Certificate renewal

UbikMZ · November 7, 2023, 10:36am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
kreator.ch
I ran this command:
certbot renew
It produced this output:
Processing /etc/letsencrypt/renewal/kreator2.ch.conf
My web server is (include version):
Server version: Apache/2.4.56 (Debian)

The operating system my web server runs on is (include version):
Debian GNU/Linux 11 (bullseye)
My hosting provider, if applicable, is:
Hostinger
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.12.0
The issue:
========
I received an email from you: Let's Encrypt certificate expiration notice for domain "kreator.ch" (and 1 more)
However running certbot I get (see above)

Processing /etc/letsencrypt/renewal/kreator2.ch.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
-------

It mentions kreator2.ch while I'd like to renew the certificate for kreator.ch

Regards

Osiris · November 7, 2023, 10:41am

Where did the certificate for kreator.ch go then?

Please show the output of sudo certbot certificates

UbikMZ · November 7, 2023, 10:50am

The cerificate for kreator.ch has been transfered from to the server related to this domain name on IP 193.203.191.198.
In /etc/letsencrypt/live I have 2 folders: kreator.ch and kreator2.ch, the latter used for an another domain.
However in /etc/letsencrypt/renewal I have only kreator2.ch.conf
Regards

UbikMZ · November 7, 2023, 11:22am

I just moved //etc/letsencrypt/renewal/kreator.ch.conf to the new server.
Here its content:
-----------------------------------

# renew_before_expiry = 30 days
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/kreator.ch
cert = /etc/letsencrypt/live/kreator.ch/cert.pem
privkey = /etc/letsencrypt/live/kreator.ch/privkey.pem
chain = /etc/letsencrypt/live/kreator.ch/chain.pem
fullchain = /etc/letsencrypt/live/kreator.ch/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fcf5514765aa25d428e161ffbef0c64a
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
---------------------------------------

Running certbot renew I now get the following message:

The following certificates could not be renewed:
  /etc/letsencrypt/live/kreator.ch/fullchain.pem (failure)

However this file exists:
fullchain.pem -> /etc/letsencrypt/archive/kreator.ch/fullchain10.pem

Osiris · November 7, 2023, 11:40am

Please show the entire output.

UbikMZ · November 7, 2023, 11:42am

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/kreator.ch.conf

Attempting to parse the version 2.6.0 renewal configuration file found at /etc/letsencrypt/renewal/kreator.ch.conf with version 1.12.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Failed to renew certificate kreator.ch with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/fcf5514765aa25d428e161ffbef0c64a does not exist

Processing /etc/letsencrypt/renewal/kreator2.ch.conf

Cert not yet due for renewal

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/kreator2.ch/fullchain.pem expires on 2024-01-08 (skipped)
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/kreator.ch/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

Osiris · November 7, 2023, 11:44am

I'm not 100 % sure, but it looks like you didn't migrate the account(s) over?

Or there's something wrong with the old v01 account which cannot be found on the current, v02 production server.

UbikMZ · November 7, 2023, 11:46am

So what's the solution ?
Can I regenerate the certificate from scrtach ?

Osiris · November 7, 2023, 12:00pm

You could try to comment out the:

account = fcf5514765aa25d428e161ffbef0c64a

part of the renewal configuration file, i.e., change it to:

#account = fcf5514765aa25d428e161ffbef0c64a

And see if Certbot picks up the 'default' account for the renewal.

Assuming you don't need fancy stuff like the ECDSA-only white-list, which is bound to accounts.

UbikMZ · November 7, 2023, 12:06pm

With account commented ->
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/kreator.ch.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/kreator2.ch.conf

Cert not yet due for renewal

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/kreator.ch/fullchain.pem expires on 2024-02-05 (skipped)
/etc/letsencrypt/live/kreator2.ch/fullchain.pem expires on 2024-01-08 (skipped)
No renewals were attempted.

UbikMZ · November 7, 2023, 12:08pm

Which is not correct.
The certificate for kreator.ch is valid until: lundi 27 novembre 2023 à 09:13:44

Osiris · November 7, 2023, 12:24pm

According to what? Certbot seems to have a renewed certificate.

Also, the webserver at kreator.ch is sending the certificate which is valid till Feb 5 11:03:38 2024 GMT.

UbikMZ · November 7, 2023, 12:28pm

Osiris · November 7, 2023, 12:30pm

Try clearing the browsers cache. My webbrowser sees the renewed certificate.

You can also directly see the certificates served with commands like openssl s_client -connect kreator.ch:443 | openssl x509 -noout -text

UbikMZ · November 7, 2023, 12:38pm

You are right.
It takes a while for the certifcate to be refreshed in browser.
Issue closed.
Thanks
Just for my understanding:
What of is the version = 2.6.0 indicated in /etc/letsencrypt/renewal/kreator.ch.conf ?
My certbot version is certbot 2.7.4

Osiris · November 7, 2023, 12:42pm

It's the Certbot version that generated the renewal configuration file. If somehow the Certbot version was downgraded beyond the version listed in the renewal configuration file (i.e.: the current Certbot version would be LOWER than the one in the renewal file), there could be problems with compatibility. E.g., version 1.5.0 has introduced a fancy feature requiring a specific option in the renewal configuration file and if somehow Certbot was downgraded to 1.4.0, that older version wouldn't understand the later introduced renewal configuration file option. Which could lead to problems with your cert.
TL;DR: it's just there to warn the user if somehow Certbots version was downgraded.

UbikMZ · November 7, 2023, 1:08pm

Shall I do something ?
Or I leave like it is ?

Osiris · November 7, 2023, 1:11pm

With regard to the "version = 2.6.0"? You can leave that just as it is.

rg305 · November 7, 2023, 4:21pm

Did you also move the corresponding /live/ and /archive/ files?

UbikMZ · November 7, 2023, 8:27pm

Yes I did as mentioned previously.
I only missed bringing kreator.conf.ch to /etc/letsencrypt/renewal
By the way the issue has been solved in the meantime.
Thanks anyway