Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: ./certbot-auto renew --quiet --no-self-upgrade --preferred-challenges tls-sni-01
It produced this output: Success
My web server is (include version): Home Assistant 0.49.1
The operating system my web server runs on is (include version): Raspberry Pi 3 Raspbian not sure of version
My hosting provider, if applicable, is: myself
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Hello, for the last year I have used Let’s Encrypt with my Home Assistant home automation. I have never had a problem with the certificate updating. Mid January I got my email to update, so I opened the ports 80 and 443 and ran the command. It seemed to work but I checked my web page and it didn’t update. I must have done it too many times; I ran ./certbot-auto renew --no-self-upgrade --preferred-challenges tls-sni-01 and saw it fail due to too many tries, so I waited. I tried today with
./certbot-auto renew --no-self-upgrade --preferred-challenges tls-sni-01
and it said Success so I thought all was OK, but it wasn’t. I have tried on 2 different browsers and also 2 other computers that I have never used to log in to the web page.
Run ./certbot-auto certificates in the same directory that you were in when you ran ./certbot-auto renew.
I guess @sahsanu is wondering what it looks like under "normal" conditions. It will tell you what software is listening to what ports directly on your web server (but not anything about port forwarding that might be happening on other devices like a router).
See
Apparently, it refers to a file in .homeassistant subdirectory of your home directory, which is used to configure HomeAssistant's behavior.
No. When you run ./certbot-auto renew --quiet --no-self-upgrade --preferred-challenges tls-sni-01 it starts a web server to provide the challenge to Let's Encrypt and when done it drops it.
So, right now you have your home assistant listening on port 8123 in your Raspberry and you have configured your router to forward packets from port 443 in the WAN interface of your router to port 8123 in your Raspberry. As you are using this command to renew your certs, ./certbot-auto renew --quiet --no-self-upgrade --preferred-challenges tls-sni-01, I'm wondering how it can work. Did you change the forward rules in your router before issuing that command to forward port 443 in your router to port 443 in your Raspberry?
You have issued 7 certificates in the last days so... where are these certificates?:
CRT ID DOMAIN (CN) VALID FROM VALID TO EXPIRES IN SANs
318505201 dee723.duckdns.org 2018-Feb-01 16:44 UTC 2018-May-02 16:44 UTC 88 days dee723.duckdns.org
318468061 dee723.duckdns.org 2018-Feb-01 15:36 UTC 2018-May-02 15:36 UTC 88 days dee723.duckdns.org
313309339 dee723.duckdns.org 2018-Jan-25 21:12 UTC 2018-Apr-25 21:12 UTC 81 days dee723.duckdns.org
313146945 dee723.duckdns.org 2018-Jan-25 16:05 UTC 2018-Apr-25 16:05 UTC 81 days dee723.duckdns.org
313129722 dee723.duckdns.org 2018-Jan-25 15:32 UTC 2018-Apr-25 15:32 UTC 81 days dee723.duckdns.org
313097032 dee723.duckdns.org 2018-Jan-25 14:23 UTC 2018-Apr-25 14:23 UTC 81 days dee723.duckdns.org
313085281 dee723.duckdns.org 2018-Jan-25 13:56 UTC 2018-Apr-25 13:56 UTC 81 days dee723.duckdns.org
Let's try to find them. Please show the entire output of these commands (when pasting the output here in the forum, select the pasted text and press the button which has this icon </> so it will be easier to read the pasted output):
@sahsanu I do have to change the port forwarding when I update the certs. And I get a Success, but I will try it again in a little while and post the output. I have updated the certs for over a year with no problems. I thought I was doing it wrong but didn’t know because I always had --quiet in the string. Thanks
ls -lR /etc/letsencrypt/
/etc/letsencrypt/:
total 28
drwxrwxrwx 3 root root 4096 Jan 5 2017 accounts
drwxrwxrwx 3 root root 4096 Jan 5 2017 archive
drwxrwxrwx 2 root root 4096 Nov 4 20:49 csr
drwxrwxrwx 2 root root 4096 Nov 4 20:49 keys
drwxrwxrwx 3 root root 4096 Jan 5 2017 live
drwxrwxrwx 2 root root 4096 Nov 4 20:49 renewal
drwxr-xr-x 5 root root 4096 Feb 2 23:58 renewal-hooks
/etc/letsencrypt/accounts:
total 4
drwxrwxrwx 3 root root 4096 Jan 5 2017 acme-v01.api.letsencrypt.org
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org:
total 4
drwxrwxrwx 3 root root 4096 Jan 5 2017 directory
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory:
total 4
drwxrwxrwx 2 root root 4096 Jan 5 2017 44d3bbab30e1375a2785e5201fdef808
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/44d3bbab30e1375a2785e5201fdef808:
total 12
-rwxrwxrwx 1 root root 71 Jan 5 2017 meta.json
-rwxrwxrwx 1 root root 1632 Jan 5 2017 private_key.json
-rwxrwxrwx 1 root root 748 Jan 5 2017 regr.json
/etc/letsencrypt/archive:
total 4
drwxrwxrwx 2 root root 4096 Nov 4 20:49 dee723.duckdns.org
/etc/letsencrypt/archive/dee723.duckdns.org:
total 96
-rwxrwxrwx 1 root root 1805 Jan 5 2017 cert1.pem
-rwxrwxrwx 1 root root 1805 Jan 8 2017 cert2.pem
-rwxrwxrwx 1 root root 1805 Apr 3 2017 cert3.pem
-rw-r--r-- 1 root root 1805 Jun 14 2017 cert4.pem
-rw-r--r-- 1 root root 1805 Aug 25 14:59 cert5.pem
-rw-r--r-- 1 root root 1805 Nov 4 20:49 cert6.pem
-rwxrwxrwx 1 root root 1647 Jan 5 2017 chain1.pem
-rwxrwxrwx 1 root root 1647 Jan 8 2017 chain2.pem
-rwxrwxrwx 1 root root 1647 Apr 3 2017 chain3.pem
-rw-r--r-- 1 root root 1647 Jun 14 2017 chain4.pem
-rw-r--r-- 1 root root 1647 Aug 25 14:59 chain5.pem
-rw-r--r-- 1 root root 1647 Nov 4 20:49 chain6.pem
-rwxrwxrwx 1 root root 3452 Jan 5 2017 fullchain1.pem
-rwxrwxrwx 1 root root 3452 Jan 8 2017 fullchain2.pem
-rwxrwxrwx 1 root root 3452 Apr 3 2017 fullchain3.pem
-rw-r--r-- 1 root root 3452 Jun 14 2017 fullchain4.pem
-rw-r--r-- 1 root root 3452 Aug 25 14:59 fullchain5.pem
-rw-r--r-- 1 root root 3452 Nov 4 20:49 fullchain6.pem
-rwxrwxrwx 1 root root 1704 Jan 5 2017 privkey1.pem
-rwxrwxrwx 1 root root 1704 Jan 8 2017 privkey2.pem
-rwxrwxrwx 1 root root 1708 Apr 3 2017 privkey3.pem
-rw-r--r-- 1 root root 1700 Jun 14 2017 privkey4.pem
-rw-r--r-- 1 root root 1704 Aug 25 14:59 privkey5.pem
-rw-r--r-- 1 root root 1704 Nov 4 20:49 privkey6.pem
/etc/letsencrypt/csr:
total 24
-rwxrwxrwx 1 root root 968 Jan 5 2017 0000_csr-certbot.pem
-rwxrwxrwx 1 root root 968 Jan 8 2017 0001_csr-certbot.pem
-rwxrwxrwx 1 root root 968 Apr 3 2017 0002_csr-certbot.pem
-rw-r--r-- 1 root root 968 Jun 14 2017 0003_csr-certbot.pem
-rw-r--r-- 1 root root 968 Aug 25 14:59 0004_csr-certbot.pem
-rw-r--r-- 1 root root 968 Nov 4 20:49 0005_csr-certbot.pem
/etc/letsencrypt/keys:
total 24
-rwxrwxrwx 1 root root 1704 Jan 5 2017 0000_key-certbot.pem
-rwxrwxrwx 1 root root 1704 Jan 8 2017 0001_key-certbot.pem
-rwxrwxrwx 1 root root 1708 Apr 3 2017 0002_key-certbot.pem
-rw------- 1 root root 1700 Jun 14 2017 0003_key-certbot.pem
-rw------- 1 root root 1704 Aug 25 14:59 0004_key-certbot.pem
-rw------- 1 root root 1704 Nov 4 20:49 0005_key-certbot.pem
/etc/letsencrypt/live:
total 4
drwxrwxrwx 2 root root 4096 Nov 4 20:49 dee723.duckdns.org
/etc/letsencrypt/live/dee723.duckdns.org:
total 0
lrwxrwxrwx 1 root root 42 Nov 4 20:49 cert.pem -> ../../archive/dee723.duckdns.org/cert6.pem
lrwxrwxrwx 1 root root 43 Nov 4 20:49 chain.pem -> ../../archive/dee723.duckdns.org/chain6.pem
lrwxrwxrwx 1 root root 47 Nov 4 20:49 fullchain.pem -> ../../archive/dee723.duckdns.org/fullchain6.pem
lrwxrwxrwx 1 root root 45 Nov 4 20:49 privkey.pem -> ../../archive/dee723.duckdns.org/privkey6.pem
/etc/letsencrypt/renewal:
total 4
-rw-r--r-- 1 root root 436 Nov 4 20:49 dee723.duckdns.org.conf
/etc/letsencrypt/renewal-hooks:
total 12
drwxr-xr-x 2 root root 4096 Feb 2 23:58 deploy
drwxr-xr-x 2 root root 4096 Feb 2 23:58 post
drwxr-xr-x 2 root root 4096 Feb 2 23:58 pre
/etc/letsencrypt/renewal-hooks/deploy:
total 0
/etc/letsencrypt/renewal-hooks/post:
total 0
/etc/letsencrypt/renewal-hooks/pre:
total 0
=============== END ===================
cat /etc/letsencrypt/renewal/dee723.duckdns.org.conf
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/dee723.duckdns.org/cert.pem
privkey = /etc/letsencrypt/live/dee723.duckdns.org/privkey.pem
chain = /etc/letsencrypt/live/dee723.duckdns.org/chain.pem
fullchain = /etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = 44d3bbab30e1375a2785e5201fdef808
======================= END ================
pi@raspberrypi:~/letsencrypt $ ./certbot-auto renew --no-self-upgrade --preferred-challenges tls-sni-01
Requesting to rerun ./certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/dee723.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for dee723.duckdns.org
Waiting for verification...
Cleaning up challenges
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem (success)
-------------------------------------------------------------------------------
I can’t see any obvious error in your conf files but it is strange that certbot-auto renew says it issued your cert but it is not writing the new cert and key nor updating the symlink files in the live dir… really strange.
Just a test, change to user root, execute again the renew command and post the output:
sudo su -
cd ~pi/letsencrypt/
./certbot-auto renew --no-self-upgrade --preferred-challenges tls-sni-01
Also, after the renew, let's check whether certbot-auto is modifying the symlinks:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/dee723.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for dee723.duckdns.org
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0006_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0006_csr-certbot.pem
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem
-------------------------------------------------------------------------------
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/dee723.duckdns.org/fullchain.pem (success)
And
ls -l /etc/letsencrypt/live/dee723.duckdns.org/
total 0
lrwxrwxrwx 1 root root 42 Feb 3 12:43 cert.pem -> ../../archive/dee723.duckdns.org/cert7.pem
lrwxrwxrwx 1 root root 43 Feb 3 12:43 chain.pem -> ../../archive/dee723.duckdns.org/chain7.pem
lrwxrwxrwx 1 root root 47 Feb 3 12:43 fullchain.pem -> ../../archive/dee723.duckdns.org/fullchain7.pem
lrwxrwxrwx 1 root root 45 Feb 3 12:43 privkey.pem -> ../../archive/dee723.duckdns.org/privkey7.pem
There is a limit of 5 duplicated certs per 7 days so don’t try again. Anyway, now it seems the cert is saved so no need to renew it again in the near future. Now let's see if your Home Assistant is loading the new cert.
It should show the new cert with new expire date… I hope so ;). If it shows the new cert then the problem is in your Home Assistant configuration, show the output of this command:
With above command I want to see what is the path used in HA for your cert and key, I’m guessing the configuration.yaml file is located here /home/pi/.homeassistant/ but is just a guess…
@sahsanu OK only thing is my Home Assistant is under Home not pi. But got the same output
root@raspberrypi:/home/pi# openssl x509 -in /etc/letsencrypt/live/dee723.duckdns.org/cert.pem -noout -text | grep -E '(DNS:|Before:)'
Not Before: Nov 4 23:49:28 2017 GMT
DNS:dee723.duckdns.org
root@raspberrypi:/home/pi# grep -eri '(ssl_certificate|ssl_key)' /home/pi/.homeassistant/*
grep: (ssl_certificate|ssl_key): No such file or directory
grep: /home/pi/.homeassistant/*: No such file or directory
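The manual checks made in this thread (which certN.pem the live symlinks point at, and the mode bits visible in the ls -lR listing), as an added shell example that is not part of the original posts. The function names and the example.invalid sample tree are constructed for illustration; on a real host the root argument would be /etc/letsencrypt.

```shell
# Added example: audit a certbot lineage. ROOT is normally /etc/letsencrypt.
# Version N that live/<domain>/<name>.pem currently points at.
live_version() {
    target=$(readlink "$1/live/$2/$3.pem") || return 1
    printf '%s\n' "$target" | sed -n 's/.*[^0-9]\([0-9][0-9]*\)\.pem$/\1/p'
}

# Highest N for which archive/<domain>/certN.pem exists.
newest_archive_version() {
    ls "$1/archive/$2" | sed -n 's/^cert\([0-9][0-9]*\)\.pem$/\1/p' | sort -n | tail -n 1
}

# Private key files that group or others can read.
exposed_keys() {
    find "$1/archive/$2" -type f -name 'privkey*.pem' \( -perm -040 -o -perm -004 \) | sort
}

# Returns 0 only if every live symlink points at the newest archive version and no key is exposed.
check_lineage() {
    root=$1; domain=$2; status=0
    newest=$(newest_archive_version "$root" "$domain")
    for name in cert chain fullchain privkey; do
        v=$(live_version "$root" "$domain" "$name") || v=
        if [ -z "$v" ] || [ "$v" != "$newest" ]; then
            echo "STALE: live/$domain/$name.pem -> ${v:-?}, newest archived is ${newest:-?}"
            status=1
        fi
    done
    for key in $(exposed_keys "$root" "$domain"); do   # assumes no spaces in paths
        echo "EXPOSED: $key is readable by group or others"
        status=1
    done
    return "$status"
}

# Constructed sample tree mirroring the thread's layout (placeholder files, no real keys).
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/archive/$1" "$d/live/$1" || return 1
    for f in cert chain fullchain privkey; do
        for n in 6 7; do
            echo placeholder > "$d/archive/$1/$f$n.pem" && chmod 600 "$d/archive/$1/$f$n.pem"
        done
        ln -s "../../archive/$1/${f}6.pem" "$d/live/$1/$f.pem"
    done
    echo "$d"
}
sample=$(make_sample example.invalid)
check_lineage "$sample" example.invalid || echo "findings reported above"
rm -rf "$sample"
```

This only inspects files on disk; whether the running server has loaded the new certificate still has to be checked against what it actually serves.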