Just another cannot renew Certificate problem


#1

My first install using Let’s Encrypt on RPI3 with Openhab, and I’m unable to update the certificate for the first time.


Processing /etc/letsencrypt/renewal/gallifrey99.midcoip.net.conf

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
/usr/lib/python2.7/dist-packages/acme/jose/jwa.py:110: CryptographyDeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
http-01 challenge for gallifrey99.midcoip.net
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0002_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0002_csr-certbot.pem
Attempting to renew cert from /etc/letsencrypt/renewal/gallifrey99.midcoip.net.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: gallifrey99.midcoip.net: see https://letsencrypt.org/docs/rate-limits/. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gallifrey99.midcoip.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My domain is: gallifrey99.midcoip.net

I ran this command: sudo certbot renew

It produced this output:

My web server is (include version): Openhab

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): none


#2

Have you been force-renewing? Something has issued 5 of that certificate in the last week.

Can you show

certbot --version
sudo certbot certificates

#3

certbot 0.10.2


Found the following certs:
Certificate Name: gallifrey99.midcoip.net
Domains: gallifrey99.midcoip.net
Expiry Date: 2018-07-04 22:55:55+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/gallifrey99.midcoip.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gallifrey99.midcoip.net/privkey.pem

Just home from vacation, so I haven’t tried until today.


#4

@DrMac, have you deleted files from those two directories? If not, it sounds like Certbot – or this Certbot – wasn’t what issued the last score or so of certificates…

Still, there are lots of valid certificates, issued from June 5 to yesterday (or possibly even more recently). Do you know what’s creating them? Certbot? A different ACME client? A different computer?

Could /etc/letsencrypt/ have been reverted to an older version? Like if certificates are getting issued in temporary Docker environments and subsequently erased, or if the disk failed and the computer was restored from a month-old backup…?

When was the last time you tried to renew it? As far as the logs on crt.sh are aware, only 2 duplicate certificates have been issued within the last week, so you can still issue 3 more. But its information can be a little out-of-date.

https://tools.letsdebug.net/cert-search?m=domain&q=gallifrey99.midcoip.net&d=2160


#5

Unfortunately the crt.sh backlog is still massive (but the ingester is being rewritten so hopefully it will be fixed soon), so the UI is not accurate. It seems like the domain is actually rate limited.

Apart from that, it may be worth checking out whether you can upgrade from Certbot 0.10 to a recent version; there are a tonne of missing bugfixes in the interval.


#6

I’ve deleted the files from the directory & tried a few times with the same errors.
I’m not sure what would be issuing new certificates… this is running on RPI3, Openhabian.
I have not restored any backups.
Last attempt (other than today) to renew was when I was testing…2 1/2 months ago.


#7

Could you confirm that with this:

sudo grep -RF "challenge for gallifrey99.midcoip.net" /var/log/letsencrypt

#8

How many files were there? Do you have backups?


#9

There are a lot listed there. Here are the first few:

/var/log/letsencrypt/letsencrypt.log.39:2018-06-27 17:26:41,520:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.11:2018-07-04 21:17:34,073:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.44:2018-06-25 05:32:11,548:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.84:2018-06-05 05:15:58,287:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.56:2018-06-19 05:00:49,192:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.203:2018-04-07 21:18:17,777:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.47:2018-06-23 17:11:41,747:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.219:2018-04-05 02:18:05,834:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.58:2018-06-18 05:38:06,503:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.81:2018-06-06 17:18:41,997:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.65:2018-06-14 17:10:39,046:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.16:2018-07-04 20:58:26,049:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.38:2018-06-28 05:30:26,414:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.197:2018-04-10 03:06:23,287:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.77:2018-06-08 17:44:59,287:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.14:2018-07-04 21:05:29,389:INFO:certbot.auth_handler:tls-sni-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.35:2018-06-29 17:34:04,250:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.73:2018-06-10 17:26:06,653:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.21:2018-07-04 20:17:14,732:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net

This seems like maybe my RPi is trying to auto-renew then?
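Added example, not code from the thread or from Certbot: a small Python script that parses lines in the format of the grep output above and counts challenge attempts per domain inside a rolling 7-day window, which is the window Let's Encrypt's duplicate-certificate limit (5 per week for an identical set of names) is measured over. The sample input is nine of the lines posted above plus one constructed line for a second hostname. Counting challenge attempts over-approximates actual issuances, because an attempt that fails or is rate-limited (as in the first post) still logs a challenge line, so a count at or above the limit is a prompt to look closer, not proof of issuance.

```python
import re
from datetime import datetime, timedelta

# Sample input: nine lines copied from the grep output posted above, plus one
# constructed line for a second hostname to show that counts are kept per domain.
SAMPLE_LINES = """\
/var/log/letsencrypt/letsencrypt.log.39:2018-06-27 17:26:41,520:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.11:2018-07-04 21:17:34,073:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.16:2018-07-04 20:58:26,049:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.38:2018-06-28 05:30:26,414:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.14:2018-07-04 21:05:29,389:INFO:certbot.auth_handler:tls-sni-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.35:2018-06-29 17:34:04,250:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.21:2018-07-04 20:17:14,732:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.65:2018-06-14 17:10:39,046:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.203:2018-04-07 21:18:17,777:INFO:certbot.auth_handler:http-01 challenge for gallifrey99.midcoip.net
/var/log/letsencrypt/letsencrypt.log.5:2018-07-01 08:00:00,000:INFO:certbot.auth_handler:http-01 challenge for other.example
"""

# One grep hit: <logfile>:<timestamp>,<ms>:INFO:certbot.auth_handler:<type> challenge for <domain>
LINE_RE = re.compile(
    r"^(?P<path>[^:]+):"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}"
    r":INFO:certbot\.auth_handler:(?P<ctype>[\w-]+) challenge for (?P<domain>\S+)$"
)

# Let's Encrypt's duplicate-certificate limit at the time of the thread: 5 certificates
# per week for an identical set of names. Challenge attempts over-approximate issuances
# (a failed or rate-limited attempt, as in the first post, still logs a challenge).
DUPLICATE_CERT_LIMIT_PER_WEEK = 5


def parse_challenge_lines(text):
    """Return [(timestamp, domain, challenge_type)] sorted by time; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("domain"), m.group("ctype")))
    return sorted(events)


def busiest_window(events, domain, days=7):
    """Largest number of challenge attempts for `domain` inside any `days`-long window,
    together with the timestamp that opens that window. (0, None) if never seen."""
    times = [t for t, d, _ in events if d == domain]
    best_count, best_start = 0, None
    for i, start in enumerate(times):
        end = start + timedelta(days=days)
        count = sum(1 for t in times[i:] if t < end)
        if count > best_count:
            best_count, best_start = count, start
    return best_count, best_start


def domains_near_limit(events, limit=DUPLICATE_CERT_LIMIT_PER_WEEK):
    """Map domain -> (count, window_start) for domains whose busiest week reaches `limit`."""
    flagged = {}
    for domain in sorted({d for _, d, _ in events}):
        count, start = busiest_window(events, domain)
        if count >= limit:
            flagged[domain] = (count, start)
    return flagged


if __name__ == "__main__":
    events = parse_challenge_lines(SAMPLE_LINES)
    for domain, (count, start) in domains_near_limit(events).items():
        print("%s: %d challenge attempts in the 7 days from %s" % (domain, count, start))
```

On a real host, feed the output of the grep command from post #7 into `parse_challenge_lines` (for instance by reading it from standard input instead of `SAMPLE_LINES`); a domain flagged by `domains_near_limit` is one where something ran Certbot often enough in a single week to hit the limit, which is the situation the posts above are diagnosing.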


#10

Yes, I copied them to a temp folder before deleting them.


#11

As an example, this certificate was successfully issued at 05:30:32: https://crt.sh/?id=563990701

Can you post “ls -alR /etc/letsencrypt/{archive,live}”?


#12

It may also help to post the full contents of /var/log/letsencrypt/letsencrypt.log.38. If Certbot crashed before it saved the certificate to the filesystem, it would be visible here.

Otherwise, @mnordhoff’s theory about you inadvertently deleting the certificates would seem to be likely.


#13

/etc/letsencrypt/archive:
total 20
drwx------ 5 root root 4096 Apr 5 18:55 .
drwxr-xr-x 8 root root 4096 Apr 4 21:22 ..
drwxr-xr-x 2 root root 4096 Apr 4 22:50 gallifrey99.midcoip.net
drwxr-xr-x 2 root root 4096 Apr 5 18:47 gallifrey99.midcoip.net-0001
drwxr-xr-x 2 root root 4096 Apr 5 18:55 gallifrey99.midcoip.net-0002

/etc/letsencrypt/archive/gallifrey99.midcoip.net:
total 40
drwxr-xr-x 2 root root 4096 Apr 4 22:50 .
drwx------ 5 root root 4096 Apr 5 18:55 ..
-rw-r--r-- 1 root root 2175 Apr 4 21:22 cert1.pem
-rw-r--r-- 1 root root 2175 Jul 4 12:40 cert2.pem
-rw-r--r-- 1 root root 1647 Apr 4 21:22 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 4 12:40 chain2.pem
-rw-r--r-- 1 root root 3822 Apr 4 21:22 fullchain1.pem
-rw-r--r-- 1 root root 3822 Jul 4 12:40 fullchain2.pem
-rw-r--r-- 1 root root 1704 Apr 4 21:22 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 4 12:40 privkey2.pem

/etc/letsencrypt/archive/gallifrey99.midcoip.net-0001:
total 40
drwxr-xr-x 2 root root 4096 Apr 5 18:47 .
drwx------ 5 root root 4096 Apr 5 18:55 ..
-rw-r--r-- 1 root root 2175 Apr 5 18:17 cert1.pem
-rw-r--r-- 1 root root 2179 Apr 5 18:47 cert2.pem
-rw-r--r-- 1 root root 1647 Apr 5 18:17 chain1.pem
-rw-r--r-- 1 root root 1647 Apr 5 18:47 chain2.pem
-rw-r--r-- 1 root root 3822 Apr 5 18:17 fullchain1.pem
-rw-r--r-- 1 root root 3826 Apr 5 18:47 fullchain2.pem
-rw-r--r-- 1 root root 1704 Apr 5 18:17 privkey1.pem
-rw-r--r-- 1 root root 1704 Apr 5 18:47 privkey2.pem

/etc/letsencrypt/archive/gallifrey99.midcoip.net-0002:
total 24
drwxr-xr-x 2 root root 4096 Apr 5 18:55 .
drwx------ 5 root root 4096 Apr 5 18:55 ..
-rw-r--r-- 1 root root 2175 Apr 5 18:55 cert1.pem
-rw-r--r-- 1 root root 1647 Apr 5 18:55 chain1.pem
-rw-r--r-- 1 root root 3822 Apr 5 18:55 fullchain1.pem
-rw-r--r-- 1 root root 1704 Apr 5 18:55 privkey1.pem

/etc/letsencrypt/live:
total 12
drwx------ 3 root root 4096 Apr 5 18:58 .
drwxr-xr-x 8 root root 4096 Apr 4 21:22 ..
drwxr-xr-x 2 root root 4096 Jul 4 20:41 gallifrey99.midcoip.net

/etc/letsencrypt/live/gallifrey99.midcoip.net:
total 12
drwxr-xr-x 2 root root 4096 Jul 4 20:41 .
drwx------ 3 root root 4096 Apr 5 18:58 ..
lrwxrwxrwx 1 root root 52 Jul 4 12:40 cert.pem -> ../../archive/gallifrey99.midcoip.net-0002/cert1.pem
lrwxrwxrwx 1 root root 53 Jul 4 12:40 chain.pem -> ../../archive/gallifrey99.midcoip.net-0002/chain1.pem
lrwxrwxrwx 1 root root 57 Jul 4 12:40 fullchain.pem -> ../../archive/gallifrey99.midcoip.net-0002/fullchain1.pem
lrwxrwxrwx 1 root root 55 Jul 4 12:40 privkey.pem -> ../../archive/gallifrey99.midcoip.net-0002/privkey1.pem
-rw-r--r-- 1 root root 543 Apr 5 18:55 README

I remember when I was first trying to set this up it installed several times & I believe I deleted some items that were duped: gallifrey99.midcoip.net-0001 & gallifrey99.midcoip.net-0002


#14

Certificates were working this morning. I’ve been trying to update them off and on today. They are now expired, though.


#15

The live/gallifrey99.midcoip.net/ symlinks are pointing to the archive/gallifrey99.midcoip.net-0002/ directory. Certbot saves the new certificates to archive/gallifrey99.midcoip.net/ but can’t find them again because the symlinks are pointing elsewhere. So you’re still using the older certificate, and Certbot is renewing repeatedly and unnecessarily and issuing dozens of duplicate certificates.

Take a backup of /etc/letsencrypt/ and fix the symlinks. Unless I made a typo, it should be:

sudo ln -fs ../../archive/gallifrey99.midcoip.net/cert2.pem /etc/letsencrypt/live/gallifrey99.midcoip.net/cert.pem
sudo ln -fs ../../archive/gallifrey99.midcoip.net/chain2.pem /etc/letsencrypt/live/gallifrey99.midcoip.net/chain.pem
sudo ln -fs ../../archive/gallifrey99.midcoip.net/fullchain2.pem /etc/letsencrypt/live/gallifrey99.midcoip.net/fullchain.pem
sudo ln -fs ../../archive/gallifrey99.midcoip.net/privkey2.pem /etc/letsencrypt/live/gallifrey99.midcoip.net/privkey.pem

(Edit: I did make a mistake. I wrote “../../gallifrey99.midcoip.net/” instead of “../../archive/gallifrey99.midcoip.net/”. Fixed now.)

In future, you can use “sudo certbot delete --cert-name example.com-0001” to delete all of a certificate’s files. (I’m not certain Certbot 0.10.2 supports it, though.)

You can also use e.g. “certbot --apache --cert-name example.com -d example.com -d www.example.com” to issue a new certificate and replace an existing one even if Certbot doesn’t want to (because it’s not a superset of the existing example.com certificate’s names). Again, I’m not certain 0.10.2 supports that option.

Certbot doesn’t have a built-in command to rename a certificate. I’d suggest avoiding renaming if possible… If you have to rename something, you need to adjust the symlinks in /etc/letsencrypt/live/ and possibly rename and edit the conf file in /etc/letsencrypt/renewal/.
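Added example, not code from the thread or from Certbot: a Python check for the failure mode described in this post, that is, live/<name>/ symlinks that resolve into a different archive directory or to a missing file, or that lag behind the newest version in archive/<name>/. It includes a repair function that does what the four ln -fs commands above do, plus a constructed copy of the directory layout from the ls -alR output (one-line placeholder files, not real keys or certificates) so the check can be run offline. The function names and the version-number logic are this example's own assumptions, not Certbot's.

```python
import os
import re
import tempfile
from pathlib import Path

# Certbot keeps versioned files in archive/<name>/ and points the stable names in
# live/<name>/ at them through relative symlinks. This is an added example, not
# Certbot code: it inspects that layout and, on request, rewrites the four symlinks
# the way the ln -fs commands in the post above do.
KINDS = ("cert", "chain", "fullchain", "privkey")
VERSIONED = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")


def check_lineage(letsencrypt_dir, name):
    """Return {"problems": [...], "linked_version": N|None, "newest_version": N|None}.
    No problems means all four live/<name>/ links resolve to files inside
    archive/<name>/ and all point at the newest version stored there."""
    base = Path(letsencrypt_dir)
    live, archive = base / "live" / name, base / "archive" / name
    problems, linked = [], set()
    names = os.listdir(str(archive)) if archive.is_dir() else []
    versions = {int(m.group(2)) for m in map(VERSIONED.match, names) if m}
    newest = max(versions) if versions else None
    if newest is None:
        problems.append("archive/%s/ contains no versioned .pem files" % name)
    for kind in KINDS:
        link = live / ("%s.pem" % kind)
        if not link.is_symlink():
            problems.append("live/%s/%s.pem is missing or not a symlink" % (name, kind))
            continue
        raw = os.readlink(str(link))                 # relative target as stored
        target = (link.parent / raw).resolve()       # what it actually points at
        if not target.is_file():
            problems.append("%s.pem -> %s: target does not exist" % (kind, raw))
        elif archive.resolve() not in target.parents:
            problems.append("%s.pem -> %s: points outside archive/%s/" % (kind, raw, name))
        else:
            m = VERSIONED.match(target.name)
            if m and m.group(1) == kind:
                linked.add(int(m.group(2)))
            else:
                problems.append("%s.pem -> %s: unexpected target name" % (kind, raw))
    linked_version = next(iter(linked)) if len(linked) == 1 else None
    if len(linked) > 1:
        problems.append("symlinks point at mixed archive versions %s" % sorted(linked))
    if linked_version is not None and newest is not None and linked_version < newest:
        problems.append("symlinks use version %d but archive/%s/ already holds version %d"
                        % (linked_version, name, newest))
    return {"problems": problems, "linked_version": linked_version, "newest_version": newest}


def repair_links(letsencrypt_dir, name, version):
    """Point live/<name>/*.pem at archive/<name>/*<version>.pem using the relative form
    Certbot itself uses (../../archive/<name>/cert2.pem), replacing existing links."""
    live = Path(letsencrypt_dir) / "live" / name
    live.mkdir(parents=True, exist_ok=True)
    for kind in KINDS:
        link = live / ("%s.pem" % kind)
        if link.is_symlink() or link.exists():
            link.unlink()
        link.symlink_to("../../archive/%s/%s%d.pem" % (name, kind, version))


def build_sample_tree(root):
    """Recreate the layout from the ls -alR output in the thread. Constructed: the .pem
    files are one-line placeholders, not real certificates or keys."""
    name = "gallifrey99.midcoip.net"
    for lineage, versions in ((name, (1, 2)), (name + "-0001", (1, 2)), (name + "-0002", (1,))):
        d = Path(root) / "archive" / lineage
        d.mkdir(parents=True)
        for v in versions:
            for kind in KINDS:
                (d / ("%s%d.pem" % (kind, v))).write_text("placeholder %s%d %s\n" % (kind, v, lineage))
    live = Path(root) / "live" / name
    live.mkdir(parents=True)
    for kind in KINDS:  # as in the thread: live/ points at the -0002 lineage
        (live / ("%s.pem" % kind)).symlink_to("../../archive/%s-0002/%s1.pem" % (name, kind))
    return name


def demo():
    """Check the constructed tree, repair it, then reproduce the typo from the first
    version of the fix (target path missing 'archive/'). Returns the three reports."""
    with tempfile.TemporaryDirectory() as tmp:
        name = build_sample_tree(tmp)
        before = check_lineage(tmp, name)
        repair_links(tmp, name, before["newest_version"])
        after = check_lineage(tmp, name)
        for kind in KINDS:
            link = Path(tmp) / "live" / name / ("%s.pem" % kind)
            link.unlink()
            link.symlink_to("../../%s/%s2.pem" % (name, kind))
        typo = check_lineage(tmp, name)
    return before, after, typo


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Against a real /etc/letsencrypt/, call `check_lineage("/etc/letsencrypt", "gallifrey99.midcoip.net")` as root and read the `problems` list before touching anything; the "points outside archive/<name>/" finding is the exact state shown in the ls -alR output above, and the "target does not exist" finding is what Certbot reported as a broken renewal configuration after the first, mistyped set of ln commands. Only run `repair_links` after taking the backup this post recommends.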


#16

The commands went well.
Now when updating I get:


Processing /etc/letsencrypt/renewal/gallifrey99.midcoip.net.conf

target /etc/letsencrypt/gallifrey99.midcoip.net/cert2.pem of symlink /etc/letsencrypt/live/gallifrey99.midcoip.net/cert.pem does not exist
Renewal configuration file /etc/letsencrypt/renewal/gallifrey99.midcoip.net.conf is broken. Skipping.

No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/gallifrey99.midcoip.net.conf (parsefail)
0 renew failure(s), 1 parse failure(s)


#17

Yeah, I made a mistake with the new symlink target. :sweat:

I just edited my previous post.

Can you do it again with the fixed version?

sudo ln -fs ../../archive/gallifrey99.midcoip.net/cert2.pem /etc/letsencrypt/live/gallifrey99.midcoip.net/cert.pem
sudo ln -fs ../../archive/gallifrey99.midcoip.net/chain2.pem /etc/letsencrypt/live/gallifrey99.midcoip.net/chain.pem
sudo ln -fs ../../archive/gallifrey99.midcoip.net/fullchain2.pem /etc/letsencrypt/live/gallifrey99.midcoip.net/fullchain.pem
sudo ln -fs ../../archive/gallifrey99.midcoip.net/privkey2.pem /etc/letsencrypt/live/gallifrey99.midcoip.net/privkey.pem

#18

OK, ran the updated commands.
Now when updating I get:


Processing /etc/letsencrypt/renewal/gallifrey99.midcoip.net.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/gallifrey99.midcoip.net/fullchain.pem (skipped)
No renewals were attempted.


#19

Right. It was recently renewed, and now it can find the new certificate, so renewing again isn’t necessary.

Does “certbot certificates” look good?

If you reload or restart the web server, does the site work now?


#20

Found the following certs:
Certificate Name: gallifrey99.midcoip.net
Domains: gallifrey99.midcoip.net
Expiry Date: 2018-10-02 16:40:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/gallifrey99.midcoip.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gallifrey99.midcoip.net/privkey.pem

Page doesn’t load.

RPI reboot and page is now loading!