Certificate not renewing


#1

Hello, the certificate expired. So I tried to renew the certificate but it just doesn't work. I feel lost. I am still in the learning stages.

Please fill out the fields below so we can help you better.

My domain is: stuffiwillbuy.com

I ran this command: ========================================
[root@host letsencrypt]# ./letsencrypt-auto renew
it did not work so then tried
[root@host letsencrypt]# ./letsencrypt-auto renew --force-renewal
I also tried
./letsencrypt-auto --text --agree-tos --email lodha.swetha@gmail.com certonly --renew-by-default --webroot --webroot-path /home/willbuy/public_html/ -d stuffiwillbuy.com -d www.stuffiwillbuy.com

It produced this output:========================================

[root@host letsencrypt]# ./letsencrypt-auto renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/stuffiwillbuy.com-0001.conf

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stuffiwillbuy.com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0028_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0028_csr-certbot.pem


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/stuffiwillbuy.com-0001/fullchain.pem


Processing /etc/letsencrypt/renewal/stuffiwillbuy.com.conf

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stuffiwillbuy.com
http-01 challenge for www.stuffiwillbuy.com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0032_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0032_csr-certbot.pem


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/stuffiwillbuy.com/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/stuffiwillbuy.com-0001/fullchain.pem (success)
/etc/letsencrypt/live/stuffiwillbuy.com/fullchain.pem (success)

My operating system is (include version):========================================

CENTOS 6.8 x86_64 standard

My web server is (include version): ========================================
Server Version: Apache/2.4.23 (cPanel) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
Server MPM: prefork

I can login to a root shell on my machine (yes or no, or I don’t know): ========================================
Yes, I can login as root shell

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ========================================
cPanel - WHM 60.0 (build 28)
cPanel has autoSSL which is enabled.

Please help. Thank you and hope you all have a happy new year.


#2

Your logs state “new certificate deployed without reload” … did you reload your apache web server after the renewals???

sudo service apache2 restart

You must reload for the new certificates to take effect.


#3

I’m a little confused here - in that you are trying to use command line tools, when you have AutoSSL installed in cPanel.

If you have AutoSSL installed, I assume you have also enabled it for Let’s Encrypt. If not, go to command line as root and run

/scripts/install_lets_encrypt_autossl_provider

Once that is done, go into your WHM - Home >> SSL/TLS >> Manage AutoSSL. Check that Let’s Encrypt is enabled.

Once you have that, go to the “Manage Users” tab ( within Manage AutoSSL) and select the user / domain in question and press the “check” button.
Go back to the “logs” tab, and (if it hasn’t all worked) copy the log and paste it in pastebin.com for us to see.


#4

Yes, I restarted Apache and also rebooted the server.

I have enabled AutoSSL via cPanel.


#5

Hi Thanks,

I just checked the log

I got the below error

Log for the AutoSSL run for “willbuy”: Monday, January 2, 2017 9:02:46 PM GMT+05-30 (Let’s Encrypt™)
3:32:46 PM This system has AutoSSL set to use “Let’s Encrypt™”.
3:32:46 PM Checking websites for “willbuy” …
3:32:46 PM The website “stuffiwillbuy.com”, owned by “willbuy”, has a faulty SSL certificate (OPENSSL_VERIFY:0:10:CERT_HAS_EXPIRED NOT_ALL_DOMAINS ALMOST_EXPIRED AUTOSSL_READY_FOR_RENEWAL). AutoSSL will attempt to replace this certificate.
3:32:46 PM The system will attempt to renew SSL certificates for the following websites:
3:32:46 PM stuffiwillbuy.com (stuffiwillbuy.com www.stuffiwillbuy.com mail.stuffiwillbuy.com)
3:32:48 PM WARN (XID t8gpdn) The system failed to create the directory “/home/willbuy/public_html/.well-known/acme-challenge” because of an error: Permission denied
3:32:48 PM The system has completed the AutoSSL check for “willbuy”.
3:32:48 PM The system has finished checking 1 user.


#6

The command line stuff you were using (letsencrypt-auto renew) is not compatible with AutoSSL though - so I’d suggest not using “letsencrypt-auto renew” and just using AutoSSL (as that will automatically do everything for you).

What does the log from AutoSSL show?

Our posts overlapped … reading your log above …

What are the permissions on /home/willbuy/public_html/? Or probably /home/willbuy/public_html/.well-known? My guess is it was created as user “root” via letsencrypt - and hence messing up cPanel - the well-known folder should be owned by the user (willbuy in this case).


#8

When I started with letsencrypt, AutoSSL was not available with cPanel then. So I manually installed it.

using ./letsencrypt-auto --text --agree-tos --email lodha.swetha@gmail.com certonly --renew-by-default --webroot --webroot-path /home/willbuy/public_html/ -d stuffiwillbuy.com -d www.stuffiwillbuy.com


#9

That’s perfectly understandable ( you may want to edit your email in the above though )

Now that AutoSSL is available though, you may as well use it. The alternative is to remove it and use just the command line version, I personally think that will be more complex for you long term though.

The problem is the two will conflict - so you really need to decide to use one, or the other and not both.

When you ran “./letsencrypt-auto” with the webroot path of /home/willbuy/public_html/ as root - it will have created (as owner root) the /home/willbuy/public_html/.well-known folder. Hence why I was asking above what the permissions were on that - as that’s the error stopping AutoSSL running.


#10

Below is the .well-known dir permission

drwxr-xr-x 2 root root 4096 Jan 2 10:50 .well-known


#11

I’d suggest running the command

chown -R willbuy. /home/willbuy/public_html/.well-known

which will change the ownership of the /home/willbuy/public_html/.well-known folder and everything below it to the user willbuy. Then try running AutoSSL again.
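
A check for the condition diagnosed in this thread, as an added example that is not part of any post: it lists `.well-known` trees that the account user does not own, which is what produced the "Permission denied" in the AutoSSL log. The function names are made up for this example, and it assumes each directory under the base path is named after its account, as with /home/willbuy here.

```shell
#!/bin/sh
# Added example (not from the thread). Finds ACME challenge directories that the
# site's account user cannot write to because an earlier run as root created them.

# foreign_owned DIR OWNER: print every path under DIR not owned by OWNER.
foreign_owned() {
    [ -d "$1" ] || return 0          # nothing there yet, nothing to report
    find "$1" ! -user "$2" -print
}

# audit_webroot WEBROOT OWNER: return 1 and list offenders if OWNER does not own
# the whole .well-known tree under WEBROOT, return 0 otherwise.
audit_webroot() {
    offenders=$(foreign_owned "$1/.well-known" "$2")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed "s|^|not owned by $2: |"
        return 1
    fi
    return 0
}

# audit_homes BASE: assumes the layout BASE/<user>/public_html seen in the
# thread, with the directory name equal to the account name (an assumption).
# Returns 0 when every account is clean, 1 when at least one is not.
audit_homes() {
    failed=0
    for home in "$1"/*/; do
        [ -d "${home}public_html" ] || continue   # not a hosting account
        user=$(basename "$home")
        audit_webroot "${home}public_html" "$user" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ]
}
```

Call `audit_homes /home` as root; any path it prints is a candidate for the `chown -R` fix given in the post above.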


#12

Thank you. :slight_smile: It worked!

