Certbot renewed, but didn't stitch the new cert into the tangle of symbolic links?


#1

Poor me I’m confused. Certbot appears to be renewing my certs
but then failing to stitch them into the fabric of
symbolic links correctly. At least that’s my impression.

I’m hoping that somebody will say: “Silly boy, you
just need to …”; you know like “dude, you missed this
bit of the documentation!”

Here’s what I hope is a simple view of the situation I observe
after renewing some certs. Let’s look at just one cert, and
just one aspect of that, the privkey.

The good news is that after the renewal I have a nice certificate:

bash-3.2$ ./my-certbot certificates
Saving debug log to /Users/bhyde/example/ws/alpha/prod/cfp/letsencrypt-tools/letsencrypt/log/letsencrypt.log

  -------------------------------------------------------------------------------
  Found the following certs:
    Certificate Name: ...
    Certificate Name: ...
    ...
    Certificate Name: devel.example.io-0002
      Domains: devel.example.io
      Expiry Date: 2018-11-19 16:19:00+00:00 (VALID: 89 days)
      Certificate Path: /Users/b.../letsencrypt-tools/letsencrypt/live/devel.example.io-0002/fullchain.pem
      Private Key Path: /Users/b.../letsencrypt/live/devel.example.io-0002/privkey.pem
    Certificate Name: ...
  -------------------------------------------------------------------------------

But the bad news is that the live privkey is pointing to the old privkey.

A further mystery is why I have three privkeys; but only in the devel.example.io-XXXX directories.

  bash-3.2$ find letsencrypt -ls | grep '/devel.*privkey.*.pem' | sed 's/^.*lets/lets/'
  letsencrypt/archive/devel.example.io-0001/privkey1.pem
  letsencrypt/archive/devel.example.io-0002/privkey1.pem
  letsencrypt/archive/devel.example.io-0002/privkey2.pem
  letsencrypt/archive/devel.example.io-0002/privkey3.pem
  letsencrypt/archive/devel.example.io/privkey1.pem
  letsencrypt/archive/devel.example.io/privkey2.pem
  letsencrypt/archive/devel.example.io/privkey3.pem
  letsencrypt/live/devel.example.io-0001/privkey.pem -> ../../archive/devel.example.io-0001/privkey1.pem
  letsencrypt/live/devel.example.io-0002/privkey.pem -> ../../archive/devel.example.io-0002/privkey3.pem
  letsencrypt/live/devel.example.io/privkey.pem -> ../../archive/devel.example.io/privkey1.pem

WDYT?


#2

Hi,

What’s the command you use to renew the certificate?

Thank you


#3

Oh, when I first ran the certificates command certbot mentioned a lot of

Renewal configuration file /Users/b.../letsencrypt-tools/letsencrypt/renewal/devel.example.io-0001.conf produced an unexpected error: expected ... to be a symlink. Skipping.

So I removed those .conf files.


#4

My script for doing the renewals contains something like this to do the actual renew; otherwise it’s mostly looping over things, handling args, etc.

./my-certbot certonly --dns-route53 --domains "$host"

and the my-certbot script is

#!/bin/sh
# wrapper: run certbot with its state kept next to this script
d=$(dirname "$0")
export PYENV_VERSION=certbot-dns-challenge
# the subcommand (certonly, renew, ...) and its options arrive via "$@"
exec certbot \
  --config-dir="$d/letsencrypt" \
  --work-dir="$d/letsencrypt/work" \
  --logs-dir="$d/letsencrypt/log" \
  "$@"

#5

Hi,

What’s the program you are using?

Is it certbot or certbot-auto?
(If it is, you should run certbot renew / certbot-auto renew)

Thank you


#6

Ah

./my-certbot --help
...
obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near
...

silly me.


#7

From here…

That means you should run ./my-certbot renew

Else it will always create a new certificate each time you ‘renew’

Thank you


#8

Switching to renew (forced) got me N fresh’n certs, but the live link didn’t change.

bash-3.2$ find letsencrypt -ls | grep '/devel.*privkey.*.pem' | sed 's/^.*lets/lets/'
letsencrypt/archive/devel.example.io-0001/privkey1.pem
letsencrypt/archive/devel.example.io-0002/privkey1.pem
letsencrypt/archive/devel.example.io-0002/privkey2.pem
letsencrypt/archive/devel.example.io-0002/privkey3.pem
letsencrypt/archive/devel.example.io-0002/privkey4.pem
letsencrypt/archive/devel.example.io/privkey1.pem
letsencrypt/archive/devel.example.io/privkey2.pem
letsencrypt/archive/devel.example.io/privkey3.pem
letsencrypt/live/devel.example.io-0001/privkey.pem -> ../../archive/devel.example.io-0001/privkey1.pem
letsencrypt/live/devel.example.io-0002/privkey.pem -> ../../archive/devel.example.io-0002/privkey4.pem
letsencrypt/live/devel.example.io/privkey.pem -> ../../archive/devel.example.io/privkey1.pem
bash-3.2$ 

I’m betting that the use of certonly is why I have a -0001 and a -0002; and the update is taking place in -0002 while live is linked (somehow) to -0001. I sure do seem to be accumulating a lot of privkey#.pem.

Any suggestions for how to clean this up?

Thanks - ben


#9

That’s probably why the updates aren’t happening where you expect. Certbot never updates certificate lineages whose renewal configuration files have been deleted because as far as it’s concerned, those certificates are no longer managed by Certbot at all.

One option is to change your web server configuration to point at the -0002 version, which you’ve observed is updating properly.


#10

The updates not happening where I expect predates removing the files that certbot informed me were malformed.

I think it’s clear that the issue was using certonly rather than renew.

I’m currently starting over from scratch :frowning:


#11

certonly is a supported way to renew, but you have to specify exactly the same names with -d that were present in the previous cert.
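An added check, not from this thread or from certbot itself, that does by script what the thread does by hand: for each lineage under live/ it verifies that renewal/<name>.conf still exists (the point made in #9) and that live/privkey.pem points at the newest archive/privkeyN.pem (the stale-link symptom shown in #1 and #8). The function names and the fixture tree are constructed for the example; the fixture contains empty placeholder files, not keys.

```shell
#!/bin/sh
# audit_lineages: walk a certbot --config-dir and flag lineages whose
# live/ symlink or renewal/ conf do not match what "certbot renew" expects.
# Exit status 0 = consistent, 1 = at least one problem printed.
audit_lineages() {
  cfg=$1; bad=0
  for dir in "$cfg"/live/*/; do
    [ -d "$dir" ] || continue                      # unmatched glob
    name=$(basename "$dir")
    # certbot renew only touches lineages that still have renewal/<name>.conf
    if [ ! -f "$cfg/renewal/$name.conf" ]; then
      echo "$name: no renewal conf; certbot renew will ignore this lineage"; bad=1
    fi
    link="$dir/privkey.pem"
    if [ ! -L "$link" ]; then
      echo "$name: live/privkey.pem is not a symlink"; bad=1; continue
    fi
    [ -e "$link" ] || { echo "$name: live/privkey.pem is dangling"; bad=1; continue; }
    # version number the live link points at vs the newest file in archive/
    cur=$(readlink "$link" | sed 's/.*privkey\([0-9]*\)\.pem$/\1/')
    newest=$(ls "$cfg/archive/$name"/privkey*.pem 2>/dev/null \
               | sed 's/.*privkey\([0-9]*\)\.pem$/\1/' | sort -n | tail -1)
    if [ "$cur" != "$newest" ]; then
      echo "$name: live points at privkey$cur.pem but archive has privkey$newest.pem"; bad=1
    fi
  done
  return $bad
}

# make_fixture: constructed sample tree (empty placeholder files, no real keys)
# mirroring the thread: the bare lineage has a stale live link and no renewal
# conf, while -0002 is healthy.
make_fixture() {
  root=$1
  for l in devel.example.io devel.example.io-0002; do
    mkdir -p "$root/archive/$l" "$root/live/$l" "$root/renewal"
    for n in 1 2 3; do : > "$root/archive/$l/privkey$n.pem"; done
  done
  ln -s ../../archive/devel.example.io/privkey1.pem "$root/live/devel.example.io/privkey.pem"
  ln -s ../../archive/devel.example.io-0002/privkey3.pem "$root/live/devel.example.io-0002/privkey.pem"
  : > "$root/renewal/devel.example.io-0002.conf"
}

# Usage: sh audit.sh /path/to/letsencrypt   (no argument: audit the fixture)
if [ -n "$1" ]; then
  audit_lineages "$1"
else
  tmp=$(mktemp -d); make_fixture "$tmp"; audit_lineages "$tmp"; rm -rf "$tmp"
fi
```

Point it at the --config-dir the wrapper script uses (here $d/letsencrypt) rather than the default /etc/letsencrypt.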

