Failed to renew expired certificate

schoen · January 19, 2018, 6:33pm

The crt.sh log that you linked to shows that you’ve successfully renewed your certificate six times in the last four days, including once today (!). (In that log, dates are calculated based on the UTC time zone.)

Do you not have access to the newly-issued certificates that resulted from all of these successful renewals?

Reynaldo · January 19, 2018, 7:11pm

Ah I see, but then they are not being saved. And the certbot tool complains of rate limit.

Attempting to renew cert (siminchikkunarayku.pe) from /etc/letsencrypt/renewal/siminchikkunarayku.pe.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: siminchikkunarayku.pe: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/siminchikkunarayku.pe/fullchain.pem (failure)

mnordhoff · January 19, 2018, 7:15pm

Are you sure they’re not being saved?

Could you paste the output of these commands?

certbot certificates
ls -al /etc/letsencrypt/archive/siminchikkunarayku.pe/
ls -al /etc/letsencrypt/live/siminchikkunarayku.pe/
cat /etc/letsencrypt/renewal/siminchikkunarayku.pe.conf

Reynaldo · January 19, 2018, 7:16pm

sudo ls -l /etc/letsencrypt/live/siminchikkunarayku.pe
total 4
lrwxrwxrwx 1 root root 50 Oct 5 23:48 cert.pem -> …/…/archive/siminchikkunarayku.pe-0001/cert1.pem
lrwxrwxrwx 1 root root 51 Oct 5 23:48 chain.pem -> …/…/archive/siminchikkunarayku.pe-0001/chain1.pem
lrwxrwxrwx 1 root root 55 Oct 5 23:48 fullchain.pem -> …/…/archive/siminchikkunarayku.pe-0001/fullchain1.pem
lrwxrwxrwx 1 root root 53 Oct 5 23:48 privkey.pem -> …/…/archive/siminchikkunarayku.pe-0001/privkey1.pem
-rw-r–r-- 1 root root 543 Oct 5 23:48 README

mnordhoff · January 19, 2018, 7:17pm

Then…

ls -al /etc/letsencrypt/archive/siminchikkunarayku.pe/
ls -al /etc/letsencrypt/archive/siminchikkunarayku.pe-0001/

Reynaldo · January 19, 2018, 7:18pm

sudo ls -al /etc/letsencrypt/archive/siminchikkunarayku.pe-0001
total 24
drwxr-xr-x 2 root root 4096 Oct 5 23:48 .
drwx------ 3 root root 4096 Oct 5 23:48 …
-rw-r–r-- 1 root root 1814 Oct 5 23:48 cert1.pem
-rw-r–r-- 1 root root 1647 Oct 5 23:48 chain1.pem
-rw-r–r-- 1 root root 3461 Oct 5 23:48 fullchain1.pem
-rw-r–r-- 1 root root 1704 Oct 5 23:48 privkey1.pem

Reynaldo · January 19, 2018, 7:18pm

sudo ls -al /etc/letsencrypt/archive/
total 12
drwx------ 3 root root 4096 Oct 5 23:48 .
drwxr-xr-x 9 root root 4096 Jan 19 19:12 …
drwxr-xr-x 2 root root 4096 Oct 5 23:48 siminchikkunarayku.pe-0001

mnordhoff · January 19, 2018, 7:22pm

There really isn’t a /etc/letsencrypt/archive/siminchikkunarayku.pe/ directory?

Reynaldo · January 19, 2018, 7:23pm

No, only siminchikkunarayku.pe-0001

mnordhoff · January 19, 2018, 7:27pm

Well… It’s just a matter of fixing what’s happened to Certbot’s configuration files.

Do you want to do it today? It might be a little simpler to wait until January 23 or so when you can just issue a new certificate (though you’d have to stop it from repeating what it’s doing now first).

Reynaldo · January 19, 2018, 7:33pm

Yes, if possible, this has been not working for some days already.

mnordhoff · January 19, 2018, 7:35pm

Yeah.

Please post:

sudo ls -lt /etc/letsencrypt/keys/

Note: It’s a directory full of private keys. Don’t give people your private key files! But a list of filenames isn’t very sensitive.

Reynaldo · January 19, 2018, 7:41pm

sudo ls -lt /etc/letsencrypt/keys/
[sudo] password for quechua:
total 416
-rw------- 1 root root 1708 Jan 19 16:51 0103_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 16:50 0102_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 16:09 0101_key-certbot.pem
-rw------- 1 root root 1708 Jan 19 16:08 0100_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 16:07 0099_key-certbot.pem
-rw------- 1 root root 1708 Jan 19 15:59 0098_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 12:17 0097_key-certbot.pem
-rw------- 1 root root 1704 Jan 19 00:10 0096_key-certbot.pem
-rw------- 1 root root 1704 Jan 18 12:02 0095_key-certbot.pem
-rw------- 1 root root 1704 Jan 18 00:47 0094_key-certbot.pem
-rw------- 1 root root 1708 Jan 17 23:09 0093_key-certbot.pem
-rw------- 1 root root 1704 Jan 17 23:08 0092_key-certbot.pem
-rw------- 1 root root 1708 Jan 17 22:32 0091_key-certbot.pem
-rw------- 1 root root 1708 Jan 17 22:31 0090_key-certbot.pem
-rw------- 1 root root 1704 Jan 17 21:59 0089_key-certbot.pem
-rw------- 1 root root 1704 Jan 17 21:28 0088_key-certbot.pem
-rw------- 1 root root 1708 Jan 17 12:13 0087_key-certbot.pem
-rw------- 1 root root 1704 Jan 17 00:31 0086_key-certbot.pem
-rw------- 1 root root 1704 Jan 16 12:51 0085_key-certbot.pem
-rw------- 1 root root 1704 Jan 16 00:29 0084_key-certbot.pem
-rw------- 1 root root 1704 Jan 15 12:12 0083_key-certbot.pem
-rw------- 1 root root 1704 Jan 15 00:58 0082_key-certbot.pem
-rw------- 1 root root 1704 Jan 14 12:25 0081_key-certbot.pem
-rw------- 1 root root 1704 Jan 14 00:33 0080_key-certbot.pem
-rw------- 1 root root 1704 Jan 13 12:50 0079_key-certbot.pem
-rw------- 1 root root 1704 Jan 11 00:44 0078_key-certbot.pem
-rw------- 1 root root 1704 Jan 10 12:57 0077_key-certbot.pem
-rw------- 1 root root 1704 Jan 10 00:53 0076_key-certbot.pem
-rw------- 1 root root 1704 Jan 9 16:50 0075_key-certbot.pem
-rw------- 1 root root 1704 Jan 9 16:43 0074_key-certbot.pem
-rw------- 1 root root 1704 Jan 9 12:38 0073_key-certbot.pem
-rw------- 1 root root 1704 Jan 9 00:03 0072_key-certbot.pem
-rw------- 1 root root 1704 Jan 8 12:08 0071_key-certbot.pem
-rw------- 1 root root 1708 Jan 8 00:52 0070_key-certbot.pem
-rw------- 1 root root 1704 Jan 7 12:52 0069_key-certbot.pem
-rw------- 1 root root 1704 Jan 7 00:37 0068_key-certbot.pem
-rw------- 1 root root 1704 Jan 6 12:08 0067_key-certbot.pem
-rw------- 1 root root 1704 Jan 6 00:14 0066_key-certbot.pem
-rw------- 1 root root 1708 Jan 5 12:37 0065_key-certbot.pem
-rw------- 1 root root 1704 Jan 5 00:28 0064_key-certbot.pem
-rw------- 1 root root 1704 Jan 4 12:02 0063_key-certbot.pem
-rw------- 1 root root 1704 Jan 4 00:09 0062_key-certbot.pem
-rw------- 1 root root 1704 Jan 3 12:47 0061_key-certbot.pem
-rw------- 1 root root 1704 Jan 3 00:45 0060_key-certbot.pem
-rw------- 1 root root 1704 Jan 2 12:55 0059_key-certbot.pem
-rw------- 1 root root 1704 Jan 2 00:28 0058_key-certbot.pem
-rw------- 1 root root 1704 Jan 1 12:57 0057_key-certbot.pem
-rw------- 1 root root 1704 Jan 1 00:42 0056_key-certbot.pem
-rw------- 1 root root 1708 Dec 31 12:48 0055_key-certbot.pem
-rw------- 1 root root 1704 Dec 31 00:38 0054_key-certbot.pem
-rw------- 1 root root 1708 Dec 30 12:49 0053_key-certbot.pem
-rw------- 1 root root 1704 Dec 30 00:00 0052_key-certbot.pem
-rw------- 1 root root 1704 Dec 29 12:38 0051_key-certbot.pem
-rw------- 1 root root 1704 Dec 29 00:48 0050_key-certbot.pem
-rw------- 1 root root 1704 Dec 28 12:21 0049_key-certbot.pem
-rw------- 1 root root 1704 Dec 28 00:30 0048_key-certbot.pem
-rw------- 1 root root 1704 Dec 27 12:26 0047_key-certbot.pem
-rw------- 1 root root 1704 Dec 27 00:01 0046_key-certbot.pem
-rw------- 1 root root 1704 Dec 26 12:34 0045_key-certbot.pem
-rw------- 1 root root 1704 Dec 26 00:04 0044_key-certbot.pem
-rw------- 1 root root 1704 Dec 25 12:28 0043_key-certbot.pem
-rw------- 1 root root 1708 Dec 25 00:49 0042_key-certbot.pem
-rw------- 1 root root 1704 Dec 24 12:04 0041_key-certbot.pem
-rw------- 1 root root 1704 Dec 24 00:50 0040_key-certbot.pem
-rw------- 1 root root 1704 Dec 23 12:38 0039_key-certbot.pem
-rw------- 1 root root 1700 Dec 23 00:09 0038_key-certbot.pem
-rw------- 1 root root 1704 Dec 22 12:51 0037_key-certbot.pem
-rw------- 1 root root 1704 Dec 22 00:43 0036_key-certbot.pem
-rw------- 1 root root 1708 Dec 21 12:50 0035_key-certbot.pem
-rw------- 1 root root 1704 Dec 21 00:39 0034_key-certbot.pem
-rw------- 1 root root 1704 Dec 20 12:34 0033_key-certbot.pem
-rw------- 1 root root 1704 Dec 20 00:26 0032_key-certbot.pem
-rw------- 1 root root 1708 Dec 19 12:27 0031_key-certbot.pem
-rw------- 1 root root 1704 Dec 19 00:07 0030_key-certbot.pem
-rw------- 1 root root 1704 Dec 18 12:16 0029_key-certbot.pem
-rw------- 1 root root 1708 Dec 18 00:20 0028_key-certbot.pem
-rw------- 1 root root 1704 Dec 17 12:34 0027_key-certbot.pem
-rw------- 1 root root 1704 Dec 17 00:11 0026_key-certbot.pem
-rw------- 1 root root 1704 Dec 16 12:56 0025_key-certbot.pem
-rw------- 1 root root 1704 Dec 16 00:04 0024_key-certbot.pem
-rw------- 1 root root 1708 Dec 15 12:37 0023_key-certbot.pem
-rw------- 1 root root 1704 Dec 15 00:23 0022_key-certbot.pem
-rw------- 1 root root 1708 Dec 14 12:04 0021_key-certbot.pem
-rw------- 1 root root 1708 Dec 14 00:55 0020_key-certbot.pem
-rw------- 1 root root 1704 Dec 13 12:15 0019_key-certbot.pem
-rw------- 1 root root 1704 Dec 13 00:30 0018_key-certbot.pem
-rw------- 1 root root 1704 Dec 12 12:40 0017_key-certbot.pem
-rw------- 1 root root 1708 Dec 12 00:57 0016_key-certbot.pem
-rw------- 1 root root 1704 Dec 11 12:49 0015_key-certbot.pem
-rw------- 1 root root 1704 Dec 11 00:24 0014_key-certbot.pem
-rw------- 1 root root 1708 Dec 10 12:51 0013_key-certbot.pem
-rw------- 1 root root 1704 Dec 10 00:29 0012_key-certbot.pem
-rw------- 1 root root 1704 Dec 9 12:48 0011_key-certbot.pem
-rw------- 1 root root 1704 Dec 9 00:19 0010_key-certbot.pem
-rw------- 1 root root 1708 Dec 8 12:58 0009_key-certbot.pem
-rw------- 1 root root 1708 Dec 8 00:59 0008_key-certbot.pem
-rw------- 1 root root 1704 Dec 7 12:30 0007_key-certbot.pem
-rw------- 1 root root 1704 Dec 7 00:04 0006_key-certbot.pem
-rw------- 1 root root 1708 Dec 6 12:31 0005_key-certbot.pem
-rw------- 1 root root 1704 Dec 6 00:33 0004_key-certbot.pem
-rw------- 1 root root 1704 Dec 5 12:20 0003_key-certbot.pem
-rw------- 1 root root 1704 Dec 5 00:07 0002_key-certbot.pem
-rw------- 1 root root 1704 Oct 5 23:48 0001_key-certbot.pem
-rw------- 1 root root 1704 Oct 5 23:46 0000_key-certbot.pem

mnordhoff · January 19, 2018, 8:08pm

Okay...

/etc/letsencrypt/keys/ contains your private keys, and all Let's Encrypt certificates are in public logs. As long as the keys aren't lost, you can download the certificates, fix the files, and put everything back together again.

Going by the timestamps, this key:

is for this certificate:

https://crt.sh/?id=306294887

Let's see...

Go to your home directory or something, then:

mkdir -m 755 siminchikkunarayku.pe
cd siminchikkunarayku.pe

Download the certificate:

curl -o cert1.pem https://crt.sh/?d=306294887

and the intermediate:

curl -o chain1.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

and create the "fullchain" file:

cat cert1.pem chain1.pem >fullchain1.pem

and copy the private key (as root):

sudo cp -ai /etc/letsencrypt/keys/0094_key-certbot.pem privkey1.pem

You should be able to double check the private key and certificate match like this:

openssl x509 -modulus -noout -in cert1.pem | sha256sum
sudo openssl rsa -modulus -noout -in privkey1.pem | sha256sum

If the hashes are the same, they match.

Make sure the permissions on the other files are reasonable:

chmod 644 cert1.pem chain1.pem fullchain1.pem

Make sure the directory and files are owned by root:

sudo chown root:root cert1.pem chain1.pem fullchain1.pem
cd ..
sudo chown root:root siminchikkunarayku.pe

Move it to /etc/letsencrypt/archive:

sudo mv -i siminchikkunarayku.pe /etc/letsencrypt/archive/

And fix the symlinks in the /etc/letsencrypt/live directory:

sudo ln -fs ../../archive/siminchikkunarayku.pe/cert1.pem /etc/letsencrypt/live/siminchikkunarayku.pe/cert.pem
sudo ln -fs ../../archive/siminchikkunarayku.pe/chain1.pem /etc/letsencrypt/live/siminchikkunarayku.pe/chain.pem
sudo ln -fs ../../archive/siminchikkunarayku.pe/fullchain1.pem /etc/letsencrypt/live/siminchikkunarayku.pe/fullchain.pem
sudo ln -fs ../../archive/siminchikkunarayku.pe/privkey1.pem /etc/letsencrypt/live/siminchikkunarayku.pe/privkey.pem

If I got that right, everything should be okay now. And Certbot should renew correctly in about 59 days.

Reynaldo · January 19, 2018, 8:22pm

it went all smooth, thanks!

Can I continue using ubuntu repo’s certbot?
I had downloaded certbot-auto and try it once too.

A cron job is still needed for auto renewal?

mnordhoff · January 19, 2018, 8:33pm

That's hard to say...

As things are now, you're using Certbot 0.19.0 and TLS-SNI-01 validation. Renewal will eventually stop working.

If the PPA is upgraded to Certbot 0.21.0 in the next couple months, you won't have to switch to certbot-auto.

That probably didn't do any harm, but you could examine /etc/letsencrypt/renewal/siminchikkunarayku.pe.conf to check if it was created with 0.19.0 or 0.21.0.

The Certbot PPA package includes a systemd timer to automatically renew.

If you use certbot-auto, you need to deactivate the certbot package's timer (by uninstalling the package, or disabling the timer with systemctl), and set up a timer or cron job to run certbot-auto renew.

Reynaldo · January 19, 2018, 8:40pm

renew_before_expiry = 30 days

version = 0.17.0
archive_dir = /etc/letsencrypt/archive/siminchikkunarayku.pe
cert = /etc/letsencrypt/live/siminchikkunarayku.pe/cert.pem
privkey = /etc/letsencrypt/live/siminchikkunarayku.pe/privkey.pem
chain = /etc/letsencrypt/live/siminchikkunarayku.pe/chain.pem
fullchain = /etc/letsencrypt/live/siminchikkunarayku.pe/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = ae6c152b0093048b4482f3323a5937a5

Reynaldo · January 19, 2018, 8:41pm

Can I touch this file manually , or can the tool update this?

mnordhoff · January 19, 2018, 8:43pm

You probably don’t need to make any manual changes to it.

system · February 18, 2018, 8:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.