Certificate renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
certbot renew
It produced this output:
Processing /etc/letsencrypt/renewal/kreator2.ch.conf
My web server is (include version):
Server version: Apache/2.4.56 (Debian)

The operating system my web server runs on is (include version):
Debian GNU/Linux 11 (bullseye)
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.12.0
The issue:
I received an email from you: Let's Encrypt certificate expiration notice for domain "kreator.ch" (and 1 more)
However running certbot I get (see above)

Processing /etc/letsencrypt/renewal/kreator2.ch.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

It mentions kreator2.ch while I'd like to renew the certificate for kreator.ch


Where did the certificate for kreator.ch go then? :man_shrugging:t2:

Please show the output of sudo certbot certificates


The cerificate for kreator.ch has been transfered from to the server related to this domain name on IP
In /etc/letsencrypt/live I have 2 folders: kreator.ch and kreator2.ch, the latter used for an another domain.
However in /etc/letsencrypt/renewal I have only kreator2.ch.conf

I just moved //etc/letsencrypt/renewal/kreator.ch.conf to the new server.
Here its content:

# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/kreator.ch
cert = /etc/letsencrypt/live/kreator.ch/cert.pem
privkey = /etc/letsencrypt/live/kreator.ch/privkey.pem
chain = /etc/letsencrypt/live/kreator.ch/chain.pem
fullchain = /etc/letsencrypt/live/kreator.ch/fullchain.pem

# Options used in the renewal process
account = fcf5514765aa25d428e161ffbef0c64a
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

Running certbot renew I now get the following message:

The following certificates could not be renewed:
  /etc/letsencrypt/live/kreator.ch/fullchain.pem (failure)

However this file exists:
fullchain.pem -> /etc/letsencrypt/archive/kreator.ch/fullchain10.pem

Please show the entire output.

1 Like

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/kreator.ch.conf

Attempting to parse the version 2.6.0 renewal configuration file found at /etc/letsencrypt/renewal/kreator.ch.conf with version 1.12.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Failed to renew certificate kreator.ch with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/fcf5514765aa25d428e161ffbef0c64a does not exist

Processing /etc/letsencrypt/renewal/kreator2.ch.conf

Cert not yet due for renewal

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/kreator2.ch/fullchain.pem expires on 2024-01-08 (skipped)
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/kreator.ch/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

I'm not 100 % sure, but it looks like you didn't migrate the account(s) over?

Or there's something wrong with the old v01 account which cannot be found on the current, v02 production server.

1 Like

So what's the solution ?
Can I regenerate the certificate from scrtach ?

You could try to comment out the:

account = fcf5514765aa25d428e161ffbef0c64a

part of the renewal configuration file, i.e., change it to:

#account = fcf5514765aa25d428e161ffbef0c64a

And see if Certbot picks up the 'default' account for the renewal.

Assuming you don't need fancy stuff like the ECDSA-only white-list, which is bound to accounts.

1 Like

With account commented ->
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/kreator.ch.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/kreator2.ch.conf

Cert not yet due for renewal

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/kreator.ch/fullchain.pem expires on 2024-02-05 (skipped)
/etc/letsencrypt/live/kreator2.ch/fullchain.pem expires on 2024-01-08 (skipped)
No renewals were attempted.

Which is not correct.
The certificate for kreator.ch is valid until: lundi 27 novembre 2023 à 09:13:44

According to what? Certbot seems to have a renewed certificate.

Also, the webserver at kreator.ch is sending the certificate which is valid till Feb 5 11:03:38 2024 GMT.


Try clearing the browsers cache. My webbrowser sees the renewed certificate.

You can also directly see the certificates served with commands like openssl s_client -connect kreator.ch:443 | openssl x509 -noout -text

1 Like

You are right.
It takes a while for the certifcate to be refreshed in browser.
Issue closed.
Just for my understanding:
What of is the version = 2.6.0 indicated in /etc/letsencrypt/renewal/kreator.ch.conf ?
My certbot version is certbot 2.7.4

1 Like

It's the Certbot version that generated the renewal configuration file. If somehow the Certbot version was downgraded beyond the version listed in the renewal configuration file (i.e.: the current Certbot version would be LOWER than the one in the renewal file), there could be problems with compatibility. E.g., version 1.5.0 has introduced a fancy feature requiring a specific option in the renewal configuration file and if somehow Certbot was downgraded to 1.4.0, that older version wouldn't understand the later introduced renewal configuration file option. Which could lead to problems with your cert.
TL;DR: it's just there to warn the user if somehow Certbots version was downgraded.


Shall I do something ?
Or I leave like it is ?

With regard to the "version = 2.6.0"? You can leave that just as it is.


Did you also move the corresponding /live/ and /archive/ files?


Yes I did as mentioned previously.
I only missed bringing kreator.conf.ch to /etc/letsencrypt/renewal
By the way the issue has been solved in the meantime.
Thanks anyway

1 Like