Error while renewing the certificate

Please fill out the fields below so we can help you better.

My domain is: vaibhavsingh97.me

I ran this command: sudo certbot renew --dry-run

It produced this output:

root@personal-website:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/vaibhavsingh97.me-0001.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for vaibhavsingh97.me
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/vaibhavsingh97.me-0001/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/vaibhavsingh97.me-0002.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for vaibhavsingh97.me
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/vaibhavsingh97.me-0002/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/vaibhavsingh97.me.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/vaibhavsingh97.me/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/vaibhavsingh97.me.conf is broken. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/vaibhavsingh97.me-0001/fullchain.pem (success)
  /etc/letsencrypt/live/vaibhavsingh97.me-0002/fullchain.pem (success)

Additionally, the following renewal configuration files were invalid: 
  /etc/letsencrypt/renewal/vaibhavsingh97.me.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
0 renew failure(s), 1 parse failure(s)

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

My web server is (include version):

nginx version: nginx/1.10.3 (Ubuntu)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled

The operating system my web server runs on is (include version):
4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: Digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The answer is in the message - I believe your symlinks are broken.

Why do you have 3 certificates for the same domain? Or is it one common name with different SANs under it?

I have checked https://crt.sh/?q=vaibhavsingh97.me and they are the same domain for 3 certificates

This can lead to issues further down the track such as hitting rate limits, confusion etc.

I suggest that you review this

If you run certbot certificates you should be able to clean out your certs.

Andrei

Hi! I know and I messed up. Can you please guide me?
Also, issuing: certbot --nginx
gives me an error:

root@personal-website:~# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: vaibhavsingh97.me
2: www.vaibhavsingh97.me
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for vaibhavsingh97.me
nginx: [emerg] SSL_CTX_load_verify_locations("/etc/letsencrypt/live/vaibhavsingh97.me/chain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/vaibhavsingh97.me/chain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib)
Cleaning up challenges
nginx restart failed:

hi @vaibhavsingh97

Please stop running commands without thinking about what you are trying to achieve

You have issued another two certificates which you don’t need to

One of your certificate chains is broken and unfortunately the broken one, I think, is the one you are using with your nginx.

A) Run Certbot certificates

This will give you a list of all the certificates that certbot currently manages (there should be 3)

B) I can see you have 3 chains

/etc/letsencrypt/renewal/vaibhavsingh97.me.conf <-broken
/etc/letsencrypt/renewal/vaibhavsingh97.me-0002.conf <- good
/etc/letsencrypt/renewal/vaibhavsingh97.me-0001.conf <- good

C) run certbot delete

Have a careful read of: Certbot - Subdomain Removed From Web Server but Certificate Not Removed From Certbot Management

D) What you want to do is at the end of C only have one chain (either vaibhavsingh97.me-0002 or vaibhavsingh97.me-0001.conf)

E) run certbot update_symlinks and this should fix things

update_symlinks Recreate symlinks in your /etc/letsencrypt/live/
directory

F) If this doesn’t work then delete the third chain and start again. It looks like you have no issues passing the challenges.

Andrei
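The "expected .../cert.pem to be a symlink" error in the first post comes from certbot finding a regular file or a dangling link where a symlink from live/ into archive/ should be. The check below is added here as an example and is not from the thread or from the certbot project; check_lineage and check_live_dir are names I chose, and the script builds a constructed demo tree under a temporary directory instead of reading /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every lineage under a
# certbot "live" directory is made of symlinks that resolve into "archive".
# certbot renew refuses a lineage whose cert.pem is a plain file or a
# dangling link ("expected .../cert.pem to be a symlink").

check_lineage() {
    # $1 = one lineage directory, e.g. /etc/letsencrypt/live/example.com
    status=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$1/$f"
        if [ ! -L "$p" ]; then
            echo "BROKEN $p: not a symlink"
            status=1
        elif [ ! -e "$p" ]; then
            echo "BROKEN $p: dangling symlink -> $(readlink "$p")"
            status=1
        else
            echo "ok     $p -> $(readlink "$p")"
        fi
    done
    return $status
}

check_live_dir() {
    # $1 = the live directory; returns 1 if any lineage under it is broken
    rc=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        check_lineage "${d%/}" || rc=1
    done
    return $rc
}

# Constructed demo tree standing in for /etc/letsencrypt: lineage "good" is
# laid out the way certbot does it; lineage "broken" has cert.pem replaced
# by a regular file (as after a manual copy), the failure seen in the thread.
DEMO=$(mktemp -d)
for name in good broken; do
    mkdir -p "$DEMO/archive/$name" "$DEMO/live/$name"
    for f in cert chain fullchain privkey; do
        echo "placeholder $f" > "$DEMO/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$DEMO/live/$name/$f.pem"
    done
done
rm "$DEMO/live/broken/cert.pem"
echo "placeholder cert" > "$DEMO/live/broken/cert.pem"

if check_live_dir "$DEMO/live"; then echo "all lineages ok"; else echo "some lineage is broken"; fi
```

Run it against a real installation with check_live_dir /etc/letsencrypt/live; a lineage it reports as BROKEN is the one certbot update_symlinks (or certbot delete) needs to deal with.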

Thanks Andrei
It’s not working, so I deleted /etc/letsencrypt/renewal/vaibhavsingh97.me.conf and am regenerating a new conf, but I am not able to do so:

root@personal-website:~# sudo certbot certonly --webroot --webroot-path=/var/www/html -d vaibhavsingh97.me -d www.vaibhavsingh97.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vaibhavsingh97.me
http-01 challenge for www.vaibhavsingh97.me
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.vaibhavsingh97.me (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://vaibhavsingh97.me/.well-known/acme-challenge/b7UG_QQ0NW2bTMUz7agft3TkfSTc0DdUWmvvjfBSHcc: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.vaibhavsingh97.me
   Type:   connection
   Detail: Fetching
   https://vaibhavsingh97.me/.well-known/acme-challenge/b7UG_QQ0NW2bTMUz7agft3TkfSTc0DdUWmvvjfBSHcc:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
root@personal-website:~# sudo certbot certonly --webroot --webroot-path=/var/www/html -d vaibhavsingh97.me -d www.vaibhavsingh97.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vaibhavsingh97.me
http-01 challenge for www.vaibhavsingh97.me
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.vaibhavsingh97.me (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://vaibhavsingh97.me/.well-known/acme-challenge/fn26NE67uxoy6XwXwypFerPXsYCso-WWrVnBolQKvEI: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.vaibhavsingh97.me
   Type:   connection
   Detail: Fetching
   https://vaibhavsingh97.me/.well-known/acme-challenge/fn26NE67uxoy6XwXwypFerPXsYCso-WWrVnBolQKvEI:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

hi @vaibhavsingh97

What's not working?

Andrei

After updating symlinks, I am issuing this command

sudo certbot certonly --webroot --webroot-path=/var/www/html -d vaibhavsingh97.me -d www.vaibhavsingh97.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log

to get a new certificate, but it’s giving an error:

Failed authorization procedure. www.vaibhavsingh97.me (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://vaibhavsingh97.me/.well-known/acme-challenge/fn26NE67uxoy6XwXwypFerPXsYCso-WWrVnBolQKvEI: Timeout

YOU DON'T NEED TO ISSUE A NEW CERTIFICATE

Issuing multiple certificates is how you got into this mess in the first place (so why are you trying to do it again?). You have a perfectly valid certificate chain you can use.

Please follow my instructions carefully - updating the symlinks should fix the problem you are facing.

Alternatively, feel free to fix it in a way that makes sense to you, but note that I will not be providing further assistance.

Sorry to be blunt, but I am not sure why you are trying to make this harder than it needs to be.

Andrei

I am really sorry for creating a mess.
As of now, what I did:

  1. I deleted these, as I thought instead of creating a mess I should start from the beginning:

    /etc/letsencrypt/renewal/vaibhavsingh97.me.conf
    /etc/letsencrypt/renewal/vaibhavsingh97.me-0002.conf
    /etc/letsencrypt/renewal/vaibhavsingh97.me-0001.conf

  2. Now issuing the command certbot update_symlinks gives me this output:

    root@personal-website:~# certbot update_symlinks
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

  log: https://paste2.org/ncPC75V2

What should I do now?

Regards
vaibhav

Please paste the output of certbot certificates.

Andrei

root@personal-website:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
No certs found.
-------------------------------------------------------------------------------

OK, so I think maybe my instructions weren’t understood.

F) was supposed to be used ONLY if E (updating symlinks) didn’t work.

I did want to fix it a particular way to avoid this issue.

You have a redirect from HTTP to HTTPS; however, as you don’t have a certificate, you can’t pass the challenge.

READ CAREFULLY:

Remove the HTTP to HTTPS redirection from your web server.

Confirm this works by browsing to http://vaibhavsingh97.me/ - you should get your site instead of the error.

Once you have your site available over HTTP, run the certbot command again and it should work.

Install the certificate.

Enable HTTP to HTTPS redirection again.

Andrei


Thanks Andrei, it worked.

Regards
Vaibhav
