Certificate Renewal Not Updating on webpage

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://dee723.duckdns.org

I ran this command: ./certbot-auto renew --quiet --no-self-upgrade --preferred-challenges tls-sni-01

It produced this output: Success

My web server is (include version): Home Assistant 0.49.1

The operating system my web server runs on is (include version): Raspberry Pi 3 Raspbian not sure of version

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hello, for the last year I have used Let's Encrypt with my Home Assistant home automation and I have never had a problem with the certificate updating. Mid January I got my email to update, so I opened ports 80 and 443 and ran the command. It seemed to work, but I checked my web page and it didn't update. I must have done it too many times: I ran ./certbot-auto renew --no-self-upgrade --preferred-challenges tls-sni-01 and saw it fail due to too many tries, so I waited. I tried today with
./certbot-auto renew --no-self-upgrade --preferred-challenges tls-sni-01
and it said Success, so I thought all was OK, but it wasn't. I have tried on 2 different browsers and also on 2 other computers that I have never used to log in to the web page.

Thank you

Hi @Dee,

Did you restart your Home Assistant?

@sahsanu yes I did restart

Could you please show the output of these commands (as root)?

certbot-auto certificates

netstat -ptan | grep LISTEN

And what are the values of the ssl_certificate and ssl_key directives in your configuration.yaml file?

@sahsanu OK, I'm a little new to all this so I need a little help.

  1. not sure how to get the certbot-auto certificates output
  2. when I check netstat -ptan | grep LISTEN, do I need to have ports 80 and 443 forwarded?
  3. not sure what you mean by the values of ssl_certificate and ssl_key
    maybe this /etc/letsencrypt/…/…/…etc.

Run ./certbot-auto certificates in the same directory that you were in when you ran ./certbot-auto renew.

I guess @sahsanu is wondering what it looks like under "normal" conditions. It will tell you what software is listening to what ports directly on your web server (but not anything about port forwarding that might be happening on other devices like a router).

Apparently, it refers to a file in .homeassistant subdirectory of your home directory, which is used to configure HomeAssistant's behavior.


Thank you @schoen, those were exactly the reasons :wink:

OK, sorry about that. I just found what the problem may be: when I ran
netstat -ptan | grep LISTEN
I got this

root@raspberrypi:/home/pi/letsencrypt# netstat -ptan | grep LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 774/smbd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 717/sshd
tcp 0 0 0.0.0.0:8123 0.0.0.0:* LISTEN 718/python3
tcp 0 0 0.0.0.0:1883 0.0.0.0:* LISTEN 728/mosquitto
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 774/smbd
tcp6 0 0 :::139 :::* LISTEN 774/smbd
tcp6 0 0 :::22 :::* LISTEN 717/sshd
tcp6 0 0 :::1883 :::* LISTEN 728/mosquitto
tcp6 0 0 :::445 :::* LISTEN 774/smbd

Shouldn't there be a :443?

Also, ./certbot-auto certificates returned
Found the following certs:
Certificate Name: dee723.duckdns.org
Domains: dee723.duckdns.org
Expiry Date: 2018-02-02 23:49:28+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dee723.duckdns.org/privkey.pem

Hi @Dee,

No. When you run ./certbot-auto renew --quiet --no-self-upgrade --preferred-challenges tls-sni-01 it starts a web server to provide the challenge to Let's Encrypt and, when done, it drops it.

So, right now you have Home Assistant listening on port 8123 on your Raspberry, and you have configured your router to forward packets from port 443 on the WAN interface of your router to port 8123 on your Raspberry. As you are using this command to renew your certs, ./certbot-auto renew --quiet --no-self-upgrade --preferred-challenges tls-sni-01, I'm wondering how it can work: did you change the forwarding rules in your router before issuing that command, to forward port 443 on your router to port 443 on your Raspberry?

You have issued 7 certificates in the last few days, so... where are these certificates?

CRT ID     DOMAIN (CN)         VALID FROM             VALID TO               EXPIRES IN  SANs
318505201  dee723.duckdns.org  2018-Feb-01 16:44 UTC  2018-May-02 16:44 UTC  88 days     dee723.duckdns.org
318468061  dee723.duckdns.org  2018-Feb-01 15:36 UTC  2018-May-02 15:36 UTC  88 days     dee723.duckdns.org
313309339  dee723.duckdns.org  2018-Jan-25 21:12 UTC  2018-Apr-25 21:12 UTC  81 days     dee723.duckdns.org
313146945  dee723.duckdns.org  2018-Jan-25 16:05 UTC  2018-Apr-25 16:05 UTC  81 days     dee723.duckdns.org
313129722  dee723.duckdns.org  2018-Jan-25 15:32 UTC  2018-Apr-25 15:32 UTC  81 days     dee723.duckdns.org
313097032  dee723.duckdns.org  2018-Jan-25 14:23 UTC  2018-Apr-25 14:23 UTC  81 days     dee723.duckdns.org
313085281  dee723.duckdns.org  2018-Jan-25 13:56 UTC  2018-Apr-25 13:56 UTC  81 days     dee723.duckdns.org

Let's try to find them. Please show the entire output of these commands (when pasting the output here in the forum, select the pasted text and press the button which has this icon </>; it will be easier to read the pasted output):

ls -lR /etc/letsencrypt/

cat /etc/letsencrypt/renewal/dee723.duckdns.org.conf

And if you can, try to renew your cert but this time remove the --quiet parameter and show us the output too:

./certbot-auto renew --no-self-upgrade --preferred-challenges tls-sni-01

Cheers,
sahsanu

@sahsanu I do have to change the port forwarding when I update the certs. And I get a Success, but I will try it again in a little while and post the output. I have updated the certs for over a year with no problems. I thought I was doing it wrong but didn't know, because I always had --quiet in the string. Thanks


@sahsanu OK here are the outputs

 ls -lR /etc/letsencrypt/

/etc/letsencrypt/:
total 28
drwxrwxrwx 3 root root 4096 Jan  5  2017 accounts
drwxrwxrwx 3 root root 4096 Jan  5  2017 archive
drwxrwxrwx 2 root root 4096 Nov  4 20:49 csr
drwxrwxrwx 2 root root 4096 Nov  4 20:49 keys
drwxrwxrwx 3 root root 4096 Jan  5  2017 live
drwxrwxrwx 2 root root 4096 Nov  4 20:49 renewal
drwxr-xr-x 5 root root 4096 Feb  2 23:58 renewal-hooks

/etc/letsencrypt/accounts:
total 4
drwxrwxrwx 3 root root 4096 Jan  5  2017 acme-v01.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org:
total 4
drwxrwxrwx 3 root root 4096 Jan  5  2017 directory

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory:
total 4
drwxrwxrwx 2 root root 4096 Jan  5  2017 44d3bbab30e1375a2785e5201fdef808

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/44d3bbab30e1375a2785e5201fdef808:
total 12
-rwxrwxrwx 1 root root   71 Jan  5  2017 meta.json
-rwxrwxrwx 1 root root 1632 Jan  5  2017 private_key.json
-rwxrwxrwx 1 root root  748 Jan  5  2017 regr.json

/etc/letsencrypt/archive:
total 4
drwxrwxrwx 2 root root 4096 Nov  4 20:49 dee723.duckdns.org

/etc/letsencrypt/archive/dee723.duckdns.org:
total 96
-rwxrwxrwx 1 root root 1805 Jan  5  2017 cert1.pem
-rwxrwxrwx 1 root root 1805 Jan  8  2017 cert2.pem
-rwxrwxrwx 1 root root 1805 Apr  3  2017 cert3.pem
-rw-r--r-- 1 root root 1805 Jun 14  2017 cert4.pem
-rw-r--r-- 1 root root 1805 Aug 25 14:59 cert5.pem
-rw-r--r-- 1 root root 1805 Nov  4 20:49 cert6.pem
-rwxrwxrwx 1 root root 1647 Jan  5  2017 chain1.pem
-rwxrwxrwx 1 root root 1647 Jan  8  2017 chain2.pem
-rwxrwxrwx 1 root root 1647 Apr  3  2017 chain3.pem
-rw-r--r-- 1 root root 1647 Jun 14  2017 chain4.pem
-rw-r--r-- 1 root root 1647 Aug 25 14:59 chain5.pem
-rw-r--r-- 1 root root 1647 Nov  4 20:49 chain6.pem
-rwxrwxrwx 1 root root 3452 Jan  5  2017 fullchain1.pem
-rwxrwxrwx 1 root root 3452 Jan  8  2017 fullchain2.pem
-rwxrwxrwx 1 root root 3452 Apr  3  2017 fullchain3.pem
-rw-r--r-- 1 root root 3452 Jun 14  2017 fullchain4.pem
-rw-r--r-- 1 root root 3452 Aug 25 14:59 fullchain5.pem
-rw-r--r-- 1 root root 3452 Nov  4 20:49 fullchain6.pem
-rwxrwxrwx 1 root root 1704 Jan  5  2017 privkey1.pem
-rwxrwxrwx 1 root root 1704 Jan  8  2017 privkey2.pem
-rwxrwxrwx 1 root root 1708 Apr  3  2017 privkey3.pem
-rw-r--r-- 1 root root 1700 Jun 14  2017 privkey4.pem
-rw-r--r-- 1 root root 1704 Aug 25 14:59 privkey5.pem
-rw-r--r-- 1 root root 1704 Nov  4 20:49 privkey6.pem

/etc/letsencrypt/csr:
total 24
-rwxrwxrwx 1 root root 968 Jan  5  2017 0000_csr-certbot.pem
-rwxrwxrwx 1 root root 968 Jan  8  2017 0001_csr-certbot.pem
-rwxrwxrwx 1 root root 968 Apr  3  2017 0002_csr-certbot.pem
-rw-r--r-- 1 root root 968 Jun 14  2017 0003_csr-certbot.pem
-rw-r--r-- 1 root root 968 Aug 25 14:59 0004_csr-certbot.pem
-rw-r--r-- 1 root root 968 Nov  4 20:49 0005_csr-certbot.pem

/etc/letsencrypt/keys:
total 24
-rwxrwxrwx 1 root root 1704 Jan  5  2017 0000_key-certbot.pem
-rwxrwxrwx 1 root root 1704 Jan  8  2017 0001_key-certbot.pem
-rwxrwxrwx 1 root root 1708 Apr  3  2017 0002_key-certbot.pem
-rw------- 1 root root 1700 Jun 14  2017 0003_key-certbot.pem
-rw------- 1 root root 1704 Aug 25 14:59 0004_key-certbot.pem
-rw------- 1 root root 1704 Nov  4 20:49 0005_key-certbot.pem

/etc/letsencrypt/live:
total 4
drwxrwxrwx 2 root root 4096 Nov  4 20:49 dee723.duckdns.org

/etc/letsencrypt/live/dee723.duckdns.org:
total 0
lrwxrwxrwx 1 root root 42 Nov  4 20:49 cert.pem -> ../../archive/dee723.duckdns.org/cert6.pem
lrwxrwxrwx 1 root root 43 Nov  4 20:49 chain.pem -> ../../archive/dee723.duckdns.org/chain6.pem
lrwxrwxrwx 1 root root 47 Nov  4 20:49 fullchain.pem -> ../../archive/dee723.duckdns.org/fullchain6.pem
lrwxrwxrwx 1 root root 45 Nov  4 20:49 privkey.pem -> ../../archive/dee723.duckdns.org/privkey6.pem

/etc/letsencrypt/renewal:
total 4
-rw-r--r-- 1 root root 436 Nov  4 20:49 dee723.duckdns.org.conf

/etc/letsencrypt/renewal-hooks:
total 12
drwxr-xr-x 2 root root 4096 Feb  2 23:58 deploy
drwxr-xr-x 2 root root 4096 Feb  2 23:58 post
drwxr-xr-x 2 root root 4096 Feb  2 23:58 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 0

/etc/letsencrypt/renewal-hooks/post:
total 0

/etc/letsencrypt/renewal-hooks/pre:
total 0

=============== END ===================

 cat /etc/letsencrypt/renewal/dee723.duckdns.org.conf
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/dee723.duckdns.org/cert.pem
privkey = /etc/letsencrypt/live/dee723.duckdns.org/privkey.pem
chain = /etc/letsencrypt/live/dee723.duckdns.org/chain.pem
fullchain = /etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = 44d3bbab30e1375a2785e5201fdef808

======================= END ================

pi@raspberrypi:~/letsencrypt $ ./certbot-auto renew --no-self-upgrade --preferred-challenges tls-sni-01
Requesting to rerun ./certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/dee723.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for dee723.duckdns.org
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem (success)
-------------------------------------------------------------------------------

======================== END ==================

OK, I hope that helps. Thanks

Hi @Dee,

I can't see any obvious error in your conf files, but it is strange that certbot-auto renew says it issued your cert but it is not writing the new cert and key nor updating the symlink files in the live dir... really strange.

Just a test, change to user root, execute again the renew command and post the output:

sudo su -
cd ~pi/letsencrypt/
./certbot-auto renew --no-self-upgrade --preferred-challenges tls-sni-01

Also, after the renew, let's check whether certbot-auto is modifying the symlinks:

ls -l /etc/letsencrypt/live/dee723.duckdns.org/

As I said, it is really strange.

Cheers,
sahsanu

@sahsanu OK

 -------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/dee723.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for dee723.duckdns.org
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem
-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem (success)

And

     ls -l /etc/letsencrypt/live/dee723.duckdns.org/

total 0
lrwxrwxrwx 1 root root 42 Feb 3 12:43 cert.pem -> ../../archive/dee723.duckdns.org/cert7.pem
lrwxrwxrwx 1 root root 43 Feb 3 12:43 chain.pem -> ../../archive/dee723.duckdns.org/chain7.pem
lrwxrwxrwx 1 root root 47 Feb 3 12:43 fullchain.pem -> ../../archive/dee723.duckdns.org/fullchain7.pem
lrwxrwxrwx 1 root root 45 Feb 3 12:43 privkey.pem -> ../../archive/dee723.duckdns.org/privkey7.pem

@sahsanu How many times a day can I try to renew before it fails (tried too many times), and how long do I have to wait to try again?

That is really good, now the certs are finally saved. Could you please restart your Home Assistant?

There is a limit of 5 duplicate certs per 7 days, so don't try again; anyway, now it seems the cert is saved, so there is no need to renew it again in the near future. Now let's see if your Home Assistant is loading the new cert.

@sahsanu No, still the same; my certs expired yesterday. I tried restarting HA and the RPi. Could something be blocking them from seeing they're updated?

Show me the output of this command (as root):

openssl x509 -in /etc/letsencrypt/live/dee723.duckdns.org/cert.pem -noout -text | grep -E '(DNS:|Before:)'

It should show the new cert with the new expiry date... I hope so ;). If it shows the new cert then the problem is in your Home Assistant configuration; show the output of this command:

grep -Eri '(ssl_certificate|ssl_key)' /home/pi/.homeassistant/*

With the above command I want to see what path HA uses for your cert and key. I'm guessing the configuration.yaml file is located at /home/pi/.homeassistant/, but that's just a guess...
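The two checks sahsanu is walking through (are the live/ symlinks really pointing at the newest archive files, and is the certificate Home Assistant serves the one on disk) can be scripted. The following is an added example, not code from the thread or from certbot; it assumes the standard certbot layout under /etc/letsencrypt, that openssl is installed, and that Home Assistant listens on 8123 (the port seen in the netstat output above). The lineage name and host default to the ones in this thread and can be overridden on the command line.

```shell
#!/bin/sh
# Added diagnostic for a certbot lineage (not from the thread or from certbot):
#  1. check that every live/ symlink resolves to the newest archive file,
#  2. print the validity window of the live cert and fail if it is expired,
#  3. compare the cert a server presents with the cert on disk.
# Assumptions: certbot's default /etc/letsencrypt layout, openssl on PATH,
# Home Assistant on port 8123 (from the netstat output in this thread).

# Highest archive number for a file prefix (cert, chain, fullchain, privkey).
newest_archive_number() {
    archive_dir="$1"; prefix="$2"
    ls "$archive_dir"/"$prefix"*.pem 2>/dev/null \
        | sed -E "s#.*/$prefix([0-9]+)\.pem#\1#" | sort -n | tail -n 1
}

# Return 0 if every live/ symlink points at the newest archive file,
# 1 (and a STALE line per file) otherwise.
live_links_current() {
    lineage_dir="$1"   # e.g. /etc/letsencrypt/live/dee723.duckdns.org
    archive_dir="$2"   # e.g. /etc/letsencrypt/archive/dee723.duckdns.org
    status=0
    for name in cert chain fullchain privkey; do
        want="$(newest_archive_number "$archive_dir" "$name")"
        target="$(readlink "$lineage_dir/$name.pem" || true)"
        have="$(printf '%s' "$target" | sed -E "s#.*/$name([0-9]+)\.pem#\1#")"
        if [ -z "$want" ] || [ "$have" != "$want" ]; then
            echo "STALE: $name.pem -> $target (newest archive file is $name$want.pem)"
            status=1
        fi
    done
    return $status
}

# Print notBefore/notAfter of a cert file; return 1 if it is already expired.
cert_validity() {
    openssl x509 -in "$1" -noout -dates || return 1
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf cert a TLS server presents on host:port.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 only if the served cert is byte-identical to the one on disk.
served_matches_disk() {
    host="$1"; port="$2"; cert_file="$3"
    disk="$(file_fingerprint "$cert_file")"
    live="$(served_fingerprint "$host" "$port" || true)"
    [ -n "$live" ] && [ "$disk" = "$live" ]
}

main() {
    host="${1:-dee723.duckdns.org}"; port="${2:-8123}"; name="${3:-$host}"
    live="/etc/letsencrypt/live/$name"; archive="/etc/letsencrypt/archive/$name"
    live_links_current "$live" "$archive" && echo "live/ symlinks are current"
    cert_validity "$live/cert.pem" && echo "live cert is within its validity window"
    if served_matches_disk "$host" "$port" "$live/cert.pem"; then
        echo "server at $host:$port presents the live cert"
    else
        echo "server at $host:$port presents a DIFFERENT cert: reload the service or check its cert path"
    fi
}

# Only run the checks when invoked with arguments, e.g.:
#   sh check-lineage.sh dee723.duckdns.org 8123
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it from inside the LAN against the Pi's own address and port 8123, and again from outside against port 443, since the router forwarding means the two can differ. A STALE line is the situation sahsanu suspected above (renewal wrote a new archive file but live/ kept pointing at the old one); a fingerprint mismatch with current symlinks means the service is still holding the old cert in memory or reading a copy from another path.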

@sahsanu OK, the only thing is my Home Assistant is under /home, not pi. But I got the same output.

root@raspberrypi:/home/pi# openssl x509 -in /etc/letsencrypt/live/dee723.duckdns.org/cert.pem -noout -text | grep -E '(DNS:|Before:)'
            Not Before: Nov  4 23:49:28 2017 GMT
                DNS:dee723.duckdns.org



root@raspberrypi:/home/pi# grep -eri '(ssl_certificate|ssl_key)' /home/pi/.homeassistant/*
grep: (ssl_certificate|ssl_key): No such file or directory
grep: /home/pi/.homeassistant/*: No such file or directory

I can't believe it :frowning:

certbot created the certs in your /etc/letsencrypt/ ... or so it seems... show the output of

ls -l /etc/letsencrypt/archive/dee723.duckdns.org/

If your Home Assistant is in a directory other than /home/pi/.homeassistant/, change it in the command; if it is in /home/.homeassistant/ then:

grep -Eri '(ssl_certificate|ssl_key)' /home/.homeassistant/*

But honestly I'm running out of ideas...