Certificate not renewed

sanjay2916 · May 13, 2020, 9:56am

Hi,

my certificate was not renewed and I am seeing below info in logs:

2020-05-13 09:44:41,993:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fb55a1c3278> and installer <certbot.cli._Default object at 0x7fb55a1c3278>
2020-05-13 09:44:42,016:INFO:certbot.renewal:Cert not yet due for renewal

it should renew certificate before 30 days and my certificate going to expire on june1st 2020(19days left) but it not renewing and not seeing any errors in logs

My domain is: commcarehq.org,www.commcarehq.org

I ran this command: certbot -q renew --post-hook ‘/etc/init.d/nginx reload’

It produced this output: it executed successfully

My web server is (include version): nginx/1.17.3

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

rg305 · May 13, 2020, 10:10am

Try it without the -q
Maybe we can see more of the problem.

_az · May 13, 2020, 10:14am

There was a certificate for commcarehq.org,rec-mobile.sante.gov.bf,www.commcarehq.org renewed some ~2 hours ago.

That is the same set of domains that is currently deployed to your website.

I would guess that the issue is that nginx was not reloaded after the actual renewal.

Did you try a manual nginx reload? Failing that, can you check which ssl_certificate_file path is set in your nginx config?

mnordhoff · May 13, 2020, 10:17am

What does 'sudo certbot certificates" show?

JuergenAuer · May 13, 2020, 10:17am

Hi @sanjay2916

you have created one new certificate - see https://check-your-website.server-daten.de/?q=commcarehq.org#ct-logs

Issuer	not before	not after	Domain names	LE-Duplicate
Let's Encrypt Authority X3	2020-05-13	2020-08-11	commcarehq.org, rec-mobile.sante.gov.bf, www.commcarehq.org - 3 entries	duplicate nr. 1
Let's Encrypt Authority X3	2020-03-03	2020-06-01	commcarehq.org, rec-mobile.sante.gov.bf, www.commcarehq.org - 3 entries
Let's Encrypt Authority X3	2020-03-03	2020-06-01	commcarehq.org, rec-mobile.sante.gov.bf, www.commcarehq.org - 3 entries
Let's Encrypt Authority X3	2020-03-03	2020-06-01	commcarehq.org, rec-mobile.sante.gov.bf, www.commcarehq.org - 3 entries

So your new certificate isn't used. May be your server reload didn't work.

PS: Too late

sanjay2916 · May 13, 2020, 10:18am

it is pointed to diffrent path

production_nginx_combined.crt -> /etc/letsencrypt/live/www.commcarehq.org/fullchain.pem

actual path is /etc/letsencrypt/live/www.commcarehq.org-0001 and we are using softlink to our domain for ssl certificate and during the renewal time its increasing the number with 0001

JuergenAuer · May 13, 2020, 10:25am

Then change the path and restart your nginx. Job done.

And don't use -q in your renew command, that hides informations.

sanjay2916 · May 13, 2020, 10:31am

/etc/letsencrypt/live/www.commcarehq.org/fullchain.pem -> …/…/archive/www.commcarehq.org-0001/fullchain10.pem

this is pointed correctly but it not renewed

mnordhoff · May 13, 2020, 10:34am

What is the output of these commands:

sudo certbot certificates

sudo ls -al /etc/letsencrypt/{archive,live,renewal}

cat /etc/letsencrypt/renewal/www.commcarehq.org.conf

cat /etc/letsencrypt/renewal/www.commcarehq.org-0001.conf

Not quite -- the links in /etc/letsencrypt/live/www.commcarehq.org/ must point to ../../archive/www.commcarehq.org/. If they point elsewhere, like ../../archive/www.commcarehq.org-0001/, renewal will go awry.

sanjay2916 · May 13, 2020, 10:35am

root@proxy1-production:/etc/letsencrypt/live/www.commcarehq.org# cd
root@proxy1-production:~# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: www.commcarehq.org-0001
Domains: www.commcarehq.org commcarehq.org rec-mobile.sante.gov.bf
Expiry Date: 2020-08-11 08:36:47+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.commcarehq.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.commcarehq.org-0001/privkey.pem

root@proxy1-production:~# sudo ls -al /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 20
drwx------ 5 root root 4096 Mar 4 06:24 .
drwxr-xr-x 9 root root 4096 May 13 10:34 …
drwxr-xr-x 2 root root 4096 Mar 4 06:24 www.commcarehq.org
drwxr-xr-x 2 root root 4096 May 13 09:36 www.commcarehq.org-0001
drwxr-xr-x 2 root root 4096 Mar 3 18:01 www.commcarehq.org-04-03.bkp

/etc/letsencrypt/live:
total 24
drwx------ 5 root root 4096 Mar 4 06:21 .
drwxr-xr-x 9 root root 4096 May 13 10:34 …
-rw-r–r-- 1 root root 740 Jan 1 2019 README
drwxr-xr-x 7 root root 4096 Mar 4 06:21 backups
drwxr-xr-x 2 root root 4096 Mar 4 06:20 www.commcarehq.org
drwxr-xr-x 2 root root 4096 May 13 09:36 www.commcarehq.org-0001

/etc/letsencrypt/renewal:
total 20
drwxr-xr-x 2 root root 4096 May 13 09:36 .
drwxr-xr-x 9 root root 4096 May 13 10:34 …
-rw-r–r-- 1 root root 736 May 13 09:36 www.commcarehq.org-0001.conf
-rw-r–r-- 1 root root 609 Mar 4 06:25 www.commcarehq.org-0001.conf-4-03.bkp
-rw-r–r-- 1 root root 702 Dec 28 12:06 www.commcarehq.org.conf.bkp
root@proxy1-production:~# cat /etc/letsencrypt/renewal/www.commcarehq.org.conf
cat: /etc/letsencrypt/renewal/www.commcarehq.org.conf: No such file or directory
root@proxy1-production:~# cat /etc/letsencrypt/renewal/www.commcarehq.org-0001.conf

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/www.commcarehq.org-0001
cert = /etc/letsencrypt/live/www.commcarehq.org-0001/cert.pem
privkey = /etc/letsencrypt/live/www.commcarehq.org-0001/privkey.pem
chain = /etc/letsencrypt/live/www.commcarehq.org-0001/chain.pem
fullchain = /etc/letsencrypt/live/www.commcarehq.org-0001/fullchain.pem

Options used in the renewal process

[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
account = 111fbfabc5b07774a0299798ce34479e
authenticator = webroot
webroot_path = /var/www/letsencrypt,
[[webroot_map]]
commcarehq.org = /var/www/letsencrypt
rec-mobile.sante.gov.bf = /var/www/letsencrypt
www.commcarehq.org = /var/www/letsencrypt
root@proxy1-production:~#

JuergenAuer · May 13, 2020, 10:36am

You have a new certificate, renew isn't the problem.

The installation is the problem.

PS: So you have to change your nginx configuration.

sanjay2916 · May 13, 2020, 10:37am

what I can do for automatic renew for next time

mnordhoff · May 13, 2020, 10:37am

Thank you.

I’m sorry, but I made a mistake. Can you also post the output of:

sudo ls -alR /etc/letsencrypt/{archive,live,renewal}

I forgot the recursive option.

sanjay2916 · May 13, 2020, 10:37am

sudo ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 20
drwx------ 5 root root 4096 Mar 4 06:24 .
drwxr-xr-x 9 root root 4096 May 13 10:34 …
drwxr-xr-x 2 root root 4096 Mar 4 06:24 www.commcarehq.org
drwxr-xr-x 2 root root 4096 May 13 09:36 www.commcarehq.org-0001
drwxr-xr-x 2 root root 4096 Mar 3 18:01 www.commcarehq.org-04-03.bkp

/etc/letsencrypt/archive/www.commcarehq.org:
total 168
drwxr-xr-x 2 root root 4096 Mar 4 06:24 .
drwx------ 5 root root 4096 Mar 4 06:24 …
-rw-r–r-- 1 root root 1939 Mar 4 06:24 cert1.pem
-rw-r–r-- 1 root root 1976 Mar 4 06:24 cert10.pem
-rw-r–r-- 1 root root 1944 Mar 4 06:24 cert2.pem
-rw-r–r-- 1 root root 1944 Mar 4 06:24 cert3.pem
-rw-r–r-- 1 root root 1944 Mar 4 06:24 cert4.pem
-rw-r–r-- 1 root root 1939 Mar 4 06:24 cert5.pem
-rw-r–r-- 1 root root 1939 Mar 4 06:24 cert6.pem
-rw-r–r-- 1 root root 1939 Mar 4 06:24 cert7.pem
-rw-r–r-- 1 root root 1972 Mar 4 06:24 cert8.pem
-rw-r–r-- 1 root root 1976 Mar 4 06:24 cert9.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain1.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain10.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain2.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain3.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain4.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain5.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain6.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain7.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain8.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:24 chain9.pem
-rw-r–r-- 1 root root 3586 Mar 4 06:24 fullchain1.pem
-rw-r–r-- 1 root root 3623 Mar 4 06:24 fullchain10.pem
-rw-r–r-- 1 root root 3591 Mar 4 06:24 fullchain2.pem
-rw-r–r-- 1 root root 3591 Mar 4 06:24 fullchain3.pem
-rw-r–r-- 1 root root 3591 Mar 4 06:24 fullchain4.pem
-rw-r–r-- 1 root root 3586 Mar 4 06:24 fullchain5.pem
-rw-r–r-- 1 root root 3586 Mar 4 06:24 fullchain6.pem
-rw-r–r-- 1 root root 3586 Mar 4 06:24 fullchain7.pem
-rw-r–r-- 1 root root 3619 Mar 4 06:24 fullchain8.pem
-rw-r–r-- 1 root root 3623 Mar 4 06:24 fullchain9.pem
-rw-r–r-- 1 root root 1704 Mar 4 06:24 privkey1.pem
-rw-r–r-- 1 root root 1704 Mar 4 06:24 privkey10.pem
-rw-r–r-- 1 root root 1708 Mar 4 06:24 privkey2.pem
-rw-r–r-- 1 root root 1704 Mar 4 06:24 privkey3.pem
-rw-r–r-- 1 root root 1704 Mar 4 06:24 privkey4.pem
-rw-r–r-- 1 root root 1704 Mar 4 06:24 privkey5.pem
-rw-r–r-- 1 root root 1704 Mar 4 06:24 privkey6.pem
-rw-r–r-- 1 root root 1704 Mar 4 06:24 privkey7.pem
-rw-r–r-- 1 root root 1708 Mar 4 06:24 privkey8.pem
-rw-r–r-- 1 root root 1704 Mar 4 06:24 privkey9.pem

/etc/letsencrypt/archive/www.commcarehq.org-0001:
total 184
drwxr-xr-x 2 root root 4096 May 13 09:36 .
drwx------ 5 root root 4096 Mar 4 06:24 …
-rw-r–r-- 1 root root 1939 Jan 1 2019 cert1.pem
-rw-r–r-- 1 root root 1976 Mar 3 18:03 cert10.pem
-rw-r–r-- 1 root root 1972 May 13 09:36 cert11.pem
-rw-r–r-- 1 root root 1944 Mar 3 2019 cert2.pem
-rw-r–r-- 1 root root 1944 May 2 2019 cert3.pem
-rw-r–r-- 1 root root 1944 Jul 1 2019 cert4.pem
-rw-r–r-- 1 root root 1939 Aug 30 2019 cert5.pem
-rw-r–r-- 1 root root 1939 Oct 29 2019 cert6.pem
-rw-r–r-- 1 root root 1939 Dec 28 12:05 cert7.pem
-rw-r–r-- 1 root root 1972 Jan 16 15:47 cert8.pem
-rw-r–r-- 1 root root 1976 Mar 3 18:01 cert9.pem
-rw-r–r-- 1 root root 1647 Jan 1 2019 chain1.pem
-rw-r–r-- 1 root root 1647 Mar 3 18:03 chain10.pem
-rw-r–r-- 1 root root 1647 May 13 09:36 chain11.pem
-rw-r–r-- 1 root root 1647 Mar 3 2019 chain2.pem
-rw-r–r-- 1 root root 1647 May 2 2019 chain3.pem
-rw-r–r-- 1 root root 1647 Jul 1 2019 chain4.pem
-rw-r–r-- 1 root root 1647 Aug 30 2019 chain5.pem
-rw-r–r-- 1 root root 1647 Oct 29 2019 chain6.pem
-rw-r–r-- 1 root root 1647 Dec 28 12:05 chain7.pem
-rw-r–r-- 1 root root 1647 Jan 16 15:47 chain8.pem
-rw-r–r-- 1 root root 1647 Mar 3 18:01 chain9.pem
-rw-r–r-- 1 root root 3586 Jan 1 2019 fullchain1.pem
-rw-r–r-- 1 root root 3623 Mar 3 18:03 fullchain10.pem
-rw-r–r-- 1 root root 3619 May 13 09:36 fullchain11.pem
-rw-r–r-- 1 root root 3591 Mar 3 2019 fullchain2.pem
-rw-r–r-- 1 root root 3591 May 2 2019 fullchain3.pem
-rw-r–r-- 1 root root 3591 Jul 1 2019 fullchain4.pem
-rw-r–r-- 1 root root 3586 Aug 30 2019 fullchain5.pem
-rw-r–r-- 1 root root 3586 Oct 29 2019 fullchain6.pem
-rw-r–r-- 1 root root 3586 Dec 28 12:05 fullchain7.pem
-rw-r–r-- 1 root root 3619 Jan 16 15:47 fullchain8.pem
-rw-r–r-- 1 root root 3623 Mar 3 18:01 fullchain9.pem
-rw-r–r-- 1 root root 1704 Jan 1 2019 privkey1.pem
-rw-r–r-- 1 root root 1704 Mar 3 18:03 privkey10.pem
-rw-r–r-- 1 root root 1708 May 13 09:36 privkey11.pem
-rw-r–r-- 1 root root 1708 Mar 3 2019 privkey2.pem
-rw-r–r-- 1 root root 1704 May 2 2019 privkey3.pem
-rw-r–r-- 1 root root 1704 Jul 1 2019 privkey4.pem
-rw-r–r-- 1 root root 1704 Aug 30 2019 privkey5.pem
-rw-r–r-- 1 root root 1704 Oct 29 2019 privkey6.pem
-rw-r–r-- 1 root root 1704 Dec 28 12:05 privkey7.pem
-rw-r–r-- 1 root root 1708 Jan 16 15:47 privkey8.pem
-rw-r–r-- 1 root root 1704 Mar 3 18:01 privkey9.pem

/etc/letsencrypt/archive/www.commcarehq.org-04-03.bkp:
total 124
drwxr-xr-x 2 root root 4096 Mar 3 18:01 .
drwx------ 5 root root 4096 Mar 4 06:24 …
-rw-r–r-- 1 root root 1939 Jan 1 2019 cert1.pem
-rw-r–r-- 1 root root 1939 Mar 3 2019 cert2.pem
-rw-r–r-- 1 root root 1939 May 2 2019 cert3.pem
-rw-r–r-- 1 root root 1939 Jul 1 2019 cert4.pem
-rw-r–r-- 1 root root 1939 Aug 30 2019 cert5.pem
-rw-r–r-- 1 root root 1939 Oct 29 2019 cert6.pem
-rw-r–r-- 1 root root 1939 Dec 28 12:06 cert7.pem
-rw-r–r-- 1 root root 1647 Jan 1 2019 chain1.pem
-rw-r–r-- 1 root root 1647 Mar 3 2019 chain2.pem
-rw-r–r-- 1 root root 1647 May 2 2019 chain3.pem
-rw-r–r-- 1 root root 1647 Jul 1 2019 chain4.pem
-rw-r–r-- 1 root root 1647 Aug 30 2019 chain5.pem
-rw-r–r-- 1 root root 1647 Oct 29 2019 chain6.pem
-rw-r–r-- 1 root root 1647 Dec 28 12:06 chain7.pem
-rw-r–r-- 1 root root 3586 Jan 1 2019 fullchain1.pem
-rw-r–r-- 1 root root 3586 Mar 3 2019 fullchain2.pem
-rw-r–r-- 1 root root 3586 May 2 2019 fullchain3.pem
-rw-r–r-- 1 root root 3586 Jul 1 2019 fullchain4.pem
-rw-r–r-- 1 root root 3586 Aug 30 2019 fullchain5.pem
-rw-r–r-- 1 root root 3586 Oct 29 2019 fullchain6.pem
-rw-r–r-- 1 root root 3586 Dec 28 12:06 fullchain7.pem
-rw-r–r-- 1 root root 1704 Jan 1 2019 privkey1.pem
-rw------- 1 root root 1708 Mar 3 18:01 privkey10.pem
-rw-r–r-- 1 root root 1704 Mar 3 2019 privkey2.pem
-rw-r–r-- 1 root root 1708 May 2 2019 privkey3.pem
-rw-r–r-- 1 root root 1704 Jul 1 2019 privkey4.pem
-rw-r–r-- 1 root root 1704 Aug 30 2019 privkey5.pem
-rw-r–r-- 1 root root 1708 Oct 29 2019 privkey6.pem
-rw-r–r-- 1 root root 1708 Dec 28 12:06 privkey7.pem

/etc/letsencrypt/live:
total 24
drwx------ 5 root root 4096 Mar 4 06:21 .
drwxr-xr-x 9 root root 4096 May 13 10:34 …
-rw-r–r-- 1 root root 740 Jan 1 2019 README
drwxr-xr-x 7 root root 4096 Mar 4 06:21 backups
drwxr-xr-x 2 root root 4096 Mar 4 06:20 www.commcarehq.org
drwxr-xr-x 2 root root 4096 May 13 09:36 www.commcarehq.org-0001

/etc/letsencrypt/live/backups:
total 28
drwxr-xr-x 7 root root 4096 Mar 4 06:21 .
drwx------ 5 root root 4096 Mar 4 06:21 …
drwxr-xr-x 2 root root 4096 Mar 3 18:01 www.commcarehq.org-04-03
drwxr-xr-x 2 root root 4096 Mar 4 06:17 www.commcarehq.org-04-03-2020
drwxr-xr-x 2 root root 4096 Dec 28 12:06 www.commcarehq.org-16-01-2020
drwxr-xr-x 2 root root 4096 Mar 3 17:56 www.commcarehq.org-2020-03-03.bkp
drwxr-xr-x 2 root root 4096 Jan 16 15:51 www.commcarehq.org-original

/etc/letsencrypt/live/backups/www.commcarehq.org-04-03:
total 12
drwxr-xr-x 2 root root 4096 Mar 3 18:01 .
drwxr-xr-x 7 root root 4096 Mar 4 06:21 …
-rw-r–r-- 1 root root 692 Jan 1 2019 README
lrwxrwxrwx 1 root root 47 Mar 3 18:01 cert.pem -> …/…/archive/www.commcarehq.org-0001/cert9.pem
lrwxrwxrwx 1 root root 48 Mar 3 18:01 chain.pem -> …/…/archive/www.commcarehq.org-0001/chain9.pem
lrwxrwxrwx 1 root root 52 Mar 3 18:01 fullchain.pem -> …/…/archive/www.commcarehq.org-0001/fullchain9.pem
lrwxrwxrwx 1 root root 50 Mar 3 18:01 privkey.pem -> …/…/archive/www.commcarehq.org-0001/privkey9.pem

/etc/letsencrypt/live/backups/www.commcarehq.org-04-03-2020:
total 12
drwxr-xr-x 2 root root 4096 Mar 4 06:17 .
drwxr-xr-x 7 root root 4096 Mar 4 06:21 …
-rw-r–r-- 1 root root 692 Mar 4 06:17 README
lrwxrwxrwx 1 root root 47 Mar 4 06:17 cert.pem -> …/…/archive/www.commcarehq.org-0001/cert9.pem
lrwxrwxrwx 1 root root 48 Mar 4 06:17 chain.pem -> …/…/archive/www.commcarehq.org-0001/chain9.pem
lrwxrwxrwx 1 root root 52 Mar 4 06:17 fullchain.pem -> …/…/archive/www.commcarehq.org-0001/fullchain9.pem
lrwxrwxrwx 1 root root 50 Mar 4 06:17 privkey.pem -> …/…/archive/www.commcarehq.org-0001/privkey9.pem

/etc/letsencrypt/live/backups/www.commcarehq.org-16-01-2020:
total 12
drwxr-xr-x 2 root root 4096 Dec 28 12:06 .
drwxr-xr-x 7 root root 4096 Mar 4 06:21 …
-rw-r–r-- 1 root root 692 Jan 1 2019 README
lrwxrwxrwx 1 root root 42 Dec 28 12:06 cert.pem -> …/…/archive/www.commcarehq.org/cert7.pem
lrwxrwxrwx 1 root root 43 Dec 28 12:06 chain.pem -> …/…/archive/www.commcarehq.org/chain7.pem
lrwxrwxrwx 1 root root 47 Dec 28 12:06 fullchain.pem -> …/…/archive/www.commcarehq.org/fullchain7.pem
lrwxrwxrwx 1 root root 45 Dec 28 12:06 privkey.pem -> …/…/archive/www.commcarehq.org/privkey7.pem

/etc/letsencrypt/live/backups/www.commcarehq.org-2020-03-03.bkp:
total 12
drwxr-xr-x 2 root root 4096 Mar 3 17:56 .
drwxr-xr-x 7 root root 4096 Mar 4 06:21 …
-rw-r–r-- 1 root root 692 Mar 3 17:56 README
lrwxrwxrwx 1 root root 47 Mar 3 17:56 cert.pem -> …/…/archive/www.commcarehq.org-0001/cert8.pem
lrwxrwxrwx 1 root root 48 Mar 3 17:56 chain.pem -> …/…/archive/www.commcarehq.org-0001/chain8.pem
lrwxrwxrwx 1 root root 52 Mar 3 17:56 fullchain.pem -> …/…/archive/www.commcarehq.org-0001/fullchain8.pem
lrwxrwxrwx 1 root root 50 Mar 3 17:56 privkey.pem -> …/…/archive/www.commcarehq.org-0001/privkey8.pem

/etc/letsencrypt/live/backups/www.commcarehq.org-original:
total 12
drwxr-xr-x 2 root root 4096 Jan 16 15:51 .
drwxr-xr-x 7 root root 4096 Mar 4 06:21 …
-rw-r–r-- 1 root root 692 Jan 16 15:51 README
lrwxrwxrwx 1 root root 42 Jan 16 15:51 cert.pem -> …/…/archive/www.commcarehq.org/cert7.pem
lrwxrwxrwx 1 root root 43 Jan 16 15:51 chain.pem -> …/…/archive/www.commcarehq.org/chain7.pem
lrwxrwxrwx 1 root root 47 Jan 16 15:51 fullchain.pem -> …/…/archive/www.commcarehq.org/fullchain7.pem
lrwxrwxrwx 1 root root 45 Jan 16 15:51 privkey.pem -> …/…/archive/www.commcarehq.org/privkey7.pem

/etc/letsencrypt/live/www.commcarehq.org:
total 12
drwxr-xr-x 2 root root 4096 Mar 4 06:20 .
drwx------ 5 root root 4096 Mar 4 06:21 …
-rw-r–r-- 1 root root 692 Mar 4 06:20 README
lrwxrwxrwx 1 root root 48 Mar 4 06:20 cert.pem -> …/…/archive/www.commcarehq.org-0001/cert10.pem
lrwxrwxrwx 1 root root 49 Mar 4 06:20 chain.pem -> …/…/archive/www.commcarehq.org-0001/chain10.pem
lrwxrwxrwx 1 root root 53 Mar 4 06:20 fullchain.pem -> …/…/archive/www.commcarehq.org-0001/fullchain10.pem
lrwxrwxrwx 1 root root 51 Mar 4 06:20 privkey.pem -> …/…/archive/www.commcarehq.org-0001/privkey10.pem

/etc/letsencrypt/live/www.commcarehq.org-0001:
total 12
drwxr-xr-x 2 root root 4096 May 13 09:36 .
drwx------ 5 root root 4096 Mar 4 06:21 …
-rw-r–r-- 1 root root 692 Mar 3 17:57 README
lrwxrwxrwx 1 root root 48 May 13 09:36 cert.pem -> …/…/archive/www.commcarehq.org-0001/cert11.pem
lrwxrwxrwx 1 root root 49 May 13 09:36 chain.pem -> …/…/archive/www.commcarehq.org-0001/chain11.pem
lrwxrwxrwx 1 root root 53 May 13 09:36 fullchain.pem -> …/…/archive/www.commcarehq.org-0001/fullchain11.pem
lrwxrwxrwx 1 root root 51 May 13 09:36 privkey.pem -> …/…/archive/www.commcarehq.org-0001/privkey11.pem

/etc/letsencrypt/renewal:
total 20
drwxr-xr-x 2 root root 4096 May 13 09:36 .
drwxr-xr-x 9 root root 4096 May 13 10:34 …
-rw-r–r-- 1 root root 736 May 13 09:36 www.commcarehq.org-0001.conf
-rw-r–r-- 1 root root 609 Mar 4 06:25 www.commcarehq.org-0001.conf-4-03.bkp
-rw-r–r-- 1 root root 702 Dec 28 12:06 www.commcarehq.org.conf.bkp

mnordhoff · May 13, 2020, 10:45am

sanjay2916:

/etc/letsencrypt/live/www.commcarehq.org:
total 12
drwxr-xr-x 2 root root 4096 Mar 4 06:20 .
drwx------ 5 root root 4096 Mar 4 06:21 …
-rw-r–r-- 1 root root 692 Mar 4 06:20 README
lrwxrwxrwx 1 root root 48 Mar 4 06:20 cert.pem -> …/…/archive/www.commcarehq.org-0001/cert10.pem
lrwxrwxrwx 1 root root 49 Mar 4 06:20 chain.pem -> …/…/archive/www.commcarehq.org-0001/chain10.pem
lrwxrwxrwx 1 root root 53 Mar 4 06:20 fullchain.pem -> …/…/archive/www.commcarehq.org-0001/fullchain10.pem
lrwxrwxrwx 1 root root 51 Mar 4 06:20 privkey.pem -> …/…/archive/www.commcarehq.org-0001/privkey10.pem

/etc/letsencrypt/live/www.commcarehq.org-0001:
total 12
drwxr-xr-x 2 root root 4096 May 13 09:36 .
drwx------ 5 root root 4096 Mar 4 06:21 …
-rw-r–r-- 1 root root 692 Mar 3 17:57 README
lrwxrwxrwx 1 root root 48 May 13 09:36 cert.pem -> …/…/archive/www.commcarehq.org-0001/cert11.pem
lrwxrwxrwx 1 root root 49 May 13 09:36 chain.pem -> …/…/archive/www.commcarehq.org-0001/chain11.pem
lrwxrwxrwx 1 root root 53 May 13 09:36 fullchain.pem -> …/…/archive/www.commcarehq.org-0001/fullchain11.pem
lrwxrwxrwx 1 root root 51 May 13 09:36 privkey.pem -> …/…/archive/www.commcarehq.org-0001/privkey11.pem

Okay. As you can see, when Certbot renews the certificate, it saves the files in /etc/letsencrypt/archive/ with new names -- for example, cert1.pem is replaced with cert2.pem, and so forth.

Certbot then automatically updates the symlinks in /etc/letsencrypt/live/ to point to the new files.

Certbot did that in /etc/letsencrypt/live/www.commcarehq.org-0001/.

However, you're manually maintaining /etc/letsencrypt/live/www.commcarehq.org/, and its symlinks are now out-of-date.

The most correct option would be to configure your web server (and/or other software) to use /etc/letsencrypt/live/www.commcarehq.org-0001/ instead of /etc/letsencrypt/live/www.commcarehq.org/.

Another option would be to update the symlinks -- if you changed them to have e.g. /etc/letsencrypt/live/www.commcarehq.org/cert.pem point to ../commcarehq.org-0001/cert.pem, it would automatically work in the future.

But maintaining manually created stuff in /etc/letsencrypt/ could create problems in the future.

(Note: The forum software changed .. to … in your posts.)

Edit: Corrected the first quote in this post. I quoted the right section of your post, the forum software ate it, and then when I tried to fix it I quoted the wrong thing.

sanjay2916 · May 13, 2020, 10:52am

Can we make it configuration file to renewal /etc/letsencrypt/live/commcarehq.org directory intead of /etc/letsencrypt/live/www.commcarehq.org-0001

sanjay2916 · May 13, 2020, 11:11am

I have done some changes on staging env which looks good,will it work for auto renewal for next time

root@proxy0-staging:/etc/letsencrypt/live# sudo ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 24
drwx------ 6 root root 4096 May 13 11:01 .
drwxr-xr-x 9 root root 4096 May 13 11:06 …
drwxr-xr-x 2 root root 4096 Dec 19 10:46 sanjay.commcarehq.org
drwxr-xr-x 2 root root 4096 May 6 09:28 staging.commcarehq.org
drwxr-xr-x 2 root root 4096 Dec 20 18:52 staging.commcarehq.org-0001
drwxr-xr-x 2 root root 4096 Mar 4 06:47 staging.commcarehq.org-13-05

/etc/letsencrypt/archive/sanjay.commcarehq.org:
total 40
drwxr-xr-x 2 root root 4096 Dec 19 10:46 .
drwx------ 6 root root 4096 May 13 11:01 …
-rw-r–r-- 1 root root 1927 Dec 19 10:43 cert1.pem
-rw-r–r-- 1 root root 1964 Dec 19 10:46 cert2.pem
-rw-r–r-- 1 root root 1647 Dec 19 10:43 chain1.pem
-rw-r–r-- 1 root root 1647 Dec 19 10:46 chain2.pem
-rw-r–r-- 1 root root 3574 Dec 19 10:43 fullchain1.pem
-rw-r–r-- 1 root root 3611 Dec 19 10:46 fullchain2.pem
-rw------- 1 root root 1704 Dec 19 10:43 privkey1.pem
-rw------- 1 root root 1704 Dec 19 10:46 privkey2.pem

/etc/letsencrypt/archive/staging.commcarehq.org:
total 184
drwxr-xr-x 2 root root 4096 May 6 09:28 .
drwx------ 6 root root 4096 May 13 11:01 …
-rw-r–r-- 1 root root 1931 Jan 13 12:21 cert1.pem
-rw-r–r-- 1 root root 1927 Mar 4 06:48 cert10.pem
-rw-r–r-- 1 root root 1931 May 6 09:28 cert11.pem
-rw-r–r-- 1 root root 1927 Mar 3 15:28 cert2.pem
-rw-r–r-- 1 root root 1931 Mar 3 15:41 cert3.pem
-rw-r–r-- 1 root root 1927 Mar 3 15:54 cert4.pem
-rw-r–r-- 1 root root 1927 Mar 3 15:56 cert5.pem
-rw-r–r-- 1 root root 1927 Mar 3 15:57 cert6.pem
-rw-r–r-- 1 root root 1931 Mar 3 18:18 cert7.pem
-rw-r–r-- 1 root root 1931 Mar 4 06:42 cert8.pem
-rw-r–r-- 1 root root 1931 Mar 4 06:47 cert9.pem
-rw-r–r-- 1 root root 1647 Jan 13 12:21 chain1.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:48 chain10.pem
-rw-r–r-- 1 root root 1647 May 6 09:28 chain11.pem
-rw-r–r-- 1 root root 1647 Mar 3 15:28 chain2.pem
-rw-r–r-- 1 root root 1647 Mar 3 15:41 chain3.pem
-rw-r–r-- 1 root root 1647 Mar 3 15:54 chain4.pem
-rw-r–r-- 1 root root 1647 Mar 3 15:56 chain5.pem
-rw-r–r-- 1 root root 1647 Mar 3 15:57 chain6.pem
-rw-r–r-- 1 root root 1647 Mar 3 18:18 chain7.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:42 chain8.pem
-rw-r–r-- 1 root root 1647 Mar 4 06:47 chain9.pem
-rw-r–r-- 1 root root 3578 Jan 13 12:21 fullchain1.pem
-rw-r–r-- 1 root root 3574 Mar 4 06:48 fullchain10.pem
-rw-r–r-- 1 root root 3578 May 6 09:28 fullchain11.pem
-rw-r–r-- 1 root root 3574 Mar 3 15:28 fullchain2.pem
-rw-r–r-- 1 root root 3578 Mar 3 15:41 fullchain3.pem
-rw-r–r-- 1 root root 3574 Mar 3 15:54 fullchain4.pem
-rw-r–r-- 1 root root 3574 Mar 3 15:56 fullchain5.pem
-rw-r–r-- 1 root root 3574 Mar 3 15:57 fullchain6.pem
-rw-r–r-- 1 root root 3578 Mar 3 18:18 fullchain7.pem
-rw-r–r-- 1 root root 3578 Mar 4 06:42 fullchain8.pem
-rw-r–r-- 1 root root 3578 Mar 4 06:47 fullchain9.pem
-rw------- 1 root root 1704 Jan 13 12:21 privkey1.pem
-rw------- 1 root root 1708 Mar 4 06:48 privkey10.pem
-rw------- 1 root root 1704 May 6 09:28 privkey11.pem
-rw------- 1 root root 1704 Mar 3 15:28 privkey2.pem
-rw------- 1 root root 1704 Mar 3 15:41 privkey3.pem
-rw------- 1 root root 1704 Mar 3 15:54 privkey4.pem
-rw------- 1 root root 1708 Mar 3 15:56 privkey5.pem
-rw------- 1 root root 1704 Mar 3 15:57 privkey6.pem
-rw------- 1 root root 1704 Mar 3 18:18 privkey7.pem
-rw------- 1 root root 1704 Mar 4 06:42 privkey8.pem
-rw------- 1 root root 1704 Mar 4 06:47 privkey9.pem

/etc/letsencrypt/archive/staging.commcarehq.org-0001:
total 40
drwxr-xr-x 2 root root 4096 Dec 20 18:52 .
drwx------ 6 root root 4096 May 13 11:01 …
-rw-r–r-- 1 root root 1931 Dec 19 16:22 cert1.pem
-rw-r–r-- 1 root root 1960 Dec 20 18:52 cert2.pem
-rw-r–r-- 1 root root 1647 Dec 19 16:22 chain1.pem
-rw-r–r-- 1 root root 1647 Dec 20 18:52 chain2.pem
-rw-r–r-- 1 root root 3578 Dec 19 16:22 fullchain1.pem
-rw-r–r-- 1 root root 3607 Dec 20 18:52 fullchain2.pem
-rw------- 1 root root 1704 Dec 19 16:22 privkey1.pem
-rw------- 1 root root 1704 Dec 20 18:52 privkey2.pem

/etc/letsencrypt/archive/staging.commcarehq.org-13-05:
total 92
drwxr-xr-x 2 root root 4096 Mar 4 06:47 .
drwx------ 6 root root 4096 May 13 11:01 …
-rw-r–r-- 1 root root 1931 May 29 2019 cert1.pem
-rw-r–r-- 1 root root 1931 Jul 29 2019 cert2.pem
-rw-r–r-- 1 root root 1927 Sep 27 2019 cert3.pem
-rw-r–r-- 1 root root 1927 Nov 26 00:41 cert4.pem
-rw-r–r-- 1 root root 1960 Dec 19 10:58 cert5.pem
-rw-r–r-- 1 root root 1647 May 29 2019 chain1.pem
-rw-r–r-- 1 root root 1647 Jul 29 2019 chain2.pem
-rw-r–r-- 1 root root 1647 Sep 27 2019 chain3.pem
-rw-r–r-- 1 root root 1647 Nov 26 00:41 chain4.pem
-rw-r–r-- 1 root root 1647 Dec 19 10:58 chain5.pem
-rw-r–r-- 1 root root 3578 May 29 2019 fullchain1.pem
-rw-r–r-- 1 root root 3578 Jul 29 2019 fullchain2.pem
-rw-r–r-- 1 root root 3574 Sep 27 2019 fullchain3.pem
-rw-r–r-- 1 root root 3574 Nov 26 00:41 fullchain4.pem
-rw-r–r-- 1 root root 3607 Dec 19 10:58 fullchain5.pem
-rw------- 1 root root 1700 May 29 2019 privkey1.pem
-rw------- 1 root root 1704 Mar 4 06:47 privkey10.pem
-rw------- 1 root root 1708 Jul 29 2019 privkey2.pem
-rw------- 1 root root 1704 Sep 27 2019 privkey3.pem
-rw------- 1 root root 1704 Nov 26 00:41 privkey4.pem
-rw------- 1 root root 1704 Dec 19 10:58 privkey5.pem

/etc/letsencrypt/live:
total 16
drwx------ 3 root root 4096 May 13 11:09 .
drwxr-xr-x 9 root root 4096 May 13 11:06 …
-rw-r–r-- 1 root root 740 May 29 2019 README
drwxr-xr-x 2 root root 4096 May 13 11:03 staging.commcarehq.org

/etc/letsencrypt/live/staging.commcarehq.org:
total 12
drwxr-xr-x 2 root root 4096 May 13 11:03 .
drwx------ 3 root root 4096 May 13 11:09 …
-rw-r–r-- 1 root root 692 May 13 10:55 README
lrwxrwxrwx 1 root root 47 May 13 11:02 cert.pem -> …/…/archive/staging.commcarehq.org/cert11.pem
lrwxrwxrwx 1 root root 48 May 13 11:03 chain.pem -> …/…/archive/staging.commcarehq.org/chain11.pem
lrwxrwxrwx 1 root root 52 May 13 11:03 fullchain.pem -> …/…/archive/staging.commcarehq.org/fullchain11.pem
lrwxrwxrwx 1 root root 50 May 13 11:03 privkey.pem -> …/…/archive/staging.commcarehq.org/privkey11.pem

/etc/letsencrypt/renewal:
total 16
drwxr-xr-x 2 root root 4096 May 13 10:56 .
drwxr-xr-x 9 root root 4096 May 13 11:06 …
-rw-r–r-- 1 root root 650 May 13 10:56 staging.commcarehq.org.conf
-rw-r–r-- 1 root root 567 Dec 19 10:58 staging.commcarehq.org.conf-04-03

system · June 12, 2020, 11:11am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.