Error renewing SSL

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://online.cdiu.university/

I ran this command: certbot renew

It produced this output:
root@online:/var/www/moodle/.well-known/acme-challenge# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/online.cdiu.university-0001.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/online.cdiu.university-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/online.cdiu.university-0001.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/online.cdiu.university.conf


Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (online.cdiu.university) from /etc/letsencrypt/renewal/online.cdiu.university.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/online.cdiu.university/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/online.cdiu.university/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/online.cdiu.university-0001.conf (parsefail)


1 renew failure(s), 1 parse failure(s)

My web server is (include version): root@online:/var/www/moodle/.well-known/acme-challenge# nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): It is an OVH VPS Ubuntu server

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Please run the following then try again:

certbot update_symlinks

You cannot use certbot renew with the manual authenticator without supplying "hook" scripts to set up and clean up the challenges. You should be able to use the certbot command that you used last time to renew your certificate. Please note that renewing a certificate is fundamentally no different than acquiring a new certificate.

1 Like
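The "hook" scripts the reply above refers to are what let the manual authenticator complete an HTTP-01 challenge without anyone at the keyboard. The script below is an added example written for this page, not code from the thread or from Certbot. It assumes the site is served from /var/www/moodle (the directory in the poster's shell prompt) and that the script is installed as /usr/local/sbin/acme-http-hook.sh; CHALLENGE_DIR can be overridden so it can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread: HTTP-01 auth/cleanup hooks that let
# "certbot certonly --manual" (and afterwards "certbot renew") run unattended.
# Assumptions: webroot /var/www/moodle, script installed as
# /usr/local/sbin/acme-http-hook.sh. CHALLENGE_DIR may be overridden.
CHALLENGE_DIR="${CHALLENGE_DIR:-/var/www/moodle/.well-known/acme-challenge}"

# Certbot exports CERTBOT_TOKEN (the challenge file name) and
# CERTBOT_VALIDATION (the key authorization that must be the file body) to
# the auth hook; the cleanup hook receives the same CERTBOT_TOKEN.

# token_is_sane: the token becomes a file name, so accept only the base64url
# alphabet ACME tokens use and refuse anything path-like.
token_is_sane() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# auth_hook: publish the validation string at
# http://<domain>/.well-known/acme-challenge/<token>
auth_hook() {
    token_is_sane "$CERTBOT_TOKEN" || return 1
    mkdir -p "$CHALLENGE_DIR"
    # printf '%s' rather than echo: the body must be the exact string, no newline.
    printf '%s' "$CERTBOT_VALIDATION" > "$CHALLENGE_DIR/$CERTBOT_TOKEN"
    chmod 0644 "$CHALLENGE_DIR/$CERTBOT_TOKEN"
}

# cleanup_hook: remove the challenge file once validation is done, so the key
# authorization is not left published longer than needed.
cleanup_hook() {
    token_is_sane "$CERTBOT_TOKEN" || return 1
    rm -f "$CHALLENGE_DIR/$CERTBOT_TOKEN"
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Issue the certificate once with the hooks named, for example `certbot certonly --manual --preferred-challenges http --manual-auth-hook "/usr/local/sbin/acme-http-hook.sh auth" --manual-cleanup-hook "/usr/local/sbin/acme-http-hook.sh cleanup" -d online.cdiu.university`; Certbot records the hook paths in the renewal configuration, and from then on `certbot renew` runs them itself. Since nginx already serves the site from a webroot, the simpler route is `--webroot -w /var/www/moodle`, which needs no hooks at all.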

root@online:~# certbot update_symlinks
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Expected /etc/letsencrypt/live/online.cdiu.university-0001/cert.pem to be a symlink

1 Like

For some reason it will not update the cert; note the date:

root@online:/etc/letsencrypt/archive# cd
root@online:~# certbot certonly --manual -d 'online.cdiu.university'
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/online.cdiu.university/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/online.cdiu.university/privkey.pem
    Your cert will expire on 2021-01-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

root@online:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/online.cdiu.university-0001.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/online.cdiu.university-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/online.cdiu.university-0001.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/online.cdiu.university.conf


Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (online.cdiu.university) from /etc/letsencrypt/renewal/online.cdiu.university.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/online.cdiu.university/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/online.cdiu.university/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/online.cdiu.university-0001.conf (parsefail)


1 renew failure(s), 1 parse failure(s)
You have new mail in /var/mail/root

1 Like

That's because the certificate symlink in live has been replaced with a certificate file.

Let's clean up the mess...

To begin, what says this?

certbot certificates

root@online:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/online.cdiu.university-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/online.cdiu.university-0001/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: online.cdiu.university
Domains: online.cdiu.university
Expiry Date: 2021-01-06 11:43:03+00:00 (VALID: 5 days)
Certificate Path: /etc/letsencrypt/live/online.cdiu.university/fullchain.pem
Private Key Path: /etc/letsencrypt/live/online.cdiu.university/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/online.cdiu.university-0001.conf


1 Like

Just for reference, the new certificates have definitely been created (and are sitting in the archive directory).

Complete Certificate History

Only the one certificate then?

Yes only one;
I don't understand why the expiration date is still showing January 6

1 Like

It's the hard-coded certificate in live. We will fix that imminently.

You're very close to hitting the duplicate rate limit, so we need to exercise caution here.
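The two replies above ("the certificate symlink in live has been replaced with a certificate file" and "the hard-coded certificate in live") describe exactly the condition behind the "expected .../cert.pem to be a symlink" traceback. The script below is an added example written for this page, not code from the thread or from Certbot: a read-only check that walks the standard /etc/letsencrypt layout (live/<name>/*.pem symlinks into archive/, renewal/<name>.conf naming those paths) and reports a lineage whose files are regular copies, missing, or dangling before `certbot renew` trips over it. LETSENCRYPT_DIR is an assumed override so the check can be pointed at a copy of the directory.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot: read-only layout check
# for a Certbot configuration directory. Assumption: standard layout with
# live/<name>/{cert,chain,fullchain,privkey}.pem symlinked into archive/.
LETSENCRYPT_DIR="${LETSENCRYPT_DIR:-/etc/letsencrypt}"

# check_symlink PATH: 0 if PATH is a symlink to an existing regular file under
# an archive/ directory; 1 (with a one-line reason on stdout) otherwise.
check_symlink() {
    path="$1"
    if [ -L "$path" ]; then
        target=$(readlink "$path")
        case "$target" in
            /*) resolved="$target" ;;
            *)  resolved="$(dirname "$path")/$target" ;;  # relative to live/<name>/
        esac
        case "$resolved" in
            */archive/*) ;;
            *) echo "$path -> $target: does not point into archive/"; return 1 ;;
        esac
        [ -f "$resolved" ] || { echo "$path -> $target: dangling link"; return 1; }
        return 0
    elif [ -e "$path" ]; then
        echo "$path: regular file where a symlink is expected (renew will skip this lineage)"
        return 1
    fi
    echo "$path: missing"
    return 1
}

# check_lineage NAME: check the four files Certbot keeps in live/NAME/.
check_lineage() {
    live="$LETSENCRYPT_DIR/live/$1"
    lstatus=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        check_symlink "$live/$f" || lstatus=1
    done
    return $lstatus
}

# check_renewal_conf FILE: the paths a renewal config names must themselves
# pass check_symlink, or "certbot renew" reports the config as parsefail.
check_renewal_conf() {
    conf="$1"
    cstatus=0
    for key in cert privkey chain fullchain; do
        path=$(sed -n "s/^$key = //p" "$conf" | head -n 1)
        if [ -z "$path" ]; then
            echo "$conf: no '$key =' entry"; cstatus=1; continue
        fi
        check_symlink "$path" || cstatus=1
    done
    return $cstatus
}

# check_all: every lineage directory in live/ and every renewal config.
check_all() {
    rc=0
    for d in "$LETSENCRYPT_DIR"/live/*/; do
        [ -d "$d" ] && { check_lineage "$(basename "$d")" || rc=1; }
    done
    for c in "$LETSENCRYPT_DIR"/renewal/*.conf; do
        [ -f "$c" ] && { check_renewal_conf "$c" || rc=1; }
    done
    return $rc
}
```

Running `check_all` as root on the poster's server would print one line for each of the four files the -0001 renewal config points at, since live/online.cdiu.university-0001 does not exist, and nothing for the non-0001 lineage, whose links resolve into archive/. The check never writes anything, so it is safe to run before deciding how to repair the lineage.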

Ok thank you;
Please tell me what not to do so I won't mess up the certificate.

1 Like

Let's check something:

ls -l /etc/letsencrypt/live/online.cdiu.university-0001/

root@online:~# ls -l /etc/letsencrypt/live/online.cdiu.university-0001/
ls: cannot access '/etc/letsencrypt/live/online.cdiu.university-0001/': No such file or directory

1 Like

Hmm... maybe without the slash:

ls -l /etc/letsencrypt/live/online.cdiu.university-0001

Looks like they are in another location:
root@online:~# ls -l /etc/letsencrypt/live/online.cdiu.university
total 4
-rw-r--r-- 1 root root 692 Oct 8 12:43 README
lrwxrwxrwx 1 root root 51 Jan 1 00:59 cert.pem -> ../../archive/online.cdiu.university-0001/cert1.pem
lrwxrwxrwx 1 root root 52 Jan 1 00:59 chain.pem -> ../../archive/online.cdiu.university-0001/chain1.pem
lrwxrwxrwx 1 root root 56 Jan 1 00:59 fullchain.pem -> ../../archive/online.cdiu.university-0001/fullchain1.pem
lrwxrwxrwx 1 root root 54 Jan 1 00:59 privkey.pem -> ../../archive/online.cdiu.university-0001/privkey1.pem

1 Like

I think I'm getting the picture now... :grin:

Looks like the folder got renamed at a point. This really confused certbot.

Let's do a sanity check:

nginx -T

1 Like

root@online:~# nginx -T
nginx: [warn] conflicting server name "online.cdiu.university" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.online.cdiu.university" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name ".online.cdiu.university" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "online.cdiu.university" on [::]:80, ignored
nginx: [warn] conflicting server name "www.online.cdiu.university" on [::]:80, ignored
nginx: [warn] conflicting server name ".online.cdiu.university" on [::]:80, ignored
nginx: [warn] conflicting server name "online.cdiu.university" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "www.online.cdiu.university" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "online.cdiu.university" on [::]:443, ignored
nginx: [warn] conflicting server name "www.online.cdiu.university" on [::]:443, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

configuration file /etc/nginx/nginx.conf:

....
....
...
....
ssl_certificate /etc/letsencrypt/live/online.cdiu.university/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/online.cdiu.university/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/online.cdiu.university/chain.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
....
.....
...

2 Likes

Certainly a bit of a civil war going on in there.

The important part for now is that the configuration seems to point to the non-0001 folder.

2 Likes