Letsencrypt and ESMC (Eset Security Management Center)

Hi!

90 days ago I successfully created a certificate for the ESMC appliance. ESMC is based on the Tomcat web server (listening on port 443). To simplify SSL creation I installed Apache on the same machine (listening on port 80).

The certificate was created and deployed with these commands:

certbot certonly --webroot -w /usr/share/tomcat/webapps -d esmc.rta.lv

openssl pkcs12 -export -out /tmp/esmc.rta.lv_fullchain_and_key.p12 \
  -in /etc/letsencrypt/live/esmc.rta.lv/fullchain.pem \
  -inkey /etc/letsencrypt/live/esmc.rta.lv/privkey.pem \
  -name tomcat

keytool -importkeystore \
  -deststorepass MyPassword -destkeypass MyPassword -destkeystore esmc.rta.lv.jks \
  -srckeystore /tmp/esmc.rta.lv_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass MyPassword \
  -alias tomcat

cp esmc.rta.lv.jks /etc/tomcat/

After the corresponding changes in server.xml and a Tomcat restart, everything was working.

Now I need to renew the certificate. I tried to run the commands
certbot certonly --webroot -w /usr/share/tomcat/webapps -d esmc.rta.lv,
certbot certonly, and certbot renew. In all cases I get this error:

2019-08-16 09:34:50,071:DEBUG:acme.client:Storing nonce: yakCZq2thNzbGhxHjS7O91aBEa84wz5RS_Vo6T89R7Y
2019-08-16 09:34:50,090:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.36.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1381, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1264, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 314, in renew_cert
    lineage.save_successor(prior_version, new_cert, new_key.pem, new_chain, config)
  File "/usr/lib/python2.7/site-packages/certbot/storage.py", line 1105, in save_successor
    with util.safe_open(target["privkey"], "wb", chmod=BASE_PRIVKEY_MODE) as f:
  File "/usr/lib/python2.7/site-packages/certbot/util.py", line 223, in safe_open
    fd = filesystem.open(path, os.O_CREAT | os.O_EXCL | os.O_RDWR, *open_args)
  File "/usr/lib/python2.7/site-packages/certbot/compat/filesystem.py", line 97, in open
    return os.open(file_path, flags, mode)
OSError: [Errno 17] File exists: '/etc/letsencrypt/archive/esmc.rta.lv/privkey2.pem'
2019-08-16 09:34:50,093:ERROR:certbot.log:An unexpected error occurred:

And now, after 5 unsuccessful attempts, esmc.rta.lv was blocked.
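The manual openssl/keytool steps in the post have to be repeated after every renewal, which is what a Certbot deploy hook is for. The script below is an added example, not code from the thread; it assumes an install path of /etc/letsencrypt/renewal-hooks/deploy/tomcat-jks.sh, a root-only password file /etc/tomcat/jks-password, and that Tomcat runs as group "tomcat". Certbot sets RENEWED_LINEAGE when it runs deploy hooks; nothing runs unless it is set.

```shell
#!/bin/sh
# Added example (not from the thread): Certbot deploy hook that rebuilds the
# Tomcat keystore from the renewed lineage, so "certbot renew" alone suffices.
# Assumed paths/names: /etc/tomcat/jks-password (root-only file holding the
# keystore password), TOMCAT_DIR=/etc/tomcat, TOMCAT_GROUP=tomcat.
set -eu

JKS_PASS_FILE=${JKS_PASS_FILE:-/etc/tomcat/jks-password}
TOMCAT_DIR=${TOMCAT_DIR:-/etc/tomcat}
TOMCAT_GROUP=${TOMCAT_GROUP:-tomcat}

# lineage_name <renewed-lineage-path> -> last path element, e.g. esmc.rta.lv
lineage_name() { basename "$1"; }

# jks_path <tomcat-dir> <lineage-name> -> keystore path referenced in server.xml
jks_path() { printf '%s/%s.jks\n' "$1" "$2"; }

# build_jks <lineage-dir> <jks-file>: fullchain+key -> PKCS12 -> JKS, then
# atomically replace the keystore Tomcat reads. The password travels through
# the environment (openssl "env:", keytool ":env" modifier), so it does not
# appear in the argv that `ps` shows to every local user.
build_jks() {
    lineage=$1; jks=$2
    p12=$(mktemp)                       # mode 600, removed on exit
    trap 'rm -f "$p12"' EXIT
    JKS_PASS=$(cat "$JKS_PASS_FILE"); export JKS_PASS
    openssl pkcs12 -export -out "$p12" \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name tomcat -passout env:JKS_PASS
    rm -f "$jks.new"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env JKS_PASS \
        -destkeystore "$jks.new" -deststorepass:env JKS_PASS -destkeypass:env JKS_PASS \
        -alias tomcat
    chown root:"$TOMCAT_GROUP" "$jks.new"
    chmod 640 "$jks.new"                # private key inside: not world-readable
    mv "$jks.new" "$jks"
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/esmc.rta.lv)
# only when invoking deploy hooks; outside that context this script is inert.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_jks "$RENEWED_LINEAGE" "$(jks_path "$TOMCAT_DIR" "$(lineage_name "$RENEWED_LINEAGE")")"
    systemctl restart tomcat
fi
```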

Hi @rzevsskij

Did you run the command as root / sudo?

Does that file exist?

Can you post the output of “sudo ls -alR /etc/letsencrypt/”?

Have you modified or deleted any of the files in /etc/letsencrypt/?

What version of Certbot are you using?

Yes! I ran it as root and the file exists.

Result of "sudo ls -alR /etc/letsencrypt/":
/etc/letsencrypt/:
total 36
drwxr-xr-x. 9 root root 4096 Aug 19 09:03 .
drwxr-xr-x. 95 root root 8192 Aug 14 17:11 ..
drwx------. 4 root root 84 Aug 14 18:54 accounts
drwx------. 4 root root 47 Aug 16 09:36 archive
drwxr-xr-x. 2 root root 4096 Aug 19 09:03 csr
-rw-r--r--. 1 root root 3901 May 21 11:24 esmc.rta.lv.jks
drwx------. 2 root root 4096 Aug 19 09:03 keys
drwx------. 3 root root 37 May 21 11:17 live
-rw-r--r--. 1 root root 1591 May 20 12:59 options-ssl-apache.conf
drwxr-xr-x. 2 root root 57 May 22 07:05 renewal
drwxr-xr-x. 5 root root 40 May 20 12:56 renewal-hooks
-rw-r--r--. 1 root root 64 May 20 12:59 .updated-options-ssl-apache-conf-digest.txt

/etc/letsencrypt/accounts:
total 4
drwx------. 4 root root 84 Aug 14 18:54 .
drwxr-xr-x. 9 root root 4096 Aug 19 09:03 ..
drwx------. 3 root root 22 Aug 14 18:54 acme-staging-v02.api.letsencrypt.org
drwx------. 3 root root 22 May 20 12:59 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org:
total 0
drwx------. 3 root root 22 Aug 14 18:54 .
drwx------. 4 root root 84 Aug 14 18:54 ..
drwx------. 3 root root 45 Aug 14 18:54 directory

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory:
total 0
drwx------. 3 root root 45 Aug 14 18:54 .
drwx------. 3 root root 22 Aug 14 18:54 ..
drwx------. 2 root root 61 Aug 14 18:54 1111c7f0bbed2c790afdbfeddb9b5fc2

/etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/directory/1111c7f0bbed2c790afdbfeddb9b5fc2:
total 12
drwx------. 2 root root 61 Aug 14 18:54 .
drwx------. 3 root root 45 Aug 14 18:54 ..
-rw-r--r--. 1 root root 74 Aug 14 18:54 meta.json
-r--------. 1 root root 1632 Aug 14 18:54 private_key.json
-rw-r--r--. 1 root root 86 Aug 14 18:54 regr.json

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 0
drwx------. 3 root root 22 May 20 12:59 .
drwx------. 4 root root 84 Aug 14 18:54 ..
drwx------. 3 root root 45 May 20 13:02 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 0
drwx------. 3 root root 45 May 20 13:02 .
drwx------. 3 root root 22 May 20 12:59 ..
drwx------. 2 root root 61 May 20 13:02 6767caf4ec753d20c3dd39423d3539b3

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/6767caf4ec753d20c3dd39423d3539b3:
total 12
drwx------. 2 root root 61 May 20 13:02 .
drwx------. 3 root root 45 May 20 13:02 ..
-rw-r--r--. 1 root root 74 May 20 13:02 meta.json
-r--------. 1 root root 1632 May 20 13:02 private_key.json
-rw-r--r--. 1 root root 78 May 20 13:02 regr.json

/etc/letsencrypt/archive:
total 8
drwx------. 4 root root 47 Aug 16 09:36 .
drwxr-xr-x. 9 root root 4096 Aug 19 09:03 ..
drwxr-xr-x. 2 root root 4096 May 22 07:05 esmc.rta.lv
drwxr-xr-x. 2 root root 79 May 21 11:17 esmc.rta.lv-0001

/etc/letsencrypt/archive/esmc.rta.lv:
total 36
drwxr-xr-x. 2 root root 4096 May 22 07:05 .
drwx------. 4 root root 47 Aug 16 09:36 ..
-rw-r--r--. 1 root root 1899 May 21 08:08 cert1.pem
-rw-r--r--. 1 root root 1899 May 22 07:05 cert2.pem
-rw-r--r--. 1 root root 1647 May 21 08:08 chain1.pem
-rw-r--r--. 1 root root 1647 May 22 07:05 chain2.pem
-rw-r--r--. 1 root root 3546 May 21 08:08 fullchain1.pem
-rw-r--r--. 1 root root 3546 May 22 07:05 fullchain2.pem
-rw-------. 1 root root 1708 May 21 08:08 privkey1.pem
-rw-------. 1 root root 1708 May 22 07:05 privkey2.pem

/etc/letsencrypt/archive/esmc.rta.lv-0001:
total 16
drwxr-xr-x. 2 root root 79 May 21 11:17 .
drwx------. 4 root root 47 Aug 16 09:36 ..
-rw-r--r--. 1 root root 1903 May 21 11:17 cert1.pem
-rw-r--r--. 1 root root 1647 May 21 11:17 chain1.pem
-rw-r--r--. 1 root root 3550 May 21 11:17 fullchain1.pem
-rw-------. 1 root root 1704 May 21 11:17 privkey1.pem

/etc/letsencrypt/live:
total 8
drwx------. 3 root root 37 May 21 11:17 .
drwxr-xr-x. 9 root root 4096 Aug 19 09:03 ..
drwxr-xr-x. 2 root root 110 May 22 07:08 esmc.rta.lv
-rw-r--r--. 1 root root 740 May 21 08:08 README

/etc/letsencrypt/live/esmc.rta.lv:
total 8
drwxr-xr-x. 2 root root 110 May 22 07:08 .
drwx------. 3 root root 37 May 21 11:17 ..
lrwxrwxrwx. 1 root root 40 May 22 07:05 cert.pem -> ../../archive/esmc.rta.lv-0001/cert1.pem
lrwxrwxrwx. 1 root root 41 May 22 07:05 chain.pem -> ../../archive/esmc.rta.lv-0001/chain1.pem
-rw-r--r--. 1 root root 3901 May 22 07:08 esmc.rta.lv.jks
lrwxrwxrwx. 1 root root 45 May 22 07:05 fullchain.pem -> ../../archive/esmc.rta.lv-0001/fullchain1.pem
lrwxrwxrwx. 1 root root 43 May 22 07:05 privkey.pem -> ../../archive/esmc.rta.lv-0001/privkey1.pem
-rw-r--r--. 1 root root 692 May 21 11:17 README

/etc/letsencrypt/renewal:
total 12
drwxr-xr-x. 2 root root 57 May 22 07:05 .
drwxr-xr-x. 9 root root 4096 Aug 19 09:03 ..
-rw-r--r--. 1 root root 579 May 21 11:17 esmc.rta.lv-0001.conf
-rw-r--r--. 1 root root 554 May 22 07:05 esmc.rta.lv.conf

/etc/letsencrypt/renewal-hooks:
total 4
drwxr-xr-x. 5 root root 40 May 20 12:56 .
drwxr-xr-x. 9 root root 4096 Aug 19 09:03 ..
drwxr-xr-x. 2 root root 6 May 20 12:56 deploy
drwxr-xr-x. 2 root root 6 May 20 12:56 post
drwxr-xr-x. 2 root root 6 May 20 12:56 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 0
drwxr-xr-x. 2 root root 6 May 20 12:56 .
drwxr-xr-x. 5 root root 40 May 20 12:56 ..

/etc/letsencrypt/renewal-hooks/post:
total 0
drwxr-xr-x. 2 root root 6 May 20 12:56 .
drwxr-xr-x. 5 root root 40 May 20 12:56 ..

/etc/letsencrypt/renewal-hooks/pre:
total 0
drwxr-xr-x. 2 root root 6 May 20 12:56 .
drwxr-xr-x. 5 root root 40 May 20 12:56 ..

Have you modified or deleted any of the files in /etc/letsencrypt/? As far as I remember, no, except for changes possibly made by the script.

Any more ideas?

I don't understand that error:

Normally, Apache/nginx doesn't block the key files.

Run your basic command with the -vvv option, so you get a lot of debug information.

Perhaps

  • make a backup
  • delete that blocking file (or rename it)
  • try it again

Don't try to issue another certificate yet.

That's not how it's supposed to be. The four symlinks should be pointing to the files in ../../archive/esmc.rta.lv/, not ../../archive/esmc.rta.lv-0001/. Certbot is probably getting confused.

You need to fix the symlinks. Then Certbot will probably work fine.
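The listing above shows the mismatch this reply describes: live/esmc.rta.lv points at archive/esmc.rta.lv-0001/*1.pem, so the next version was counted as 2, while the new files were written to archive/esmc.rta.lv, where privkey2.pem already existed. The script below is an added check, not code from the thread or from Certbot; it takes the letsencrypt directory as a parameter (an assumption) so it can also run against a copy of the tree.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a Certbot lineage's live/
# symlinks point into archive/<same name>/ and that the successor files a
# renewal would create do not already exist. Run as:
#   check_lineage.sh /etc/letsencrypt esmc.rta.lv      (script name assumed)

# link_target <live-symlink>  ->  "<archive-dir-name> <version>"
link_target() {
    target=$(readlink "$1") || return 1          # fails if not a symlink
    dir=$(basename "$(dirname "$target")")
    ver=$(basename "$target" | sed -n 's/^[a-z]*\([0-9][0-9]*\)\.pem$/\1/p')
    printf '%s %s\n' "$dir" "${ver:-0}"
}

# check_lineage <letsencrypt-dir> <lineage-name>
# Returns 0 when the layout is consistent, 1 (with a report) otherwise.
check_lineage() {
    le_dir=$1; name=$2; status=0
    for kind in cert chain fullchain privkey; do
        link="$le_dir/live/$name/$kind.pem"
        out=$(link_target "$link") || { echo "$link: not a symlink"; status=1; continue; }
        dir=${out% *}; ver=${out#* }
        if [ "$dir" != "$name" ]; then
            echo "$link -> archive/$dir/ (expected archive/$name/)"
            status=1
        fi
        # the path a renewal would next create with O_EXCL (version + 1)
        next="$le_dir/archive/$name/$kind$((ver + 1)).pem"
        if [ -e "$next" ]; then
            echo "$next already exists: renewal would fail with EEXIST"
            status=1
        fi
    done
    return $status
}

if [ $# -eq 2 ]; then
    check_lineage "$1" "$2"
fi
```

Run it before `certbot renew` after touching anything under /etc/letsencrypt; a non-zero exit means the symlinks need repairing first, as the reply says.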


Thank you! I am blocked and can't try just now. I will fix the symlinks and try to issue a new certificate on Friday.

Thank you very much!!! We did it!!!

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/esmc.rta.lv/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/esmc.rta.lv/privkey.pem
    Your cert will expire on 2019-11-21. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le
