
rDNS record for 52.45.15.71: ec2-52-45-15-71.compute-1.amazonaws.com
Not shown: 997 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 6.53 seconds

Best Practice - Keep Port 80 Open

1 Like

nmap democracystraightup.org
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-14 21:12 UTC
Nmap scan report for democracystraightup.org (52.45.15.71)
Host is up (0.00060s latency).
rDNS record for 52.45.15.71: ec2-52-45-15-71.compute-1.amazonaws.com
Not shown: 997 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 4.77 seconds

This generates certificates from the Staging Environment - Let's Encrypt. Get rid of this flag if you want a trusted certificate.

3 Likes

Looks like it could be a firewall issue that you have.

1 Like

certonly --reinstall --webroot --webroot-path=/var/www/certbot --email democracy.straight.up@gmail.com --agree-tos --no-eff-email -d www.democracystraightup.org

I have the same issue