Issues renewing certificate on Ubuntu 18.04.6 LTS

My domain is: unifi.penntech-it.com

I ran this command: sudo certbot --force-renewal -d unifi.penntech-it.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for unifi.penntech-it.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://unifi.penntech-it.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=unifi.penntech-it.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/unifi.penntech-it.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/unifi.penntech-it.com/privkey.pem
    Your cert will expire on 2022-05-08. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2022-01-05T14:50:41

The operating system my web server runs on is (include version):
Ubuntu 18.04.6 LTS (GNU/Linux 5.4.0-1068-azure x86_64)

My hosting provider, if applicable, is:
Azure

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Control panel and CLI

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

I appear to have successfully renewed the certificate and I restarted the server; however, when I browse to https://unifi.penntech-it.com:8443 it still shows that the certificate is not valid.

Hi @craig8 and welcome to the LE community forum

Please show the outputs of:
apachectl -t -D DUMP_VHOSTS
netstat -pant | grep -i listen

Also, stay away from using --force-renewal
[nothing good comes from using it for regular renewals - never add it to any script]


Hi @rg305
Thanks for coming back to me; please see the outputs below... the first command is interesting!

Ubiquiti_Admin@UbiquitiUCC:~$ apachectl -t -D DUMP_VHOSTS
AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/unifi.penntech-it.com/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

Ubiquiti_Admin@UbiquitiUCC:~$ netstat -pant | grep -i listen
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:27117 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::8443 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN -
tcp6 0 0 :::6789 :::* LISTEN -
tcp6 0 0 :::8843 :::* LISTEN -
tcp6 0 0 :::8880 :::* LISTEN -
tcp6 0 0 :::8080 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -


Try:
sudo apachectl -t -D DUMP_VHOSTS
sudo netstat -pant | grep -i listen


Did you move that?

Show us this file, please.

@rg305

Ubiquiti_Admin@UbiquitiUCC:~$ sudo apachectl -t -D DUMP_VHOSTS
[sudo] password for Ubiquiti_Admin:
VirtualHost configuration:
*:443 unifi.penntech-it.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 ubiquitiucc.internal.cloudapp.net (/etc/apache2/sites-enabled/000-default.conf:1)

Ubiquiti_Admin@UbiquitiUCC:~$ sudo netstat -pant | grep -i listen
tcp 0 0 127.0.0.1:27117 0.0.0.0:* LISTEN 1689/bin/mongod
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 820/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1055/sshd
tcp6 0 0 :::8443 :::* LISTEN 1542/java
tcp6 0 0 :::443 :::* LISTEN 1073/apache2
tcp6 4 0 :::6789 :::* LISTEN 1542/java
tcp6 0 0 :::8843 :::* LISTEN 1542/java
tcp6 0 0 :::8880 :::* LISTEN 1542/java
tcp6 0 0 :::8080 :::* LISTEN 1542/java
tcp6 0 0 :::80 :::* LISTEN 1073/apache2
tcp6 0 0 :::22 :::* LISTEN 1055/sshd


@9peppe
Hi,
No, I didn't move any files.

File contents:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # (The <IfModule> / <VirtualHost *:443> wrappers were stripped when the file was pasted
        # into the forum; they are restored here from the DUMP_VHOSTS output above, which
        # reports this vhost on line 2 of the file.)
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

ServerName unifi.penntech-it.com
SSLCertificateFile /etc/letsencrypt/live/unifi.penntech-it.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/unifi.penntech-it.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Based on the netstat command you have java listening on port 8443. You will need to copy over the Let's Encrypt cert you just got to your java server. Certbot is only able to configure Apache or nginx.

That java server currently sends a Let's Encrypt cert that expired a long time ago


THIS IS JUST FOR RENEWING

The shorter name is only served via HTTPS.
You can probably (indirectly) "use" that vhost with:
certbot --webroot -w /document/root/path -d unifi.penntech-it.com

You can find the actual DocumentRoot used in the file:

USING THE CERT
Will require going through whatever steps were taken originally to get the Java app to use a cert.


I managed to get this sorted: I found the old article I used to initially set this up and just needed to run the following command to import the SSL certificate into the controller: sudo /usr/local/bin/unifi_ssl_import.sh

The only thing is that I am not sure now how to configure this to auto-renew.

The guide shows how to automate the renewals.

Let's begin at the beginning...
Please show the output of:
sudo certbot certificates

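The two open points in this thread are that certbot only ever touches Apache, so the Java process on 8443 keeps serving whatever is in the UniFi keystore, and that the manual import has to happen again after every renewal. The usual way to close that loop is a certbot deploy hook: a script dropped into /etc/letsencrypt/renewal-hooks/deploy/ that certbot runs after each successful renewal, with RENEWED_LINEAGE and RENEWED_DOMAINS set in its environment. The script below is an added example written for this page; it is not the unifi_ssl_import.sh from the guide the poster used, and the keystore path (/var/lib/unifi/keystore), the keystore password "aircontrolenterprise" (the commonly documented UniFi default), the "unifi" alias and the "unifi" service name are assumptions that should be checked against the controller it is installed on.

```shell
#!/bin/sh
# Added example, not the thread's unifi_ssl_import.sh: a certbot deploy hook that
# imports a renewed Let's Encrypt certificate into the UniFi controller's Java keystore.
# Install as /etc/letsencrypt/renewal-hooks/deploy/unifi-import.sh, mode 0755.
# "certbot renew" runs every script in that directory after a successful renewal and
# exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS.
# Assumed values (verify on your own controller): keystore path, the default UniFi
# keystore password "aircontrolenterprise", the "unifi" alias, the "unifi" service.
set -eu

UNIFI_DOMAIN="${UNIFI_DOMAIN:-unifi.penntech-it.com}"
UNIFI_KEYSTORE="${UNIFI_KEYSTORE:-/var/lib/unifi/keystore}"      # assumed path
UNIFI_STOREPASS="${UNIFI_STOREPASS:-aircontrolenterprise}"       # assumed default
UNIFI_ALIAS="unifi"                                               # assumed alias
UNIFI_SERVICE="unifi"                                             # assumed unit name

# hook_applies DOMAINS: succeed only if the space-separated RENEWED_DOMAINS list
# contains our hostname. Other lineages renewing on the same host must not cause a
# keystore rewrite and a controller restart.
hook_applies() {
    for d in $1; do
        [ "$d" = "$UNIFI_DOMAIN" ] && return 0
    done
    return 1
}

# lineage_files LINEAGE: print the fullchain and key paths for the renewed lineage.
# Going through the live/ symlinks that RENEWED_LINEAGE points at, rather than a
# hard-coded archive/...N.pem path, keeps working when certbot rotates the files.
lineage_files() {
    printf '%s/fullchain.pem %s/privkey.pem\n' "$1" "$1"
}

# import_into_keystore LINEAGE: PEM -> PKCS12 -> Java keystore. keytool cannot read a
# PEM private key directly, so an intermediate .p12 is built under a 0600 umask and
# removed on every exit path, because it contains the private key.
import_into_keystore() {
    set -- $(lineage_files "$1")
    fullchain=$1; privkey=$2
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT
    (
        umask 077
        openssl pkcs12 -export \
            -in "$fullchain" -inkey "$privkey" \
            -name "$UNIFI_ALIAS" -out "$tmpdir/unifi.p12" \
            -passout "pass:$UNIFI_STOREPASS"
    )
    # Drop the stale entry first: keytool refuses to overwrite an existing alias.
    keytool -delete -alias "$UNIFI_ALIAS" -keystore "$UNIFI_KEYSTORE" \
        -storepass "$UNIFI_STOREPASS" 2>/dev/null || true
    keytool -importkeystore -noprompt \
        -srckeystore "$tmpdir/unifi.p12" -srcstoretype PKCS12 \
        -srcstorepass "$UNIFI_STOREPASS" -srcalias "$UNIFI_ALIAS" \
        -destkeystore "$UNIFI_KEYSTORE" -deststorepass "$UNIFI_STOREPASS" \
        -destalias "$UNIFI_ALIAS"
    # The Java process only reads the keystore at startup.
    systemctl restart "$UNIFI_SERVICE"
}

# Act only when certbot invoked us (RENEWED_LINEAGE set) and for our domain.
if [ -n "${RENEWED_LINEAGE:-}" ] && hook_applies "${RENEWED_DOMAINS:-}"; then
    import_into_keystore "$RENEWED_LINEAGE"
fi
```

After installing it, a dry run exercises the whole chain without burning a real renewal: sudo certbot renew --dry-run runs the hook only if --run-deploy-hooks is also given (on clients that have that flag), so on an older client such as 0.27 the quicker check is to run the import function by hand once and then confirm with "openssl s_client -connect unifi.penntech-it.com:8443" that the notAfter date on 8443 matches the one certbot reports. Keep the domain check: a host that renews several certificates would otherwise restart the controller for each of them.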
