Issues with renewal

Hi guys, hope everyone is doing fine. I successfully installed my certificates with your kind help 2 years ago, but the auto renewal failed 2 days ago. The only change I have made recently was to cancel one of my 3 domains, ''escapingthematrix.online'', so I suspect this might be my issue. Now I only have 2 domains left: ''sortirdelamatrice.online'' and ''naos-soultrap.online''.

So do I just have to delete the nginx server block in the sites-available directory for ''escapingthematrix.online'' and then issue the command: sudo certbot renew --nginx?

Here is my dry run result:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sortirdelamatrice.online.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sortirdelamatrice.online
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/sortirdelamatrice.online/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
  /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/naos-soultrap.online-0001/fullchain.pem (success)
  /etc/letsencrypt/live/naos-soultrap.online/fullchain.pem (success)
  /etc/letsencrypt/live/sortirdelamatrice.online/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: escapingthematrix.online
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for
   escapingthematrix.online - check that a DNS record exists for this
   domain; DNS problem: NXDOMAIN looking up AAAA for
   escapingthematrix.online - check that a DNS record exists for this
   domain

   Domain: www.escapingthematrix.online
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for
   www.escapingthematrix.online - check that a DNS record exists for
   this domain; DNS problem: NXDOMAIN looking up AAAA for
   www.escapingthematrix.online - check that a DNS record exists for
   this domain

Well, you actually have 4 domain names you want certs for: the above 2 and their www subdomains.

It is important to remove the nginx server blocks for the obsolete domain. But the needed Certbot command is different from that. Certbot renew just acts on the cert profiles from your existing certs. A different command is needed to reset the old profile.

And, from the public cert history I can tell you have several different cert profiles.

We should update the cert profile you currently use and delete the other ones you don't use. Including one that was issued today.

So, let's start by you showing us the output of this:

sudo certbot certificates
5 Likes

Hi Mike, thanks for replying, and yes, you are right, the correct command should be:

sudo certbot renew --nginx -d sortirdelamatrice.online -d www.sortirdelamatrice.online -d naos-soultrap.online -d www.naos-soultrap.online

I forgot to mention that I have tried and succeeded in doing a force renew command on both ''sortirdelamatrice.online'' and ''naos-soultrap.online'', but both websites are still unsecured, as you can see here: https://www.sortirdelamatrice.online/

Do I have to remove both certificates before issuing a new one?

Here is the certbot certificates output:

Found the following certs:
  Certificate Name: escapingthematrix.online
    Domains: sortirdelamatrice.online escapingthematrix.online naos-soultrap.online www.escapingthematrix.online www.naos-soultrap.online www.sortirdelamatrice.online
    Expiry Date: 2024-09-21 13:45:02+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/escapingthematrix.online/privkey.pem
  Certificate Name: naos-soultrap.online-0001
    Domains: naos-soultrap.online
    Expiry Date: 2024-12-21 23:50:04+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/naos-soultrap.online-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/naos-soultrap.online-0001/privkey.pem
  Certificate Name: naos-soultrap.online
    Domains: naos-soultrap.online www.naos-soultrap.online
    Expiry Date: 2024-11-18 19:18:17+00:00 (VALID: 55 days)
    Certificate Path: /etc/letsencrypt/live/naos-soultrap.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/naos-soultrap.online/privkey.pem
  Certificate Name: sortirdelamatrice.online
    Domains: sortirdelamatrice.online
    Expiry Date: 2024-12-21 23:48:46+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sortirdelamatrice.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sortirdelamatrice.online/privkey.pem

No, that isn't the right command for your situation.

Your nginx server is using the cert profile with the name escapingthematrix.online.

So, try this test and report what happens. Do not proceed beyond this yet, please. Yes, I realize this profile name is for the domain you no longer use. That is not important at this stage.

sudo certbot certonly --nginx --dry-run --cert-name escapingthematrix.online -d sortirdelamatrice.online -d www.sortirdelamatrice.online -d naos-soultrap.online -d www.naos-soultrap.online

No, there are actually 4 cert profiles active but we will clean this up later.

Please stop trying that. It is not the right approach and just wasting resources.

6 Likes

It was successful, Mike.

Found the following certs:
  Certificate Name: escapingthematrix.online
    Domains: sortirdelamatrice.online escapingthematrix.online naos-soultrap.online www.escapingthematrix.online www.naos-soultrap.online www.sortirdelamatrice.online
    Expiry Date: 2024-09-21 13:45:02+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/escapingthematrix.online/privkey.pem
  Certificate Name: naos-soultrap.online-0001
    Domains: naos-soultrap.online
    Expiry Date: 2024-12-21 23:50:04+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/naos-soultrap.online-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/naos-soultrap.online-0001/privkey.pem
  Certificate Name: naos-soultrap.online
    Domains: naos-soultrap.online www.naos-soultrap.online
    Expiry Date: 2024-11-18 19:18:17+00:00 (VALID: 55 days)
    Certificate Path: /etc/letsencrypt/live/naos-soultrap.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/naos-soultrap.online/privkey.pem
  Certificate Name: sortirdelamatrice.online
    Domains: sortirdelamatrice.online
    Expiry Date: 2024-12-21 23:48:46+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sortirdelamatrice.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sortirdelamatrice.online/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
pierre@sortirdelamatrice:~$ sudo certbot certonly --nginx --dry-run --cert-name escapingthematrix.online -d sortirdelamatrice.online -d www.sortirdelamatrice.online -d naos-soultrap.online -d www.naos-soultrap.online
[sudo] password for pierre:
Sorry, try again.
[sudo] password for pierre:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate escapingthematrix.online to include new domain(s):
(None)

You are also removing previously included domain(s):
- escapingthematrix.online
- www.escapingthematrix.online

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for naos-soultrap.online
http-01 challenge for sortirdelamatrice.online
http-01 challenge for www.naos-soultrap.online
http-01 challenge for www.sortirdelamatrice.online
Waiting for verification...
Cleaning up challenges

2 Likes

Excellent. Now issue the same command but just omitting the --dry-run.

That should get a fresh production cert and update the renewal profile.

We will test that renewal and clean up the unused cert profiles after that. One step at a time :slight_smile:

5 Likes

It was successful again, Mike, but is there a propagation time period, since the websites are still unsecured?

EDIT: my mistake, I forgot to reload nginx; now it's working fine.

pierre@sortirdelamatrice:~$ sudo certbot certonly --nginx --cert-name escapingthematrix.online -d sortirdelamatrice.online -d www.sortirdelamatrice.online -d naos-soultrap.online -d www.naos-soultrap.online
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate escapingthematrix.online to include new domain(s):
(None)

You are also removing previously included domain(s):
- escapingthematrix.online
- www.escapingthematrix.online

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: u
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/escapingthematrix.online/privkey.pem
   Your cert will expire on 2024-12-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3 Likes

Nice fix and nice use of --dry-run for testing, @MikeMcQ!

5 Likes

Excellent. I confirm I see the new cert with 4 domains used by your nginx. Now, to finish up. Let's delete the unused cert profiles. Certbot will try to renew each of them until we delete them. You don't need these certs since those names are covered in your other cert.

So, issue these 3 commands:

sudo certbot delete --cert-name naos-soultrap.online-0001
sudo certbot delete --cert-name naos-soultrap.online
sudo certbot delete --cert-name sortirdelamatrice.online

And, when done with those, show the output of this to confirm the automated renew works properly:

sudo certbot renew --dry-run
3 Likes
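As an added example (not code from this thread, from Certbot, or from Let's Encrypt), the script below automates the reasoning Mike walked through in the two replies above: parse `certbot certificates` output, find which profile nginx's `ssl_certificate` directives actually point at, drop the names that no longer resolve (the NXDOMAIN failure at the top of the thread), build the `certbot certonly --cert-name` command for the in-use profile, and list the leftover profiles whose names are fully covered by it, which are the ones `certbot delete` should remove. The certificates listing and nginx snippet are constructed to mirror this thread; `dns_resolves` uses the system resolver, and the hypothetical `FAKE_DNS` set stands in for it so the script runs offline.

```python
"""Audit certbot profiles against nginx and DNS, then emit the cleanup commands.

Added example, not from the original thread or from Certbot. Sample inputs are
constructed to mirror the thread; FAKE_DNS is a hypothetical stand-in resolver.
"""
import re
import socket

# Constructed sample of `sudo certbot certificates` output (abridged).
SAMPLE_CERTIFICATES = """\
Found the following certs:
  Certificate Name: escapingthematrix.online
    Domains: sortirdelamatrice.online escapingthematrix.online naos-soultrap.online www.escapingthematrix.online www.naos-soultrap.online www.sortirdelamatrice.online
    Expiry Date: 2024-09-21 13:45:02+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem
  Certificate Name: naos-soultrap.online-0001
    Domains: naos-soultrap.online
    Certificate Path: /etc/letsencrypt/live/naos-soultrap.online-0001/fullchain.pem
  Certificate Name: sortirdelamatrice.online
    Domains: sortirdelamatrice.online
    Certificate Path: /etc/letsencrypt/live/sortirdelamatrice.online/fullchain.pem
"""

# Constructed nginx server block (what `sudo nginx -T` would print).
SAMPLE_NGINX = """\
server {
    server_name sortirdelamatrice.online www.sortirdelamatrice.online;
    ssl_certificate /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/escapingthematrix.online/privkey.pem;
}
"""

# Hypothetical DNS answers: names present resolve, anything else is NXDOMAIN.
FAKE_DNS = {"sortirdelamatrice.online", "www.sortirdelamatrice.online",
            "naos-soultrap.online", "www.naos-soultrap.online"}


def parse_certificates(text):
    """Map each profile name to its SAN list and fullchain path."""
    certs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            certs[current] = {"domains": [], "path": None}
        elif current and line.startswith("Domains:"):
            certs[current]["domains"] = line.split(":", 1)[1].split()
        elif current and line.startswith("Certificate Path:"):
            certs[current]["path"] = line.split(":", 1)[1].strip()
    return certs


def profiles_used_by_nginx(nginx_conf, certs):
    """Profiles whose fullchain.pem an ssl_certificate directive references."""
    paths = set(re.findall(r"^\s*ssl_certificate\s+(\S+?);", nginx_conf, re.M))
    return sorted(name for name, c in certs.items() if c["path"] in paths)


def dns_resolves(name):
    """True if the name has any A/AAAA answer (False on NXDOMAIN and similar)."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False


def plan_cleanup(certs, in_use, resolve=dns_resolves):
    """Return (certonly command keeping only resolvable names, delete commands).

    A profile is redundant when nginx does not use it and every name it covers
    is also covered by the in-use profile after the unresolvable names are dropped.
    """
    keep = [d for d in certs[in_use]["domains"] if resolve(d)]
    certonly = ("sudo certbot certonly --nginx --cert-name " + in_use
                + "".join(" -d " + d for d in keep))
    redundant = [name for name, c in certs.items()
                 if name != in_use and set(c["domains"]) <= set(keep)]
    deletes = ["sudo certbot delete --cert-name " + n for n in sorted(redundant)]
    return certonly, deletes


if __name__ == "__main__":
    certs = parse_certificates(SAMPLE_CERTIFICATES)
    used = profiles_used_by_nginx(SAMPLE_NGINX, certs)
    print("profiles referenced by nginx:", used)
    cmd, deletes = plan_cleanup(certs, used[0], resolve=FAKE_DNS.__contains__)
    print(cmd)
    print("\n".join(deletes))
```

On a real host, feed it the output of `sudo certbot certificates` and `sudo nginx -T` and leave `resolve` at its default. Note that `certbot delete` removes the private key with the profile, so only run the emitted delete commands once `profiles_used_by_nginx` shows nothing still pointing at those paths; and because `certonly` does not install or reload anything, follow the certonly step with `sudo nginx -t` and a reload, as the thread found out.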

All good, Mike, and here is the dry run result:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate naos-soultrap.online-0001.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
pierre@sortirdelamatrice:~$ sudo certbot delete --cert-name naos-soultrap.online
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate naos-soultrap.online.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
pierre@sortirdelamatrice:~$ sudo certbot delete --cert-name sortirdelamatrice.online
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate sortirdelamatrice.online.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
pierre@sortirdelamatrice:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/escapingthematrix.online.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for naos-soultrap.online
http-01 challenge for sortirdelamatrice.online
http-01 challenge for www.naos-soultrap.online
http-01 challenge for www.sortirdelamatrice.online
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/escapingthematrix.online/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Here are the certificates:

pierre@sortirdelamatrice:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: escapingthematrix.online
    Domains: sortirdelamatrice.online naos-soultrap.online www.naos-soultrap.online www.sortirdelamatrice.online
    Expiry Date: 2024-12-22 22:36:15+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/escapingthematrix.online/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/escapingthematrix.online/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2 Likes

Excellent. Looks good. Should be fine going forward.

5 Likes

Thanks a lot, Mike, your support is simply fantastic! I just have 2 more questions and I am done:

1- Can I now delete the escapingthematrix.online.conf from nginx sites-available?

2- I want to donate, but there are 2 links. One is:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

and the other is:

Donating to EFF:                    https://eff.org/donate-le

So what is the difference between the 2 links?

3 Likes

If that is the server block for that obsolete domain, then yes. Usually people have a symlink in /sites-enabled to the /sites-available folder. If you have that, you should remove that first.

Then try sudo nginx -t to test your nginx conf.

Let's Encrypt is the Certificate Authority (CA). It is what manages and issues the certs. It is run by the ISRG, who also operate this forum :slight_smile:

Certbot is developed by the EFF. At one time it was done by ISRG too, but the EFF has handled it for a long time.

Donations are not required but I am sure both organizations appreciate them. Pick your favorite or even split your intended amount to each.

5 Likes

OK, that's fine with me, I will split it between both, and with that kind of support it's the least we can do!

Perfect, and thanks again for helping me put those websites back online securely. Have a good week.

Regards, Peter

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.