Copied my certs. Want to set up auto renewal


#1

Hi All

I can see there's an archive and also a conf file for the domain.

I created the conf file for my domain, this was the domain that I copied my certs over for. I then incorrectly copied the certs from /live into /archive

When I ran a dry run renewal, it causes a traceback :wink: presumably because /archive is symlinks

Can someone explain how I go about adding my copied certs into the auto renewal process?

Thanks!


#2

To better understand what actually happened during the copy…
Maybe you can output these into a file and upload it here (or via service like paste.bin):
ls -lR /etc/letsencrypt/archive/
ls -lR /etc/letsencrypt/live/


#3

Certainly


root@openhab2:~# ls -lR /etc/letsencrypt/archive/
/etc/letsencrypt/archive/:
total 12
drwxr-xr-x 2 root root 4096 Feb 15 16:27 automate.nsautomate.com.au
drwxr-xr-x 2 root root 4096 Jan  6 19:42 oh2.ddns.net
drwxr-xr-x 2 root root 4096 Feb 15 16:07 unifi.nsautomate.com.au

/etc/letsencrypt/archive/automate.nsautomate.com.au:
total 16
-rw-r--r-- 1 root root 1944 Feb 15 16:27 cert.pem
-rw-r--r-- 1 root root 1647 Feb 15 16:27 chain.pem
-rw-r--r-- 1 root root 3591 Feb 15 16:27 fullchain.pem
-rw-r--r-- 1 root root 1704 Feb 15 16:27 privkey.pem

/etc/letsencrypt/archive/oh2.ddns.net:
total 48
-rw-r--r-- 1 root root 2143 Aug 28 16:00 cert1.pem
-rw-r--r-- 1 root root 2147 Nov  7 15:39 cert2.pem
-rw-r--r-- 1 root root 1903 Jan  6 19:42 cert3.pem
-rw-r--r-- 1 root root 1647 Aug 28 16:00 chain1.pem
-rw-r--r-- 1 root root 1647 Nov  7 15:39 chain2.pem
-rw-r--r-- 1 root root 1647 Jan  6 19:42 chain3.pem
-rw-r--r-- 1 root root 3790 Aug 28 16:00 fullchain1.pem
-rw-r--r-- 1 root root 3794 Nov  7 15:39 fullchain2.pem
-rw-r--r-- 1 root root 3550 Jan  6 19:42 fullchain3.pem
-rw-r--r-- 1 root root 1708 Aug 28 16:00 privkey1.pem
-rw-r--r-- 1 root root 1704 Nov  7 15:39 privkey2.pem
-rw-r--r-- 1 root root 1704 Jan  6 19:42 privkey3.pem

/etc/letsencrypt/archive/unifi.nsautomate.com.au:
total 16
-rw-r--r-- 1 root root 1935 Feb 15 16:07 cert1.pem
-rw-r--r-- 1 root root 1647 Feb 15 16:07 chain1.pem
-rw-r--r-- 1 root root 3582 Feb 15 16:07 fullchain1.pem
-rw-r--r-- 1 root root 1704 Feb 15 16:07 privkey1.pem
root@openhab2:~# ls -lR /etc/letsencrypt/live/
/etc/letsencrypt/live/:
total 16
drwxr-xr-x 2 root root 4096 Feb 15 12:32 automate.nsautomate.com.au
drwxr-xr-x 2 root root 4096 Jan  6 19:42 oh2.ddns.net
-rw-r--r-- 1 root root  740 Feb 15 16:07 README
drwxr-xr-x 2 root root 4096 Feb 15 16:07 unifi.nsautomate.com.au

/etc/letsencrypt/live/automate.nsautomate.com.au:
total 16
-rw-r--r-- 1 root root 1944 Feb 15 12:32 cert.pem
-rw-r--r-- 1 root root 1647 Feb 15 12:32 chain.pem
-rw-r--r-- 1 root root 3591 Feb 15 12:32 fullchain.pem
-rw-r--r-- 1 root root 1704 Feb 15 12:32 privkey.pem

/etc/letsencrypt/live/oh2.ddns.net:
total 4
lrwxrwxrwx 1 root root  36 Jan  6 19:42 cert.pem -> ../../archive/oh2.ddns.net/cert3.pem
lrwxrwxrwx 1 root root  37 Jan  6 19:42 chain.pem -> ../../archive/oh2.ddns.net/chain3.pem
lrwxrwxrwx 1 root root  41 Jan  6 19:42 fullchain.pem -> ../../archive/oh2.ddns.net/fullchain3.pem
lrwxrwxrwx 1 root root  39 Jan  6 19:42 privkey.pem -> ../../archive/oh2.ddns.net/privkey3.pem
-rw-r--r-- 1 root root 682 Aug 28 16:00 README

/etc/letsencrypt/live/unifi.nsautomate.com.au:
total 4
lrwxrwxrwx 1 root root  47 Feb 15 16:07 cert.pem -> ../../archive/unifi.nsautomate.com.au/cert1.pem
lrwxrwxrwx 1 root root  48 Feb 15 16:07 chain.pem -> ../../archive/unifi.nsautomate.com.au/chain1.pem
lrwxrwxrwx 1 root root  52 Feb 15 16:07 fullchain.pem -> ../../archive/unifi.nsautomate.com.au/fullchain1.pem
lrwxrwxrwx 1 root root  50 Feb 15 16:07 privkey.pem -> ../../archive/unifi.nsautomate.com.au/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 15 16:07 README
root@openhab2:~#


#4

The files in this folder should all be symlinks:

Since live and archive are NOT same date and time:
[you may have to validate which certs are valid (or just assume the one in archive is good)]

To continue using the ARCHIVE cert:
You can fix the symlinks with:
cd /etc/letsencrypt/live/automate.nsautomate.com.au
rm *.pem
ln -s ../../archive/automate.nsautomate.com.au/cert.pem cert.pem
ln -s ../../archive/automate.nsautomate.com.au/chain.pem chain.pem
ln -s ../../archive/automate.nsautomate.com.au/fullchain.pem fullchain.pem
ln -s ../../archive/automate.nsautomate.com.au/privkey.pem privkey.pem

To continue using the LIVE cert:
You can fix the symlinks with:
[just one extra step - cp the live over the archive]
cd /etc/letsencrypt/live/automate.nsautomate.com.au
cp *.pem ../../archive/automate.nsautomate.com.au
rm *.pem
ln -s ../../archive/automate.nsautomate.com.au/cert.pem cert.pem
ln -s ../../archive/automate.nsautomate.com.au/chain.pem chain.pem
ln -s ../../archive/automate.nsautomate.com.au/fullchain.pem fullchain.pem
ln -s ../../archive/automate.nsautomate.com.au/privkey.pem privkey.pem


#5

You may also need to rename the archive files from foo.pem to foo1.pem. If I remember correctly, Certbot throws an exception if the number is missing.


#6

Thanks, is this the error you speak of?


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/automate.nsautomate.com.au.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to renew cert (automate.nsautomate.com.au) from /etc/letsencrypt/renewal/automate.nsautomate.com.au.conf produced an unexpected error: '<' not supported between instances of 'NoneType' and 'NoneType'. Skipping.

So, that would mean I would need this?

To continue using the LIVE cert:
You can fix the symlinks with:
[just one extra step - cp the live over the archive]
cd /etc/letsencrypt/live/automate.nsautomate.com.au
cp *.pem ../../archive/automate.nsautomate.com.au
rm *.pem
ln -s ../../archive/automate.nsautomate.com.au/cert.pem cert1.pem
ln -s ../../archive/automate.nsautomate.com.au/chain.pem chain1.pem
ln -s ../../archive/automate.nsautomate.com.au/fullchain.pem fullchain1.pem
ln -s ../../archive/automate.nsautomate.com.au/privkey.pem privkey1.pem

Or, do I just go into the archive file and mv the file to cert1.pem for example?


#7

The archive files need the 1s.
The symlinks don’t use the 1s.

so…
cd /etc/letsencrypt/live/automate.nsautomate.com.au
mv cert.pem cert1.pem
mv chain.pem chain1.pem
mv fullchain.pem fullchain1.pem
mv privkey.pem privkey1.pem
cp *.pem ../../archive/automate.nsautomate.com.au
rm *.pem
ln -s ../../archive/automate.nsautomate.com.au/cert1.pem cert.pem
ln -s ../../archive/automate.nsautomate.com.au/chain1.pem chain.pem
ln -s ../../archive/automate.nsautomate.com.au/fullchain1.pem fullchain.pem
ln -s ../../archive/automate.nsautomate.com.au/privkey1.pem privkey.pem

then (when all is said and done)
ls -l /etc/letsencrypt/live/automate.nsautomate.com.au/
should show (something close to this):

lrwxrwxrwx 1 root root 50 Feb 15 21:02 cert.pem -> ../../archive/automate.nsautomate.com.au/cert1.pem
lrwxrwxrwx 1 root root 51 Feb 15 21:02 chain.pem -> ../../archive/automate.nsautomate.com.au/chain1.pem
lrwxrwxrwx 1 root root 55 Feb 15 21:02 fullchain.pem -> ../../archive/automate.nsautomate.com.au/fullchain1.pem
lrwxrwxrwx 1 root root 53 Feb 15 21:02 privkey.pem -> ../../archive/automate.nsautomate.com.au/privkey1.pem
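
The post above is the fix for one lineage typed by hand. The script below is an added example, not code from the thread or from certbot, that does the same job for any lineage name and adds the checks an operator would want before and after: it verifies that every live/ entry is a relative symlink into archive/, that every archive file carries the numeric suffix certbot parses (the missing number is what produces the "'<' not supported between instances of 'NoneType'" error shown in #6), refuses to choose when the live/ copy and the archive/ copy of a file differ (the "validate which certs are valid" step from #4), and tightens privkey files to 0600, since the listing in #3 shows the hand-copied keys as 0644, readable by every local user. It assumes certbot's standard directory layout; the config root is a parameter so it can be exercised on a scratch directory, and the PEM bodies the demo writes are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the thread): audit and repair a certbot lineage whose
# live/ files were copied in as regular files instead of symlinks into archive/.
# Generalises the steps from post #7 to any lineage name. Assumes certbot's
# standard layout <root>/live/<name>/<type>.pem -> ../../archive/<name>/<type>N.pem;
# <root> is a parameter (normally /etc/letsencrypt) so the functions can be run
# against a scratch directory.
set -eu

TYPES="cert chain fullchain privkey"

# audit_lineage ROOT NAME: print one problem per line, return 1 if any.
# certbot reads the numeric suffix of archive files to find the current
# version; a bare cert.pem yields no number, which is what the
# "'<' not supported between instances of 'NoneType'" error in post #6 means.
audit_lineage() {
    root=$1; name=$2; rc=0
    live="$root/live/$name"; archive="$root/archive/$name"
    for f in "$archive"/*.pem; do
        [ -e "$f" ] || continue
        base=$(basename "$f")
        if ! printf '%s\n' "$base" | grep -Eq '^(cert|chain|fullchain|privkey)[0-9]+\.pem$'; then
            echo "archive: $base has no version number"; rc=1
        fi
    done
    for t in $TYPES; do
        p="$live/$t.pem"
        if [ ! -L "$p" ]; then
            echo "live: $t.pem is not a symlink"; rc=1
        elif [ ! -e "$p" ]; then
            echo "live: $t.pem is a dangling symlink"; rc=1
        elif ! readlink "$p" | grep -Eq "^\.\./\.\./archive/$name/$t[0-9]+\.pem\$"; then
            echo "live: $t.pem points at $(readlink "$p") instead of archive/$name"; rc=1
        fi
    done
    # Keys copied by hand usually arrive 0644, as in the post #3 listing.
    for k in "$archive"/privkey*.pem; do
        [ -e "$k" ] || continue
        case $(ls -l "$k" | cut -c5-10) in
            ------) ;;
            *) echo "archive: $(basename "$k") is readable by group/other"; rc=1 ;;
        esac
    done
    return $rc
}

# repair_lineage ROOT NAME [VERSION]: post #7's fix, generalised. Regular
# files found in live/<name> or as unsuffixed archive/<name>/<type>.pem are
# moved to archive/<name>/<type>VERSION.pem (default 1), then live/ gets the
# relative symlinks certbot itself creates. If two candidates for the same
# type differ, stop and leave the choice to the operator (post #4's advice).
repair_lineage() {
    root=$1; name=$2; ver=${3:-1}
    live="$root/live/$name"; archive="$root/archive/$name"
    mkdir -p "$live" "$archive"
    for t in $TYPES; do
        dst="$archive/$t$ver.pem"
        for src in "$live/$t.pem" "$archive/$t.pem"; do
            [ -f "$src" ] && [ ! -L "$src" ] || continue
            if [ -e "$dst" ] && ! cmp -s "$src" "$dst"; then
                echo "refusing to overwrite $dst with differing $src" >&2
                return 1
            fi
            mv -f "$src" "$dst"
        done
        [ -f "$dst" ] || { echo "no $t material for $name" >&2; return 1; }
        rm -f "$live/$t.pem"
        ln -s "../../archive/$name/$t$ver.pem" "$live/$t.pem"
    done
    chmod 600 "$archive"/privkey*.pem     # certbot's own private keys are 0600
}

# make_broken_lineage ROOT NAME: reproduce the post #3 state in a scratch
# tree. The PEM bodies are constructed placeholders, not real key material.
make_broken_lineage() {
    root=$1; name=$2
    mkdir -p "$root/live/$name" "$root/archive/$name"
    for t in $TYPES; do
        printf '%s\n' "-----BEGIN PLACEHOLDER $t-----" "$name" \
            "-----END PLACEHOLDER-----" > "$root/live/$name/$t.pem"
        cp "$root/live/$name/$t.pem" "$root/archive/$name/$t.pem"
        chmod 644 "$root/live/$name/$t.pem" "$root/archive/$name/$t.pem"
    done
}

# demo: audit -> repair -> audit on a scratch copy of the thread's lineage.
demo() {
    tmp=$(mktemp -d); n=automate.nsautomate.com.au
    make_broken_lineage "$tmp" "$n"
    echo "== before"; audit_lineage "$tmp" "$n" || true
    repair_lineage "$tmp" "$n"
    echo "== after";  audit_lineage "$tmp" "$n" && echo "lineage OK"
    ls -l "$tmp/live/$n"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh fix-lineage.sh demo` to see the before/after audit on a throwaway tree; against a real install call `audit_lineage /etc/letsencrypt <name>` first and only then `repair_lineage`, and finish with `certbot renew --dry-run` as the thread does. The repair deliberately stops rather than guess when the live/ and archive/ copies of a file differ, because picking the wrong one silently serves a stale certificate or a key that no longer matches it.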

#8

Thank you so much gents!

I think that's done it :slight_smile:


root@openhab2:/etc/letsencrypt/live/automate.nsautomate.com.au# ls -l /etc/letsencrypt/live/automate.nsautomate.com.au/
total 0
lrwxrwxrwx 1 root root 50 Feb 16 13:35 cert.pem -> ../../archive/automate.nsautomate.com.au/cert1.pem
lrwxrwxrwx 1 root root 51 Feb 16 13:35 chain.pem -> ../../archive/automate.nsautomate.com.au/chain1.pem
lrwxrwxrwx 1 root root 55 Feb 16 13:35 fullchain.pem -> ../../archive/automate.nsautomate.com.au/fullchain1.pem
lrwxrwxrwx 1 root root 53 Feb 16 13:35 privkey.pem -> ../../archive/automate.nsautomate.com.au/privkey1.pem
root@openhab2:/etc/letsencrypt/live/automate.nsautomate.com.au#

I'll do a dry run renewal now to check all is well!


#9

That is the next (maybe final) step :slight_smile:

Also check
certbot certificates
[one last time]


#10

Just passed :slight_smile:

I have this in crontab, so I should be set for renewals! :slight_smile:

0 0 * * 5 cd /etc/letsencrypt; certbot renew

ALL Valid/checked and working!

Thanks so much guys, what an awesome forum. Greatly appreciated


#11

I think it may be better like:
0 0 * * 5 cd /etc/letsencrypt && ./certbot renew
[presuming that which certbot returns: /etc/letsencrypt/certbot]
[otherwise, adjust accordingly]

But be sure there isn’t one already in systemd:
systemctl list-timers | grep -i cert

[if one is found there: cat /lib/systemd/system/certbot.service | grep -i ExecStart]


closed #12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.