Change account on an existing system - update the certificates

My domain is: wohnungsmarkt-aschaffenburg.de - wohnungsmarkt-bamberg.de and 6 more

I ran this command:

It produced this output:

My web server is (include version): Ubuntu 16.04.5

The operating system my web server runs on is (include version): GNU/Linux 4.4.0-042

My hosting provider, if applicable, is: Server4you

I can login to a root shell on my machine (yes or no, or I don’t know): I think yes, over putty?

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ftp/phpmyadmin?

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.26.1

Hi,
I have the following “problem”:

  • I have 8 domains on the server.
  • 1 ssl is not expired, the rest are expired
  • Certbot is on the server (with a cronjob under cron.d - but this doesn’t work)
  • I want to open a new account (I haven’t done so already) on Let’s Encrypt to have my own account (the current account isn’t mine)
  • I want a correct installation of Certbot and a cronjob that works, so that I don’t have the problem of expired certificates

What is the right/best way to get this without having things duplicated or deleted on the server?

Thanks for your help.

Adrian

Hi @abUrs

checking your first domain ( https://check-your-website.server-daten.de/?q=wohnungsmarkt-aschaffenburg.de ) there are a lot of certificates visible:

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1218507390 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-02-19 23:08:44 | 2019-05-20 23:08:44 | wohnungsmarkt-aschaffenburg.de (1 entries) | | |
| 975188878 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-11-25 12:11:33 | 2019-02-23 12:11:33 | wohnungsmarkt-aschaffenburg.de (1 entries) | | |
| 523019562 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-06-12 21:20:29 | 2018-09-10 21:20:29 | wohnungsmarkt-aschaffenburg.de (1 entries) | | |
| 397344107 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-04-13 21:51:26 | 2018-07-12 21:51:26 | wohnungsmarkt-aschaffenburg.de (1 entries) | | |
| 328777518 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-02-12 22:16:26 | 2018-05-13 22:16:26 | wohnungsmarkt-aschaffenburg.de (1 entries) | | |
| 278392368 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2017-12-14 17:36:33 | 2018-03-14 17:36:33 | wohnungsmarkt-aschaffenburg.de (1 entries) | | |
| 267014535 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2017-11-29 22:47:17 | 2018-02-27 22:47:17 | wohnungsmarkt-aschaffenburg.de (1 entries) | | |

Looks like you have a very old configuration. Perhaps you have used tls-sni-01 validation, which is no longer supported (stopped 2019-03~15).

So first step: check if it is possible to update your Certbot.

Then check

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
    unregister      Deactivate a Let's Encrypt ACME account
    update_account  Update a Let's Encrypt ACME account

You should be able to unregister the old account, then create a new one. I don’t know if 0.26 supports these commands, so first update your Certbot.

The non-working config may be a result of this too-old configuration too.

But the CT-list shows that you use a wrong certificate.

You should create a certificate with both domain names - www and non-www with the -d option.

Hi Jürgen,

thank you for your answer. It worked.

I updated the certbot
I created the certificates (www and non-www)

Two questions:

  • under etc/letsencrypt/renewal - some .conf are from today with the newest version of Certbot 0.31. Others are “old” with the version of Certbot 0.26. - but all certificates are working - why aren’t all of them changed? Is this a problem?
  • I have this under etc/cron.d - this hasn’t worked, because the certificates expired. What is wrong with this?

    # /etc/cron.d/certbot: crontab entries for the certbot package
    #
    # Upstream recommends attempting renewal twice a day
    #
    # Eventually, this will be an opportunity to validate certificates
    # haven't been revoked, etc. Renewal will only occur if expiration
    # is within 30 days.
    #
    # Important Note! This cronjob will NOT be executed if you are
    # running systemd as your init system. If you are running systemd,
    # the cronjob.timer function takes precedence over this cronjob. For
    # more details, see the systemd.timer manpage, or use systemctl show
    # certbot.timer.
    SHELL=/bin/sh
    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

    0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

Happy to read that it had worked.

I don't know. Check if the next renew works. If yes, ignore it.

It may have not worked because of your too old configuration. If the client tries to use tls-sni-01 validation, that can't work.

So the same: Check your certificates if the next renew works.

Use

    certbot certificates

to see how long they are valid.

Ok, I’ll take a look in 90 days.

Thanks for your time.

No, not in 90 days, that's too late.

Check your certificates with

    certbot certificates

to find your oldest certificate.

Certbot should renew that if it is less than 30 days valid. That should work.

A typical installation should always have a "backup time" of 30 or 20 days to check if there are errors.
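The two checks discussed in this thread, as an added example that is not part of the original posts: which scheduler actually runs the renewal (the cron guard skips the job when `/run/systemd/system` exists), and which certificates have fallen below the 20-day buffer. The sample `certbot certificates` output, its layout, the `example.*` names and the root-prefix parameter are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit certbot renewal health.

# Which scheduler runs "certbot renew"? Mirrors the guard in /etc/cron.d/certbot:
# the cron line is skipped when /run/systemd/system exists.
# $1: optional root prefix (hypothetical parameter, for testing only).
renewal_scheduler() {
    if [ -d "${1:-}/run/systemd/system" ]; then
        echo "systemd (certbot.timer)"
    else
        echo "cron (/etc/cron.d/certbot)"
    fi
}

# Reads `certbot certificates` output on stdin; prints "<name> <days>" for each
# certificate with fewer than $1 days left (default 20) and "<name> INVALID"
# for certificates reported as invalid (for example expired).
expiring_certs() {
    awk -v min="${1:-20}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print name, "INVALID" }
            else if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < min) { print name, days }
            } else { print name, 0 }    # no day count, e.g. only hours left
        }'
}

# Constructed sample input (placeholder names, assumed output layout).
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2019-07-01 10:00:00+00:00 (VALID: 89 days)
  Certificate Name: example.org
    Domains: example.org www.example.org
    Expiry Date: 2019-04-15 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: example.net
    Domains: example.net www.example.net
    Expiry Date: 2019-02-23 12:11:33+00:00 (INVALID: EXPIRED)
EOF
}

# On a real host: certbot certificates 2>/dev/null | expiring_certs 20
echo "scheduler: $(renewal_scheduler)"
sample_output | expiring_certs 20
```

Any line printed by `expiring_certs` means the scheduled renewal has already missed its 30-day window and should be investigated before the certificate expires.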
