LetsEncrypt auto renew ---help


#1

I’m hosting an email marketing app on Amazon EC2 with Bitnami. I’m trying to auto-renew my Let’s Encrypt certificate. I added the following cronjob…

#letsencrypt renewal
17 */12 * * * /home/bitnami/certbotsetup/certbot-auto renew --quiet

My email marketing app already has several cronjobs running. I added these cronjobs as a regular user.
The Letsencrypt cronjob was added as the root user. I was wondering if that made any difference?

I issued the following commands on my server…

“openssl x509 -in /etc/letsencrypt/live/email-marketing.trade/cert.pem -noout -dates”

“email-marketing.trade” is the name of my domain
here’s the output of the above command…

“notBefore=Nov 24 01:44:28 2017 GMT
notAfter=Feb 22 01:44:28 2018 GMT”

I don’t see any new certificates being issued. I’m still able to browse to my domain and the certificate is still there in my browser. I’m assuming that the “notAfter=Feb 22 01:44:28 2018 GMT” is the expiry date of my certificate. Is that assumption correct? (because today is Feb 24 2018) I’m also assuming that the path to my “certbot-auto” is “/home/bitnami/certbotsetup/certbot-auto renew”; is that the right file? I’m basing this on some advice you guys gave me a while back about auto-renewal.

Is my timing on the cronjobs correct? What’s the proper way to set my certificates on auto-renew?

Thanks,
Lance
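A way to turn the openssl output quoted above into a plain answer, added here as an example and not part of the original thread: it parses the notBefore/notAfter lines, computes the days of validity left, and applies certbot's default rule that `renew` only replaces a certificate with fewer than 30 days remaining (so a cron entry that runs twice a day is fine, provided the command actually includes the `renew` subcommand). The `now` values and the sample output are constructed for the demonstration; `fetch_cert_dates` runs the real openssl binary against a path you supply.

```python
import re
import subprocess
from datetime import datetime, timezone

# certbot's default threshold: "renew" leaves a certificate alone until
# fewer than 30 days of validity remain.
RENEW_WITHIN_DAYS = 30

_DATE_RE = re.compile(r"^(notBefore|notAfter)=(.+)$", re.MULTILINE)


def utc(year, month, day):
    """Helper for the demonstration: a midnight UTC timestamp."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_openssl_dates(output):
    """Parse the two lines printed by `openssl x509 -noout -dates`.

    openssl prints the timestamps in GMT, e.g. 'Feb 22 01:44:28 2018 GMT'
    (single-digit days are padded with an extra space, which is normalised
    away here). Returns (not_before, not_after) as UTC-aware datetimes.
    """
    found = {}
    for key, value in _DATE_RE.findall(output):
        value = re.sub(r"\s+", " ", value.strip())
        if not value.endswith(" GMT"):
            raise ValueError("unexpected time zone in %r" % value)
        naive = datetime.strptime(value[:-4], "%b %d %H:%M:%S %Y")
        found[key] = naive.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("notBefore/notAfter lines not found in output")
    return found["notBefore"], found["notAfter"]


def days_remaining(not_after, now=None):
    """Whole days of validity left; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def renewal_status(output, now=None):
    """'expired', 'due' (certbot renew would act) or 'ok' (it would skip)."""
    _, not_after = parse_openssl_dates(output)
    left = days_remaining(not_after, now)
    if left < 0:
        return "expired"
    if left < RENEW_WITHIN_DAYS:
        return "due"
    return "ok"


def fetch_cert_dates(cert_path):
    """Run the real openssl command against a live certificate file,
    e.g. /etc/letsencrypt/live/<domain>/cert.pem (needs read permission)."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-dates"],
        check=True, capture_output=True, text=True,
    )
    return parse_openssl_dates(proc.stdout)


# Constructed sample: the exact two lines quoted in the opening post.
SAMPLE_OUTPUT = "notBefore=Nov 24 01:44:28 2017 GMT\nnotAfter=Feb 22 01:44:28 2018 GMT\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        _, not_after = fetch_cert_dates(sys.argv[1])
        print(sys.argv[1], "expires", not_after, "->", days_remaining(not_after), "days left")
    else:
        # Reproduces the thread's situation as of Feb 24 2018.
        print(renewal_status(SAMPLE_OUTPUT, now=utc(2018, 2, 24)))
```

Run it with the path to `cert.pem` as the only argument on the server itself; the expired status for the quoted dates is what explains why no renewal shows up in the browser check only after the expiry date has passed.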


#2

Looks like indeed no certificates have been issued since the now-expired one. Your site is still working (though for me it just displays a Bitnami holding page) because it is behind Cloudflare, which has its own valid certificate that’s separate from your Let’s Encrypt certificate. That’s used for the connection from the browser to Cloudflare. The LE cert is only used for the connection from Cloudflare to your origin server. Since it’s being accepted despite having expired, I guess you don’t have the full/strict mode enabled in Cloudflare.

If you want to enable strict mode (which is a good idea) you’ll need to either get a valid certificate for your origin server (probably by renewing your Let’s Encrypt certificate) or else use Cloudflare’s Origin CA.

If you want to try to renew the Let’s Encrypt cert, I’d suggest trying to run the renew command manually to see if you get a useful error message. Perhaps without the --quiet flag:

/home/bitnami/certbotsetup/certbot-auto renew

#3

I changed my Cloudflare settings to Full/Strict mode and then I issued the command “/home/bitnami/certbotsetup/certbot-auto renew” and I got the following errors…

“Attempting to renew cert (email-marketing.trade) from /etc/letsencrypt/renewal/email-marketing.trade.conf produced an unexpected error: Failed authorization procedure. email-marketing.trade (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://email-marketing.trade/.well-known/acme-challenge/mRUrqaK44u6_fBM-k-7nLzIAOnZunj0iKo4q4E9XiwQ: "<html class="no-js ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/email-marketing.trade/fullchain.pem (failure)”

What the heck am I doing wrong?

#4

You might need to disable full/strict mode until you’ve got a valid certificate - ie, disable it, get the certificate, then re-enable it.


#5

I can’t figure out how to renew the certificate. I disabled the SSL completely on Cloudflare. I looked at the following tutorial: https://certbot.eff.org/#ubuntutrusty-apache

Originally I followed a different tutorial on installing certbot with wget. The tutorial on certbot.eff.org says to use sudo apt and install the required dependencies.

Originally I followed this tutorial https://www.sarathshyam.in/2017/02/05/howto-install-letsencrypt-ssl-certificate-on-aws-bitnami-ec2/ and was able to get a certificate. I just changed the path to /opt/bitnami/apache2/htdocs instead of “/home/bitnami/apps/wordpress/htdocs/”.

I’ve tried "./certbot-auto certonly --webroot -w /opt/bitnami/apache2/htdocs -d email-marketing.trade -d www.email-marketing.trade"
I also tried "./certbot-auto renew --dry-run"

I can’t figure out how to renew the certificate.


#6

What output or error messages did you see in each of these cases?


#7

when I run…

“./certbot-auto certonly --webroot -w /opt/bitnami/apache2/htdocs -d email-marketing.trade -d www.email-marketing.trade”

The command worked the first time I issued the certificates.

I get this error…

" To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided."

I tried “./certbot-auto renew” I then got the following errors…

“Attempting to renew cert (email-marketing.trade) from /etc/letsencrypt/renewal/email-marketing.trade.conf produced an unexpected error: Failed authorization procedure. email-marketing.trade (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://email-marketing.trade/.well-known/acme-challenge/eeRXloqIjvo6Aa_hbcx4hRFMeXB6R0EUKfvlWU7hJj0: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/email-marketing.trade/fullchain.pem (failure)”

…and…

“To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.”

I don’t understand what’s going on. I disabled certificates in Cloudflare as another member of the forum suggested. I would also like to set up SSL on all my apps in the Bitnami EC2 container. That’s how I had it set up.
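Both error messages end with the same hint: make sure that a file dropped under the webroot is actually reachable at http://&lt;domain&gt;/.well-known/acme-challenge/. The self-check below is an added example, not part of the thread or of certbot itself: it writes a random token into that directory of a webroot you name, fetches it back through the public hostname the way the Let's Encrypt validator would, removes the token again, and tells you whether you got the token, an HTML page (the symptom in post #3, where the application's page answered instead of the file), or some other status. `origin.example` and the two stand-in fetch functions are constructed for the offline demonstration; `http_get` performs the real request.

```python
import os
import secrets
import tempfile
import urllib.error
import urllib.parse
import urllib.request

CHALLENGE_URL_PATH = "/.well-known/acme-challenge/"


def http_get(url, timeout=10):
    """Plain HTTP fetch returning (status, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "webroot-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def webroot_selfcheck(webroot, base_url, fetch=http_get):
    """Place a token where `certbot --webroot -w <webroot>` would, fetch it
    back via the public URL, remove it, and classify the outcome."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    token_path = os.path.join(challenge_dir, token)
    with open(token_path, "w") as fh:
        fh.write(token)
    try:
        status, body = fetch(base_url.rstrip("/") + CHALLENGE_URL_PATH + token)
    finally:
        os.remove(token_path)  # never leave stale tokens lying in the webroot

    if status == 200 and body.strip() == token:
        return {"ok": True, "reason": "token served correctly from the webroot"}
    if status == 200 and body.lstrip().startswith("<"):
        return {"ok": False, "reason": "got an HTML page instead of the token: "
                "a rewrite rule, application front controller or proxy is "
                "answering for " + CHALLENGE_URL_PATH}
    return {"ok": False, "reason": "unexpected HTTP status %s" % status}


def serving_fetch(webroot):
    """Constructed stand-in for http_get: a correctly configured server whose
    document root is `webroot`, used only for the offline demonstration."""
    def fetch(url):
        rel = urllib.parse.urlsplit(url).path.lstrip("/")
        full = os.path.join(webroot, rel)
        if os.path.isfile(full):
            with open(full) as fh:
                return 200, fh.read()
        return 404, "Not Found"
    return fetch


def html_fetch(url):
    """Constructed stand-in reproducing the failure quoted in the thread:
    every URL, challenge path included, gets the application's HTML page."""
    return 200, '<html class="no-js"><head><title>app</title></head></html>'


def demo():
    """Offline run of both outcomes; returns (good_result, bad_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = webroot_selfcheck(tmp, "http://origin.example", fetch=serving_fetch(tmp))
        bad = webroot_selfcheck(tmp, "http://origin.example", fetch=html_fetch)
    return good, bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # e.g. webroot_check.py /opt/bitnami/apache2/htdocs http://your-domain
        print(webroot_selfcheck(sys.argv[1], sys.argv[2]))
    else:
        for result in demo():
            print(result)
```

Run it on the origin with the webroot passed to `-w` and the plain `http://` URL of the domain; if the HTML verdict comes back, the directory is fine and it is whatever sits in front of the files (a rewrite, the app's router, or a proxy) that needs an exception for the challenge path.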


#8

Right now you’ve got a redirect loop. Your HTTPS site is redirecting to HTTP, and vice versa. You’ll almost certainly need to fix that first.


#9

Do you have any ideas on fixing redirect loops? Or should I use google?


#10

Well you probably want to redirect from HTTP to HTTPS, so you just need to figure out what’s redirecting from HTTPS to HTTP and disable the redirect there. It can be helpful to check the headers of the redirect response for clues as to what’s doing the redirect; in your headers I’m seeing Server: cloudflare so maybe the redirect is there? Have you configured Cloudflare to force HTTP on your site? If so, don’t do that :slight_smile:
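A way to find the layer issuing the HTTPS-to-HTTP redirect, added here as an example and not from the reply above: it follows the redirect chain one hop at a time without letting urllib auto-follow, records each hop's status and Server header, stops as soon as a URL repeats, and then lists the hops that send an HTTPS request back to plain HTTP. The `origin.example` responses are constructed to mimic the situation described in the thread (Apache upgrading to HTTPS, something answering as Cloudflare downgrading again); `http_hop` performs real requests when you pass a URL.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urlopen hand 3xx responses back (as HTTPError) instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_hop(url, timeout=10):
    """Fetch exactly one hop; returns (status, headers) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-trace"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def _key(url):
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query)


def trace_redirects(start_url, fetch=http_hop, max_hops=10):
    """Follow redirects by hand, recording each hop's status, Server header and
    target, and stop as soon as a URL repeats (a loop) or the chain ends."""
    hops, seen, url = [], set(), start_url
    while len(hops) < max_hops:
        seen.add(_key(url))
        status, headers = fetch(url)
        lower = {k.lower(): v for k, v in headers.items()}
        hop = {"url": url, "status": status, "server": lower.get("server", "?"), "location": None}
        hops.append(hop)
        location = lower.get("location")
        if status not in REDIRECT_CODES or not location:
            return {"loop": False, "truncated": False, "hops": hops}
        hop["location"] = urljoin(url, location)
        if _key(hop["location"]) in seen:
            return {"loop": True, "truncated": False, "hops": hops}
        url = hop["location"]
    return {"loop": False, "truncated": True, "hops": hops}


def downgrade_hops(result):
    """Hops that answer an HTTPS request with a redirect to plain HTTP. Their
    Server header says which layer (origin, CDN, ...) issued the redirect."""
    return [h for h in result["hops"]
            if h["location"]
            and urlsplit(h["url"]).scheme == "https"
            and urlsplit(h["location"]).scheme == "http"]


# Constructed responses mimicking the situation in the thread: the origin
# (Apache) sends HTTP to HTTPS, while the layer answering as Cloudflare
# sends HTTPS straight back to HTTP.
SAMPLE_RESPONSES = {
    "http://origin.example/": (301, {"Location": "https://origin.example/", "Server": "Apache"}),
    "https://origin.example/": (301, {"Location": "http://origin.example/", "Server": "cloudflare"}),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES[url]


def demo():
    return trace_redirects("http://origin.example/", fetch=sample_fetch)


if __name__ == "__main__":
    import sys
    result = trace_redirects(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for h in result["hops"]:
        print(h["status"], h["url"], "->", h["location"], "(Server: %s)" % h["server"])
    print("loop detected" if result["loop"] else "no loop")
    for h in downgrade_hops(result):
        print("HTTPS->HTTP downgrade issued by:", h["server"], "at", h["url"])
```

Running it against the live site with `http://` as the starting URL shows the whole chain; the hop flagged by `downgrade_hops` is the one whose owning layer (the Server header) has the redirect to remove.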


#11

Can I completely remove certbot? And re-install it? Nothing I’ve tried seems to work. I disabled the A record that points to my ip address. The site is fine. I don’t know how you could even see Cloudflare!!!

How do I uninstall Certbot? I mean completely remove it? Then re-install it?

certbot worked fine the first time


#12

Removing Certbot will not change your web server configuration in any way, so it won’t, for example, fix redirection loops.


#13

Still confused about renewal.

I still have another site with a valid lets-encrypt certificate

I just added a cronjob as root…

17 */12 * * * /home/bitnami/certbotsetup/certbot-auto --quiet

Then I issued the following commands…
openssl x509 -in /etc/letsencrypt/live/yeah-nothing.com/cert.pem -noout -dates

It doesn’t appear a new certificate was issued.

I edited the cronjob without the quiet flag…

17 */12 * * * /home/bitnami/certbotsetup/certbot-auto

I went into my Certbot directory and ran “./certbot-auto”

I got the following errors…

"Failed to find executable apache2ctl in PATH: /opt/bitnami/varnish/bin:/opt/bitnami/sqlite/bin:/opt/bitnami/php/bin:/opt/bitnami/mysql/bin:/opt/bitnami/apache2/bin:/opt/bitnami/common/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games"

What’s happening here?


#14

Maybe it’s in /home/bitnami rather than /opt/bitnami?


#15

You might take a peek at your configuration to see how many “Listen” directives are present just to be sure. Try grep -r "Listen" /etc/apache2/* (adapt path for your configuration) and see if there are more than one instance of the Listen directive. If so remove redundant entries and restart your server and try again… The “Listen” directive can be present in more than one file and if so can muck up the works… You only need a single “Listen 80” and a single “Listen 443”… Hope this helps a bit.
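The grep above can be scripted so that it also skips commented-out lines and reports where each duplicate lives; this is an added example, not from the post. It takes a mapping of file name to file text (or reads every *.conf below a directory you name), groups Listen directives by their argument and lists the ones declared more than once. The sample file contents are constructed; the directory is a parameter because on a Bitnami stack the Apache configuration lives under /opt/bitnami/apache2/conf rather than /etc/apache2.

```python
import os
import re
from collections import defaultdict

# Matches "Listen 80", "Listen 443 https", "Listen 0.0.0.0:80"; a leading "#"
# (commented-out directive) does not match.
_LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)


def find_listen_directives(files):
    """files: {file_name: config_text}. Returns {argument: [(file, line_no), ...]}."""
    hits = defaultdict(list)
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            match = _LISTEN_RE.match(line)
            if match:
                hits[match.group(1)].append((name, line_no))
    return dict(hits)


def redundant_listens(files):
    """Only the arguments that are declared more than once."""
    return {arg: locs for arg, locs in find_listen_directives(files).items() if len(locs) > 1}


def load_config_tree(root, suffix=".conf"):
    """Read every *.conf below `root` into the mapping the functions above expect."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(suffix):
                path = os.path.join(dirpath, name)
                with open(path, errors="replace") as fh:
                    files[path] = fh.read()
    return files


# Constructed sample: a main file plus two included files that each repeat a
# port, and one commented-out directive that must be ignored.
SAMPLE_FILES = {
    "httpd.conf": "Listen 80\nInclude conf/extra/httpd-ssl.conf\nInclude conf/bitnami/bitnami.conf\n",
    "conf/extra/httpd-ssl.conf": "Listen 443\n#Listen 8443\n",
    "conf/bitnami/bitnami.conf": "Listen 80\nListen 443\n",
}


if __name__ == "__main__":
    import sys
    files = load_config_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    dupes = redundant_listens(files)
    if not dupes:
        print("no duplicate Listen directives")
    for arg, locs in dupes.items():
        print("Listen %s appears %d times:" % (arg, len(locs)))
        for name, line_no in locs:
            print("  %s:%d" % (name, line_no))
```

The grouping is by the literal argument, so `Listen 80` and `Listen 0.0.0.0:80` (which bind the same port) show up as two separate entries; look at both spellings before concluding that a port is declared only once.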


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.