Invalid certificate after renew


#1

Hi!

I’m having problems renewing my certificate. I had some problem and tried the --staging flag, but now it seems that I cannot get back to a valid certificate. Maybe one of you has an idea that would help me.
In short:
certbot certificates: shows a certificate expiring next year, but (INVALID: TEST_CERT)
certbot renew --dry-run: Congratulations, all renewals succeeded. (The test certificates above have not been saved.)
certbot renew: not due for renewal

My domain is: cloud.bcks.eu

I ran this command: certbot renew (in different variants)

It produced this output: Success or “Attempting to renew cert from /etc/letsencrypt/renewal/cloud.bcks.eu.conf produced an unexpected error: You’ve asked to renew/replace a seemingly valid certificate with a test certificate (domains: cloud.bcks.eu). We will not do that unless you use the --break-my-certs flag!. Skipping.”

My web server is (include version): nginx

I can login to a root shell on my machine (yes or no, or I don’t know): yes

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: cloud.bcks.eu
Domains: cloud.bcks.eu home.bcks.eu read.bcks.eu
Expiry Date: 2019-02-13 17:30:21+00:00 (INVALID: TEST_CERT)
Certificate Path: /etc/letsencrypt/live/cloud.bcks.eu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cloud.bcks.eu/privkey.pem


#2

Ah, I think I still have the staging environment in the renewal conf… imagine a head hitting a wall here


#3

Hi @ftastisch

There is a Fake LE - certificate installed. So you have already installed the wrong certificate.

And you have an “Internal Server Error” = 500.

You should fix that first.


#4

Please show:
/etc/letsencrypt/renewal/cloud.bcks.eu.conf


#5

How did you find the internal server error?
Before the old certificate ran out yesterday everything (seemed) to be fine.


#6

Yes, I just noticed it:
server = https://acme-staging.api.letsencrypt.org/directory

I’m having problems finding the correct server though, you would not have a link?


#7

Try:
https://acme-v01.api.letsencrypt.org/directory
https://acme-v02.api.letsencrypt.org/directory


#8

My Browser accepts the Fake LE certificate as valid and trusted :wink:

And checked with my own online-tool

http://cloud.bcks.eu/ 301 https://cloud.bcks.eu/ 3.313 A
http://www.cloud.bcks.eu/ 301 https://cloud.bcks.eu/ 1.670 E
https://cloud.bcks.eu/ 500 0.804 S
Internal Server Error
https://www.cloud.bcks.eu/ 500 0.673 S
Internal Server Error

that ignores certificate errors and shows the 500.


#9

Now I see the Letsencrypt - certificate.

Created today.

And the Internal server error.


#10

Yes, I managed to renew the certificate. In a backup I found that before the --staging test there was no server in the renewal file. That did the trick.

Now I’ll have to find what I broke while trying to renew the certificate.
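A small check for the root cause found in #6 and #10 (a leftover staging server line in the renewal conf), added here as an example and not code from the thread or from certbot; the sample conf, its paths and account id are constructed placeholders.

```python
"""Find and fix a certbot renewal conf that still points at the staging CA."""
import configparser

PRODUCTION_V02 = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample of /etc/letsencrypt/renewal/<name>.conf after a --staging
# run; paths and the account id are placeholders, not values from the thread.
SAMPLE_CONF = """\
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/cloud.example.test
cert = /etc/letsencrypt/live/cloud.example.test/cert.pem
fullchain = /etc/letsencrypt/live/cloud.example.test/fullchain.pem
[renewalparams]
authenticator = nginx
installer = nginx
account = 0000000000000000000000000000dead
server = https://acme-staging.api.letsencrypt.org/directory
"""

def staging_server(text):
    """Return the staging directory URL if [renewalparams] points at one, else
    None. Keys before the first section header are legal in this file but
    rejected by configparser, so a dummy section is prepended."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string("[top]\n" + text)
    server = parser.get("renewalparams", "server", fallback=None)
    if server and "staging" in server:
        return server
    return None

def fixed_conf(text):
    """Point the server line at the production v02 directory; everything else is
    left byte-for-byte intact. Deleting the line instead, as post #10 did, also
    works: certbot then falls back to its default production directory."""
    out, in_params = [], False
    for line in text.splitlines():
        if line.strip().startswith("["):
            in_params = line.strip() == "[renewalparams]"
        key = line.split("=", 1)[0].strip()
        if in_params and key == "server" and "staging" in line:
            line = "server = " + PRODUCTION_V02
        out.append(line)
    return "\n".join(out) + "\n"
```

Run staging_server over every file in /etc/letsencrypt/renewal/ to spot any conf that will keep issuing test certificates on the next certbot renew.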


#11

Ok, now it’s running again as before. Your tool still shows an error, I’ll try to figure that out.

Thank you for your help!


#12

Yep, if you have a dns entry www.yourdomain, you should create one certificate with two names (non-www and www) and use this.


#13

So basically I could avoid this by either removing the dns entry or removing the certificate and then run something like:
certbot certonly --webroot -w /var/www/letsencrypt -d cloud.bcks.de -d www.cloud.bcks.eu --rsa-key-size 4096

Or did I miss something?


#14

Or I could simply use --expand, am I right? :wink:


#15

--expand just prevents you from being prompted; you still have to specify all of the names that you want the new certificate to cover.


#16

Ok, that did not work yet as it seems… I’ll keep on reading how to fix it.


#17

Yes, these are the two options.

If you have a www dns entry, a user can use this domain name. So http and https should answer - without a certificate error.

It’s interesting to see that there are big German journals, www works - and non-www has a timeout.