Failed to renew expired certificate

Hi,

domain: siminchikkunarayku.pe
The certificate has already expired and I am trying to renew it with certbot renew, but it fails with urn:acme:error:rateLimited
I already checked https://crt.sh/?q=siminchikkunarayku.pe , but I am not sure what to look for. It looks to me like the rate limit message is misleading.

Certbot version is 0.19 running on Ubuntu 16.04 with Apache.

How should I proceed?

Output from certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/siminchikkunarayku.pe.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for siminchikkunarayku.pe
Enabled Apache ssl module
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (siminchikkunarayku.pe) from /etc/letsencrypt/renewal/siminchikkunarayku.pe.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: siminchikkunarayku.pe: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/siminchikkunarayku.pe/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/siminchikkunarayku.pe/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

Hi @Reynaldo,

The crt.sh log that you linked to shows that you’ve successfully renewed your certificate six times in the last four days, including once today (!). (In that log, dates are calculated based on the UTC time zone.)

Do you not have access to the newly-issued certificates that resulted from all of these successful renewals?

Ah I see, but then they are not being saved. And the certbot tool complains of rate limit.

Attempting to renew cert (siminchikkunarayku.pe) from /etc/letsencrypt/renewal/siminchikkunarayku.pe.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: siminchikkunarayku.pe: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/siminchikkunarayku.pe/fullchain.pem (failure)

Are you sure they’re not being saved?

Could you paste the output of these commands?

certbot certificates
ls -al /etc/letsencrypt/archive/siminchikkunarayku.pe/
ls -al /etc/letsencrypt/live/siminchikkunarayku.pe/
cat /etc/letsencrypt/renewal/siminchikkunarayku.pe.conf

sudo ls -l /etc/letsencrypt/live/siminchikkunarayku.pe
total 4
lrwxrwxrwx 1 root root 50 Oct 5 23:48 cert.pem -> ../../archive/siminchikkunarayku.pe-0001/cert1.pem
lrwxrwxrwx 1 root root 51 Oct 5 23:48 chain.pem -> ../../archive/siminchikkunarayku.pe-0001/chain1.pem
lrwxrwxrwx 1 root root 55 Oct 5 23:48 fullchain.pem -> ../../archive/siminchikkunarayku.pe-0001/fullchain1.pem
lrwxrwxrwx 1 root root 53 Oct 5 23:48 privkey.pem -> ../../archive/siminchikkunarayku.pe-0001/privkey1.pem
-rw-r--r-- 1 root root 543 Oct 5 23:48 README

Then…

ls -al /etc/letsencrypt/archive/siminchikkunarayku.pe/
ls -al /etc/letsencrypt/archive/siminchikkunarayku.pe-0001/

sudo ls -al /etc/letsencrypt/archive/siminchikkunarayku.pe-0001
total 24
drwxr-xr-x 2 root root 4096 Oct 5 23:48 .
drwx------ 3 root root 4096 Oct 5 23:48 ..
-rw-r--r-- 1 root root 1814 Oct 5 23:48 cert1.pem
-rw-r--r-- 1 root root 1647 Oct 5 23:48 chain1.pem
-rw-r--r-- 1 root root 3461 Oct 5 23:48 fullchain1.pem
-rw-r--r-- 1 root root 1704 Oct 5 23:48 privkey1.pem

sudo ls -al /etc/letsencrypt/archive/
total 12
drwx------ 3 root root 4096 Oct 5 23:48 .
drwxr-xr-x 9 root root 4096 Jan 19 19:12 ..
drwxr-xr-x 2 root root 4096 Oct 5 23:48 siminchikkunarayku.pe-0001

There really isn’t a /etc/letsencrypt/archive/siminchikkunarayku.pe/ directory?

No, only siminchikkunarayku.pe-0001

Well… It’s just a matter of fixing what’s happened to Certbot’s configuration files.

Do you want to do it today? It might be a little simpler to wait until January 23 or so when you can just issue a new certificate (though you’d have to stop it from repeating what it’s doing now first).

Yes, if possible; this has not been working for some days already.

Yeah.

Please post:

sudo ls -lt /etc/letsencrypt/keys/

Note: It’s a directory full of private keys. Don’t give people your private key files! But a list of filenames isn’t very sensitive.

sudo ls -lt /etc/letsencrypt/keys/
[sudo] password for quechua:
total 416
-rw------- 1 root root 1708 Jan 19 16:51 0103_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 16:50 0102_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 16:09 0101_key-certbot.pem
-rw------- 1 root root 1708 Jan 19 16:08 0100_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 16:07 0099_key-certbot.pem
-rw------- 1 root root 1708 Jan 19 15:59 0098_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 12:17 0097_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 00:10 0096_key-certbot.pem
-rw------- 1 root root 1704 Jan 18 12:02 0095_key-certbot.pem
-rw------- 1 root root 1704 Jan 18 00:47 0094_key-certbot.pem
-rw------- 1 root root 1708 Jan 17 23:09 0093_key-certbot.pem
-rw------- 1 root root 1704 Jan 17 23:08 0092_key-certbot.pem
-rw------- 1 root root 1708 Jan 17 22:32 0091_key-certbot.pem
-rw------- 1 root root 1708 Jan 17 22:31 0090_key-certbot.pem
-rw------- 1 root root 1704 Jan 17 21:59 0089_key-certbot.pem
-rw------- 1 root root 1704 Jan 17 21:28 0088_key-certbot.pem
-rw------- 1 root root 1708 Jan 17 12:13 0087_key-certbot.pem
-rw------- 1 root root 1704 Jan 17 00:31 0086_key-certbot.pem
-rw------- 1 root root 1704 Jan 16 12:51 0085_key-certbot.pem
-rw------- 1 root root 1704 Jan 16 00:29 0084_key-certbot.pem
-rw------- 1 root root 1704 Jan 15 12:12 0083_key-certbot.pem
-rw------- 1 root root 1704 Jan 15 00:58 0082_key-certbot.pem
-rw------- 1 root root 1704 Jan 14 12:25 0081_key-certbot.pem
-rw------- 1 root root 1704 Jan 14 00:33 0080_key-certbot.pem
-rw------- 1 root root 1704 Jan 13 12:50 0079_key-certbot.pem
-rw------- 1 root root 1704 Jan 11 00:44 0078_key-certbot.pem
-rw------- 1 root root 1704 Jan 10 12:57 0077_key-certbot.pem
-rw------- 1 root root 1704 Jan 10 00:53 0076_key-certbot.pem
-rw------- 1 root root 1704 Jan 9 16:50 0075_key-certbot.pem
-rw------- 1 root root 1704 Jan 9 16:43 0074_key-certbot.pem
-rw------- 1 root root 1704 Jan 9 12:38 0073_key-certbot.pem
-rw------- 1 root root 1704 Jan 9 00:03 0072_key-certbot.pem
-rw------- 1 root root 1704 Jan 8 12:08 0071_key-certbot.pem
-rw------- 1 root root 1708 Jan 8 00:52 0070_key-certbot.pem
-rw------- 1 root root 1704 Jan 7 12:52 0069_key-certbot.pem
-rw------- 1 root root 1704 Jan 7 00:37 0068_key-certbot.pem
-rw------- 1 root root 1704 Jan 6 12:08 0067_key-certbot.pem
-rw------- 1 root root 1704 Jan 6 00:14 0066_key-certbot.pem
-rw------- 1 root root 1708 Jan 5 12:37 0065_key-certbot.pem
-rw------- 1 root root 1704 Jan 5 00:28 0064_key-certbot.pem
-rw------- 1 root root 1704 Jan 4 12:02 0063_key-certbot.pem
-rw------- 1 root root 1704 Jan 4 00:09 0062_key-certbot.pem
-rw------- 1 root root 1704 Jan 3 12:47 0061_key-certbot.pem
-rw------- 1 root root 1704 Jan 3 00:45 0060_key-certbot.pem
-rw------- 1 root root 1704 Jan 2 12:55 0059_key-certbot.pem
-rw------- 1 root root 1704 Jan 2 00:28 0058_key-certbot.pem
-rw------- 1 root root 1704 Jan 1 12:57 0057_key-certbot.pem
-rw------- 1 root root 1704 Jan 1 00:42 0056_key-certbot.pem
-rw------- 1 root root 1708 Dec 31 12:48 0055_key-certbot.pem
-rw------- 1 root root 1704 Dec 31 00:38 0054_key-certbot.pem
-rw------- 1 root root 1708 Dec 30 12:49 0053_key-certbot.pem
-rw------- 1 root root 1704 Dec 30 00:00 0052_key-certbot.pem
-rw------- 1 root root 1704 Dec 29 12:38 0051_key-certbot.pem
-rw------- 1 root root 1704 Dec 29 00:48 0050_key-certbot.pem
-rw------- 1 root root 1704 Dec 28 12:21 0049_key-certbot.pem
-rw------- 1 root root 1704 Dec 28 00:30 0048_key-certbot.pem
-rw------- 1 root root 1704 Dec 27 12:26 0047_key-certbot.pem
-rw------- 1 root root 1704 Dec 27 00:01 0046_key-certbot.pem
-rw------- 1 root root 1704 Dec 26 12:34 0045_key-certbot.pem
-rw------- 1 root root 1704 Dec 26 00:04 0044_key-certbot.pem
-rw------- 1 root root 1704 Dec 25 12:28 0043_key-certbot.pem
-rw------- 1 root root 1708 Dec 25 00:49 0042_key-certbot.pem
-rw------- 1 root root 1704 Dec 24 12:04 0041_key-certbot.pem
-rw------- 1 root root 1704 Dec 24 00:50 0040_key-certbot.pem
-rw------- 1 root root 1704 Dec 23 12:38 0039_key-certbot.pem
-rw------- 1 root root 1700 Dec 23 00:09 0038_key-certbot.pem
-rw------- 1 root root 1704 Dec 22 12:51 0037_key-certbot.pem
-rw------- 1 root root 1704 Dec 22 00:43 0036_key-certbot.pem
-rw------- 1 root root 1708 Dec 21 12:50 0035_key-certbot.pem
-rw------- 1 root root 1704 Dec 21 00:39 0034_key-certbot.pem
-rw------- 1 root root 1704 Dec 20 12:34 0033_key-certbot.pem
-rw------- 1 root root 1704 Dec 20 00:26 0032_key-certbot.pem
-rw------- 1 root root 1708 Dec 19 12:27 0031_key-certbot.pem
-rw------- 1 root root 1704 Dec 19 00:07 0030_key-certbot.pem
-rw------- 1 root root 1704 Dec 18 12:16 0029_key-certbot.pem
-rw------- 1 root root 1708 Dec 18 00:20 0028_key-certbot.pem
-rw------- 1 root root 1704 Dec 17 12:34 0027_key-certbot.pem
-rw------- 1 root root 1704 Dec 17 00:11 0026_key-certbot.pem
-rw------- 1 root root 1704 Dec 16 12:56 0025_key-certbot.pem
-rw------- 1 root root 1704 Dec 16 00:04 0024_key-certbot.pem
-rw------- 1 root root 1708 Dec 15 12:37 0023_key-certbot.pem
-rw------- 1 root root 1704 Dec 15 00:23 0022_key-certbot.pem
-rw------- 1 root root 1708 Dec 14 12:04 0021_key-certbot.pem
-rw------- 1 root root 1708 Dec 14 00:55 0020_key-certbot.pem
-rw------- 1 root root 1704 Dec 13 12:15 0019_key-certbot.pem
-rw------- 1 root root 1704 Dec 13 00:30 0018_key-certbot.pem
-rw------- 1 root root 1704 Dec 12 12:40 0017_key-certbot.pem
-rw------- 1 root root 1708 Dec 12 00:57 0016_key-certbot.pem
-rw------- 1 root root 1704 Dec 11 12:49 0015_key-certbot.pem
-rw------- 1 root root 1704 Dec 11 00:24 0014_key-certbot.pem
-rw------- 1 root root 1708 Dec 10 12:51 0013_key-certbot.pem
-rw------- 1 root root 1704 Dec 10 00:29 0012_key-certbot.pem
-rw------- 1 root root 1704 Dec 9 12:48 0011_key-certbot.pem
-rw------- 1 root root 1704 Dec 9 00:19 0010_key-certbot.pem
-rw------- 1 root root 1708 Dec 8 12:58 0009_key-certbot.pem
-rw------- 1 root root 1708 Dec 8 00:59 0008_key-certbot.pem
-rw------- 1 root root 1704 Dec 7 12:30 0007_key-certbot.pem
-rw------- 1 root root 1704 Dec 7 00:04 0006_key-certbot.pem
-rw------- 1 root root 1708 Dec 6 12:31 0005_key-certbot.pem
-rw------- 1 root root 1704 Dec 6 00:33 0004_key-certbot.pem
-rw------- 1 root root 1704 Dec 5 12:20 0003_key-certbot.pem
-rw------- 1 root root 1704 Dec 5 00:07 0002_key-certbot.pem
-rw------- 1 root root 1704 Oct 5 23:48 0001_key-certbot.pem
-rw------- 1 root root 1704 Oct 5 23:46 0000_key-certbot.pem

Okay...

/etc/letsencrypt/keys/ contains your private keys, and all Let's Encrypt certificates are in public logs. As long as the keys aren't lost, you can download the certificates, fix the files, and put everything back together again.

Going by the timestamps, this key:

is for this certificate:

Let's see...

Go to your home directory or something, then:

mkdir -m 755 siminchikkunarayku.pe
cd siminchikkunarayku.pe

Download the certificate:

curl -o cert1.pem https://crt.sh/?d=306294887

and the intermediate:

curl -o chain1.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

and create the "fullchain" file:

cat cert1.pem chain1.pem >fullchain1.pem

and copy the private key (as root):

sudo cp -ai /etc/letsencrypt/keys/0094_key-certbot.pem privkey1.pem

You should be able to double check the private key and certificate match like this:

openssl x509 -modulus -noout -in cert1.pem | sha256sum
sudo openssl rsa -modulus -noout -in privkey1.pem | sha256sum

If the hashes are the same, they match.

Make sure the permissions on the other files are reasonable:

chmod 644 cert1.pem chain1.pem fullchain1.pem

Make sure the directory and files are owned by root:

sudo chown root:root cert1.pem chain1.pem fullchain1.pem
cd ..
sudo chown root:root siminchikkunarayku.pe

Move it to /etc/letsencrypt/archive:

sudo mv -i siminchikkunarayku.pe /etc/letsencrypt/archive/

And fix the symlinks in the /etc/letsencrypt/live directory:

sudo ln -fs ../../archive/siminchikkunarayku.pe/cert1.pem /etc/letsencrypt/live/siminchikkunarayku.pe/cert.pem
sudo ln -fs ../../archive/siminchikkunarayku.pe/chain1.pem /etc/letsencrypt/live/siminchikkunarayku.pe/chain.pem
sudo ln -fs ../../archive/siminchikkunarayku.pe/fullchain1.pem /etc/letsencrypt/live/siminchikkunarayku.pe/fullchain.pem
sudo ln -fs ../../archive/siminchikkunarayku.pe/privkey1.pem /etc/letsencrypt/live/siminchikkunarayku.pe/privkey.pem

If I got that right, everything should be okay now. And Certbot should renew correctly in about 59 days.
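The modulus comparison and symlink repair described above, as an added example that is not part of the thread or of Certbot: a POSIX sh script (assumes openssl and GNU readlink -f are available) that checks a rebuilt lineage before it is moved under /etc/letsencrypt. It builds a throwaway fixture in a temp directory, with a self-signed certificate standing in for the crt.sh download and a second, unrelated key standing in for a wrongly chosen NNNN_key-certbot.pem file.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks for a rebuilt Certbot
# lineage (archive/<name>/{cert,chain,fullchain,privkey}1.pem plus the
# live/<name> symlinks). Assumes openssl and GNU readlink -f are installed.

# 0 if the private key's RSA modulus equals the certificate's modulus.
key_matches_cert() {
    cert_mod=$(openssl x509 -modulus -noout -in "$1" 2>/dev/null)
    key_mod=$(openssl rsa -modulus -noout -in "$2" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# 0 if fullchain is exactly cert followed by chain (what the cat step produced).
fullchain_ok() {
    cat "$1" "$2" | cmp -s - "$3"
}

# 0 if every live/ symlink resolves to a regular file under archive dir $2.
live_links_ok() {
    live=$1
    archive=$(readlink -f "$2") || return 1
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -L "$live/$f" ] || return 1
        target=$(cd "$live" && readlink -f "$f") || return 1
        case "$target" in "$archive"/*) ;; *) return 1 ;; esac
        [ -f "$target" ] || return 1
    done
}

# Constructed fixture: a self-signed cert stands in for the crt.sh download,
# a second unrelated key for a wrongly chosen NNNN_key-certbot.pem. Prints root.
build_fixture() {
    root=$(mktemp -d)
    a=$root/archive/example.test
    mkdir -p "$a" "$root/live/example.test" "$root/keys"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$a/privkey1.pem" \
        -out "$a/cert1.pem" -subj /CN=example.test -days 90 >/dev/null 2>&1
    cp "$a/cert1.pem" "$a/chain1.pem"                # stand-in for the intermediate
    cat "$a/cert1.pem" "$a/chain1.pem" >"$a/fullchain1.pem"
    openssl genrsa -out "$root/keys/0093_key-certbot.pem" 2048 >/dev/null 2>&1
    for f in cert chain fullchain privkey; do         # same relative links Certbot uses
        ln -fs "../../archive/example.test/${f}1.pem" "$root/live/example.test/$f.pem"
    done
    echo "$root"
}
```

Run the three checks against the real directory before the mv step; a failing key_matches_cert means a different NNNN_key-certbot.pem file was picked than the one the logged certificate was issued for.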

It all went smoothly, thanks!

Can I continue using the Ubuntu repo's certbot?
I had downloaded certbot-auto and tried it once too.

Is a cron job still needed for auto renewal?

That's hard to say... :confused:

As things are now, you're using Certbot 0.19.0 and TLS-SNI-01 validation. Renewal will eventually stop working.

If the PPA is upgraded to Certbot 0.21.0 in the next couple months, you won't have to switch to certbot-auto.

That probably didn't do any harm, but you could examine /etc/letsencrypt/renewal/siminchikkunarayku.pe.conf to check if it was created with 0.19.0 or 0.21.0.

The Certbot PPA package includes a systemd timer to automatically renew.

If you use certbot-auto, you need to deactivate the certbot package's timer (by uninstalling the package, or disabling the timer with systemctl), and set up a timer or cron job to run certbot-auto renew.

# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/siminchikkunarayku.pe
cert = /etc/letsencrypt/live/siminchikkunarayku.pe/cert.pem
privkey = /etc/letsencrypt/live/siminchikkunarayku.pe/privkey.pem
chain = /etc/letsencrypt/live/siminchikkunarayku.pe/chain.pem
fullchain = /etc/letsencrypt/live/siminchikkunarayku.pe/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = ae6c152b0093048b4482f3323a5937a5

Can I touch this file manually, or can the tool update this?

You probably don’t need to make any manual changes to it.