'certbot -renewal' is not renewing the certificate

i am having some issue with automatic renewal of a letsencrypt cert. i can’t seem to figure out what the problem is, so maybe someone here can help.

renewal
for renewal i am using:
# /usr/bin/certbot renew --post-hook "/home/klevstul/scripts/combinePemFiles.sh"

which outputs:

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/foreneno.com/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.

expired certs
however, the cert is not updated.

result:

Validity
            Not Before: Jul 13 19:59:00 2017 GMT
            Not After : Oct 11 19:59:00 2017 GMT

if anyone can point me in the right direction i will be very glad. thanks!

additional folder listings

# ls -latr /etc/letsencrypt/renewal/
total 24
drwxr-xr-x 8 root root 4096 Jul 13 20:59 ..
-rw-r--r-- 1 root root  562 Sep 12 00:35 foreneno.com.conf
drwxr-xr-x 2 root root 4096 Oct 12 00:01 .
# ls -latr /etc/letsencrypt/live/foreneno.com/
total 16
-rw-r--r-- 1 root     root      543 Jul 13 20:59 README
drwx--x--- 6 root     root     4096 Aug 12 18:31 ..
-r-xr-xr-x 1 klevstul klevstul 3522 Aug 12 21:45 combined.pem
lrwxrwxrwx 1 root     root       39 Sep 12 00:35 privkey.pem -> ../../archive/foreneno.com/privkey2.pem
lrwxrwxrwx 1 root     root       41 Sep 12 00:35 fullchain.pem -> ../../archive/foreneno.com/fullchain2.pem
lrwxrwxrwx 1 root     root       37 Sep 12 00:35 chain.pem -> ../../archive/foreneno.com/chain2.pem
lrwxrwxrwx 1 root     root       36 Sep 12 00:35 cert.pem -> ../../archive/foreneno.com/cert2.pem
drwxr-xr-x 2 root     root     4096 Sep 12 00:35 .
root@klevstul:/home/klevstul# ls -al /etc/letsencrypt/archive/foreneno.com/
total 40
drwxr-xr-x 2 root root 4096 Sep 12 00:35 .
drwx------ 6 root root 4096 Aug 12 18:31 ..
-r-------- 1 root root 1814 Jul 13 20:59 cert1.pem
-rw-r--r-- 1 root root 1814 Sep 12 00:35 cert2.pem
-r-------- 1 root root 1647 Jul 13 20:59 chain1.pem
-rw-r--r-- 1 root root 1647 Sep 12 00:35 chain2.pem
-r-------- 1 root root 3461 Jul 13 20:59 fullchain1.pem
-rw-r--r-- 1 root root 3461 Sep 12 00:35 fullchain2.pem
-r-------- 1 root root 1708 Jul 13 20:59 privkey1.pem
-rw-r--r-- 1 root root 1704 Sep 12 00:35 privkey2.pem

combinePemFiles.sh

#!/bin/bash
# combinePemFiles.sh: rebuild combined.pem (private key + leaf certificate)
# for lighttpd after a renewal. bash is needed for the array syntax below.

# configure list of domains
domains=( foreneno.com )

# make sure script is executed as root
if [ "$EUID" -ne 0 ]; then
    echo "please run as root" >&2
    exit 1
fi

# create combined.pem for all domains
for domain in "${domains[@]}"; do
    echo "making 'combined.pem' for $domain"
    live="/etc/letsencrypt/live/$domain"
    cat "$live/privkey.pem" "$live/cert.pem" > "$live/combined.pem"
    # the file contains the private key, so do not leave it world-readable
    chmod 600 "$live/combined.pem"
done

# restart lighttpd so it loads the new combined.pem
/etc/init.d/lighttpd restart
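The listing above is the tell-tale state this thread is about: combined.pem is dated Aug 12 while the live symlinks already point at the Sep 12 files, so the web server was still serving the old certificate. The following check is an added example, not part of the original post; it assumes certbot's default /etc/letsencrypt/live/<domain>/ layout and that combined.pem is built as privkey.pem followed by cert.pem, exactly as combinePemFiles.sh does. It compares the leaf certificate inside combined.pem with the current cert.pem and exits non-zero when they differ, which is what you want from a daily cron job that mails on failure.

```shell
#!/bin/sh
# Added check (assumed layout: /etc/letsencrypt/live/<domain>/):
# is combined.pem built from the certificate certbot currently holds?

# Print the first CERTIFICATE block of a PEM file (the leaf certificate).
# A PRIVATE KEY block in front of it is skipped because it does not match.
leaf_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /-----END CERTIFICATE-----/ {if (p) exit}' "$1"
}

# Return 0 when combined.pem carries the same leaf as cert.pem,
# 1 when combined.pem is stale or missing, 2 when cert.pem is unreadable.
combined_is_current() {
    dir="$1"
    [ -r "$dir/cert.pem" ] || return 2
    [ -r "$dir/combined.pem" ] || return 1
    live="$(leaf_cert "$dir/cert.pem")"
    deployed="$(leaf_cert "$dir/combined.pem")"
    [ -n "$live" ] && [ "$live" = "$deployed" ]
}

# Report for every domain given on the command line; non-zero exit status
# when any combined.pem is stale, so cron mails the message to root.
check_domains() {
    rc=0
    for d in "$@"; do
        if combined_is_current "/etc/letsencrypt/live/$d"; then
            echo "$d: combined.pem matches cert.pem"
        else
            echo "$d: combined.pem is STALE or missing; rerun the hook and reload the web server" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check-combined.sh foreneno.com
if [ $# -gt 0 ]; then
    check_domains "$@"
fi
```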

You should run certbot certificates to show what certificates you have on this machine, but this one: https://crt.sh/?id=208580566 is valid until December. It seems it was already renewed. Are you sure your web server has been properly reloaded to use that new certificate?

thanks for your reply.

this is strange. however, somehow my cert has now been updated. i have been debugging and restarting the server. maybe the cert was not properly loaded last time. if i manage to pinpoint the exact reason what caused this i will update this issue again.

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: foreneno.com
    Domains: foreneno.com www.foreneno.com
    Expiry Date: 2017-12-10 23:36:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/foreneno.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/foreneno.com/privkey.pem
-------------------------------------------------------------------------------

@klevstul

Which OS are you using?

If you run your command manually, not with cron, does that work or not?

greetz Sm3rT

i am on debian. it seems like running the command manually has worked. it might very well be that the cron daemon fails.

from my cron tab:

# try to renew ssl certificates, once a day, at 05:05
5 5 * * * /usr/bin/certbot renew --post-hook "/home/klevstul/scripts/combinePemFiles.sh" >> /var/log/crond_root.log

checking my cron log, it seems to only contain the message:

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/foreneno.com/fullchain.pem (skipped)

Do you use SELinux?

What is the output of: certbot certificates ?
What is in the logfiles? letsencrypt.log and /var/log/syslog or whatever it's called.

If the certificate you want to renew is from this domain: foreneno.com
The output: “The following certs are not due for renewal yet” is correct, the next renew should be 12.11.2017 because letsencrypt will only renew certificates with a lifetime less than 30 days.

Greetz Sm3rT

thanks again for your inputs.

not using selinux

klevstul@klevstul:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"

yes, the cert is from foreneno.com… however, as mentioned above the cert is now up to date. seemed like manually running the renewal command and restarting the webserver did the trick. hence it looks like running the command via cron was not working.

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: foreneno.com
    Domains: foreneno.com www.foreneno.com
    Expiry Date: 2017-12-10 23:36:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/foreneno.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/foreneno.com/privkey.pem
-------------------------------------------------------------------------------

i will make sure to update this issue again later if auto renewal once again fails. i will try to pinpoint what the problem is as i am not 100% sure why this suddenly worked after i did some debugging.

Sorry to say, but your manual renew doesn't do the trick. Your certificate was up to date the whole time.

Look your expiry date: 2017-12-10 23:36:00+00:00 (VALID: 59 days)
If your manual renew would have renewed the certificate, the certificate would be valid for 89 days.

Your certificate wasn't in time for renew, as i said before: Letsencrypt renews by default only certificates that have a remaining lifetime of less than 30 days. And yes, after a renew (manual or cron) you always should reload your webserver so that it can load the new certificates.

Greetz Sm3rT

thanks again. good points. then somehow the certs were not loaded properly by the web server. i did try restarting the web server without any luck though. however, i manually did trigger the combinePemFiles.sh script. maybe there was some issue with this post-hook script when i ran that from cron.

How is Certbot installed? If it’s from a .deb, there could be a different cron job and/or systemd timer that runs “certbot renew” without your hook.

Check for e.g. /etc/cron.d/certbot and… What’s the right way to look for systemd timers?
But the files should be /lib/systemd/system/certbot.service and /lib/systemd/system/certbot.timer.

Perhaps that job renewed all your certificates, and when your cron job executed, there was nothing to do, so the hook never ran.

You can also go to /var/log/letsencrypt/ and look for a log file from 2017-09-12 00:35. It may still exist.

(Edit: Fix file path.)


systemctl list-timers


@mnordhoff @jmorahan @Sm3rT

thanks, guys! (i believe) you have found the root cause of this problem. it was a job that renewed the certs. hence my own cron job never caused the cert renewal. just as suggested.

additional details

i installed certbot using:
apt-get install certbot

info:

root@klevstul:/home/klevstul# systemctl -all list-timers
NEXT                         LEFT          LAST                         PASSED    UNIT                         ACTIVATES
Thu 2017-10-12 20:00:50 UTC  21min left    Thu 2017-10-12 19:01:24 UTC  38min ago anacron.timer                anacron.service
Thu 2017-10-12 22:00:10 UTC  2h 20min left Thu 2017-10-12 10:05:24 UTC  9h ago    apt-daily.timer              apt-daily.service
Fri 2017-10-13 00:40:10 UTC  5h 0min left  Thu 2017-10-12 12:01:01 UTC  7h ago    certbot.timer                certbot.service
Fri 2017-10-13 06:15:19 UTC  10h left      Thu 2017-10-12 06:45:31 UTC  12h ago   apt-daily-upgrade.timer      apt-daily-upgrade.service
Fri 2017-10-13 07:03:01 UTC  11h left      Thu 2017-10-12 07:03:01 UTC  12h ago   systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
root@klevstul:/home/klevstul# more /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

i’ll remove my own cronjob and just modify the above cron.d entry with:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --post-hook "/home/klevstul/scripts/combinePemFiles.sh"

@klevstul If the system is using systemd, the /etc/cron.d/certbot cron job won’t run. The systemd timer will be used instead.

You need to edit the systemd service instead, or disable it and then remove “-a \! -d /run/systemd/system” from the cron job.

https://wiki.archlinux.org/index.php/Systemd#Using_units
https://wiki.archlinux.org/index.php/Systemd#Editing_provided_units


ah, ok. once again, thank you!

just to close the loop. the fix then is:
# more /lib/systemd/system/certbot.service

[Unit]
Description=Certbot
Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
Documentation=https://letsencrypt.readthedocs.io/en/latest/
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot -q renew --post-hook "/home/klevstul/scripts/combinePemFiles.sh"
PrivateTmp=true

another fix would be running the /home/klevstul/scripts/combinePemFiles.sh as a cron job, separately from running the certbot renewal. however, i prefer running it as a post-hook.
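The fix above edits the unit file shipped by the Debian package under /lib/systemd/system, which the next upgrade of the certbot package can overwrite. The "Editing provided units" page linked earlier describes the drop-in method, which keeps the change under /etc and survives upgrades. As an added example (not from the thread), the equivalent override for the post-hook; the script path is the one used throughout this thread:

```ini
# /etc/systemd/system/certbot.service.d/override.conf
# Create and open this file with: systemctl edit certbot.service
[Service]
# An empty ExecStart= first clears the command the package defines;
# a oneshot unit would otherwise run both ExecStart lines in turn.
ExecStart=
ExecStart=/usr/bin/certbot -q renew --post-hook "/home/klevstul/scripts/combinePemFiles.sh"
```

After saving, `systemctl daemon-reload` applies the override and `systemctl cat certbot.service` shows the merged unit; `systemctl list-timers certbot.timer` confirms the package timer still activates it, so no extra cron entry is needed.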

Thank you all; this was very helpful.

I had installed my own cron job, but the renew hook would never run because the certbot installer had already added its own cron job in /etc/cron.d/certbot, so my cron job would always see an up-to-date certificate.

I’m running Ubuntu 14, which does not use systemd. However, the certbot installer created systemd definitions in addition to the /etc/cron.d job, so it was hard to know what exactly was running.

In my case, I edited the /etc/cron.d/certbot job to include the renew hook, and then I could see the job running with my modification by inspecting the system log at /var/log/syslog (the job is scheduled to run twice a day).

