Certificate renewal is breaking our site by changing the certname to name-0001, name-0002 etc…

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: conspyre.tv

I ran this command in the sudo user's crontab:

0 1 * * * nohup php /var/www/html/AVideo/plugin/YPTSocket/serverCertbot.php &

That PHP script execs one shell command:

exec('certbot renew');

It produced this output:

(I have no idea; it's buried in log files from two weeks ago when the cert renewed)

My web server is (include version): Apache + nginx as a reverse proxy for RTMP, not important

The operating system my web server runs on is (include version): Ubuntu 22.04.1 LTS and again that's probably not important

My hosting provider, if applicable, is: seriously N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.21.0

THE PROBLEM IS:

When it renewed my cert, it appended a -0001 to the name, and I presume next time around, will append a -0002, etc…

That means that every time the cert auto renews it's going to break my site, which needs to have that cert's pathname coded into several places.

How to get certbot to do the right thing & re-use the name?

This usually happens because somebody incorrectly modified the symlinks inside the /etc/letsencrypt/live directory or the /etc/letsencrypt/renewal/*.conf files.

Fixing it is a matter of repairing the damage.

First step is to see what's going on:

sudo ls -laR /etc/letsencrypt/{live,archive}
cat /etc/letsencrypt/renewal/conspyre.tv.conf
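The check described in this reply can be scripted. The following is an added example, not part of the original reply and not Certbot code: the function name `audit_lineages` is hypothetical, and it assumes the relative `../../archive/<name>/<file>N.pem` symlink layout that Certbot normally writes. It only reads the tree and reports, per renewal file, whether `archive_dir` and the four `live` symlinks still agree with the lineage name, and whether the name carries a `-NNNN` suffix.

```sh
#!/bin/sh
# Added example: read-only audit of a Certbot config tree.
# Usage: sh audit.sh /etc/letsencrypt   (needs root to read live/ and archive/)
audit_lineages() {
    root=${1:-/etc/letsencrypt}
    for conf in "$root"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name=$(basename "$conf" .conf)
        status=OK            # only the last problem found is reported
        # archive_dir in the renewal file must name this lineage's own archive
        adir=$(sed -n 's/^archive_dir *= *//p' "$conf")
        [ "$adir" = "$root/archive/$name" ] || status="BROKEN archive_dir=$adir"
        for f in cert privkey chain fullchain; do
            link="$root/live/$name/$f.pem"
            if [ ! -L "$link" ]; then
                # typical damage: the symlink was replaced by a copied file
                status="BROKEN $f.pem is not a symlink"
                continue
            fi
            case $(readlink "$link") in
                "../../archive/$name/$f"[0-9]*.pem)
                    [ -e "$link" ] || status="BROKEN $f.pem dangling" ;;
                *)
                    status="BROKEN $f.pem -> $(readlink "$link")" ;;
            esac
        done
        # a -NNNN suffix marks a second lineage created beside an existing name
        case $name in
            *-[0-9][0-9][0-9][0-9]) note=" (duplicate of ${name%-*})" ;;
            *) note="" ;;
        esac
        echo "$name: $status$note"
    done
}

if [ $# -gt 0 ]; then audit_lineages "$1"; fi
```

A lineage that prints `OK (duplicate of ...)` has intact files, so the cause of the extra name has to be looked for elsewhere than in the symlinks.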
sudo ls -laR /etc/letsencrypt/{live,archive}
/etc/letsencrypt/archive:
total 24
drwx------ 6 root root 4096 Oct 21 15:41 .
drwxr-xr-x 9 root root 4096 Oct 21 17:25 ..
drwxr-xr-x 2 root root 4096 Jul 14 16:51 conspyre.tv
drwxr-xr-x 2 root root 4096 Oct 18 00:09 conspyre.tv-0001
drwxr-xr-x 2 root root 4096 Oct 21 15:41 conspyre.tv-0002
drwxr-xr-x 2 root root 4096 Oct 21 17:25 v2.conspyre.tv

/etc/letsencrypt/archive/conspyre.tv:
total 48
drwxr-xr-x 2 root root 4096 Jul 14 16:51 .
drwx------ 6 root root 4096 Oct 21 15:41 ..
-rw-r--r-- 1 root root 1854 Jun 20 12:08 cert1.pem
-rw-r--r-- 1 root root 1887 Jul 14 16:51 cert2.pem
-rw-r--r-- 1 root root 3749 Jun 20 12:08 chain1.pem
-rw-r--r-- 1 root root 3749 Jul 14 16:51 chain2.pem
-rw-r--r-- 1 root root 5603 Jun 20 12:08 fullchain1.pem
-rw-r--r-- 1 root root 5636 Jul 14 16:51 fullchain2.pem
-rw------- 1 root root 1704 Jun 20 12:08 privkey1.pem
-rw------- 1 root root 1704 Jul 14 16:51 privkey2.pem

/etc/letsencrypt/archive/conspyre.tv-0001:
total 68
drwxr-xr-x 2 root root 4096 Oct 18 00:09 .
drwx------ 6 root root 4096 Oct 21 15:41 ..
-rw-r--r-- 1 root root 1858 Jul 14 21:25 cert1.pem
-rw-r--r-- 1 root root 1858 Oct 13 13:14 cert2.pem
-rw-r--r-- 1 root root 1899 Oct 18 00:09 cert3.pem
-rw-r--r-- 1 root root 3749 Jul 14 21:25 chain1.pem
-rw-r--r-- 1 root root 3749 Oct 13 13:14 chain2.pem
-rw-r--r-- 1 root root 3749 Oct 18 00:09 chain3.pem
-rw-r--r-- 1 root root 5607 Jul 14 21:25 fullchain1.pem
-rw-r--r-- 1 root root 5607 Oct 13 13:14 fullchain2.pem
-rw-r--r-- 1 root root 5648 Oct 18 00:09 fullchain3.pem
-rw------- 1 root root 1704 Jul 14 21:25 privkey1.pem
-rw------- 1 root root 1704 Oct 13 13:14 privkey2.pem
-rw------- 1 root root 1704 Oct 18 00:09 privkey3.pem

/etc/letsencrypt/archive/conspyre.tv-0002:
total 28
drwxr-xr-x 2 root root 4096 Oct 21 15:41 .
drwx------ 6 root root 4096 Oct 21 15:41 ..
-rw-r--r-- 1 root root 1834 Oct 21 15:41 cert1.pem
-rw-r--r-- 1 root root 3749 Oct 21 15:41 chain1.pem
-rw-r--r-- 1 root root 5583 Oct 21 15:41 fullchain1.pem
-rw------- 1 root root 1704 Oct 21 15:41 privkey1.pem

/etc/letsencrypt/archive/v2.conspyre.tv:
total 48
drwxr-xr-x 2 root root 4096 Oct 21 17:25 .
drwx------ 6 root root 4096 Oct 21 15:41 ..
-rw-r--r-- 1 root root 1842 Jun 17 10:03 cert1.pem
-rw-r--r-- 1 root root 1842 Oct 21 17:25 cert2.pem
-rw-r--r-- 1 root root 3749 Jun 17 10:03 chain1.pem
-rw-r--r-- 1 root root 3749 Oct 21 17:25 chain2.pem
-rw-r--r-- 1 root root 5591 Jun 17 10:03 fullchain1.pem
-rw-r--r-- 1 root root 5591 Oct 21 17:25 fullchain2.pem
-rw------- 1 root root 1704 Jun 17 10:03 privkey1.pem
-rw------- 1 root root 1704 Oct 21 17:25 privkey2.pem

/etc/letsencrypt/live:
total 1368
drwx------ 6 root root    4096 Oct 21 15:41 .
drwxr-xr-x 9 root root    4096 Oct 21 17:25 ..
drwxr-xr-x 2 root root    4096 Jul 14 16:51 conspyre.tv
drwxr-xr-x 2 root root    4096 Oct 18 00:09 conspyre.tv-0001
drwxr-xr-x 2 root root    4096 Oct 21 15:41 conspyre.tv-0002
-rw------- 1 root root 1367751 Oct 21 01:00 nohup.out
-rw-r--r-- 1 root root     740 Jun 17 10:03 README
drwxr-xr-x 2 root root    4096 Oct 21 17:25 v2.conspyre.tv

/etc/letsencrypt/live/conspyre.tv:
total 12
drwxr-xr-x 2 root root 4096 Jul 14 16:51 .
drwx------ 6 root root 4096 Oct 21 15:41 ..
lrwxrwxrwx 1 root root   35 Jul 14 16:51 cert.pem -> ../../archive/conspyre.tv/cert2.pem
lrwxrwxrwx 1 root root   36 Jul 14 16:51 chain.pem -> ../../archive/conspyre.tv/chain2.pem
lrwxrwxrwx 1 root root   40 Jul 14 16:51 fullchain.pem -> ../../archive/conspyre.tv/fullchain2.pem
lrwxrwxrwx 1 root root   38 Jul 14 16:51 privkey.pem -> ../../archive/conspyre.tv/privkey2.pem
-rw-r--r-- 1 root root  692 Jun 20 12:08 README

/etc/letsencrypt/live/conspyre.tv-0001:
total 12
drwxr-xr-x 2 root root 4096 Oct 18 00:09 .
drwx------ 6 root root 4096 Oct 21 15:41 ..
lrwxrwxrwx 1 root root   40 Oct 18 00:09 cert.pem -> ../../archive/conspyre.tv-0001/cert3.pem
lrwxrwxrwx 1 root root   41 Oct 18 00:09 chain.pem -> ../../archive/conspyre.tv-0001/chain3.pem
lrwxrwxrwx 1 root root   45 Oct 18 00:09 fullchain.pem -> ../../archive/conspyre.tv-0001/fullchain3.pem
lrwxrwxrwx 1 root root   43 Oct 18 00:09 privkey.pem -> ../../archive/conspyre.tv-0001/privkey3.pem
-rw-r--r-- 1 root root  692 Jul 14 21:25 README

/etc/letsencrypt/live/conspyre.tv-0002:
total 12
drwxr-xr-x 2 root root 4096 Oct 21 15:41 .
drwx------ 6 root root 4096 Oct 21 15:41 ..
lrwxrwxrwx 1 root root   40 Oct 21 15:41 cert.pem -> ../../archive/conspyre.tv-0002/cert1.pem
lrwxrwxrwx 1 root root   41 Oct 21 15:41 chain.pem -> ../../archive/conspyre.tv-0002/chain1.pem
lrwxrwxrwx 1 root root   45 Oct 21 15:41 fullchain.pem -> ../../archive/conspyre.tv-0002/fullchain1.pem
lrwxrwxrwx 1 root root   43 Oct 21 15:41 privkey.pem -> ../../archive/conspyre.tv-0002/privkey1.pem
-rw-r--r-- 1 root root  692 Oct 21 15:41 README

/etc/letsencrypt/live/v2.conspyre.tv:
total 12
drwxr-xr-x 2 root root 4096 Oct 21 17:25 .
drwx------ 6 root root 4096 Oct 21 15:41 ..
lrwxrwxrwx 1 root root   38 Oct 21 17:25 cert.pem -> ../../archive/v2.conspyre.tv/cert2.pem
lrwxrwxrwx 1 root root   39 Oct 21 17:25 chain.pem -> ../../archive/v2.conspyre.tv/chain2.pem
lrwxrwxrwx 1 root root   43 Oct 21 17:25 fullchain.pem -> ../../archive/v2.conspyre.tv/fullchain2.pem
lrwxrwxrwx 1 root root   41 Oct 21 17:25 privkey.pem -> ../../archive/v2.conspyre.tv/privkey2.pem
-rw-r--r-- 1 root root  692 Jun 17 10:03 README

and

cat /etc/letsencrypt/renewal/conspyre.tv.conf
# renew_before_expiry = 30 days
version = 1.29.0
archive_dir = /etc/letsencrypt/archive/conspyre.tv
cert = /etc/letsencrypt/live/conspyre.tv/cert.pem
privkey = /etc/letsencrypt/live/conspyre.tv/privkey.pem
chain = /etc/letsencrypt/live/conspyre.tv/chain.pem
fullchain = /etc/letsencrypt/live/conspyre.tv/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 3e29488345ce07a2174f903bb4e202f7
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

Thanks. I don't see an issue with the symlinks.

What happens when you try to renew that original cert? Does it error?

sudo certbot renew --cert-name conspyre.tv

This is troubling. It is failing to renew adserver.conspyre.tv.

sudo certbot renew --cert-name conspyre.tv
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/conspyre.tv.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for conspyre.tv and 2 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: adserver.conspyre.tv
  Type:   unauthorized
  Detail: 147.135.112.159: Invalid response from https://adserver.conspyre.tv/.well-known/acme-challenge/fLQ8WO49F02riN2ndxvtQrN_EZzh-f3khR_Xkow7Msc: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate conspyre.tv with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/conspyre.tv/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

However adserver.conspyre.tv is hosted on a different machine. That machine gets its own SSL certificate. This machine should not be getting a certificate for adserver. Checking certbot, I don't see why it should be doing that.

sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: conspyre.info
2: conspyre.tv
3: www.conspyre.info
4: www.conspyre.tv
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

I guess that conspyre.tv-0002 succeeds though?

certbot renew --cert-name conspyre.tv-0002 --dry-run

What's the difference in the .conf file between conspyre.tv-0002 and conspyre.tv?


There shouldn't be much, if any. Certbot failed about two weeks ago because of a Cloudflare routing issue, and after fixing it the cert generated with the -0001 name.

I reconfigured my web server's apps to use the new cert, then realized I needed to renew nginx.

Renewing nginx today created the -0002. My engineer told me today something cryptic "we don't issue a new cert for nginx we reuse the one from apache" - but the instructions he wrote previously have an explicit step to get the nginx cert - and those instructions fail. But this is an aside, I think.
