Certs no longer renewing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:edgepay.io

I ran this command:

It produced this output:

My web server is (include version):
Bitnami Drupal 8.5.6-0
The operating system my web server runs on is (include version):
Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1072-aws x86_64)
My hosting provider, if applicable, is: Amazon Web services
I can login to a root shell on my machine (yes or no, or I don’t know):Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

So for about a year the Let’s Encrypt service has been working to renew our certificates.
Now, however, it can no longer renew our certificates. The last time was 09/05/2019.
No error messages.

Hi @wmaclean,

There might be error messages in the log files in /var/log/letsencrypt.

Alternatively, could you show the output of these commands?

sudo certbot certificates

sudo certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log

No certs found.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

No renewals were attempted.

bitnami@ip-172-26-6-188:~$ sudo cat /var/log/letsencrypt/letsencrypt.log
2019-11-10 11:16:59,703:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-10 11:16:59,704:DEBUG:certbot.main:Arguments: ['-q']
2019-11-10 11:16:59,705:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-10 11:16:59,723:DEBUG:certbot.log:Root logging level set at 30
2019-11-10 11:16:59,724:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-10 11:16:59,728:DEBUG:certbot.renewal:no renewal failures
2019-11-10 15:21:59,589:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-10 15:21:59,590:DEBUG:certbot.main:Arguments: ['-q']
2019-11-10 15:21:59,590:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-10 15:21:59,600:DEBUG:certbot.log:Root logging level set at 30
2019-11-10 15:21:59,601:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-10 15:21:59,602:DEBUG:certbot.renewal:no renewal failures
2019-11-11 10:48:19,973:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-11 10:48:19,973:DEBUG:certbot.main:Arguments: ['-q']
2019-11-11 10:48:19,974:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-11 10:48:19,984:DEBUG:certbot.log:Root logging level set at 30
2019-11-11 10:48:19,985:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-11 10:48:19,986:DEBUG:certbot.renewal:no renewal failures
2019-11-11 17:46:59,568:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-11 17:46:59,569:DEBUG:certbot.main:Arguments: ['-q']
2019-11-11 17:46:59,570:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-11 17:46:59,580:DEBUG:certbot.log:Root logging level set at 30
2019-11-11 17:46:59,580:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-11 17:46:59,581:DEBUG:certbot.renewal:no renewal failures
2019-11-12 08:02:59,776:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-12 08:02:59,777:DEBUG:certbot.main:Arguments: ['-q']
2019-11-12 08:02:59,777:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-12 08:02:59,790:DEBUG:certbot.log:Root logging level set at 30
2019-11-12 08:02:59,791:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-12 08:02:59,794:DEBUG:certbot.renewal:no renewal failures
2019-11-12 23:03:59,624:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-12 23:03:59,625:DEBUG:certbot.main:Arguments: ['-q']
2019-11-12 23:03:59,626:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-12 23:03:59,636:DEBUG:certbot.log:Root logging level set at 30
2019-11-12 23:03:59,637:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-12 23:03:59,639:DEBUG:certbot.renewal:no renewal failures
2019-11-13 09:22:59,848:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-13 09:22:59,849:DEBUG:certbot.main:Arguments: ['-q']
2019-11-13 09:22:59,849:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-13 09:22:59,866:DEBUG:certbot.log:Root logging level set at 30
2019-11-13 09:22:59,866:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-13 09:22:59,873:DEBUG:certbot.renewal:no renewal failures
2019-11-13 22:54:19,851:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-13 22:54:19,852:DEBUG:certbot.main:Arguments: ['-q']
2019-11-13 22:54:19,852:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-13 22:54:19,862:DEBUG:certbot.log:Root logging level set at 30
2019-11-13 22:54:19,863:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-13 22:54:19,863:DEBUG:certbot.renewal:no renewal failures
2019-11-14 00:47:59,298:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-14 00:47:59,299:DEBUG:certbot.main:Arguments: ['-q']
2019-11-14 00:47:59,300:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-14 00:47:59,309:DEBUG:certbot.log:Root logging level set at 30
2019-11-14 00:47:59,310:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-14 00:47:59,311:DEBUG:certbot.renewal:no renewal failures
2019-11-14 14:13:39,222:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-14 14:13:39,223:DEBUG:certbot.main:Arguments: ['-q']
2019-11-14 14:13:39,223:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-14 14:13:39,234:DEBUG:certbot.log:Root logging level set at 30
2019-11-14 14:13:39,235:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-14 14:13:39,240:DEBUG:certbot.renewal:no renewal failures
2019-11-15 07:39:59,880:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-15 07:39:59,881:DEBUG:certbot.main:Arguments: ['-q']
2019-11-15 07:39:59,881:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-15 07:39:59,899:DEBUG:certbot.log:Root logging level set at 30
2019-11-15 07:39:59,900:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-15 07:39:59,904:DEBUG:certbot.renewal:no renewal failures
2019-11-15 17:08:19,770:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-15 17:08:19,771:DEBUG:certbot.main:Arguments: ['-q']
2019-11-15 17:08:19,771:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-15 17:08:19,781:DEBUG:certbot.log:Root logging level set at 30
2019-11-15 17:08:19,784:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-15 17:08:19,785:DEBUG:certbot.renewal:no renewal failures
2019-11-15 18:53:24,364:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-15 18:53:24,365:DEBUG:certbot.main:Arguments:
2019-11-15 18:53:24,365:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-15 18:53:24,373:DEBUG:certbot.log:Root logging level set at 20
2019-11-15 18:53:24,374:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-15 18:54:11,164:DEBUG:certbot.main:certbot version: 0.31.0
2019-11-15 18:54:11,165:DEBUG:certbot.main:Arguments:
2019-11-15 18:54:11,165:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-11-15 18:54:11,173:DEBUG:certbot.log:Root logging level set at 20
2019-11-15 18:54:11,174:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-11-15 18:54:11,175:DEBUG:certbot.renewal:no renewal failures

Hmmm! Is it possible that someone deleted or renamed your certificates, or simply moved them to a different location on the server?

no, they are still here:
bitnami@ip-172-26-6-188:~$ ls -l /opt/bitnami/apache2/conf/
total 304
drwxr-xr-x 2 bitnami root 4096 Jan 19 2019 bitnami
-rw-r–r-- 1 bitnami root 289 Aug 15 2018 deflate.conf
drwxr-xr-x 2 bitnami root 4096 Aug 15 2018 extra
-rw-r–r-- 1 bitnami root 20149 Aug 15 2018 httpd.conf
-rw-r–r-- 1 bitnami root 13077 Jul 30 2018 magic
-rw-r–r-- 1 bitnami root 60847 Jul 30 2018 mime.types
-rw-r–r-- 1 bitnami root 7413 Aug 2 2012 modsecurity.conf
drwxr-xr-x 3 bitnami root 4096 Aug 15 2018 original
-rw-r–r-- 1 bitnami root 17447 Aug 15 2018 pagespeed.conf
-rw-r–r-- 1 bitnami root 141034 Aug 15 2018 pagespeed_libraries.conf
-rw-r–r-- 1 bitnami root 199 Aug 15 2018 php-fpm-apache.conf
-rw-r–r-- 1 bitnami root 1834 Nov 15 2018 privkey.pem
lrwxrwxrwx 1 root root 37 Jan 19 2019 server.crt -> /etc/lego/certificates/edgepay.io.crt
-rw-r–r-- 1 root root 1164 Nov 15 2018 server.crt-orig
-rw-r–r-- 1 root root 985 Nov 15 2018 server.csr
lrwxrwxrwx 1 root root 37 Jan 19 2019 server.key -> /etc/lego/certificates/edgepay.io.key
-rw-r–r-- 1 root root 1675 Nov 15 2018 server.key-orig
-rw-r–r-- 1 bitnami root 203 Aug 15 2018 ssi.conf

or here:
bitnami@ip-172-26-6-188:~$ sudo ls -l /etc/lego/certificates/
total 32
-rw------- 1 root root 3612 Sep 5 11:12 developers.edgepay.io.crt
-rw------- 1 root root 1648 Sep 5 11:12 developers.edgepay.io.issuer.crt
-rw------- 1 root root 242 Sep 5 11:12 developers.edgepay.io.json
-rw------- 1 root root 1679 Sep 5 11:12 developers.edgepay.io.key
-rw------- 1 root root 3571 Sep 5 11:12 edgepay.io.crt
-rw------- 1 root root 1648 Sep 5 11:12 edgepay.io.issuer.crt
-rw------- 1 root root 231 Sep 5 11:12 edgepay.io.json
-rw------- 1 root root 1675 Sep 5 11:12 edgepay.io.key

Oh! I thought you were using Certbot for these because you answered the question about the Certbot version successfully, and you do have Certbot installed on your system. But those certificates were obtained with lego rather than with Certbot.

Are you familiar with lego? Do you know how to ask it to renew your certificates?

I used a script set to run with a cron job, here is one of the commands:
sudo /usr/local/bin/lego --http --email="XXXXXX@gettrx.com" --domains=“edgepay.io” --domains=“www.edgepay.io” --path="/etc/lego" renew

but no error message, and no new cert

I’m not very familiar with lego; is it possible that you could make it more verbose with -v? Is there a command to make lego show which certificates you have or when they’re going to expire?

here is what I found:
NAME:
lego renew - Renew a certificate

USAGE:
lego renew [command options] [arguments…]

OPTIONS:
–days value The number of days left on a certificate to renew it. (default: 15)
–reuse-key Used to indicate you want to reuse your current private key for the new certificate.
–no-bundle Do not create a certificate bundle by adding the issuers certificate to the new certificate.
–must-staple Include the OCSP must staple TLS extension in the CSR and generated certificate. Only works if the CSR is generated by lego.

if it waits until 15 days to renew, then I will have to check back next week.

So today the cron job successfully updated the certificate. 16 days before the old one expires.
Not sure why we got ‘warning emails’ at 20 days.

Perhaps adding to your cron:
--days 30
would allow it to renew before the 20 days left emails go out.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.