Certbot renewal with nginx aws ... 90% there


#1

It appears that this update missed getting the ln step for privkey.key correct. Manually linking to the new cert artifacts corrected this.

Console output below.
[ec2-user@ip-172-31-16-18 ~]$ sudo ./certbot-auto --nginx --debug
Bootstrapping dependencies for Amazon… (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: priorities, update-motd, upgrade-helper
amzn-main | 2.1 kB 00:00
amzn-updates | 2.5 kB 00:00
Package gcc-4.8.5-1.22.amzn1.noarch already installed and latest version
Package augeas-libs-1.0.0-5.7.amzn1.x86_64 already installed and latest version
Package 1:openssl-1.0.2k-8.107.amzn1.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-8.107.amzn1.x86_64 already installed and latest version
Package libffi-devel-3.0.13-16.5.amzn1.x86_64 already installed and latest version
Package system-rpm-config-9.0.3-42.28.amzn1.noarch already installed and latest version
Package ca-certificates-2017.2.14-65.0.1.17.amzn1.noarch already installed and latest version
Package python27-virtualenv-15.1.0-1.14.amzn1.noarch already installed and latest version
Package python27-pip-9.0.3-1.26.amzn1.noarch already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package python27.x86_64 0:2.7.13-2.122.amzn1 will be updated
---> Package python27.x86_64 0:2.7.14-1.123.amzn1 will be an update
--> Processing Dependency: python27-libs(x86-64) = 2.7.14-1.123.amzn1 for package: python27-2.7.14-1.123.amzn1.x86_64
---> Package python27-devel.x86_64 0:2.7.13-2.122.amzn1 will be updated
---> Package python27-devel.x86_64 0:2.7.14-1.123.amzn1 will be an update
---> Package python27-tools.x86_64 0:2.7.13-2.122.amzn1 will be updated
---> Package python27-tools.x86_64 0:2.7.14-1.123.amzn1 will be an update
--> Running transaction check
---> Package python27-libs.x86_64 0:2.7.13-2.122.amzn1 will be updated
---> Package python27-libs.x86_64 0:2.7.14-1.123.amzn1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size

Updating:
python27 x86_64 2.7.14-1.123.amzn1 amzn-updates 103 k
python27-devel x86_64 2.7.14-1.123.amzn1 amzn-updates 525 k
python27-tools x86_64 2.7.14-1.123.amzn1 amzn-updates 712 k
Updating for dependencies:
python27-libs x86_64 2.7.14-1.123.amzn1 amzn-updates 6.8 M

Transaction Summary

Upgrade 3 Packages (+1 Dependent package)

Total download size: 8.1 M
Is this ok [y/d/N]: y
Downloading packages:
(1/4): python27-2.7.14-1.123.amzn1.x86_64.rpm | 103 kB 00:00
(2/4): python27-devel-2.7.14-1.123.amzn1.x86_64.rpm | 525 kB 00:00
(3/4): python27-tools-2.7.14-1.123.amzn1.x86_64.rpm | 712 kB 00:00
(4/4): python27-libs-2.7.14-1.123.amzn1.x86_64.rpm | 6.8 MB 00:00

Total 29 MB/s | 8.1 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : python27-libs-2.7.14-1.123.amzn1.x86_64 1/8
Updating : python27-2.7.14-1.123.amzn1.x86_64 2/8
Updating : python27-devel-2.7.14-1.123.amzn1.x86_64 3/8
Updating : python27-tools-2.7.14-1.123.amzn1.x86_64 4/8
Cleanup : python27-devel-2.7.13-2.122.amzn1.x86_64 5/8
Cleanup : python27-tools-2.7.13-2.122.amzn1.x86_64 6/8
Cleanup : python27-libs-2.7.13-2.122.amzn1.x86_64 7/8
Cleanup : python27-2.7.13-2.122.amzn1.x86_64 8/8
Verifying : python27-devel-2.7.14-1.123.amzn1.x86_64 1/8
Verifying : python27-tools-2.7.14-1.123.amzn1.x86_64 2/8
Verifying : python27-2.7.14-1.123.amzn1.x86_64 3/8
Verifying : python27-libs-2.7.14-1.123.amzn1.x86_64 4/8
Verifying : python27-devel-2.7.13-2.122.amzn1.x86_64 5/8
Verifying : python27-tools-2.7.13-2.122.amzn1.x86_64 6/8
Verifying : python27-libs-2.7.13-2.122.amzn1.x86_64 7/8
Verifying : python27-2.7.13-2.122.amzn1.x86_64 8/8

Updated:
python27.x86_64 0:2.7.14-1.123.amzn1
python27-devel.x86_64 0:2.7.14-1.123.amzn1
python27-tools.x86_64 0:2.7.14-1.123.amzn1

Dependency Updated:
python27-libs.x86_64 0:2.7.14-1.123.amzn1

Complete!
Upgrading certbot-auto 0.19.0 to 0.24.0…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?

1: dump.enmotus.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for dump.enmotus.com
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/letsencrypt/live/dump.enmotus.com/privkey.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Rolling back to previous server configuration…
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/letsencrypt/live/dump.enmotus.com/privkey.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Encountered exception during recovery
nginx restart failed:

Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/error_handler.py", line 103, in _call_registered
self.funcs[-1]()
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 567, in _rollback_and_restart
self.installer.restart()
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 846, in restart
nginx_restart(self.conf('ctl'), self.nginx_conf)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 1106, in nginx_restart
"nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
MisconfigurationError: nginx restart failed:

Exiting abnormally:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
sys.exit(main())
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1315, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1087, in run
_install_cert(config, le_client, domains, new_lineage)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 762, in _install_cert
path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 467, in deploy_certificate
self.installer.restart()
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 846, in restart
nginx_restart(self.conf('ctl'), self.nginx_conf)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 1106, in nginx_restart
"nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
MisconfigurationError: nginx restart failed:

Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please post to
    https://community.letsencrypt.org/c/server-config with details
    about your configuration and this error you received.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/dump.enmotus.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/dump.enmotus.com/privkey.pem
    Your cert will expire on 2018-08-02. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the “certonly” option. To non-interactively renew all
    of your certificates, run “certbot-auto renew”
[ec2-user@ip-172-31-16-18 ~]$ sudo service nginx restart
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/letsencrypt/live/dump.enmotus.com/privkey.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
[ec2-user@ip-172-31-16-18 ~]$
[ec2-user@ip-172-31-16-18 ~]$ sudo ls -l /etc/letsencrypt/live/dump.enmotus.com
total 12
lrwxrwxrwx 1 root root 51 May 4 21:08 cert.pem -> /etc/letsencrypt/archive/dump.enmotus.com/cert7.pem
lrwxrwxrwx 1 root root 52 May 4 21:08 chain.pem -> /etc/letsencrypt/archive/dump.enmotus.com/chain7.pem
-rw-r--r-- 1 root root 1287 Sep 15 2017 fullchain.crt-20170915
lrwxrwxrwx 1 root root 56 May 4 21:08 fullchain.pem -> /etc/letsencrypt/archive/dump.enmotus.com/fullchain7.pem
lrwxrwxrwx 1 root root 54 Feb 8 00:52 privkey.key -> /etc/letsencrypt/archive/dump.enmotus.com/privkey6.pem
-rw-r--r-- 1 root root 1708 Sep 16 2017 privkey.key-20160916
lrwxrwxrwx 1 root root 54 May 4 21:08 privkey.pem -> /etc/letsencrypt/archive/dump.enmotus.com/privkey7.pem
-rw-r--r-- 1 root root 543 May 25 2017 README
[ec2-user@ip-172-31-16-18 ~]$

#2

privkey.key isn’t a file created or automatically maintained by Certbot. privkey.pem is.

Can you change the Nginx configuration to use privkey.pem instead?

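The cause is visible in the directory listing in post #1: cert.pem, chain.pem and fullchain.pem all link to generation 7 of the archive, while the hand-made privkey.key still links to privkey6.pem, so nginx was pairing the new certificate with the previous key and OpenSSL reported "key values mismatch". The script below is an added example, not code from the thread or from Certbot: it reads ssl_certificate and ssl_certificate_key from an nginx config, resolves both through Certbot's live/ symlinks and fails if they do not land on the same archive generation, warning separately when the key path is not the Certbot-maintained privkey.pem. The nginx directive names and the live/archive layout are real; the helper names (gen_of, directive, check_nginx_ssl, make_fixture) and the fixture it builds are constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): check that the cert
# and key an nginx server block loads resolve to the same Certbot archive
# generation. Helper names and the fixture below are constructed.

# gen_of PATH: print the archive generation a Certbot live/ symlink points
# at (.../archive/<domain>/privkey6.pem -> 6). Fails for anything that is
# not a symlink into an archive/ directory, such as a leftover regular file.
gen_of() {
    target=$(readlink "$1") || return 1
    case "$target" in */archive/*) ;; *) return 1 ;; esac
    base=${target##*/}            # privkey6.pem
    base=${base%.pem}             # privkey6
    gen=${base#${base%%[0-9]*}}   # drop the leading letters -> 6
    [ -n "$gen" ] || return 1
    printf '%s\n' "$gen"
}

# directive CONF NAME: value of the first "NAME <value>;" line in CONF.
# Requiring whitespace right after NAME keeps ssl_certificate from
# matching ssl_certificate_key.
directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# check_nginx_ssl CONF: return 0 when ssl_certificate and ssl_certificate_key
# both resolve into the archive at the same generation, 1 otherwise. A
# generation mismatch is exactly what nginx reports as
# "X509_check_private_key:key values mismatch".
check_nginx_ssl() {
    cert=$(directive "$1" ssl_certificate)
    key=$(directive "$1" ssl_certificate_key)
    case "${key##*/}" in
        privkey.pem) ;;
        *) echo "WARN: ${key##*/} is not Certbot's privkey.pem; renewals will not update it" >&2 ;;
    esac
    cg=$(gen_of "$cert") || { echo "FAIL: $cert is not a Certbot live/ link" >&2; return 1; }
    kg=$(gen_of "$key") || { echo "FAIL: $key is not a Certbot live/ link" >&2; return 1; }
    if [ "$cg" != "$kg" ]; then
        echo "FAIL: certificate is generation $cg but key is generation $kg" >&2
        return 1
    fi
    echo "OK: certificate and key both at generation $cg"
}

# make_fixture DIR: constructed copy of the live/ directory from post #1
# (cert/chain/fullchain/privkey at generation 7, a stray privkey.key still
# at generation 6) plus an nginx config for each variant. DIR must be an
# absolute path, because Certbot's live/ links are absolute.
make_fixture() {
    d=$1
    mkdir -p "$d/archive/dump.enmotus.com" "$d/live/dump.enmotus.com"
    for f in cert6 privkey6 cert7 chain7 fullchain7 privkey7; do
        : > "$d/archive/dump.enmotus.com/$f.pem"
    done
    for f in cert chain fullchain privkey; do
        ln -s "$d/archive/dump.enmotus.com/${f}7.pem" "$d/live/dump.enmotus.com/$f.pem"
    done
    ln -s "$d/archive/dump.enmotus.com/privkey6.pem" "$d/live/dump.enmotus.com/privkey.key"
    : > "$d/live/dump.enmotus.com/README"
    cat > "$d/bad.conf" <<EOF
server {
    listen 443 ssl;
    server_name dump.enmotus.com;
    ssl_certificate     $d/live/dump.enmotus.com/fullchain.pem;
    ssl_certificate_key $d/live/dump.enmotus.com/privkey.key;
}
EOF
    sed 's/privkey\.key;/privkey.pem;/' "$d/bad.conf" > "$d/good.conf"
}

# Demo against the constructed fixture.
tmp=$(mktemp -d)
make_fixture "$tmp"
check_nginx_ssl "$tmp/bad.conf" || true   # WARN, then FAIL: certificate is generation 7 but key is generation 6
check_nginx_ssl "$tmp/good.conf"          # OK: certificate and key both at generation 7
rm -rf "$tmp"
```

Run it against a real host by replacing the fixture with `check_nginx_ssl /etc/nginx/nginx.conf` (it only reads the first ssl_certificate and ssl_certificate_key it finds, so point it at the server block in question). The same check is worth running from a cron job after `certbot-auto renew`, because any config that references a hand-made link under live/ will pass `nginx -t` right up until the next renewal bumps the generation.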

#3

Yes, that works, thank you.

