I created an SSL cert for my domain (home.mydomain.co.uk) using the Let's Encrypt add-on for Home Assistant (v5.2.9). The domain is registered at Cloudflare. This worked fine for accessing my Home Assistant server. I then introduced an nginx server on another machine, and am now using it to proxy forward requests to my Home Assistant server. I copied the files from the SSL folder on my Home Assistant server (fullchain.pem and privkey.pem) to the /etc/letsencrypt/archive/home.mydomain.co.uk/ folder on the nginx server. I then created symbolic links to them in the /etc/letsencrypt/live/home.mydomain.co.uk/ folder.
I am now trying to write a script to renew the SSL cert - using sudo certbot renew. I already use this method, on the same machine, to renew another LetsEncrypt domain. I am running certbot 0.40.0.
I am getting this error:
CertstorageError: expected /etc/letsencrypt/live/home.mydomain.co.uk/cert.pem to be a symlink
I'm guessing that I do not have the correct files and symlinks in the right places for certbot to perform the renewal. Could anyone guide me on which folders/files/links I need to create for certbot to be able to renew this domain? It currently renews my existing domain without any issues.
You appear to have forged someone else's domain in your post. Please don't do that. While it is more difficult to offer assistance when you don't share your real dimain, it is extremely bad form to abuse a domain that is not yours. There are reserved exapmle domains that should be used instead, such as example.com.
Holy smoke! That version is ancient! Certbot versions 0.x, 1.x, and 2.x are all past their prime. Please review the installation instructions for version 3.x at:
If you are going to need to use the same certificate on multiple hosts, it often makes more sense to choose on host to obtain the certificate and automate distribution of that certificate to your other hosts.
I have to hand this off to other volunteers for the moment, but I'll check back later.
Oh sorry I was using "mydomain.co.uk" as an example - I didn't realise that this might be considered a real domain. I'll use example.com in the future.
I generated the original certificate quite a while ago, and wasn't aware of the existence of newer versions - I'll look into updating it.
So if I just delete the files and re-request a certificate, will it not matter that there is already a current certificate in existence?
No, the same server can have many certificates. And, two different servers can each have a cert for the exact same set of domain names (although this is rarely needed).
I doubt that --standalone option shown in that renewal file is the best choice for a server using nginx. Either the --nginx or --webroot option is likely better. The --standalone requires your nginx to be stopped for the cert request and renewals. These other two options allow nginx to stay running.
There is also a DNS Challenge but that is often more difficult to setup.
If you need help sorting that please provide your actual domain name(s) as well as other info from the form below as it relates to your nginx server. Thanks
==========================
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Many thanks for the advice. I will try the "nginx" option instead of "standalone". I guess I'll have to wait for a few weeks until the first cert expires to see if it all works OK.
Why is waiting needed? You can request a new cert on the new machine today. The limit is 5 identical certs per account per week. Getting that many each week isn't good practice But, getting an extra or two during transition is perfectly reasonable.
You can even test using --dry-run option. That uses the Let's Encrypt staging (test) system. It won't issue a publicly trusted cert but works great for testing setups.
The --dry-run command for --nginx requires a different syntax than you'll use for your production cert. But, try this first:
Example Domain
This domain is for use in illustrative examples in documents. You may use this domain in literature without prior coordination or asking for permission.
Thanks for the suggestion. I just tried it, and the result looked promising:
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/example.co.uk.conf)
It contains these names: example.ddns.net
You requested these names for the new certificate: example.co.uk,
example.ddns.net.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Simulating renewal of an existing certificate for example.co.uk and example.ddns.net
The dry run was successful.
I'm not sure I understand what it means by "expand and replace this existing certificate with the new certificate". It suggests to me a single certificate for both domains
???
No - that's the thing. The cert for the first domain was created a few years ago, using certbot directly. The other cert was only created a week or so ago, on a different machine, using the Let's Encrypt add-in for Home Assistant. I wasn't aware that it was possible to have a single cert for two different domains.
If I do a dry run for each cert individually, I get a message for the older cert :
An RSA certificate named example.com already exists. Do you want to update it to ECDSA?
(U)pdate key type / (K)eep existing key type:
Presumably updating would be the best choice?
Interestingly, don't get offered this option if I request certs for both domains at the same time.
I did the dry run separately for each domain on the nginx server only (assuming that the certs on the Home Assistant server would now be redundant). I have now requested new certs for both domains, and got a surprisingly helpful message that a task had been scheduled to renew the certs when the are due to expire.
I now have an different issue, in that it seems incoming https requests to the nginx server are failing, as they are being forwarded to port 443 on the Home Assistant (where I have now disable the SSL certs). Looks like I now have an nginx config issue to address....
No it's more complicated than that. My router forwards to the nginx server (which hosts a couple of sites), and the nginx server forwards requests for my Home Assistant domain to the Home Assistant server. In theory nginx should be listening for https requests and forwarding them to the Home Assistant server as http requests, but that doesn't seem to be happening - the HA server seems to be receiving the requests as https, and if I disable the SSL cert on the HA host my requests are failing with an SSL error :0(
Ah, yes, sounds like your proxy_pass isn't right. Or, experiment using different proxied ports as debug aid. But, yeah, this is getting outside scope of this place
Sorry to trouble you again, but I think I have made a mistake somewhere in the generation of the SSL cert for my domain. The app that I use to connect to my domain was refusing to connect, due to a "hostname certificate mismatch".
When I query the details of my cert, it is making references to another dynamic domain name which I own (which is pointed at the same IP address as the domain that I am now dealing with). So in the code below, I am querying the cert for home.example.co.uk, but am seeing references to example2.ddns.net:
I'm thinking that this is maybe the reason why my app is objecting?
I know that you'd really need to know the actual name of the domain in question to give a definitive answer, but due to the way I am using it I'd prefer not to share it on a public forum. Maybe I could DM you the actual domain name?
First, I am not sure why your post would have been flagged. Did you flag it yourself because there is enough info in the openssl command to identify your domain? All LE certs are logged in the public Certificate Transparency logs which can be searched using various criteria.
Yes, hiding names makes helping with these kinds of problems very difficult.
But, in short, the domain in the URL must match a name in the cert of the service you connect to. Generally, in nginx each HTTPS server block has a cert for every name listed in server_name. You can proxy from that server block to whatever you want. Even use HTTP if you wish if you are connecting across a trusted network.
I now know the names involved so that wouldn't help. I only help in this public forum so if you won't provide the actual names I don't think I can be much more help.
Yes I have no idea why it was flagged/hidden. I had already opened a separate question, but the domain is home.richmondtech.co.uk.
The CN and Alternative Name on the cert is ianmanning.ddns.net
My web server is (include version):nginx 1.18.0
The operating system my web server runs on is (include version):Lubuntu 20.04 LTS
My hosting provider, if applicable, is:Cloudflare
I can login to a root shell on my machine (yes or no, or I don't know):yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):Cloudflare
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.1
But, getting an extra or two during transition is perfectly reasonable.