How to renew the Let's Encrypt certificate? On Ubuntu @ EC2 instance of AWS

I received an email saying that my Let's Encrypt certificate will expire in 10 days.

My domain is:

civictechhub.org

I ran this command:

What command should I run to renew? I have SSH access to the EC2 instance on AWS which is serving the website.

It produced this output:

/

My web server is (include version):

T2 EC2 instance on AWS

The operating system my web server runs on is (include version):

Ubuntu

My hosting provider, if applicable, is:

AWS

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No, not really. I have the domain name on Namecheap.

No, via the command line on my local computer, via a .pem key SSHing into the server.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @8ba

please read the link shared in the mail.


I'll take a wild guess here and say that to renew your LE cert, you should repeat whatever you did to get the cert you have now.
OR try:
certbot renew
[if you use certbot]

So, which ACME client or method did you use to get the cert you are using now?


@rg305 Hi, thanks for your advice. I tried

certbot renew

but the reply was:

```
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
```

So I tried sudo certbot renew

and the reply was:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/civictechhub.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/civictechhub.org/fullchain.pem expires on 2021-04-21 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

What should I do now please? Any further advice would be much appreciated.


I started this post because I received the following mail:

Your certificate (or certificates) for the names listed below will expire in 10 days (on 29 Jan 21 18:19 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.

[civictechhub.org](http://civictechhub.org)
[www.civictechhub.org](http://www.civictechhub.org)

For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.

For details about when we send these emails, please visit https://letsencrypt.org/docs/expiration-emails/. In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

Please read that document.

There you can find all answers.

I think the part Jürgen particularly wants you to pay attention to is

However, I don't think that case applies to your situation. According to the logs you linked to at crt.sh, your certificate was successfully renewed today but hadn't been renewed before today. That doesn't explain why it renewed today (without your being aware!?), yet not before that.

Are you running Certbot on your local machine, or on EC2?

You said

which made me think that you were running it on your local machine and then copying it, but maybe I misunderstood what you were referring to.


@schoen I was accessing the EC2 via my local machine's command line.

I logged in using

$ ssh -i [PathToPem] ubuntu@[IP-ADDRESS]

Perhaps the certificate was renewed because I executed the following commands yesterday?

$ certbot renew
$ sudo certbot renew

following the suggestion of @rg305

I am happy that you indicate that it is renewed though! Peace of mind!


Then all that is missing is automating the renewal process.
Please show:
sudo crontab -l
sudo crontab -u root -l
sudo systemctl list-timers

  • sudo crontab -l or sudo crontab -u root -l

Response:
no crontab for root

  • sudo systemctl list-timers

Response:

```
NEXT                         LEFT          LAST                         PASSED
Fri 2021-01-22 18:07:29 UTC  3h 59min left Fri 2021-01-22 05:44:15 UTC  8h ago
Sat 2021-01-23 00:03:56 UTC  9h left       Fri 2021-01-22 13:01:15 UTC  1h 7min a
Sat 2021-01-23 06:57:37 UTC  16h left      Fri 2021-01-22 06:32:15 UTC  7h ago
Sat 2021-01-23 09:11:58 UTC  19h left      Fri 2021-01-22 09:11:58 UTC  4h 56min
Sat 2021-01-23 09:54:53 UTC  19h left      Fri 2021-01-22 13:35:15 UTC  33min ago
Mon 2021-01-25 00:00:00 UTC  2 days left   Mon 2021-01-18 00:00:01 UTC  4 days ag

6 timers listed.
Pass --all to see loaded but inactive timers, too.
```

Also tried sudo systemctl list-timers --all

Which is basically identical. It showed 8 timers, but the two additional ones were just listed as:

```
n/a                          n/a           n/a                          n/a
n/a                          n/a           n/a                          n/a
```

What does this tell us, @rg305? Always interested to learn more.


There is nothing in CRON.
And the system timers aren't showing any names, so that is less than useful.

It is supposed to show us all the scheduled jobs (with some human recognizable details).


sudo systemctl list-timers

I get more columns:

```
NEXT                         LEFT          LAST                         PASSED       UNIT                         ACTIVATES
Fri 2021-01-22 19:58:00 UTC  4h 55min left Fri 2021-01-22 03:18:11 UTC  11h ago      snap.certbot.renew.timer     snap.certbot.renew.service
Fri 2021-01-22 20:46:47 UTC  5h 44min left Fri 2021-01-22 07:30:48 UTC  7h ago       motd-news.timer              motd-news.service
Sat 2021-01-23 00:19:52 UTC  9h left       Fri 2021-01-22 10:17:48 UTC  4h 44min ago apt-daily.timer              apt-daily.service
Sat 2021-01-23 06:46:15 UTC  15h left      Fri 2021-01-22 06:33:47 UTC  8h ago       apt-daily-upgrade.timer      apt-daily-upgrade.service
Sat 2021-01-23 13:50:11 UTC  22h left      Fri 2021-01-22 13:50:11 UTC  1h 12min ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Mon 2021-01-25 00:00:00 UTC  2 days left   Mon 2021-01-18 00:00:01 UTC  4 days ago   fstrim.timer                 fstrim.service

6 timers listed.
Pass --all to see loaded but inactive timers, too.
```
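
An added example, not part of any post in this thread: a shell sketch that classifies captured `crontab -l` and `systemctl list-timers` output the way the replies above read it by eye, including the truncated listing where the UNIT column is missing. The function names and the certbot/letsencrypt/acme name match are assumptions of this example.

```shell
# Added example (not from the thread): classify captured scheduler output.

# stdin: output of `systemctl list-timers`. Prints one of
#   scheduled:<unit>  a *.timer unit naming certbot, letsencrypt or acme
#   none              UNIT column present, no such timer listed
#   unknown           UNIT column missing (truncated listing), cannot tell
renewal_timer_status() {
    awk '
        /^NEXT/ { if ($0 ~ / UNIT( |$)/) has_unit = 1; next }
        {
            # Date columns contain spaces, so scan every field for a unit name.
            for (i = 1; i <= NF; i++)
                if ($i ~ /\.timer$/ && tolower($i) ~ /certbot|letsencrypt|acme/)
                    found = $i
        }
        END {
            if (found != "") print "scheduled:" found
            else if (has_unit) print "none"
            else print "unknown"
        }'
}

# stdin: output of `crontab -l`. Prints the first active (uncommented)
# line that mentions certbot, or "none".
renewal_cron_status() {
    awk '
        /^[ \t]*#/ { next }
        tolower($0) ~ /certbot/ { print; hit = 1; exit }
        END { if (!hit) print "none" }'
}

# Sample inputs abridged from the two listings in the thread.
sample_truncated() {
    cat <<'EOF'
NEXT                         LEFT          LAST                         PASSED
Sat 2021-01-23 00:03:56 UTC  9h left       Fri 2021-01-22 13:01:15 UTC  1h 7min a
EOF
}
sample_full() {
    cat <<'EOF'
NEXT                         LEFT          LAST                         PASSED       UNIT                         ACTIVATES
Fri 2021-01-22 19:58:00 UTC  4h 55min left Fri 2021-01-22 03:18:11 UTC  11h ago      snap.certbot.renew.timer     snap.certbot.renew.service
Sat 2021-01-23 00:19:52 UTC  9h left       Fri 2021-01-22 10:17:48 UTC  4h 44min ago apt-daily.timer              apt-daily.service
EOF
}

sample_truncated | renewal_timer_status
sample_full | renewal_timer_status
echo "no crontab for root" | renewal_cron_status
```

On a live host, `systemctl list-timers --all --no-pager --full` keeps the UNIT and ACTIVATES columns from being cut off, so the result is never `unknown`.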
