How to receive Let's Encrypt certificates

In the past I used the certbot-auto command to renew certificates. This script has not been supported for some time, but I could still run it in the past to get new certificates. Today the certificates expired and the (installed) certbot-auto does not work anymore.

Following the LE recommendations I successfully installed snapd. Executing "snap install core" resulted in the error message:

error: system does not fully support snapd: cannot mount squashfs image using "squashfs": mount:
       /tmp/sanity-mountpoint-998542305: unknown filesystem type 'squashfs'.

Commands like "modprobe squashfs" did not help.

As a consequence I do not have LetsEncrypt certificates anymore and my website is no longer functional (the previous certificates expired).

My website is hosted on a Raspberry 4B (Debian 11.2) over which I have full administrative control (Linux).

My domain is:
himbaerchen.de (it has been registered with strato.de)

I ran this command:
Furthermore I downloaded certbot from GitHub and ran "certbot --apache -d himbaerchen.de".

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xb3312f70>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution')
Please see the logfiles in /var/log/letsencrypt for more details.)

However, the log files do NOT show additional information.

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Debian 11.2

My hosting provider, if applicable, is:
strato.de (only registrar)

I can login to a root shell on my machine (yes or no, or I don't know):
yes, I can

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
via ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot --version
certbot 1.12.0

Could somebody provide a sophisticated answer, please?
I would like to have a solution with which the certificates are automatically renewed.

IMPORTANT: My website is based on DynDNS (each time my router is booted it receives another external IPv4 address, but "himbaerchen.de" ALWAYS points to the actual IPv4 address).

This version will work (for now):

That seems like your DNS setting may be broken.


You can try

curl -v https://acme-v02.api.letsencrypt.org/directory

for comparison purposes to see if something is wrong with your server's ability to make outgoing connections.


Running

curl -v https://acme-v02.api.letsencrypt.org/directory
  * Trying 172.65.32.248:443...
  * Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
  * ALPN, offering h2
  * ALPN, offering http/1.1
  * successfully set certificate verify locations:
  *  CAfile: /etc/ssl/certs/ca-certificates.crt
  *  CApath: /etc/ssl/certs
  * TLSv1.3 (OUT), TLS handshake, Client hello (1):
  * TLSv1.3 (IN), TLS handshake, Server hello (2):
  * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
  * TLSv1.3 (IN), TLS handshake, Certificate (11):
  * TLSv1.3 (IN), TLS handshake, CERT verify (15):
  * TLSv1.3 (IN), TLS handshake, Finished (20):
  * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
  * TLSv1.3 (OUT), TLS handshake, Finished (20):
  * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
  * ALPN, server accepted to use h2
  * Server certificate:
  *  subject: CN=acme-v01.api.letsencrypt.org
  *  start date: Dec 17 02:28:18 2021 GMT
  *  expire date: Mar 17 02:28:17 2022 GMT
  *  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
  *  issuer: C=US; O=Let's Encrypt; CN=R3
  *  SSL certificate verify ok.
  * Using HTTP2, server supports multi-use
  * Connection state changed (HTTP/2 confirmed)
  * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
  * Using Stream ID: 1 (easy handle 0x1a35490)

GET /directory HTTP/2
Host: acme-v02.api.letsencrypt.org
user-agent: curl/7.74.0
accept: */*


which seems to be OK. Otherwise point me to the problem, please.

Running

certbot --apache -d himbaerchen.de

resulted in:

certbot --apache -d himbaerchen.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/himbaerchen.de-0001.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for himbaerchen.de
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/NextCloud.conf
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://himbaerchen.de
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/himbaerchen.de-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/himbaerchen.de-0001/privkey.pem
   Your certificate will expire on 2022-04-03. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The output shows that I have new certificates (valid until 2022-04-03) but accessing my website results in an error message that the certificates expired on 2022-01-03 16:07.

The registrar told me that it may take up to 24 hours until DNS entries have been propagated.

The "certbot-auto" always worked without problems. Unfortunately the snapd-based solution does not always work. I deleted snapd, booted the machine and installed snapd from scratch. It worked, but running "snap install core" did not. My kernel does not support squashfs. Why base a new version of certbot on something special?

Please don't renew a perfectly fine certificate without a good reason. If the problem is installing a certificate, re-issuing a certificate and replacing a perfectly fine certificate doesn't magically fix the installing part.


The current situation:

  1. My website uses DynDNS.
  2. "ping example.com" gets resolved into the correct external IPv4 address. From this I conclude that DNS works.
  3. In strato.de (registrar) there are still the previous TXT records, no new ones which usually were output when running "certbot-auto".
  4. Obviously due to "certbot --apache -d example.com" (though running successfully) I now have in directory /etc/letsencrypt/live TWO "domains":
  5. Probably in the context of "certbot --apache -d example.com" certificates have been "assigned" to the NextCloud application, but not to example.com.

What exactly do you recommend me to solve the problem and to receive valid certificates?
Note: In principle I am willing to deploy the snapd mechanism, but my kernel does not support squashfs (though Debian 11.2 is installed).
(If you need further information I'll supply it)

Any ideas welcome!

My advice:

  • Don't install certbot directly from Github. Use one of the recommended installation methods as described on e.g. Get Certbot — Certbot 1.22.0 documentation or https://certbot.eff.org/. There are alternatives listed if snap doesn't work;
  • Analyse your Apache configuration. It seems you might have multiple configuration files which probably confuses the apache certbot plugin. A good place to start your Apache configuration check is the command: sudo apachectl -S
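The configuration check suggested above can be automated: when two <VirtualHost> blocks claim the same name and port, Apache serves the first one loaded, so a renewal that updated only the other block leaves the expired certificate in service. The following script is an added example, not code from the thread or from Certbot; it parses constructed `apachectl -S` output (file names and line numbers are assumed) and reports which site file actually wins and which certificate path it uses.

```python
"""Flag shadowed Apache name-based vhosts from `apachectl -S` output.

Added example, not from the thread. Apache serves the first <VirtualHost>
loaded for a given name:port; later duplicates are silently shadowed.
"""
import re

# Matches lines such as:
#   port 443 namevhost himbaerchen.de (/etc/apache2/sites-enabled/NextCloud.conf:5)
VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+?):(\d+)\)\s*$")
# Matches an SSLCertificateFile directive inside a site config
CERT_RE = re.compile(r"^\s*SSLCertificateFile\s+(\S+)", re.MULTILINE)


def parse_vhosts(apachectl_output):
    """Return [(port, servername, conf_file, line)] in Apache load order."""
    out = []
    for line in apachectl_output.splitlines():
        m = VHOST_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2).lower(), m.group(3), int(m.group(4))))
    return out


def find_shadowed(vhosts):
    """Map (port, name) -> conf files when more than one block claims it.
    The first file in each list is the one Apache actually serves."""
    seen = {}
    for port, name, conf, _ in vhosts:
        seen.setdefault((port, name), []).append(conf)
    return {k: v for k, v in seen.items() if len(v) > 1}


def cert_files(conf_text):
    """SSLCertificateFile paths declared in a site config, in order."""
    return CERT_RE.findall(conf_text)


# Constructed sample resembling `sudo apachectl -S` on a box like the poster's
SAMPLE_APACHECTL = """\
VirtualHost configuration:
*:80                   himbaerchen.de (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server himbaerchen.de (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost himbaerchen.de (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost himbaerchen.de (/etc/apache2/sites-enabled/NextCloud.conf:5)
"""

# Constructed fragment of the first-loaded (winning) vhost, still on the old lineage
SAMPLE_OLD_CONF = """\
<VirtualHost *:443>
    ServerName himbaerchen.de
    SSLCertificateFile /etc/letsencrypt/live/himbaerchen.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/himbaerchen.de/privkey.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for (port, name), confs in find_shadowed(parse_vhosts(SAMPLE_APACHECTL)).items():
        print(f"{name}:{port} is defined in {len(confs)} files; Apache serves {confs[0]}")
    print("certificate used by the winning vhost:", cert_files(SAMPLE_OLD_CONF))
```

On a real host, feed `sudo apachectl -S` output to `parse_vhosts` and the winning file's contents to `cert_files`, then compare that path with the lineage certbot reported renewing (here `himbaerchen.de-0001`).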

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.