How to renew certificate?

Rafaelhgb · August 3, 2017, 4:31pm

I have the certificate installed on my site which is in apache. But he expired, how do I renew?

https://mercadocaseiro.com.br

When I installed the certificate, I used auto renew, but it did not work:

$ sudo -i

$ crontab -e

0 1,13 * * * /home/ec2-user/certbot-auto renew

schoen · August 3, 2017, 5:13pm

Bom dia @Rafaelhgb,

What kind of output do you receive if you run this command yourself on the command line?

Rafaelhgb · August 3, 2017, 5:23pm

Bom dia @schoen hehe.

When I execute

0 1,13 * * * /home/ec2-user/certbot-auto renew

I get

command not found

schoen · August 3, 2017, 5:36pm

Nesse caso cumprimentá-lo em português não foi apenas uma cortesia, já que por acaso falo português.

The part before the “/home” is not part of the command itself, but is scheduling information for cron (in this case, meaning “run this every day at 1:00 and 13:00”). Can you run the command just starting with the /home part and see what happens in this case?

Rafaelhgb · August 3, 2017, 5:54pm

@schoen que legal, é muito difícil encontrar alguém que fale português em qualquer comunidade de tecnologia. Meu inglês não é dos melhores, mas consigo me virar hahaha

I got this message:

FATAL: Amazon Linux support is very experimental at present… if you would like to work on improving it, please ensure you have backups and then run this script again with the --debug flag!
Alternatively, you can install OS dependencies yourself and run this script again with --no-bootstrap.

schoen · August 3, 2017, 6:55pm

Parabéns por aprender um idioma estrangeiro!

Well, I guess that explains why the renewal is failing, because this same error would also occur when using the automatic renewal from cron.

@SwartzCr @bmw, how could Rafael have (apparently) gotten a cert originally using certbot-auto on Amazon Linux yet be unable to renew it using the same tool? Did the --debug requirement get added in a recent version and thus apply as a result of a certbot-auto self-upgrade?

@Rafaelhgb, is it possible that you followed a tutorial that suggested using --debug as part of the command that you used when you originally obtained the certificate?

Rafaelhgb · August 3, 2017, 7:06pm

Yes @schoen.

I used this tutorial: https://nouveauframework.org/blog/installing-letsencrypts-free-ssl-amazon-linux/

And has the debug in this line

sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d 
YOUR_WEBSITE_HERE

This is a problem?

schoen · August 3, 2017, 7:09pm

Oh, that’s interesting. In that case you should also have --debug in the renewal command. That is, in your crontab it should say

0 1,13 * * * /home/ec2-user/certbot-auto renew --debug

instead of

0 1,13 * * * /home/ec2-user/certbot-auto renew

I didn’t know about this before.

Before making this change, we can check if this is the right solution by running

/home/ec2-user/certbot-auto renew --debug

on the command line. Hopefully it will say that your certificate was renewed.

Rafaelhgb · August 3, 2017, 7:29pm

@schoen,

Apparently installed some packages, but appeared “ImportError” on some lines.

Trackeback (most recent call last):
File "/root.../letsencrypt", line 7, in <module> from certbot.main import main
File "/root.../letsencrypt.../main.py", line 7, in <module> import zope.compenent
File "/root.../letsencrypt.../__init__.py", line 16, in <module> from zope.interface import Interface

I made the change in crontab too, using --debug. The site remains unsafe.

schoen · August 3, 2017, 8:13pm

OK, back to packaging and dependency problems. @SwartzCr @bmw?

By the way, there is a previous thread involving @Rafaelhgb's original attempts to obtain and install this certificate

but I don't think it provides any insight, because at that time the command

sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d mercadocaseiro.com

ultimately did work fine without any dependency errors (the problems that Rafael encountered then were different and seemingly not related to the current problem).

Rafaelhgb · August 3, 2017, 8:24pm

@schoen,

Can I reinstall the certificate? Remove and install again? If so, how do I do this?

schoen · August 3, 2017, 8:35pm

Hi @Rafaelhgb,

I don’t think that will help because there is no new certificate, only the old expired one. The “replacement” certificate does not exist yet. If the old certificate were somehow reinstalled, it would still be expired.

It might be possible to try getting a fresh copy of certbot-auto and the things that it installed on your system, something like

cd
mkdir .local-backup
mv .local/{share,lib,bin} certbot-auto .local-backup
rm certbot-auto
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto

Then you could try again with running

./certbot-auto renew --debug

and it should download fresh copies of some of the software that Certbot relies upon. I think this is a more practical “replacing and trying again” experiment compared to an equivalent experiment with the certificate itself.

Rafaelhgb · August 3, 2017, 9:26pm

@schoen I got haha

I used this line:

/root/.local/share/letsencrypt/bin/pip install --upgrade certbot

Obrigado pela ajuda!

schoen · August 3, 2017, 10:40pm

Legal, que bom que conseguiu.

@bmw told me that there is a certbot-auto issue that he’s about to fix related to people having two installations of certbot-auto, one as root and one as the regular user. That might have been the case in your situation.

Rafaelhgb · August 3, 2017, 10:53pm

@schoen probably because I tried to install several times and was having problem with modssl.

I must have installed as root and regular user too.

system · September 2, 2017, 10:53pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.