Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Please see commands to renew my Certificate. Note that it seems that the Certificate went through but when I check the browser it still maintains the old termination date.
[ec2-user@ip-172-31-29-18 ~]$ sudo certbot certonly --apache -d allcountyguitar.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/allcountyguitar.com-0001.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for allcountyguitar.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/allcountyguitar.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/allcountyguitar.com-0001/privkey.pem
This certificate expires on 2024-10-04.
These files will be updated when the certificate renews.
My web server is (include version):
Server version: Apache/2.4.59 (Amazon)
Server built: Apr 22 2024 13:10:00
The operating system my web server runs on is (include version): Amazon Linux AMI 2018.03
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): No
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0
You're using certonly which means Certbot does not automatically install the certificate into Apache.
Also, if issuing wasn't an issue in the first place, replacing a perfectly fine certificate with a new one is NOT the solution. Please don't do that.
Also also, the fact that you have an "allcountyguitar.com-0001" certificate name suggests you have multiple and possibly duplicate certificates. Please show the output of the command sudo certbot certificates.
Also also also, looking at crt.sh | allcountyguitar.com you've been getting 2 certificates for some time: one for the apex domain and another one for the www subdomain. Usually one simply combines both hostnames into a single certificate.
Thank you for your prompt response, greatly appreciated! I do have multiple virtual servers on my instance but the only one I am currently needing to clarify is "www.allcountyguitar.com" and "allcountyguitar.com" - here is the command you suggested:
The easy one is your www.allcountyguitar.com. You can see in the certificate list that there is a cert with only this name in it. It does not expire until Sep 9 so would not be due for renewal yet.
But, you have two certs for allcountyguitar.com. One is the cert you just got (an ECDSA cert) which has only that name in it.
Your earlier cert for that domain was linked with enetapplication.com. Your Apache is still referencing this cert that has both these names in it and which expires July 11.
Alas, your enetapplication domain no longer looks active. And, it uses a different IP address than just allcountyguitar.com. Which is probably why a renewal for that cert failed and a new profile (the -0001) was created.
Your easiest option is probably to modify your Apache config to use the folder name for the new cert that has just allcountyguitar.com in it. Then reload Apache. Once it is confirmed to use the new cert you can delete the old one. The only disadvantage to this is, going forward, your cert file path will have -0001 in it which people sometimes don't like.
The other option is to reissue the original cert dropping enetapplication from it. Then, delete the cert (the -0001 cert) you just got.
Let us know if you need any help with that.
Deleting a cert is done with
sudo certbot delete --cert-name X
Where X is the name shown in the certbot certificates list
I am so impressed by the responsiveness! "enetapplication" is not active and is a remnant that needs to be removed anyway along with others, but the main is to get allcountyguitar.com recertified prior to expiry. Any additional guidance you can provide would be most appreciated and welcomed.
Short answer, 'no' - I set all these up many years ago and haven't needed to adjust anything. I believe this might be pushing the 'support' boundaries however if you could assist with:
a) where the config files for virtual directories might be - here is where the php files are:
/var/www/html-allcountyguitar
b) specifically what needs to be adjusted within the config file - e.g. remove "xxx" replace with "zzz"
c) other aspects such as restarting services, etc.
Anything in the above regard would be appreciated however this forum already has moved me in the correct direction. Many thanks!
As an aside, your Amazon Linux 1 is no longer supported by AWS so you should look to upgrade that. You will need to become more familiar with Apache when you do that.
You can find your Apache config files various ways. One is to show us output of this
sudo httpd -t -D DUMP_VHOSTS
We can describe the 2 (or 3) lines that need changing in the VirtualHost
<VirtualHost *:443>
DocumentRoot /var/www/html-allcountyguitar
ServerName allcountyguitar.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/allcountyguitar.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/allcountyguitar.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:443>
DocumentRoot /var/www/html-allcountyguitar
ServerName www.allcountyguitar.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.allcountyguitar.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.allcountyguitar.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
And thanks for the reminder of my Amazon Linux 1 server, I know EOL...sigh...but I'm ready to "retire" this part of the business...literally yesterday I turned 70! Digression aside, I sincerely appreciate this support. EFF is an organization we have always supported but we'll 'up' our support after this positive experience.
best,
Brian
btw here is the dump for the Linux command, in case there is something else of note I missed:
[ec2-user@ip-172-31-29-18 ~]$ sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server enetapplication.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost enetapplication.com (/etc/httpd/conf.d/ssl.conf:56)
alias enetapplication.com
port 443 namevhost allcountyguitar.com (/etc/httpd/conf.d/ssl.conf:223)
port 443 namevhost www.allcountyguitar.com (/etc/httpd/conf.d/ssl.conf:231)
port 443 namevhost brianguitar.com (/etc/httpd/conf.d/ssl.conf:253)
port 443 namevhost www.brianguitar.com (/etc/httpd/conf.d/ssl.conf:261)
port 443 namevhost windsurfnow.com (/etc/httpd/conf.d/ssl.conf:273)
port 443 namevhost www.windsurfnow.com (/etc/httpd/conf.d/ssl.conf:281)
*:80 is a NameVirtualHost
default server enetapplication.com (/etc/httpd/conf.d/le-redirect-enetapplication.com:443.conf:1)
port 80 namevhost enetapplication.com (/etc/httpd/conf.d/le-redirect-enetapplication.com:443.conf:1)
alias enetapplication.com
port 80 namevhost allcountyguitar.com (/etc/httpd/conf/httpd.conf:356)
port 80 namevhost www.allcountyguitar.com (/etc/httpd/conf/httpd.conf:363)
port 80 namevhost brianguitar.com (/etc/httpd/conf/httpd.conf:373)
port 80 namevhost www.brianguitar.com (/etc/httpd/conf/httpd.conf:380)
port 80 namevhost windsurfnow.com (/etc/httpd/conf/httpd.conf:398)
port 80 namevhost www.windsurfnow.com (/etc/httpd/conf/httpd.conf:405)
@MikeMcQ With regard to TLS configuration, wouldn't it be helpful if OP removed the certonly part of the command?
Once the vhosts are cleaned up, that is. Looks like almost every hostname has its own vhost and all in the same file(s). No aliases whatsoever and a very curiously named file, le-redirect-enetapplication.com:443.conf
Let me know what command you use to reload as we should add a --deploy-hook to your certbot renewal profile. If you are not sure of the proper command I think this works for AL1
sudo systemctl reload httpd
Let me know the command in any case. We also need to delete your unused cert once we confirm this works.
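A deploy hook like the one being set up here is just an executable that Certbot runs after a successful renewal. The following Python script is an added example (not code from the thread or from Certbot) of such a hook: it reads the RENEWED_LINEAGE and RENEWED_DOMAINS variables Certbot exports to deploy hooks, refuses to reload if the renewed lineage is missing its cert or key, runs Apache's syntax check first, and only then issues the reload the thread uses (service httpd reload, without the redundant sudo since hooks already run as root). The command lists are assumptions; the return codes are the script's own convention so the outcome can be checked.

```python
#!/usr/bin/env python3
"""Constructed example of a certbot --deploy-hook script (not from the thread).

Certbot runs deploy hooks as root after a successful renewal and exports
RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory that was renewed)
and RENEWED_DOMAINS (space-separated hostnames) to the hook's environment.
"""
import os
import subprocess
import sys
from pathlib import Path

# Assumed commands: Apache's config syntax check, then the reload the thread used.
CONFIG_TEST_CMD = ["httpd", "-t"]
RELOAD_CMD = ["service", "httpd", "reload"]


def lineage_ready(lineage):
    """True only when both fullchain.pem and privkey.pem exist in the lineage dir."""
    p = Path(lineage)
    return (p / "fullchain.pem").is_file() and (p / "privkey.pem").is_file()


def run(cmd):
    """Run a command quietly and return its exit status."""
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode


def deploy(lineage, domains, config_test_cmd=CONFIG_TEST_CMD, reload_cmd=RELOAD_CMD):
    """Reload Apache for a renewed lineage.

    Returns 0 on reload, 1 if the lineage is incomplete, 2 if the config test
    fails (server is left untouched rather than reloaded onto a broken config),
    3 if the reload command itself fails.
    """
    if not lineage or not lineage_ready(lineage):
        print(f"deploy-hook: lineage {lineage!r} lacks fullchain.pem/privkey.pem; "
              "not reloading", file=sys.stderr)
        return 1
    if run(config_test_cmd) != 0:
        print("deploy-hook: Apache config test failed; not reloading", file=sys.stderr)
        return 2
    if run(reload_cmd) != 0:
        print("deploy-hook: reload failed", file=sys.stderr)
        return 3
    print(f"deploy-hook: reloaded Apache for {domains} ({lineage})")
    return 0


if __name__ == "__main__":
    # Certbot populates these; when run by hand they are simply empty.
    sys.exit(deploy(os.environ.get("RENEWED_LINEAGE", ""),
                    os.environ.get("RENEWED_DOMAINS", "")))
```

Saved as, say, /usr/local/bin/reload-httpd-hook.py and made executable, it would be registered with certbot reconfigure --cert-name <lineage> --deploy-hook /usr/local/bin/reload-httpd-hook.py in place of the inline reload command. Running httpd -t before the reload matters because a reload onto a config that references a deleted lineage is exactly the failure mode discussed later in the thread.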
There is a fair amount of improvement that could be made. But, now that we know it is an expiring app on an EOL distro it doesn't seem worth the trouble.
As for dropping certonly in favor of just --apache ... sure that was another way. That seemed more complicated and of limited value. We would have had to review the certbot renewal profile to confirm they had been using that. And, also review their VirtualHosts to ensure no changes had been made to prevent compatibility. After all, something got them in a funny state and I would not want to guess. The --apache plugin is potentially more disruptive given it can make permanent changes to the config.
Perfect! Adjusted the config file, saved, and restarted httpd using this:
[ec2-user@ip-172-31-29-18 ~]$ sudo service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
The browser is now indicating the new validity date for 'allcountyguitar.com'. I will still need to clean up those domains that are no longer active, however, the immediate problem has been resolved!
THANK YOU @MikeMcQ and @Osiris for making this a relatively painless process for me. Frankly, I am blown away by the responsiveness and camaraderie that you displayed in this thread.
[ec2-user@ip-172-31-29-18 ~]$ sudo certbot reconfigure --cert-name allcountyguitar.com-0001 --deploy-hook 'sudo service httpd reload'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are attempting to set a --deploy-hook. Would you like Certbot to run deploy
hooks when it performs a dry run with the new settings? This will run all
relevant deploy hooks, including directory hooks, unless --no-directory-hooks is
set. This will use the current active certificate, and not the temporary test
certificate acquired during the dry run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(R)un deploy hooks/(D)o not run deploy hooks: r
Simulating renewal of an existing certificate for allcountyguitar.com
Hook 'deploy-hook' ran with output:
Reloading httpd: [ OK ]
Successfully updated configuration.
Changes will apply when the certificate renews.
Yes, worked fine! Here is the latest 'dump' after running:
[ec2-user@ip-172-31-29-18 ~]$ sudo httpd -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server enetapplication.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost enetapplication.com (/etc/httpd/conf.d/ssl.conf:56)
alias enetapplication.com
port 443 namevhost allcountyguitar.com (/etc/httpd/conf.d/ssl.conf:223)
port 443 namevhost www.allcountyguitar.com (/etc/httpd/conf.d/ssl.conf:231)
port 443 namevhost brianguitar.com (/etc/httpd/conf.d/ssl.conf:253)
port 443 namevhost www.brianguitar.com (/etc/httpd/conf.d/ssl.conf:261)
port 443 namevhost windsurfnow.com (/etc/httpd/conf.d/ssl.conf:273)
port 443 namevhost www.windsurfnow.com (/etc/httpd/conf.d/ssl.conf:281)
*:80 is a NameVirtualHost
default server enetapplication.com (/etc/httpd/conf.d/le-redirect-enetapplication.com:443.conf:1)
port 80 namevhost enetapplication.com (/etc/httpd/conf.d/le-redirect-enetapplication.com:443.conf:1)
alias enetapplication.com
port 80 namevhost allcountyguitar.com (/etc/httpd/conf/httpd.conf:356)
port 80 namevhost www.allcountyguitar.com (/etc/httpd/conf/httpd.conf:363)
port 80 namevhost brianguitar.com (/etc/httpd/conf/httpd.conf:373)
port 80 namevhost www.brianguitar.com (/etc/httpd/conf/httpd.conf:380)
port 80 namevhost windsurfnow.com (/etc/httpd/conf/httpd.conf:398)
port 80 namevhost www.windsurfnow.com (/etc/httpd/conf/httpd.conf:405)
You really should do something about the other certs in the list. None of them are working from the public internet. And, their certs expire in 4 days. Your system will continue to frequently fail renewing them. That can actually get you temporarily rate-limited which could interfere with AllCounty's cert renewal.
The failing domains are the enet, brian, and windsurf domains. Those all have different IP addresses than AllCounty so that's probably a big reason why.
But, you can't delete the certs until you first remove the references to those files from Apache. You can leave their VirtualHost for port 80 as a placeholder if you wish. But, you must delete the entire port 443 VirtualHost block which contains the ServerName and/or Alias you want to remove. Don't delete any lines before and after the obsoleted VirtualHost block.
Once you remove the VirtualHost, restart Apache and check its dump_vhost list to make sure it does not show in the "443" section.
Then, using enet as an example, you'd delete the cert with:
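Both the earlier advice (point the VirtualHost at the lineage directory that actually holds the wanted cert, then delete the old one) and the advice just above (never run certbot delete while a VirtualHost still references the lineage) come down to one check: which <VirtualHost> blocks reference which /etc/letsencrypt/live/<lineage>/ directory. The script below is an added example, not code from the thread or from Certbot, that performs that check on a constructed ssl.conf shaped like the situation described (an old vhost still pointing at the original lineage, the apex vhost on the -0001 lineage). It matches the lineage directory name exactly, so allcountyguitar.com and allcountyguitar.com-0001 are kept apart, which a naive substring search would not do.

```python
import re
from dataclasses import dataclass, field

# Constructed sample ssl.conf (not the poster's actual file) in the shape the
# thread describes: the first block still references the original lineage.
SAMPLE_SSL_CONF = """\
<VirtualHost *:443>
    ServerName enetapplication.com
    ServerAlias allcountyguitar.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/allcountyguitar.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/allcountyguitar.com/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName allcountyguitar.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/allcountyguitar.com-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/allcountyguitar.com-0001/privkey.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName www.allcountyguitar.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.allcountyguitar.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.allcountyguitar.com/privkey.pem
</VirtualHost>
"""

# Captures the lineage directory name; the trailing slash makes the match exact,
# so "allcountyguitar.com" never matches "allcountyguitar.com-0001".
LIVE_RE = re.compile(r"^/etc/letsencrypt/live/([^/]+)/")
CERT_DIRECTIVES = {"sslcertificatefile", "sslcertificatekeyfile", "sslcertificatechainfile"}


@dataclass
class VHost:
    address: str                                 # e.g. "*:443"
    first_line: int                              # 1-based line of the opening tag
    names: list = field(default_factory=list)    # ServerName and ServerAlias values
    lineages: set = field(default_factory=set)   # certbot lineages referenced


def parse_vhosts(conf_text):
    """Collect, per <VirtualHost> block, its hostnames and referenced lineages."""
    vhosts, current = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = VHost(address=opened.group(1).strip(), first_line=lineno)
            continue
        if line.lower() == "</virtualhost>":
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key in ("servername", "serveralias"):
            current.names.extend(parts[1:])
        elif key in CERT_DIRECTIVES:
            m = LIVE_RE.match(parts[1])
            if m:
                current.lineages.add(m.group(1))
    return vhosts


def vhosts_referencing(vhosts, lineage):
    """Blocks that would break if `certbot delete --cert-name <lineage>` ran now."""
    return [v for v in vhosts if lineage in v.lineages]


def safe_to_delete(vhosts, lineage):
    return not vhosts_referencing(vhosts, lineage)


def report(conf_text, lineage):
    hits = vhosts_referencing(parse_vhosts(conf_text), lineage)
    if not hits:
        return f"no VirtualHost references lineage '{lineage}'; safe to delete"
    out = [f"lineage '{lineage}' is still referenced; remove these blocks first:"]
    for v in hits:
        out.append(f"  <VirtualHost {v.address}> at line {v.first_line}: {', '.join(v.names)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_SSL_CONF, "allcountyguitar.com"))
    print(report(SAMPLE_SSL_CONF, "enetapplication.com"))
```

Against a real server the text would come from the file(s) named in httpd -t -D DUMP_VHOSTS (here /etc/httpd/conf.d/ssl.conf); the reported line numbers then identify the exact block to remove, after which the restart and DUMP_VHOSTS re-check described above confirm the reference is gone before the delete.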
I am sure the EFF, who develop Certbot, appreciate the support. The ISRG, who do Let's Encrypt (and run this forum), would appreciate it too: Donate - Let's Encrypt
No donation is required for support or product use. But they both appreciate it.