LetsEncrypt / Certificate Renewal Issue (Ongoing Issue)

root@eve-ng:~# certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: lab.addmoreroutes.com
Domains: lab.addmoreroutes.com
Expiry Date: 2020-07-10 15:56:55+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem


Right now I don't see your server answering on port 443 - is there a firewall and is it different where you are?

Yes, there is a fw and I have made some recent changes. 443 should be responsive now

The cert does not contain the "www" (as ServerAlias mentioned above).
If you are using that name you should add it to the cert.
If not, then you should remove it from the virtual host config.

[Correction] I was getting a "You dont have permissions…" error message for internal access. I was able to correct the Apache2.conf file and got internal access to work again which is good. I am not able to access externally and right now I am looking at a firewall/nat issue.

I was able to fix this issue. Can you assist with an Ubuntu cron job for this moving forward?

Certbot will automatically set up a renewal job.
Perhaps not via cron…
Try:
systemctl list-timers

I can try to give that a go. But this isn't an Apache forum, so most of us aren't experts! What I put below works, though it might not be the only way to do things.

As others have said, your certificate doesn't cover "www.lab.addmoreroutes.com", just "lab.addmoreroutes.com". That's fine, I only cover "darksteve.tk" and not "www.darksteve.tk" with my certificate. Just be aware that adding "www" will throw an error if you use it.

Your Apache vhosts should contain something like the following:

<VirtualHost *:80>
    ServerName lab.addmoreroutes.com
    Redirect permanent / https://lab.addmoreroutes.com/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /path/to/your/website
    ServerName lab.addmoreroutes.com
    SSLEngine on
    SSLCertificateFile "/etc/letsencrypt/live/lab.addmoreroutes.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/lab.addmoreroutes.com/privkey.pem"
</VirtualHost>

The first section will redirect all http traffic (unencrypted port 80) to your https site (encrypted port 443). You posted the location of your certificates so I added the correct path for those, but only you know where your website is located, so you need to fill out the path for that yourself.

I hope that helps, and gives you a starting point. Good luck!

EDIT: Certbot needs access to port 80 in order to renew. The above works for me and also allows renewing without any issues. I've been renewing since 2016!

Also, you can renew by using "certbot renew". If you add that to a weekly cron job, it will be visually obvious what the command does and it will renew your certificate once the certificate has only 30 days left. You can run "certbot renew" as often as you like, it won't hassle the Let's Encrypt servers until your certificate is close to expiry. (That is, provided you don't "--force" a renewal, which you shouldn't need to do under most circumstances.)

EDIT2: I almost forgot! Always do a backup of the files you edit! This is especially important when you're still learning. You might break a functioning site while fixing your non-functioning site. Just a simple "cp vhosts.conf vhosts.conf.bak" or something will do. I'm on FreeBSD, not Linux, so I can't say for sure what your files are called!

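An added example, not code from any poster in this thread: a Python check that compares the hostnames in an Apache vhost file with the names listed by `certbot certificates`, flagging names the certificate does not cover (such as the "www" alias raised above) and certificates inside the 30-day renewal window. The sample inputs are constructed from the output and config shown in the thread, the function names are hypothetical, and the wildcard handling goes beyond the single-name case discussed here.

```python
import re

# Constructed sample: `certbot certificates` output in the format shown in the thread.
CERTBOT_OUTPUT = """\
Certificate Name: lab.addmoreroutes.com
Domains: lab.addmoreroutes.com
Expiry Date: 2020-07-10 15:56:55+00:00 (VALID: 89 days)
"""
# Constructed sample: the thread's vhost with the "www" ServerAlias the replies point out.
VHOST_CONF = """\
<VirtualHost *:443>
    ServerName lab.addmoreroutes.com
    ServerAlias www.lab.addmoreroutes.com
</VirtualHost>
"""

def parse_certs(text):
    """Return {certificate name: {"domains": set of names, "days": days left or None}}."""
    certs, cur = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Certificate Name":
            cur = certs.setdefault(value.strip(), {"domains": set(), "days": None})
        elif cur is not None and key == "Domains":
            cur["domains"].update(value.lower().split())
        elif cur is not None and key == "Expiry Date":
            m = re.search(r"VALID:\s*(\d+)\s+day", value)
            cur["days"] = int(m.group(1)) if m else 0  # no day count: treat as due now
    return certs

def vhost_names(conf):
    """Hostnames from ServerName / ServerAlias directives, lower-cased, any :port dropped."""
    names = set()
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].lower() in ("servername", "serveralias"):
            names.update(p.lower().split(":")[0] for p in parts[1:])
    return names

def covers(cert_domain, host):  # exact match, or wildcard for exactly one leftmost label
    wild = cert_domain.startswith("*.") and host.partition(".")[2] == cert_domain[2:]
    return wild or cert_domain == host

def audit(certbot_text, conf, renew_days=30):  # 30 days: the renewal window named above
    certs = parse_certs(certbot_text)
    domains = set().union(*(c["domains"] for c in certs.values()))
    uncovered = sorted(h for h in vhost_names(conf) if not any(covers(d, h) for d in domains))
    due = sorted(n for n, c in certs.items() if c["days"] is not None and c["days"] <= renew_days)
    return {"uncovered": uncovered, "renewal_due": due}
```

Feed `audit()` the real output of `certbot certificates` and the contents of your vhost file; an empty `uncovered` list means every configured name is on a certificate.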