Certificate suddenly failed today, while renewal says not needed

Hi, my website https://yana.com suddenly stopped working today.

A friend of mine set up Let's Encrypt for me, so sorry if I don’t have all the details.

My domain is: https://yana.com

I ran this command: /opt/letsencrypt/letsencrypt-auto renew

It produced this output:
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a release (2.7.7+) that supports hmac.compare_digest as soon as possible.

utils.PersistentlyDeprecated2018,

/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.

utils.CryptographyDeprecationWarning

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.yana.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/yana.com.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:

/etc/letsencrypt/live/www.yana.com/fullchain.pem expires on 2020-02-23 (skipped)

/etc/letsencrypt/live/yana.com/fullchain.pem expires on 2020-02-16 (skipped)

No renewals were attempted.


My web server is (include version):
nginx version: nginx/1.4.6 (Ubuntu)

The operating system my web server runs on is (include version):
Linux watcher 3.13.0-170-generic #220-Ubuntu

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Says “command not found”. How to run certbot?

1 Like

Can you run “sudo /opt/letsencrypt/letsencrypt-auto certificates” and show us the output?

Can you also show us the Nginx virtual hosts for your site? They’re probably in /etc/nginx/ somewhere. Probably in /etc/nginx/sites-enabled/, /etc/nginx/sites-available/ or /etc/nginx/conf.d/.

Can you also show us the contents of the files /etc/letsencrypt/renewal/yana.com.conf and /etc/letsencrypt/renewal/www.yana.com.conf?

New certificates were issued for yana.com and www.yana.com last month. But for some reason your Nginx isn’t using them. (The current certificate on https://www.yana.com/ expires a week from now.)

By the way, if you’re running Ubuntu 14.04, you should upgrade.

1 Like

Thanks so much @mnordhoff!

New certificates were issued for yana.com and www.yana.com last month. But for some reason your Nginx isn’t using them. (The current certificate on https://www.yana.com/ expires a week from now.)

I remember now there's a problem with my nginx not dying properly. So I restarted nginx and everything's working fine. I think it might have to do with nginx ignoring "service nginx restart". So I have to manually kill nginx off and restart with "service nginx start". Any idea what could be causing that? Btw I'm on Ubuntu 3.13.0 if that matters, and nginx/1.4.6

I'm assuming normally nginx should automatically use the updated certificate, as you said. Not sure why it's not. I'm worried if I can't fix this, next renewal again I have to just manually kill nginx instead of getting ahead of the problem.

1 Like

A renewal hook with a forced stop and start might do the trick.

If you want your hook to run only after a successful renewal, use --deploy-hook in a command…

2 Likes
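A deploy hook of the kind suggested above, as an added example that is not part of any post in this thread. It assumes nginx is managed through `service`, that its processes are named `nginx`, and that `pgrep`/`pkill` are installed; the function names and `STOP_TIMEOUT` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that forces nginx
# through a full stop/start so the renewed certificate is actually loaded.
# Assumed: "service" manages nginx and its processes are named "nginx".
STOP_TIMEOUT=${STOP_TIMEOUT:-10}   # seconds to wait before escalating

nginx_running() { pgrep -x nginx >/dev/null 2>&1; }

# Wait up to $1 seconds for every nginx process to exit.
wait_for_exit() {
    remaining=$1
    while nginx_running; do
        if [ "$remaining" -le 0 ]; then return 1; fi
        sleep 1
        remaining=$((remaining - 1))
    done
    return 0
}

force_restart_nginx() {
    # Do not take down a working server if the config no longer parses.
    nginx -t >/dev/null 2>&1 || { echo "nginx -t failed, not restarting" >&2; return 2; }

    service nginx stop >/dev/null 2>&1 || true
    if ! wait_for_exit "$STOP_TIMEOUT"; then
        echo "nginx ignored stop, sending SIGTERM" >&2
        pkill -TERM -x nginx || true
        if ! wait_for_exit "$STOP_TIMEOUT"; then
            echo "nginx ignored SIGTERM, sending SIGKILL" >&2
            pkill -KILL -x nginx || true
            wait_for_exit "$STOP_TIMEOUT" || return 3
        fi
    fi
    service nginx start >/dev/null 2>&1 || return 4
    # A start that leaves no process behind is reported as a failure.
    nginx_running || return 5
}

# certbot sets RENEWED_LINEAGE when it runs a deploy hook after a successful
# renewal; without it (for example when sourced) the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    force_restart_nginx
fi
```

Saved as an executable file (the path is up to you), it would be passed with --deploy-hook to the renew command from the first post. A non-zero exit status tells you which step failed: 2 config test, 3 process would not die, 4 start failed, 5 nothing running after start.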

Thank you @rg305! You mean adding that option to where certbot command is used. Do you know what file typically would have that command? Sorry for being a newbie here.

Yes, that command would be used on each renewal attempt.
[first get the command to work right (as desired) then update the cron job]

1 Like

Can you clarify/confirm that version...?
Try:
lsb_release -a
or
cat /etc/*release

1 Like

Hmm maybe I do need to upgrade?

root@watcher:/home/becca# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.6 LTS
Release: 14.04
Codename: trusty

1 Like

Although it would not hurt to upgrade now, it is still covered; so it is NOT currently a requirement.
But maybe sometime soon(ish) [next year] it will be.

1 Like
