Cron Renewal of Certs Not Working

crontab -l
no crontab for root
root@genesis:/etc/letsencrypt/renewal#

1 Like

Let's have a look at these files:

And as a comparison/contrast:

6 Likes

What about?:

And also:
certbot certificates

6 Likes

Here are the files

root@genesis:/etc/letsencrypt/renewal# cat kibana.allenintech.com.conf
#renew_before_expiry = 30 days
version = 1.32.1
archive_dir = /etc/letsencrypt/archive/kibana.allenintech.com
cert = /etc/letsencrypt/live/kibana.allenintech.com/cert.pem
privkey = /etc/letsencrypt/live/kibana.allenintech.com/privkey.pem
chain = /etc/letsencrypt/live/kibana.allenintech.com/chain.pem
fullchain = /etc/letsencrypt/live/kibana.allenintech.com/fullchain.pem

#Options used in the renewal process
[renewalparams]
authenticator = standalone
account = 167f86e1432ceed045ef851b5bae590f
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
root@genesis:/etc/letsencrypt/renewal#
root@genesis:/etc/letsencrypt/renewal# cat www.elasticsearch.allenintech.com.conf
#renew_before_expiry = 30 days
version = 1.26.0
archive_dir = /etc/letsencrypt/archive/www.elasticsearch.allenintech.com
cert = /etc/letsencrypt/live/www.elasticsearch.allenintech.com/cert.pem
privkey = /etc/letsencrypt/live/www.elasticsearch.allenintech.com/privkey.pem
chain = /etc/letsencrypt/live/www.elasticsearch.allenintech.com/chain.pem
fullchain = /etc/letsencrypt/live/www.elasticsearch.allenintech.com/fullchain.pem

#Options used in the renewal process
[renewalparams]
authenticator = standalone
account = 167f86e1432ceed045ef851b5bae590f
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
root@genesis:/etc/letsencrypt/renewal# cat www.kibana.allenintech.com.conf
#renew_before_expiry = 30 days
version = 1.32.1
archive_dir = /etc/letsencrypt/archive/www.kibana.allenintech.com
cert = /etc/letsencrypt/live/www.kibana.allenintech.com/cert.pem
privkey = /etc/letsencrypt/live/www.kibana.allenintech.com/privkey.pem
chain = /etc/letsencrypt/live/www.kibana.allenintech.com/chain.pem
fullchain = /etc/letsencrypt/live/www.kibana.allenintech.com/fullchain.pem

#Options used in the renewal process
[renewalparams]
authenticator = apache
account = 167f86e1432ceed045ef851b5bae590f
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
installer = apache

See the problem?

6 Likes

So it is a cron job, as stated by OP in the initial post.

6 Likes

The authenticator should be apache?

1 Like

The authenticators?

I should correct authenticator standalone to apache?

also installer = apache

I would.
But your Apache configuration must be working properly [for that to succeed].

The certs should already be installed; so, that's not really necessary.

What shows?:

6 Likes
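
An added example, not part of any post in this thread and not certbot's own code: a shell function that lists the authenticator recorded in each renewal config and marks standalone lineages with no pre_hook for review, since standalone has to bind port 80 itself and cannot while Apache is already listening there. The sample directory and its *.example file names are constructed; on a real host, point the function at /etc/letsencrypt/renewal.

```shell
#!/usr/bin/env bash
# Added example: audit certbot renewal configs for the authenticator in use.

# Print "<lineage> <authenticator> <verdict>" for every *.conf in a directory.
# REVIEW = authenticator is standalone and no pre_hook frees port 80 first.
audit_renewal_dir() {
    local dir=$1 conf
    for conf in "$dir"/*.conf; do
        [ -e "$conf" ] || continue
        awk -v name="$(basename "$conf" .conf)" '
            /^[ \t]*#/ { next }                       # skip comment lines
            /^\[/ { in_params = ($0 == "[renewalparams]"); next }
            in_params && (i = index($0, "=")) {       # key = value pairs only
                key = substr($0, 1, i - 1); v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", v)
                val[key] = v
            }
            END {
                auth = ("authenticator" in val) ? val["authenticator"] : "none"
                risky = (auth == "standalone" && !("pre_hook" in val))
                print name, auth, (risky ? "REVIEW" : "ok")
            }' "$conf"
    done
}

# Constructed sample configs (not taken from the thread), written to a temp dir.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    printf '%s\n' 'version = 1.32.1' '[renewalparams]' 'authenticator = standalone' \
        > "$d/standalone-site.example.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = apache' 'installer = apache' \
        > "$d/apache-site.example.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = standalone' \
        'pre_hook = systemctl stop apache2' > "$d/hooked-site.example.conf"
    echo "$d"
}

sample=$(make_sample_dir)
audit_renewal_dir "$sample"
rm -rf "$sample"
```
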

OK
I'll update standalone to apache and rerun dry-run

2 Likes

Nicely done, @rg305!

So can we get the cron working? I'll go up the thread and pick up your other suggestions.

root@genesis:/etc/letsencrypt/renewal# PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/allenintech.com-0002.conf


Simulating renewal of an existing certificate for allenintech.com


Processing /etc/letsencrypt/renewal/kibana.allenintech.com.conf


Simulating renewal of an existing certificate for kibana.allenintech.com


Processing /etc/letsencrypt/renewal/nextcloud.allenintech.com-0001.conf


Simulating renewal of an existing certificate for nextcloud.allenintech.com and www.nextcloud.allenintech.com


Processing /etc/letsencrypt/renewal/www.elasticsearch.allenintech.com.conf


Simulating renewal of an existing certificate for www.elasticsearch.allenintech.com and elasticsearch.allenintech.com


Processing /etc/letsencrypt/renewal/www.kibana.allenintech.com.conf


Simulating renewal of an existing certificate for kibana.allenintech.com and www.kibana.allenintech.com


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/allenintech.com-0002/fullchain.pem (success)
/etc/letsencrypt/live/kibana.allenintech.com/fullchain.pem (success)
/etc/letsencrypt/live/nextcloud.allenintech.com-0001/fullchain.pem (success)
/etc/letsencrypt/live/www.elasticsearch.allenintech.com/fullchain.pem (success)
/etc/letsencrypt/live/www.kibana.allenintech.com/fullchain.pem (success)


root@genesis:/etc/letsencrypt/renewal#

1 Like

certbot certificates

shows Invalid: expired for the following:
Certificate Name: www.elasticsearch.allenintech.com
Serial Number: 39dfcb8b2a052f8f17b6f0801817f91c334
Key Type: RSA
Domains: www.elasticsearch.allenintech.com elasticsearch.allenintech.com
Expiry Date: 2022-07-14 14:20:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.elasticsearch.allenintech.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.elasticsearch.allenintech.com/privkey.pem

We need to check on the certs.

6 Likes

Everything


Found the following certs:
Certificate Name: allenintech.com-0002
Serial Number: 3cc7e965a9bb2c90f99bda2cd7550641575
Key Type: RSA
Domains: allenintech.com
Expiry Date: 2023-01-31 02:06:17+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/allenintech.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/allenintech.com-0002/privkey.pem
Certificate Name: kibana.allenintech.com
Serial Number: 41020bd0c3f3656f0d60f727216fdc71af1
Key Type: RSA
Domains: kibana.allenintech.com
Expiry Date: 2023-03-14 09:37:40+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/kibana.allenintech.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/kibana.allenintech.com/privkey.pem
Certificate Name: nextcloud.allenintech.com-0001
Serial Number: 40c846a65d7c037d6ffb13f9ca935f17587
Key Type: RSA
Domains: nextcloud.allenintech.com www.nextcloud.allenintech.com
Expiry Date: 2023-01-31 05:07:46+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/nextcloud.allenintech.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nextcloud.allenintech.com-0001/privkey.pem
Certificate Name: www.elasticsearch.allenintech.com
Serial Number: 39dfcb8b2a052f8f17b6f0801817f91c334
Key Type: RSA
Domains: www.elasticsearch.allenintech.com elasticsearch.allenintech.com
Expiry Date: 2022-07-14 14:20:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.elasticsearch.allenintech.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.elasticsearch.allenintech.com/privkey.pem
Certificate Name: www.kibana.allenintech.com
Serial Number: 486d45a41d62df4114aafbc0d1cff5c8e58
Key Type: RSA
Domains: kibana.allenintech.com www.kibana.allenintech.com
Expiry Date: 2023-03-13 23:52:07+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.kibana.allenintech.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.kibana.allenintech.com/privkey.pem


1 Like

This is concerning:

Certificate Name: www.elasticsearch.allenintech.com
Domains: www.elasticsearch.allenintech.com elasticsearch.allenintech.com
Expiry Date: 2022-07-14 14:20:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.elasticsearch.allenintech.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.elasticsearch.allenintech.com/privkey.pem

Let's try and renew it:
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin certbot renew

6 Likes

It renewed

root@genesis:/etc/letsencrypt/renewal# PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/allenintech.com-0002.conf


Certificate not yet due for renewal


Processing /etc/letsencrypt/renewal/kibana.allenintech.com.conf


Certificate not yet due for renewal


Processing /etc/letsencrypt/renewal/nextcloud.allenintech.com-0001.conf


Certificate not yet due for renewal


Processing /etc/letsencrypt/renewal/www.elasticsearch.allenintech.com.conf


Renewing an existing certificate for www.elasticsearch.allenintech.com and elasticsearch.allenintech.com


Processing /etc/letsencrypt/renewal/www.kibana.allenintech.com.conf


Certificate not yet due for renewal


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/allenintech.com-0002/fullchain.pem expires on 2023-01-31 (skipped)
/etc/letsencrypt/live/kibana.allenintech.com/fullchain.pem expires on 2023-03-14 (skipped)
/etc/letsencrypt/live/nextcloud.allenintech.com-0001/fullchain.pem expires on 2023-01-31 (skipped)
/etc/letsencrypt/live/www.kibana.allenintech.com/fullchain.pem expires on 2023-03-13 (skipped)
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/www.elasticsearch.allenintech.com/fullchain.pem (success)


root@genesis:/etc/letsencrypt/renewal#

1 Like

systemctl list-timers is voluminous.

I see under UNIT snap.certbot.renew.timer
I see under ACTIVATES snap.certbot.renew.service

1 Like

We can help you fix the symlinks. But we are going to have to step back and re-evaluate your configuration.
There are priorities and we need to all be on the same page.
From what I have seen, your cron is ready to ask for a new cert. But it won't do it until it is time to renew.
Let's re-visit this in the morning, my friend.

7 Likes