Digital Ocean Auto Renew Failures

OK, let me preface this with: I have no idea what I'm doing :slight_smile: sorry. So if offering advice, please treat me like a person who has a decent understanding of using a computer, but not of managing servers, so this is a huge learning experience for me. I apologize in advance for my stupidity.

My domain is: Infinitabathrooms.co.uk

I ran this command: sudo certbot renew -v --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/infinitabathrooms.co.uk-0001.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-digitalocean, Installer None
Simulating renewal of an existing certificate for infinitabathrooms.co.uk and *.infinitabathrooms.co.uk
Performing the following challenges:
dns-01 challenge for infinitabathrooms.co.uk
dns-01 challenge for infinitabathrooms.co.uk
Cleaning up challenges
Failed to renew certificate infinitabathrooms.co.uk-0001 with error: Error finding domain using the DigitalOcean API: Unable to authenticate you (Did you provide a valid API token?)


Processing /etc/letsencrypt/renewal/infinitabathrooms.co.uk-0002.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-digitalocean, Installer None
Simulating renewal of an existing certificate for infinitabathrooms.co.uk and www.infinitabathrooms.co.uk
Performing the following challenges:
dns-01 challenge for infinitabathrooms.co.uk
dns-01 challenge for www.infinitabathrooms.co.uk
Cleaning up challenges
Failed to renew certificate infinitabathrooms.co.uk-0002 with error: File not found: /home/infinita/.secrets/certbot/digitalocean.ini


Processing /etc/letsencrypt/renewal/infinitabathrooms.co.uk-0003.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-digitalocean, Installer None
Simulating renewal of an existing certificate for *.infinitabathrooms.co.uk
Performing the following challenges:
dns-01 challenge for infinitabathrooms.co.uk
Cleaning up challenges
Failed to renew certificate infinitabathrooms.co.uk-0003 with error: Error finding domain using the DigitalOcean API: Unable to authenticate you (Did you provide a valid API token?)


Processing /etc/letsencrypt/renewal/infinitabathrooms.co.uk.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for infinitabathrooms.co.uk and 3 more domains
Performing the following challenges:
http-01 challenge for infinitabathrooms.co.uk
http-01 challenge for merchant.infinitabathrooms.co.uk
http-01 challenge for www.infinitabathrooms.co.uk
http-01 challenge for www.merchant.infinitabathrooms.co.uk
Waiting for verification...
Cleaning up challenges


Processing /etc/letsencrypt/renewal/merchant.infinitabathrooms.co.uk.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator dns-digitalocean, Installer None
Simulating renewal of an existing certificate for infinitabathrooms.co.uk and merchant.infinitabathrooms.co.uk
Performing the following challenges:
dns-01 challenge for infinitabathrooms.co.uk
dns-01 challenge for merchant.infinitabathrooms.co.uk
Cleaning up challenges
Failed to renew certificate merchant.infinitabathrooms.co.uk with error: Error finding domain using the DigitalOcean API: Unable to authenticate you (Did you provide a valid API token?)


Processing /etc/letsencrypt/renewal/www.infinitabathrooms.co.uk.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for www.infinitabathrooms.co.uk
Performing the following challenges:
http-01 challenge for www.infinitabathrooms.co.uk
Waiting for verification...
Cleaning up challenges


The following simulated renewals succeeded:
/etc/letsencrypt/live/infinitabathrooms.co.uk/fullchain.pem (success)
/etc/letsencrypt/live/www.infinitabathrooms.co.uk/fullchain.pem (success)

The following simulated renewals failed:
/etc/letsencrypt/live/infinitabathrooms.co.uk-0001/fullchain.pem (failure)
/etc/letsencrypt/live/infinitabathrooms.co.uk-0002/fullchain.pem (failure)
/etc/letsencrypt/live/infinitabathrooms.co.uk-0003/fullchain.pem (failure)
/etc/letsencrypt/live/merchant.infinitabathrooms.co.uk/fullchain.pem (failure)


4 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2024-04-10T17:46:26

The operating system my web server runs on is (include version): DISTRIB_DESCRIPTION="Ubuntu 20.04.1 LTS"

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.10.0

Hello @MichaelJohn83, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is the status history, which indicates on May 31, 2024 20:37 UTC "Staging environment maintenance"
and at May 31, 2024 21:22 UTC "Elevated Rate of 503 Service Busy Responses", so if it happened in those time blocks I would just retry again.

Here is a list of issued certificates crt.sh | Infinitabathrooms.co.uk, the latest being 2024-05-31. Presently it would appear that this certificate is being served crt.sh | 13241570050
Shown here:

  1. https://decoder.link/sslchecker/infinitabathrooms.co.uk/443
  2. Hardenize Report: infinitabathrooms.co.uk
  3. SSL Server Test: infinitabathrooms.co.uk (Powered by Qualys SSL Labs)

I am guessing your issue has been resolved, correct?


This may look worse than it actually is. You have created 6 different Certbot cert profiles. Each of these profiles has a different set of domain names. The profile with the name infinitabathrooms.co.uk (bolded in the list above) has 4 domain names in it and is the one used by your Apache server for those names. That cert passes the dry-run test and was renewed in the production system just 2 days ago. Which is to say that one cert and profile looks fine.

To figure out what to do with the other 5 cert profiles we need to know more about your intent.

Do you use certs anywhere other than Apache? Like a mail server or a private network?

And, do you need the wildcard certs?

Because if you don't, we can walk you through deleting them so you don't get those errors and don't waste Let's Encrypt resources trying to renew certs you don't need.

For reference, the cert Apache is using has these 4 names (the bolded profile above)


Thanks for both of your replies,

The server is running a multisite using WordPress and WooCommerce. Currently, looking at the first reply, it seems that the main infinitabathrooms.co.uk is no longer giving an error in regards to the cert, but the subdomains are failing. Not sure if it matters, but there are 10 subdomains being used.

There are no virtual private networks being run, and as far as I was aware it's just the websites. Although, looking at the DNS records, there does seem to be some reference to a 3rd-party mail service (Mailgun), I'm unsure if this functionality is being used. Another thing I need to look into, yay!

The DNS records list the 4 you have identified as well as:

*.infinitabathrooms.co.uk
www.merchant.infinitabathrooms.co.uk
merchant.infinitabathrooms.co.uk


What are the subdomains that are failing?

And, did you delete the cert profiles that you no longer need? Many looked like they were created in error. If you did, can you show a fresh output of this:

sudo certbot certificates

The subdomains that are failing are
Privacy error (infinitabathrooms.co.uk)
Privacy error (infinitabathrooms.co.uk)
Privacy error (infinitabathrooms.co.uk)
Privacy error (infinitabathrooms.co.uk)
Privacy error (infinitabathrooms.co.uk)
Homepage - MRA Marketing (infinitabathrooms.co.uk)
Privacy error (infinitabathrooms.co.uk)

they are all returning NET::ERR_CERT_COMMON_NAME_INVALID

I did not delete the certs because I'm not really sure what I need to delete, and I really don't want to delete the wrong thing.

Regards

You had a wildcard cert issued Mar 2 which would have covered those subdomains. But, it was not renewed, probably because of the error below. In general something has gone wrong with your DigitalOcean plugin and its security config.

Your Apache should be using the expired cert, giving a different error than you describe (cert name mismatch). So, something seems wrong in your Apache too.

Can you show output of these two commands

sudo certbot certificates
sudo apache2ctl -t -D DUMP_VHOSTS

And the contents of this file:

/etc/letsencrypt/renewal/infinitabathrooms.co.uk-0001.conf

It will take some time to sort through your various problems. But above info will be helpful to whoever chooses to help.


The output of the required commands/files is detailed below.

The only thing that I have done to the server other than trying to renew the certs was a reset of the root password. Not sure if this would have caused any of the problems, but thought it would be worth mentioning just in case.

root@infinitabathrooms:~# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
  Certificate Name: infinitabathrooms.co.uk-0001
    Serial Number: 4b4d35b496d1c0fbf8211cb4ef903a4e231
    Key Type: RSA
    Domains: infinitabathrooms.co.uk *.infinitabathrooms.co.uk
    Expiry Date: 2024-05-31 18:25:25+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/infinitabathrooms.co.uk-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/infinitabathrooms.co.uk-0001/privkey.pem
  Certificate Name: infinitabathrooms.co.uk-0002
    Serial Number: 4e9c8e52214fa5d187f879e12592f3ab33e
    Key Type: RSA
    Domains: infinitabathrooms.co.uk www.infinitabathrooms.co.uk
    Expiry Date: 2024-08-02 03:36:23+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/infinitabathrooms.co.uk-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/infinitabathrooms.co.uk-0002/privkey.pem
  Certificate Name: infinitabathrooms.co.uk-0003
    Serial Number: 36b6aaafa2e744a1f9b156ec0ddd4a17ba7
    Key Type: RSA
    Domains: *.infinitabathrooms.co.uk
    Expiry Date: 2024-05-31 18:25:29+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/infinitabathrooms.co.uk-0003/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/infinitabathrooms.co.uk-0003/privkey.pem
  Certificate Name: infinitabathrooms.co.uk
    Serial Number: 4c0ebcbc872755fb384615209d1a48415e8
    Key Type: ECDSA
    Domains: infinitabathrooms.co.uk merchant.infinitabathrooms.co.uk www.infinitabathrooms.co.uk www.merchant.infinitabathrooms.co.uk
    Expiry Date: 2024-08-29 09:02:41+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/infinitabathrooms.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/infinitabathrooms.co.uk/privkey.pem
  Certificate Name: merchant.infinitabathrooms.co.uk
    Serial Number: 3d7ccfd1b8f7e9d4aba066f6e0f798b1e60
    Key Type: RSA
    Domains: infinitabathrooms.co.uk merchant.infinitabathrooms.co.uk
    Expiry Date: 2024-07-31 03:31:40+00:00 (VALID: 56 days)
    Certificate Path: /etc/letsencrypt/live/merchant.infinitabathrooms.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/merchant.infinitabathrooms.co.uk/privkey.pem
  Certificate Name: www.infinitabathrooms.co.uk
    Serial Number: 3ad7ef6d4425010b6bc818baeb813a03836
    Key Type: RSA
    Domains: www.infinitabathrooms.co.uk
    Expiry Date: 2024-07-31 03:31:44+00:00 (VALID: 56 days)
    Certificate Path: /etc/letsencrypt/live/www.infinitabathrooms.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.infinitabathrooms.co.uk/privkey.pem

root@infinitabathrooms:~# sudo apache2ctl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server infinitabathrooms.co.uk (/etc/apache2/sites-enabled/infinitabathrooms.co.uk-le-ssl.conf:2)
         port 443 namevhost infinitabathrooms.co.uk (/etc/apache2/sites-enabled/infinitabathrooms.co.uk-le-ssl.conf:2)
                 alias www.infinitabathrooms.co.uk
         port 443 namevhost merchant.infinitabathrooms.co.uk (/etc/apache2/sites-enabled/merchant.infinitabathrooms.co.uk-le-ssl.conf:2)
                 alias www.merchant.infinitabathrooms.co.uk
*:80                   is a NameVirtualHost
         default server infinitabathrooms.co.uk (/etc/apache2/sites-enabled/infinitabathrooms.co.uk.conf:1)
         port 80 namevhost infinitabathrooms.co.uk (/etc/apache2/sites-enabled/infinitabathrooms.co.uk.conf:1)
                 alias www.infinitabathrooms.co.uk
         port 80 namevhost merchant.infinitabathrooms.co.uk (/etc/apache2/sites-enabled/merchant.infinitabathrooms.co.uk.conf:1)
                 alias www.merchant.infinitabathrooms.co.uk

root@infinitabathrooms:~# cat /etc/letsencrypt/renewal/infinitabathrooms.co.uk-0001.conf

# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/infinitabathrooms.co.uk-0001
cert = /etc/letsencrypt/live/infinitabathrooms.co.uk-0001/cert.pem
privkey = /etc/letsencrypt/live/infinitabathrooms.co.uk-0001/privkey.pem
chain = /etc/letsencrypt/live/infinitabathrooms.co.uk-0001/chain.pem
fullchain = /etc/letsencrypt/live/infinitabathrooms.co.uk-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = f5a986f41b8e47297507bbad3cc8bd9d
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-digitalocean
dns_digitalocean_credentials = /home/infinita/certbot-creds.ini
key_type = rsa

Thanks for all that.

I don't see those subdomains listed in your Apache config. Were you just relying on them to use the default VirtualHost?

Because normally we would see any subdomains you wanted listed as a ServerName or ServerAlias for one of the VirtualHosts. Or, even a wildcard name.

Can you show the contents of this file?

/etc/apache2/sites-enabled/infinitabathrooms.co.uk-le-ssl.conf

Hi Mike,

Now you're starting to ask me questions I cannot answer, but I am always happy to learn. I have included the output of the file you requested. Digging into the question regarding the subdomains, it seems that WordPress may have been handling them. Not sure how all that works, but there seems to be a Multisite JSON API plugin within the WordPress plugins.

No idea how that works in regards to security certificates but that sounds like another issue all together.

root@infinitabathrooms:~# cat /etc/apache2/sites-enabled/infinitabathrooms.co.uk-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName infinitabathrooms.co.uk
    ServerAlias www.infinitabathrooms.co.uk
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/infinitabathrooms.co.uk/public
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <Directory /var/www/infinitabathrooms.co.uk>
        Options Indexes FollowSymLinks
        Allow from All
        AllowOverride All
    </Directory>

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/infinitabathrooms.co.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/infinitabathrooms.co.uk/privkey.pem
</VirtualHost>
</IfModule>

I don't know what to suggest about your subdomains.

Your Apache doesn't include any configuration for them. And, your default VirtualHost is using the cert that has just the 4 domain names in it.

I think you should ask about these subdomains to your Wordpress support. I don't know how those other subdomains should integrate with all your other components. Especially when you are not sure either :slight_smile:

At one time you had a wildcard cert that could handle those subdomains. But, your Digital Ocean security config is no longer working so that cert was not renewed. But, it doesn't help to renew just the cert if you don't also have the matching setup in Wordpress and Apache.

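The reply above hinges on name coverage: a browser visiting a sub-site gets whichever vhost Apache picks for that SNI name (here the default `*:443` vhost), and then compares the requested hostname against the certificate's subject alternative names. The script below is an added example, not from the thread or from Certbot, that applies the browser's matching rule to the six profiles listed in the `certbot certificates` output. The SAN lists are copied from that output; the two sub-site hostnames are constructed, since the thread never names the ten WordPress subdomains. The rule worth seeing in code is that a wildcard replaces exactly one label: `*.infinitabathrooms.co.uk` covers `shop.infinitabathrooms.co.uk` but not the bare apex and not `www.merchant.infinitabathrooms.co.uk`, which is why profile -0001 carried both the apex and the wildcard.

```python
"""Check which certbot profile covers which hostname, using browser-style
name matching. Added example; SAN lists come from the thread's
'certbot certificates' output, the sub-site names are made up.
"""

# Profile name -> SANs, as printed by 'certbot certificates' above
PROFILES = {
    "infinitabathrooms.co.uk-0001": [
        "infinitabathrooms.co.uk", "*.infinitabathrooms.co.uk"],
    "infinitabathrooms.co.uk-0002": [
        "infinitabathrooms.co.uk", "www.infinitabathrooms.co.uk"],
    "infinitabathrooms.co.uk-0003": ["*.infinitabathrooms.co.uk"],
    "infinitabathrooms.co.uk": [
        "infinitabathrooms.co.uk", "merchant.infinitabathrooms.co.uk",
        "www.infinitabathrooms.co.uk", "www.merchant.infinitabathrooms.co.uk"],
    "merchant.infinitabathrooms.co.uk": [
        "infinitabathrooms.co.uk", "merchant.infinitabathrooms.co.uk"],
    "www.infinitabathrooms.co.uk": ["www.infinitabathrooms.co.uk"],
}

# The profile the default *:443 vhost serves (SSLCertificateFile in the
# le-ssl.conf above); unlisted subdomains land on this vhost via SNI.
SERVED_PROFILE = "infinitabathrooms.co.uk"

# Constructed sub-site names standing in for the WordPress multisite hosts
DEMO_SUBSITES = ["shop.infinitabathrooms.co.uk", "showroom.infinitabathrooms.co.uk"]


def name_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style comparison: a leading '*' matches exactly one label."""
    hostname = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if san.startswith("*."):
        h_labels = hostname.split(".")
        s_labels = san.split(".")
        # Same label count and identical tail: the apex has one label too
        # few, www.merchant.* has one too many, so neither matches.
        return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]
    return hostname == san


def uncovered(hostnames, sans) -> list:
    """Hostnames in the list that no SAN in 'sans' matches."""
    return [h for h in hostnames if not any(name_matches(h, s) for s in sans)]


def covering_profiles(hostname: str, profiles=PROFILES) -> list:
    """Profiles whose SAN list would satisfy a browser for this hostname."""
    return [name for name, sans in profiles.items()
            if not uncovered([hostname], sans)]


if __name__ == "__main__":
    served = PROFILES[SERVED_PROFILE]
    print("served cert leaves uncovered:", uncovered(DEMO_SUBSITES, served))
    for host in ["infinitabathrooms.co.uk", DEMO_SUBSITES[0],
                 "www.merchant.infinitabathrooms.co.uk"]:
        print(f"{host}: {covering_profiles(host)}")
```

Run against the thread's data, the served profile covers none of the sub-sites, profile -0003 (`*.` only) would cover the sub-sites but not the apex, and only profile -0001 covers both, which matches the observation that things worked until that wildcard cert expired on May 31. Renewing -0001 alone still would not help until the default vhost (or a dedicated one with a wildcard `ServerAlias`) points at that profile's `fullchain.pem`.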

Yeah, I get that. I'll try the WordPress support and see what assistance I can get there. Before the subdomain issue, you mentioned deleting some files to fix the errors; could you let me know where those files were located, so I can look at fixing the errors that were coming up during renewal?

Okay, reading about multisite/subdomain setup with WordPress, it seems to require the wildcard DNS records, so I think fixing the issues I have with the wildcard cert should fix the issues with the sub-sites.

