My email marketing app already has several cronjobs running. I added these cronjobs as a regular user.
The Letsencrypt cronjob was added as the root user. I was wondering if that made any difference?
I don’t see any new certificates being issued. I’m still able to browse to my domain and the certificate is still there in my browser. I’m assuming that the “notAfter=Feb 22 01:44:28 2018 GMT” is the expiry date of my certificate. Is that assumption correct? (Because today is Feb 24 2018.) I’m also assuming that the path to my “certbot-auto” is at “/home/bitnami/certbotsetup/certbot-auto renew”. Is that the right file? I’m basing this on some advice you guys gave me a while back about auto-renewal.
Is my timing on the cronjobs correct? What’s the proper way to set my certificates on auto-renew?
Looks like indeed no certificates have been issued since the now-expired one. Your site is still working (though for me it just displays a Bitnami holding page) because it is behind Cloudflare, which has its own valid certificate that’s separate from your Let’s Encrypt certificate. That’s used for the connection from the browser to Cloudflare. The LE cert is only used for the connection from Cloudflare to your origin server. Since it’s being accepted despite having expired, I guess you don’t have the full/strict mode enabled in Cloudflare.
If you want to enable strict mode (which is a good idea) you’ll need to either get a valid certificate for your origin server (probably by renewing your Let’s Encrypt certificate) or else use Cloudflare’s Origin CA.
If you want to try to renew the Let’s Encrypt cert, I’d suggest trying to run the renew command manually to see if you get a useful error message. Perhaps without the --quiet flag:
I changed my Cloudflare settings to Full/Strict mode and then I issued the command “/home/bitnami/certbotsetup/certbot-auto renew” and I got the following errors…
Attempting to renew cert (email-marketing.trade) from /etc/letsencrypt/renewal/email-marketing.trade.conf produced an unexpected error: Failed authorization procedure. email-marketing.trade (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://email-marketing.trade/.well-known/acme-challenge/mRUrqaK44u6_fBM-k-7nLzIAOnZunj0iKo4q4E9XiwQ: "
<html class="no-js ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/email-marketing.trade/fullchain.pem (failure)
What the heck am I doing wrong?
Originally I followed a different tutorial on installing certbot with wget. The tutorial on certbot.eff.org says to use sudo-apt and install the required dependencies.
The command worked the first time I issued the certificates.
I get this error…
" To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided."
I tried “./certbot-auto renew”. I then got the following errors…
“Attempting to renew cert (email-marketing.trade) from /etc/letsencrypt/renewal/email-marketing.trade.conf produced an unexpected error: Failed authorization procedure. email-marketing.trade (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://email-marketing.trade/.well-known/acme-challenge/eeRXloqIjvo6Aa_hbcx4hRFMeXB6R0EUKfvlWU7hJj0: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/email-marketing.trade/fullchain.pem (failure)”
…and…
“To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.”
I don’t understand what’s going on. I disabled certificates in Cloudflare as another member of the forum suggested. I would also like to set up SSL on all my apps in the Bitnami ec2 container. That’s how I had setup.
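The two renewal failures quoted above differ in ways that matter for troubleshooting. The following is an added example, not part of any post in this thread and not certbot's own code: it pulls the ACME error type and the URL out of each certbot message and flags when an http-01 check ended up on an https:// URL. The function name `diagnose` and the wording of the notes are assumptions made for the example; the log lines are copied from the thread.

```python
import re
from urllib.parse import urlparse

# Sample input: the two certbot failure lines quoted in this thread.
SAMPLE_LOG = [
    'Attempting to renew cert (email-marketing.trade) from /etc/letsencrypt/renewal/email-marketing.trade.conf produced an unexpected error: Failed authorization procedure. email-marketing.trade (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://email-marketing.trade/.well-known/acme-challenge/mRUrqaK44u6_fBM-k-7nLzIAOnZunj0iKo4q4E9XiwQ: "',
    'Attempting to renew cert (email-marketing.trade) from /etc/letsencrypt/renewal/email-marketing.trade.conf produced an unexpected error: Failed authorization procedure. email-marketing.trade (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://email-marketing.trade/.well-known/acme-challenge/eeRXloqIjvo6Aa_hbcx4hRFMeXB6R0EUKfvlWU7hJj0: Error getting validation data. Skipping.',
]

# domain (challenge): urn:acme:error:<kind> :: <detail> :: <verb> <url>:
PATTERN = re.compile(
    r"(?P<domain>\S+) \((?P<challenge>[a-z0-9-]+)\): "
    r"urn:acme:error:(?P<kind>\w+) :: (?P<detail>.*?) :: "
    r"(?:Invalid response from|Fetching) (?P<url>https?://\S+?):(?=\s)"
)

def diagnose(line):
    """Return the parsed fields of one certbot failure line, or None."""
    m = PATTERN.search(line)
    if m is None:
        return None
    scheme = urlparse(m["url"]).scheme
    # http-01 validation always starts with plain HTTP on port 80, so an
    # https:// URL in the failure means a redirect was followed first.
    redirected = m["challenge"] == "http-01" and scheme == "https"
    notes = []
    if m["kind"] == "unauthorized":
        notes.append("URL answered, but the body was not the challenge token")
    elif m["kind"] == "connection":
        notes.append("the CA could not fetch the URL at all")
    if redirected:
        notes.append("request was redirected to HTTPS before the fetch failed")
    return {
        "domain": m["domain"],
        "challenge": m["challenge"],
        "error": m["kind"],
        "url_scheme": scheme,
        "redirected_to_https": redirected,
        "notes": notes,
    }

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(diagnose(entry))
```
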
Well, you probably want to redirect from HTTP to HTTPS, so you just need to figure out what’s redirecting from HTTPS to HTTP and disable the redirect there. It can be helpful to check the headers of the redirect response for clues as to what’s doing the redirect; in your headers I’m seeing Server: cloudflare so maybe the redirect is there? Have you configured Cloudflare to force HTTP on your site? If so, don’t do that.
Can I completely remove certbot? And re-install it? Nothing I’ve tried seems to work. I disabled the A record that points to my ip address. The site is fine. I don’t know how you could even see Cloudflare!!!
How do I uninstall Certbot? I mean completely remove it? Then re-install it?
You might take a peek at your configuration to see how many “listen” directives are present just to be sure. Try grep -r "Listen" /etc/apache2/* (adapt path for your configuration) and see if there is more than one instance of the listen directive. If so, remove redundant entries and restart your server and try again… The “listen Directive” can be present in more than one file and if so can muck up the works… You only need a single “Listen 80” and a single “Listen 443”… Hope this helps a bit.