Issues with subdomain certificate assignment

Yes, agreed.

@whiki I see your testing and spicewars domains just fine but it makes no sense given what you've shown. Can you show results of this:

sudo ls -lRa /etc/letsencrypt/live

And, contents of this file:

/etc/apache2/sites-enabled/testing-whiki-le-ssl.conf

The result of that command is:

drwx------ 5 root root 4096 Mar 19 12:28 .
drwxr-xr-x 9 root root 4096 Mar 19 15:06 ..
-rw-r--r-- 1 root root  740 Mar 17 21:49 README
drwxr-xr-x 2 root root 4096 Mar 19 12:14 spicewars.whiki.online
drwxr-xr-x 2 root root 4096 Mar 19 12:28 spicewars.whiki.online-0001
drwxr-xr-x 2 root root 4096 Mar 19 11:57 testing.whiki.online

/etc/letsencrypt/live/spicewars.whiki.online:
total 12
drwxr-xr-x 2 root root 4096 Mar 19 12:14 .
drwx------ 5 root root 4096 Mar 19 12:28 ..
-rw-r--r-- 1 root root  692 Mar 17 21:49 README
lrwxrwxrwx 1 root root   46 Mar 19 12:14 cert.pem -> ../../archive/spicewars.whiki.online/cert3.pem
lrwxrwxrwx 1 root root   47 Mar 19 12:14 chain.pem -> ../../archive/spicewars.whiki.online/chain3.pem
lrwxrwxrwx 1 root root   51 Mar 19 12:14 fullchain.pem -> ../../archive/spicewars.whiki.online/fullchain3.pem
lrwxrwxrwx 1 root root   49 Mar 19 12:14 privkey.pem -> ../../archive/spicewars.whiki.online/privkey3.pem

/etc/letsencrypt/live/spicewars.whiki.online-0001:
total 12
drwxr-xr-x 2 root root 4096 Mar 19 12:28 .
drwx------ 5 root root 4096 Mar 19 12:28 ..
-rw-r--r-- 1 root root  692 Mar 19 12:28 README
lrwxrwxrwx 1 root root   51 Mar 19 12:28 cert.pem -> ../../archive/spicewars.whiki.online-0001/cert1.pem
lrwxrwxrwx 1 root root   52 Mar 19 12:28 chain.pem -> ../../archive/spicewars.whiki.online-0001/chain1.pem
lrwxrwxrwx 1 root root   56 Mar 19 12:28 fullchain.pem -> ../../archive/spicewars.whiki.online-0001/fullchain1.pem
lrwxrwxrwx 1 root root   54 Mar 19 12:28 privkey.pem -> ../../archive/spicewars.whiki.online-0001/privkey1.pem

/etc/letsencrypt/live/testing.whiki.online:
total 12
drwxr-xr-x 2 root root 4096 Mar 19 11:57 .
drwx------ 5 root root 4096 Mar 19 12:28 ..
-rw-r--r-- 1 root root  692 Mar 19 03:40 README
lrwxrwxrwx 1 root root   44 Mar 19 11:57 cert.pem -> ../../archive/testing.whiki.online/cert5.pem
lrwxrwxrwx 1 root root   45 Mar 19 11:57 chain.pem -> ../../archive/testing.whiki.online/chain5.pem
lrwxrwxrwx 1 root root   49 Mar 19 11:57 fullchain.pem -> ../../archive/testing.whiki.online/fullchain5.pem
lrwxrwxrwx 1 root root   47 Mar 19 11:57 privkey.pem -> ../../archive/testing.whiki.online/privkey5.pem

and the contents of testing-whiki-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin email@email.com
    ServerName testing.whiki.online
    DocumentRoot /var/www/html/mediawiki
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/testing.whiki.online/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/testing.whiki.online/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Ok, great, that VirtualHost has the right cert file names (makes sense now).

You can delete the cert spicewars.whiki.online as you don't use it. This will prevent it being renewed unnecessarily.

sudo certbot delete --cert-name spicewars.whiki.online

Other than that it is looking good. Even the redirects seem fine now. Do they look good to you?

After deleting the unneeded cert you could try this to ensure your renewal will work:

sudo certbot renew --dry-run

I've deleted the certificate.

When running the command, I get this error:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/spicewars.whiki.online-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for spicewars.whiki.online

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/testing.whiki.online.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for testing.whiki.online
Failed to renew certificate testing.whiki.online with error: File not found: bd2ab4fc635212ac477d64c6ed839fc95959eb600d9eb81ab3de9b832667d36e

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
  /etc/letsencrypt/live/spicewars.whiki.online-0001/fullchain.pem (success)

The following simulated renewals failed:
  /etc/letsencrypt/live/testing.whiki.online/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Also, I think something with the SSL is stopping me from generating rewrites from index.php > /wiki/.

For example, if I put a URL in here, to generate the rewrite syntax, I get an error saying the certificate validation failed:

SSL_connect returned=1 errno=0 state=error: certificate verify failed
---------------------------------------------------------------------
(OpenSSL::SSL::SSLError) 
/usr/lib/ruby/2.1.0/net/http.rb:920:in `connect'
/usr/lib/ruby/2.1.0/net/http.rb:920:in `block in connect'
/usr/lib/ruby/2.1.0/timeout.rb:76:in `timeout'
/usr/lib/ruby/2.1.0/net/http.rb:920:in `connect'
/usr/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
/usr/lib/ruby/2.1.0/net/http.rb:852:in `start'
/web/redwerks.org/shorturls/detector.rb:100:in `get'
/web/redwerks.org/shorturls/detector.rb:163:in `detect'
/web/redwerks.org/shorturls/handler.rb:51:in `handle_request'
config.ru:19:in `block (2 levels) in <main>'
/var/lib/gems/2.1.0/gems/passenger-5.0.26/src/ruby_supportlib/phusion_passenger/rack/thread_handler_extension.rb:97:in `call'
/var/lib/gems/2.1.0/gems/passenger-5.0.26/src/ruby_supportlib/phusion_passenger/rack/thread_handler_extension.rb:97:in `process_request'
/var/lib/gems/2.1.0/gems/passenger-5.0.26/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:152:in `accept_and_process_next_request'
/var/lib/gems/2.1.0/gems/passenger-5.0.26/src/ruby_supportlib/phusion_passenger/request_handler/thread_handler.rb:113:in `main_loop'
/var/lib/gems/2.1.0/gems/passenger-5.0.26/src/ruby_supportlib/phusion_passenger/request_handler.rb:416:in `block (3 levels) in start_threads'
/var/lib/gems/2.1.0/gems/passenger-5.0.26/src/ruby_supportlib/phusion_passenger/utils.rb:113:in `block in create_thread_and_abort_on_exception'

https://shorturls.redwerks.org/?url=https%3A%2F%2Fspicewars.whiki.online%2Findex.php%2FMain_Page

Well, that is disturbing.

Can you show the contents of these two files? Let's work on one problem at a time.

/etc/letsencrypt/renewal/spicewars.whiki.online-0001.conf
/etc/letsencrypt/renewal/testing.whiki.online.conf

Spice Wars:

# renew_before_expiry = 30 days
version = 1.25.0
archive_dir = /etc/letsencrypt/archive/spicewars.whiki.online-0001
cert = /etc/letsencrypt/live/spicewars.whiki.online-0001/cert.pem
privkey = /etc/letsencrypt/live/spicewars.whiki.online-0001/privkey.pem
chain = /etc/letsencrypt/live/spicewars.whiki.online-0001/chain.pem
fullchain = /etc/letsencrypt/live/spicewars.whiki.online-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 25dfb803d679bde0bd5a62fae2c86336
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

Testing:

# renew_before_expiry = 30 days
version = 1.25.0
archive_dir = /etc/letsencrypt/archive/testing.whiki.online
cert = /etc/letsencrypt/live/testing.whiki.online/cert.pem
privkey = /etc/letsencrypt/live/testing.whiki.online/privkey.pem
chain = /etc/letsencrypt/live/testing.whiki.online/chain.pem
fullchain = /etc/letsencrypt/live/testing.whiki.online/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 25dfb803d679bde0bd5a62fae2c86336
authenticator = dns-digitalocean
dns_digitalocean_credentials = [redacted]
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

That website sends a faulty cert chain. I would avoid using it.


Oh, sorry, I thought you had switched to Apache Authenticator for both your domain names. I see you are using Apache Auth for spicewars but DNS for testing domain.

I am not familiar with Digital Ocean DNS Authenticator. Do you recognize the file described by the dry-run? It might be easier to have both domains using the same authenticator though.

File not found: bd2ab4fc635212ac477d64c6ed839fc95959eb600d9eb81ab3de9b832667d36e

I wouldn't be surprised if the file got deleted sometime this morning when I was trying to fix/set it up properly. How would I go about switching to Apache Auth for the testing domain?

I think this would work:

sudo certbot --apache --cert-name testing.whiki.online

You may need to choose option 2 (renew and replace) to update the renewal conf file. I can't easily adjust my test server to confirm that right now (sorry).


I'll try again in a couple of days, I've hit a rate limit at the moment, but I'm not surprised.

An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: testing.whiki.online: see https://letsencrypt.org/docs/rate-limits/

Well, we usually discourage people from manually updating the renewal conf files because they usually make a mess.

With that warning, your case may be one where that might be easier. Your apache testing VirtualHost looks identical (except for names) to spicewars and spicewars renewal is working.

So, you could try taking these lines from your working spicewars conf and replace the renewalparams section in your testing conf file with these:

# Options used in the renewal process
[renewalparams]
account = 25dfb803d679bde0bd5a62fae2c86336
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

Since the testing renewal does not work anyway you don't need a backup of it before changing. But, if you do make sure to place any backup in a folder outside of the /etc/letsencrypt folders.

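As an added check, not code from the thread or from certbot itself: a small Python linter for the renewal conf format quoted above. It parses the file, flags a dns-* authenticator whose credentials file is missing (the cause of the "File not found" dry-run failure), and warns when a lineage has neither an installer nor a renew_hook, in which case a renewed cert is never loaded by Apache. Domain names and paths in the samples are constructed placeholders.

```python
import configparser
import os

def parse_renewal_conf(text):
    """Parse certbot's renewal/<name>.conf; its keys precede any [section], so a synthetic [lineage] header is added."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[lineage]\n" + text)
    return {s: dict(cp[s]) for s in cp.sections()}

def lint_renewal_conf(text):
    """Return findings explaining why `certbot renew` may fail, or may
    succeed without the web server ever loading the new certificate."""
    conf = parse_renewal_conf(text)
    params = conf.get("renewalparams", {})
    findings = []
    auth = params.get("authenticator")
    if not auth:
        findings.append("no authenticator configured; renewal cannot run")
    elif auth.startswith("dns-"):
        # DNS plugins store their API credentials path under
        # <plugin>_credentials (e.g. dns_digitalocean_credentials); if that
        # file was deleted, renewal fails with "File not found".
        key = auth.replace("-", "_") + "_credentials"
        creds = params.get(key)
        if not creds:
            findings.append(f"{auth}: {key} not set")
        elif not os.path.isfile(creds):
            findings.append(f"{auth}: credentials file missing: {creds}")
    if "installer" not in params and "renew_hook" not in params:
        findings.append("no installer or renew_hook: web server will not "
                        "be reloaded after renewal")
    for k in ("cert", "privkey", "chain", "fullchain"):
        if k not in conf.get("lineage", {}):
            findings.append(f"lineage is missing the {k} path")
    return findings

# Constructed samples (placeholder paths): a working apache lineage, and a dns-digitalocean lineage whose credentials file is gone.
APACHE_CONF = """\
cert = /etc/letsencrypt/live/example.test/cert.pem
privkey = /etc/letsencrypt/live/example.test/privkey.pem
chain = /etc/letsencrypt/live/example.test/chain.pem
fullchain = /etc/letsencrypt/live/example.test/fullchain.pem
[renewalparams]
authenticator = apache
installer = apache
"""
DNS_CONF = APACHE_CONF.replace("authenticator = apache\ninstaller = apache\n",
    "authenticator = dns-digitalocean\n"
    "dns_digitalocean_credentials = /nonexistent/placeholder-do.ini\n")
```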

That seemed to work! Thank you for your help.

