Certificate expired, can't renew

I was mucking around with my website tonight (sensorbot.org), and found I had a typo in the cron job that renewed my certificate (using acme). After fixing that, the task refused to run because the certificate was expired.

I tried to fix this in a number of ways, and finally deleted the old certificate (by removing its folder in /root/.acme.sh), and regenerated a new cert using the steps 2 and 3 in this doc: GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

Specifically, I ran this:

./acme.sh --issue -d sensorbot.org -w /var/www/html

and the output looked good, ending with a Cert success message and a bunch of healthy looking cert files.

I then ran this:

./acme.sh --install-cert -d sensorbot.org --cert-file /root/.acme.sh/sensorbot.org/sensorbot.org.cer --key-file /root/.acme.sh/sensorbot.org/sensorbot.org.key --fullchain-file /root/.acme.sh/sensorbot.org/fullchain.cer --reloadcmd "service apache2 force-reload"

and again got good looking output showing certs had been installed and the apache server had restarted.

In other words, everything looked right.

But in chrome, I still get a certificate expired error when I go to https://sensorbot.org. When I look at whynopadlock.com, it tells me the cert is expired, with the expiry date of the old cert.

So... something is not right. Any idea what I need to do to remedy the situation?

Thanks!

Apache/2.4.18
Ubuntu 16.04.7 LTS
root access
acme 2.8.8

1 Like

Firstly, there's no need to re-issue any more certificate, you've already got three issued today:

https://crt.sh/?q=sensorbot.org&deduplicate=y

I.e.: you've unnecessarily generated two superfluous certificates.

Further more, your --install-cert command is a little bit weird. The options --cert-file, --key-file and --fullchain-file are supposed to contain the DESTINATION of the files. But as far as I understand acme.sh, you've put the SOURCE of the files as values to those options.

Where does your Apache configuration look for the certificate files?

That said, there's also the --renew option in acme.sh:

acme.sh --renew -d sensorbot.org

should also have worked to renew the certificate in stead of manually running --issue and --install-cert again. Perhaps adding --force if it doesn't want to at first.

1 Like

Thanks for your help. You're right -- I probably don't need more copies of the certs; the duplicates are a result of having a problem that is not obvious (to me) how to resolve and trying different things. The --renew command verifies my certs are current, they're just in the wrong place.

After a lot of poking around, I've found the folder /etc/letsencrypt/archive/sensorbot.org that seems to have a historic archive of the keys I had when I was using certbot (but which no longer works on my system, hence my switch to acme). I can see how the keys were managed, with new copies sequentially numbered and the latest symlinked to a file referenced in the apache config file. I'm wondering if there's a similar acme-based system for managing the keys, or if I have to rig something equivalent myself.

Also, apache references fullchain,pem and privkey.pem. In my acme certs folder, I have ca.cer, sennsorbot.org.csr, a pair of conf files, and several 0 byte files. How do I figure out how these map onto the keys that apache needs?

To be more specific, my apache config file has this:

ServerName sensorbot.org
SSLCertificateFile /etc/letsencrypt/live/sensorbot.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sensorbot.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

and my acme cert folder looks like this:

drwxr-xr-x 2 root root 4096 May  2 02:25 backup
-rw-r--r-- 1 root root 1587 May  2 02:25 ca.cer
-rw-r--r-- 1 root root    0 May  2 02:28 fullchain.cer
-rw-r--r-- 1 root root    0 May  2 02:28 sensorbot.org.cer
-rw-r--r-- 1 root root  717 May  3 22:40 sensorbot.org.conf
-rw-r--r-- 1 root root  972 May  2 02:25 sensorbot.org.csr
-rw-r--r-- 1 root root  208 May  2 02:25 sensorbot.org.csr.conf
-rw-r--r-- 1 root root    0 May  2 02:28 sensorbot.org.key

Which of these files do I need to reference in the apache config file?

Thanks!

PS I tried this command, and modifying my apache config to match... but it didn't help:

./acme.sh --install-cert -d sensorbot.org --cert-file /etc/letsencrypt/live/sensorbot.org/sensorbot.org.cer --key-file /etc/letsencrypt/live/sensorbot.org/sensorbot.org.key --fullchain-file /etc/letsencrypt/live/sensorbot.org/fullchain.cer --reloadcmd "service apache2 force-reload"
ServerName sensorbot.org
SSLCertificateFile /etc/letsencrypt/live/sensorbot.org/sensorbot.org.cer
SSLCertificateKeyFile /etc/letsencrypt/live/sensorbot.org/sensorbot.org.key
Include /etc/letsencrypt/options-ssl-apache.conf

It appears the files copied by the command above were 0 bytes, and apache understandably doesn't like that.

1 Like

.pem and .cer are interchangeable as they both mean PEM encoded text files (.cer is just a naming convention for a PEM encoded certificate file). Likewise .key is just a naming convention for a PEM encoded key file.

I don't know much acme.sh but I'd say fullchain.cer is the same as your apache fullchain.pem and sensorbot.org.key is your privkey.pem - so without modifying your apache config you could symbolic link the different filenames in the apache config folder to the acme.sh files assuming the permissions were ok.

The wiki for acme.sh has the cert output going to the apache config folder, I suspect the config you have in the .acme.sh folder is a result of not specifying a destination path originally.

Without deleting your existing config you can edit /root/.acme-sh/sensorbot.org/sensorbot.org.conf to adjust individual settings

1 Like

I agree that fullchain.cer should map to fullchain.pem, but my fullchain.cer file is 0 bytes (see dir listing in my previous post) which seems problematic. Likewise, sensorbot.org.key is 0 bytes, so I am really confused about what needs to go where.

I've been trying various permutations of my non-0 byte files (ca.cer and sensorbot.org.cer) with apache and I can't get anything to work.

1 Like

Ah yes, indeed a zero byte file is no use, perhaps the process touched the files but didn't finish writing them. I think you can delete (or rename) those and run your renewal again as they should all have content. I just did a test on Ubuntu and even a failed validation has content in all the files it creates.

The zero byte thing could be a bug: Renewal of certificate overwrites current certificate with a zero byte file. · Issue #3444 · acmesh-official/acme.sh · GitHub

1 Like

Ok. I'm so very frustrated. I had certbot working for more than a year, but then it stopped and I could not upgrade some critical component given the ancient version of Linux I'm stuck with (don't remember the details any longer). Acme looked like a good replacement, and it worked until my certificate expired, and I am stuck now trying to renew it. I expected it would be straightforward... after all I just need to generate two files and point Apache at them. But I'm even getting errors trying to force renewal of the certs I issued just a couple of days ago (hoping to clobber those 0 byte files).

If there is a simple, reliable, well trodden path for getting a certificate working with Apache, I'll happily abandon ACME. I'm not a total spaz, and this shouldn't be this hard.

1 Like

Ok, well, sometimes miracles do happen.

Out of frustration, I tried certbot again, and it just worked. My https is working now.

Thanks to everyone for your help!

3 Likes