Help! Vanilla install and now getting expired certificate!

I guess the -fix version is what you’ve just updated yourself in order to get the site to work? (It’s hard to know if there was a problem of some sort with these before if you’ve replaced the old link.)


Morning, yes that’s correct - the two -fix files are the ones I created based on @JuergenAuer. In the live directory I replaced the two links that were pointing to the corresponding *4* files with links to the -fix files. The README file says chain.pem is used by Nginx, which I don’t run and I didn’t have a candidate cert.pem file so I took a chance to see if updating just the other two files would get Apache back up and running and it did! :slight_smile:

The privkey file I copied from the 0070_key-certbot.pem file in /etc/letsencrypt/keys which matched the timestamp of the first order url that was reporting as active. I ran wget https://acme-v02.api.letsencrypt.org/acme/cert/03901262143fcbde158e9856deacc09ade47 on the server running Apache to download the file that I renamed to fullchain-fix.pem, which I guess proves at least that my server could access the acme-v02.api.letsencrypt.org server ok last night without a timeout.


Happy to read that it worked.

Now you have a new certificate:

CN=ljay.org.uk, valid from 23.04.2019 to 22.07.2019 (expires in 89 days), SANs: ljay.org.uk, www.ljay.org.uk (2 entries)

Your site has a small error (Grade I): change that script

http://pagead2.googlesyndication.com/pagead/show_ads.js

to https.

  • perhaps use the test system to find a solution to the main problem
  • is there a limit (size of files) on what your server can download?

The problem is curious: the challenge works, but the last step, after Letsencrypt has created the certificate, doesn't work. So the CT entry is done -> you hit the limit.


Thanks, me too! :slight_smile: Thanks for your help :+1:

Oops, have updated the pagead to https.

No download size limit that I'm aware of, no.

It's most odd, yes - one moment the script quite happily POSTs to acme-v02.api.letsencrypt.org and then a few seconds later it times out when POSTing the finalize.

e.g. the first time:

2019-03-24 22:23:17,455:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/challenge/vPYZ32bS07YV7eXa1UCaARFBzsw98QlDq7dVZOTzF88/13999908124 HTTP/1.1" 200 224
2019-03-24 22:23:17,456:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
...

then 3 seconds later:

2019-03-24 22:23:20,999:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/finalize/38909655/369600020:
...
2019-03-24 22:24:06,038:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45). Skipping.

Looking through the logs it's always that final finalize POST that times out. Is there a possibility that the problem is at the server end? :slight_smile: Not sure if there are logs you can look at that may help? The most recent time I see a timeout in my logs is:

2019-04-23 20:21:07,956:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45). Skipping.

I'm hesitant just to re-run the script as I don't want to get into the Rate Limit loop again, but I'm happy to try any debugging process you suggest to get to the bottom of the issue. I can't think of a way to get any more information about a timeout on one POST command over a different POST command to the same server, given that a similar POST succeeded a few seconds previously? To me the available evidence currently points to a problem at the acme-v02.api.letsencrypt.org finalize script, but I'm happy to be proved wrong! :smiley:

Had a chance to look at why cron wasn’t emailing me the errors and it’s because I have systemd installed and the cronjob is exiting when it detects systemd.

Systemd doesn’t seem to have the same “email root on error” functionality that cron does, so I have disabled the systemd timer and edited the cron job so it ignores systemd.

It looks like you can persuade systemd to email on error (e.g. https://unix.stackexchange.com/questions/210429/systemd-mailto-replacement-failing), but it was easier to fall back to cron, which “just works”. :slight_smile:

With your fix, I don’t think Certbot will be able to renew this certificate anymore because it will be confused about the link structure and filenames. Would you like help in renaming these things so that Certbot can understand them again?

Hi, yes please - I tried a dry-run earlier and it wasn’t happy! :confused:

It’s definitely not happy!

Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: unorderable types: NoneType() < int(). Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/ljay.org.uk/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)

Hi @schoen, please can you advise how to rename the files to get things up and running again. Thanks.

Ok, I’ve got the update running again by copying the current four files to *5.pem and linking to those.

Now I’m running with cron it has emailed me the failure message:
Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45). Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/ljay.org.uk/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)

So we’re back to successfully retrieving a new certificate but timing out so not installing it. :+1: :smiley:

Any suggestions what to try? I’m thinking dig through the process trace and either increase the timeout of the call to acme-v02 and/or see if I can make the call more verbose…
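The two hand repairs in this thread (first the fullchain-fix/privkey-fix links, then copies renamed to *5.pem) are exactly the kind of change that fails silently: a private key that does not belong to the downloaded certificate, a leaf/chain split guessed by hand, or live/ links whose target names carry no version number that certbot can parse (the renewal run only understood the numbered *4* and *5.pem names). The script below is an added example, not code from the thread or from certbot; it assumes certbot's usual layout of live/<name>/{cert,chain,fullchain,privkey}.pem as symlinks into archive/<name>/<kind>N.pem with one common N, and it builds its own throwaway key and self-signed certificate (a constructed fixture, not ljay.org.uk's material) so it can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread or certbot): sanity checks to run before
# and after hand-repairing a certbot live/ directory. Paths and the fixture are
# assumptions; the layout checked is certbot's live/<name>/<kind>.pem symlinks
# pointing at archive/<name>/<kind>N.pem with the same N for all four kinds.

# The ACME v2 certificate URL returns the leaf followed by the issuer chain, so a
# downloaded fullchain can be split into cert.pem (first PEM block) and
# chain.pem (remaining blocks) instead of leaving those files stale.
split_fullchain() {            # $1 fullchain.pem  $2 output cert.pem  $3 output chain.pem
    awk -v cert="$2" -v chain="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        { if (n == 1) print > cert; else if (n > 1) print > chain }
    ' "$1"
}

# 0 if the public half of the private key equals the public key in the cert
# (works for RSA and EC keys; compares the PEM SubjectPublicKeyInfo encodings).
key_matches_cert() {           # $1 privkey.pem  $2 cert.pem
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# 0 if the certificate is still valid for at least $2 seconds (default 0).
cert_not_expired() {           # $1 cert.pem  [$2 seconds]
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 if every live/ entry is a non-dangling symlink whose target is <kind>N.pem
# with one common N; a target like fullchain-fix.pem has no N and is rejected.
check_live_links() {           # $1 live/<name> directory
    livedir=$1; want=""
    for kind in cert chain fullchain privkey; do
        link="$livedir/$kind.pem"
        [ -L "$link" ] || { echo "$link is not a symlink" >&2; return 1; }
        [ -e "$link" ] || { echo "$link is a dangling symlink" >&2; return 1; }
        target=$(readlink "$link")
        base=${target##*/}
        ver=${base#"$kind"}; ver=${ver%.pem}
        case $ver in
            ''|*[!0-9]*) echo "$link -> $target has no version number" >&2; return 1 ;;
        esac
        if [ -z "$want" ]; then
            want=$ver
        elif [ "$ver" != "$want" ]; then
            echo "$link is version $ver but the others are version $want" >&2; return 1
        fi
    done
}

# Constructed fixture for a self-test: a throwaway key and self-signed cert laid
# out like certbot's archive/ and live/ directories. Not a real site's material.
make_fixture() {               # $1 scratch directory
    mkdir -p "$1/archive/site" "$1/live/site" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.invalid \
        -keyout "$1/archive/site/privkey1.pem" \
        -out "$1/archive/site/cert1.pem" >/dev/null 2>&1 || return 1
    # A self-signed cert is its own issuer, so it doubles as the chain here.
    cp "$1/archive/site/cert1.pem" "$1/archive/site/chain1.pem"
    cat "$1/archive/site/cert1.pem" "$1/archive/site/chain1.pem" \
        > "$1/archive/site/fullchain1.pem"
    for kind in cert chain fullchain privkey; do
        ln -s "../../archive/site/${kind}1.pem" "$1/live/site/$kind.pem"
    done
}
```

Against a real install, run the three checks on /etc/letsencrypt/live/<name> before restarting Apache and again after any renaming; a key/cert mismatch shows up here immediately instead of as a TLS handshake failure, and a bad link name shows up here instead of as certbot's "unorderable types: NoneType() < int()" traceback.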

Increased the timeout and now I get an error as opposed to a timeout:

It’s running the command:

2019-04-29 09:39:43,566:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/finalize/38909655/422781000: { "payload":...

The error is:

2019-04-29 09:41:43,582:WARNING:certbot.renewal:Attempting to renew cert (ljay.org.uk) from /etc/letsencrypt/renewal/ljay.org.uk.conf produced an unexpected error: ('Connection aborted.', BadStatusLine('HTTP/1.1 0 Init\r\n',)). Skipping.

@JuergenAuer @schoen Please advise…
