How to correctly add auto-renewal (Debian 9 (Stretch))

CRON and SYSTEMD are different things.
They both do the same kinds of things but are not related to each other.

To see if CRON actually ran at 00:41, you would have to check your firewall logs (if you have any) or maybe the LE log file (but that may also be empty since we used the -q parameter).

Please show:
/var/log/letsencrypt/letsencrypt.log


Wow, you are right.
I opened this file and this is what I saw:

2019-11-08 00:41:03,290:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f538e7c3c50>
2019-11-08 00:41:03,291:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no$
2019-11-08 00:41:03,292:DEBUG:certbot.cli:Var authenticator=apache (set by user).
2019-11-08 00:41:03,292:DEBUG:certbot.cli:Var installer=apache (set by user).
2019-11-08 00:41:03,324:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,324:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-11-08 00:41:03,329:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f538e7c3350>
2019-11-08 00:41:03,330:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no$
2019-11-08 00:41:03,331:DEBUG:certbot.cli:Var authenticator=apache (set by user).
2019-11-08 00:41:03,331:DEBUG:certbot.cli:Var installer=apache (set by user).
2019-11-08 00:41:03,361:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,362:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-11-08 00:41:03,367:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f538e731710>
2019-11-08 00:41:03,368:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no$
2019-11-08 00:41:03,369:DEBUG:certbot.cli:Var authenticator=apache (set by user).
2019-11-08 00:41:03,369:DEBUG:certbot.cli:Var installer=apache (set by user).
2019-11-08 00:41:03,403:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,403:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-11-08 00:41:03,409:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f538e72da90>
2019-11-08 00:41:03,409:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no$
2019-11-08 00:41:03,409:DEBUG:certbot.renewal:no renewal failures

You’re all set :)


Your certificate should automatically renew soon…


Yes and I ran

ls -l /etc/letsencrypt/renewal/

and got this

total 16
-rw-r--r-- 1 root root 540 Nov 10 12:44 elami.mk.conf
-rw-r--r-- 1 root root 590 Nov 10 12:46 justsayingkiddo.nl.conf
-rw-r--r-- 1 root root 509 Sep 13 11:45 kentivo.de.conf
-rw-r--r-- 1 root root 529 Sep 13 11:34 www.kentivo.de.conf

before it was

total 16
-rw-r--r-- 1 root root 499 Sep 11 11:18 elami.mk.conf
-rw-r--r-- 1 root root 549 Sep 11 11:53 justsayingkiddo.nl.conf
-rw-r--r-- 1 root root 509 Sep 13 11:45 kentivo.de.conf
-rw-r--r-- 1 root root 529 Sep 13 11:34 www.kentivo.de.conf

This means they renewed automatically, correct?

I do see the new cert being served now:

Thank you very much <3

I think it just needed time to update :)

Thank you again!

I guess the “restart” took some time…
Maybe system is low on resources.
But if you didn’t restart apache, then it did it all by itself as you wanted :)

Yes, I didn’t do any restart manually, so it must have done it by itself, which is the point :)
Thank you very much!


I started getting errors when the other domains that we are not using needed to be renewed:
-rw-r--r-- 1 root root 509 Sep 13 11:45 kentivo.de.conf
-rw-r--r-- 1 root root 529 Sep 13 11:34 www.kentivo.de.conf

The server was down and we got this:

AH00060: seg fault or similar nasty error detected in the parent process
AH00098: pid file /var/run/apache2/apache2.pid overwritten -- Unclean shutdown of previous Apache run?
AH00489: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.2s configured -- resuming normal operations
Command line: '/usr/sbin/apache2' 
AH00491: caught SIGTERM, shutting down
AH00489: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.2s configured -- resuming normal operations
AH00094: Command line: '/usr/sbin/apache2'

From the log /var/log/letsencrypt/letsencrypt.log:

I can separate this as important, or I can send you the whole log privately; there is some sensitive info in there.

Domain: kentivo.de
Type:   unauthorized
Detail: Invalid response from http://kentivo.com/?lang=de [IP ADDRESS]: "<!DOCTYPE html>\n<html lang=\"de-DE\">\n<head>\n<meta charset=\"UTF-8\">\n<meta name=\"viewport\" content=\"width=device-width, initial-sca"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2019-11-14 12:46:11,399:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

I have removed the cron job until I fix this because it will just keep downing the server.

All help is greatly appreciated!

Thank you
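The log check suggested earlier in the thread (did the scheduled run happen at 00:41, and what did it do), applied to both kinds of excerpt posted above, as an added example that is not part of the original posts. The function names and the one-line output format are hypothetical, and the sample lines are constructed in the format of the posted log.

```shell
#!/bin/sh
# Added example, not from the thread. Summarise a certbot log: when it ran,
# how many lineages were skipped as not yet due, and which domains failed.

# certbot_log_summary [FILE...]  (reads stdin when no file is given)
certbot_log_summary() {
    awk '
    # certbot lines start "YYYY-MM-DD HH:MM:SS,mmm:LEVEL:module:message".
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] [0-9][0-9]:[0-9][0-9]:/ {
        m = substr($0, 1, 10) "T" substr($0, 12, 5)   # minute the run logged at
        if (!(m in seen)) { seen[m] = 1; runs = runs (runs == "" ? "" : ",") m }
    }
    /:certbot\.renewal:Cert not yet due for renewal/ { notdue++ }
    /:certbot\.renewal:no renewal failures/          { clean++ }
    # Failed challenges are reported as "Domain: <name>" then "Type: <error>".
    /^[ \t]*Domain: /            { dom = $2 }
    /^[ \t]*Type: / && dom != "" { failed = failed (failed == "" ? "" : ",") dom ":" $2; dom = "" }
    END {
        verdict = (failed != "") ? "FAILED" : (clean > 0 ? "OK" : "UNKNOWN")
        printf "runs=%s not_due=%d failed=%s verdict=%s\n",
               (runs == "" ? "-" : runs), notdue, (failed == "" ? "-" : failed), verdict
    }' "$@"
}

# Constructed sample input: a run where nothing was due for renewal.
sample_ok_log() {
    cat <<'EOF'
2019-11-08 00:41:03,292:DEBUG:certbot.cli:Var authenticator=apache (set by user).
2019-11-08 00:41:03,324:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,361:INFO:certbot.renewal:Cert not yet due for renewal
2019-11-08 00:41:03,409:DEBUG:certbot.renewal:no renewal failures
EOF
}

# Constructed sample input: a run where one domain failed its challenge.
sample_failed_log() {
    cat <<'EOF'
Domain: kentivo.de
Type:   unauthorized
2019-11-14 12:46:11,399:DEBUG:certbot.error_handler:Encountered exception:
AuthorizationError: Some challenges have failed.
EOF
}

sample_ok_log | certbot_log_summary
sample_failed_log | certbot_log_summary
```

On the server itself, pass the log path as the argument, for example `certbot_log_summary /var/log/letsencrypt/letsencrypt.log` as root.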

Try using “reload” instead of “restart”.

But the error causing it to go off the rails is the two domains that are trying to update. Can I delete those certificates safely? They are not in use anyway.
Last time I tried deleting certificates my server went to hell and everything was causing an error code and I couldn’t restore my server.
I want to do it only if I can do it right and remove those two domains so that there are no more errors caused, as I have just added one new domain with the command:
sudo certbot-auto --apache -d example.com -d www.example.com

Now I have this:

ls -l /etc/letsencrypt/renewal/
total 20
-rw-r--r-- 1 root root 544 Nov 15 15:30 alpha.kentivo.com.conf
-rw-r--r-- 1 root root 540 Nov 10 12:44 elami.mk.conf
-rw-r--r-- 1 root root 590 Nov 10 12:46 justsayingkiddo.nl.conf
-rw-r--r-- 1 root root 509 Sep 13 11:45 kentivo.de.conf
-rw-r--r-- 1 root root 529 Sep 13 11:34 www.kentivo.de.conf

Yes (be sure their certs are not being used anywhere).
Use:
certbot delete --cert-name example.com
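
A pre-delete check for the advice above ("be sure their certs are not being used anywhere"), as an added example that is not part of the original thread. The function names are hypothetical, and it assumes certbot's default /etc/letsencrypt/live and /etc/letsencrypt/archive paths and Debian's /etc/apache2 layout.

```shell
#!/bin/sh
# Added example, not from the thread. Before "certbot delete", list the web
# server config lines that still point at a lineage: Apache refuses to start
# when an SSLCertificateFile path no longer exists.

# cert_references NAME [CONFIG_DIR]
# Prints file:line:text for every non-comment line that references the lineage.
# grep -r skips the sites-enabled symlinks but reads sites-available, so
# disabled sites are reported too (the conservative choice).
cert_references() {
    name=$1
    conf_dir=${2:-/etc/apache2}
    # Escape dots so the name is matched literally; the surrounding slashes
    # keep "kentivo.de" from matching the separate "www.kentivo.de" lineage.
    pattern=$(printf '%s' "$name" | sed 's/\./\\./g')
    grep -rnHE "/etc/letsencrypt/(live|archive)/${pattern}/" "$conf_dir" 2>/dev/null \
        | grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# safe_to_delete NAME [CONFIG_DIR]
# Returns 0 when nothing references the lineage, 1 (with the hits) otherwise.
safe_to_delete() {
    refs=$(cert_references "$1" "${2:-/etc/apache2}")
    if [ -n "$refs" ]; then
        printf 'still referenced, do not delete %s yet:\n%s\n' "$1" "$refs" >&2
        return 1
    fi
    printf 'no active references to %s; run: certbot delete --cert-name %s\n' "$1" "$1"
}

# Usage on the server (as root):
#   safe_to_delete kentivo.de && certbot delete --cert-name kentivo.de
```

If a lineage is still referenced, remove or repoint those SSLCertificateFile and SSLCertificateKeyFile lines and reload Apache before deleting it.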