CertBot Renewal Issue (Connection Refused)

Thank you Mike! Very informative.

So I ran the dry run, and I'm receiving "No simulated renewals were attempted."

I'm assuming I need to restart my dedicated server before I can run the dry run?


I need to back up a little. Are you running Certbot on your dedicated server?

If not, what machine do you run Certbot on - and what machine was Certify the Web run on? If different than server, how do you transfer certs from these to your server?

And, what did you mean by DELETE the old certificate? Was that just using the certbot delete command - or something else?

Certbot is running on the dedicated server, yes.
Old certificate was deleted using the delete command on certbot, yes.


Ok - whew. You did not have to delete the cert. I had forgotten you said you did that.

I am surprised that renew said there were no certs to try. I think at least it should have tried to renew the cert you got prior to the one deleted. In crt.sh it showed you had several from earlier this year. Were those from Certbot?

What was the certbot command you used to create the original cert?


That's exactly what I've been trying to figure out T__T I can't recall what command I used because frankly I assumed Certify the Web (CTW going forward) was doing the job. Heh. Aggressively googling to figure it out, but the issue now is that I have a new certificate but it needs to be... linked? Not sure what the right term is.


Well, I am afraid I may just make further mess by trying to walk you through migrating from Certbot to CTW. I am not at all familiar with CTW and I may suggest something problematic without knowing.

That said, to use CTW instead of Certbot forward, you at least need to adjust your Apache config to refer to the certificates CTW created. There will be lines for

SSLCertificateFile
SSLCertificateKeyFile

These will be pointing to the /etc/letsencrypt/ folders. Change them to location where the CTW certs are.

There will be other lines in the Apache config with Managed by Certbot. These need review as well but may be ok - I am not sure.

BUT, repeat, BUT, you still have a fundamental problem of your server not listening on port 80. I know you think it works but it does not. That is the base problem you are having and you should try to resolve that. Using CTW is just a work-around for that fundamental failure.

I think someone other than me would be better to help you diagnose and repair that problem - once you accept it is one.

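An added example, not code from the thread or from Certbot or Certify The Web: a small Python checker for the two things flagged in the post above, namely whether the SSLCertificateFile / SSLCertificateKeyFile directives still point into the old /etc/letsencrypt tree (or at files that no longer exist), and whether port 80 actually accepts a TCP connection. The config fragment and the example.com paths are constructed for illustration.

```python
import re
import socket
from pathlib import Path

# Constructed sample of an Apache httpd-ssl.conf fragment (not from the thread),
# still pointing at the Certbot-managed paths that were deleted.
SAMPLE_CONF = """
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com/privkey.pem
    # Managed by Certbot
</VirtualHost>
"""

CERT_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
_DIRECTIVE_RE = re.compile(r'^\s*(SSL\w+File)\s+"?([^"\s]+)"?', re.MULTILINE)


def cert_paths(conf_text):
    """Return {directive: path} for the certificate directives found in an Apache config."""
    return {d: p for d, p in _DIRECTIVE_RE.findall(conf_text) if d in CERT_DIRECTIVES}


def audit_paths(paths, old_prefix="/etc/letsencrypt"):
    """Flag directives still pointing into the old Certbot tree or at files that do not exist."""
    findings = []
    for directive, path in paths.items():
        if path.startswith(old_prefix):
            findings.append(f"{directive} still points into {old_prefix}: {path}")
        if not Path(path).is_file():
            findings.append(f"{directive} target does not exist: {path}")
    return findings


def port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds (the port-80 check described in the post)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in audit_paths(cert_paths(SAMPLE_CONF)):
        print("WARN", finding)
    print("port 80 reachable:", port_open("127.0.0.1", 80))
```

Run it against the real httpd-ssl.conf text and the public hostname instead of the sample; an empty findings list and a True port-80 result are what a working setup should report.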

Thanks Mike, so I'm looking at my apache SSL configurations and see the old directories for my certbot .PEM files. However, when I navigate to %PROGRAMDATA%\live to find my CTW certificate, I only see one file with an extension .pfx. Do you know if CTW stores pem files locally? If so I'm not sure why it's not in the folder

  • Chain
  • KeyFile
  • Certificate

I'm not 100% certain, but I think CTW stores the certs directly into the Windows Certificate Store.
There may be a way to set it to also create PEM files for you.
Otherwise, you may have to export the PFX file and then create the PEM files yourself.

UPDATE:
Features - Certify The Web - simple free certificates for IIS and more, powered by Let's Encrypt and other ACME CAs
Shows:


To add to Rudy's comment, see their Deployment Tasks docs on how to do that

Deploy to Apache, nginx, Generic Server, Certificate Export#
Export the certificate to local or remote locations (including SSH/SFTP) as PEM format with Key file and optional chain file.

Copy, so I see this


I was able to export the following:

  • .crt file for certificate
  • .key file for key
  • .pem file for chain

Updated my httpd-ssl configurations, so I would assume I just need to restart apache service and should be good to go yea? It's saved right now, but I don't think it would propagate till then?


Can you automate the process?


@ninjatuna Yes, go ahead and try a restart (*1):

sudo apachectl -k graceful

For just checking the syntax of your changes:

sudo apachectl -t

(*1) You might want to wait until a quiet time. You previously deleted the certs that the running Apache is using. Apache (must be) still serving the deleted certs from a cache unless you had made a copy away from /etc/letsencrypt and were using those. If from cache, once you restart you are committed to getting your new certs working.


Yea I'll definitely restart when I do a patch for the game server I'm hosting.

Also, I'm on Windows Server 2019 so.. unless I'm dumb, those sudo commands would be for Linux not windows yea?


Yeah!
Replace sudo with open an administrative command prompt first - LOL
Even then, I'm not sure all pre-compiled versions of Apache for Windows come with apachectl - so YMMV.


Oh right re: Windows - I forgot. Just note a graceful restart should be enough but I am sure Rudy will correct me if I am wrong :slight_smile:


Alright just an update: we're all set!

Solution was:
Delete old cert from certbot
Regenerate new cert with Certify the Web
Restart apache

Underlying issue on port is still not resolved, but at least the certificate is now renewed.

Thanks everyone for your feedback!!


@ninjatuna I am glad it is working - thanks for the update.
