Letsencrypt certificates unable to update after creating a second cert (called the same way)


#1

My server configuration is described here and worked perfectly fine after I got help:

As described in that thread I created a certificate for my domain + all subdomains. Everything worked well.

Yesterday I tried to create a certificate for only ‘acegames.de’ to give TLS to my mail server.

Previously the first cert was only named ‘acegames.de’. Now there is acegames.de-0001 (the first one) and acegames.de-0002 (mail server). Today (and yesterday night) I got some cron error mail:

2016-11-21 00:59:03,221:WARNING:certbot.storage:Attempting to parse the version 0.9.3 renewal configuration file found at /etc/letsencrypt/renewal/acegames.de-0002.conf with version 0.8.1 of Certbot. This might not work.
2016-11-21 00:59:03,257:WARNING:certbot.renewal:renewal config file {} is missing a required file reference
2016-11-21 00:59:03,257:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/acegames.de.conf is broken. Skipping.
2016-11-21 00:59:03,258:WARNING:certbot.storage:Attempting to parse the version 0.9.3 renewal configuration file found at /etc/letsencrypt/renewal/acegames.de-0001.conf with version 0.8.1 of Certbot. This might not work.

The following certs are not due for renewal yet:
/etc/letsencrypt/live/acegames.de-0002/fullchain.pem (skipped)
/etc/letsencrypt/live/acegames.de-0001/fullchain.pem (skipped)
No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/acegames.de.conf
(parsefail)
0 renew failure(s), 1 parse failure(s)

I think that automatically rewriting the acegames.de certificate to acegames.de-0001 broke the system itself. By the way: I did not up/downgrade the certbot version.

Thanks in advance
Luke Röper


#2

You previously created a certificate

certbot-auto --apache -d acegames.de -d www.acegames.de -d download.acegames.de

so it created a single certificate for 3 domain names, and stored it in the first (/etc/letsencrypt/live/acegames.de).

When you then tried to create a new cert

certbot-auto --apache -d acegames.de

This is trying to create a cert for acegames.de - and place it in /etc/letsencrypt/acegames.de … which already exists - so it creates an acegames.de-0001 etc.

My first question would be - since you wanted a cert for acegames.de for your mail, why not just use the existing certificate? It doesn’t matter that it has the alternate names on it - it will still work perfectly, and save the confusion of multiple certificates for the same domain name.

The configuration on your system does now need tidying up a little :wink: I guess the question is what do you want to end up with?

If the aim was just to allow TLS on your mail for acegames.de, I’d suggest effectively going back to your old configuration, where you just have one certificate, and use it for both your webserver and your mail services.

If you want two different certificates, then personally I’d probably go for one cert as www.acegames.de, acegames.de, download.acegames.de (for your webserver - which is stored in www.acegames.de) and the other just for acegames.de which would be stored in acegames.de. That way you don’t have quite the same confusion over certificate names / folders.

You can of course have them as separate folders acegames.de-0001 and acegames.de-0002 but personally I find that starts getting confusing.

With regard to the different versions - have you got 2 versions of certbot installed, in different locations - so that one is run when in cron, and a different one is run from the command line?


#3

Done, Symlinks deleted, recreated,…

Now I only get this e-mail:

2016-11-26 00:00:54,370:WARNING:certbot.storage:Attempting to parse the version 0.9.3 renewal configuration file found at /etc/letsencrypt/renewal/acegames.de.conf with version 0.8.1 of Certbot. This might not work.

I think it created two cron renewal jobs because of the fact that I removed certbot-auto and then installed it again (it was broken…).

Could be that they were different versions.
So how can I look up the cron jobs created by letsencrypt/certbot-auto?


#4

Do you have more than one version of certbot installed?

If you have ssh access then

crontab -l

should list your cron jobs for that account.


#5

The problem is that these cron jobs are not running as root (I’ve just tested it again). I just don’t know what user they are running as. It isn’t root because it gives out “no crontab for root”.


#6

I’d suggest checking your main log then (/var/log/syslog or /var/log/messages depending on your OS).


#7

E-Mail (received: 12:33)
Subject:

Cron root@553182-561 test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew

Text:

2016-11-27 12:33:53,859:

/var/log/syslog:

Nov 27 12:33:54 553182-561 postfix/pickup[20794]: 3F449212EA: uid=0 from=
Nov 27 12:33:54 553182-561 postfix/cleanup[22217]: 3F449212EA: message-id=20161127113354.3F449212EA@553182-561.pph-server.de
Nov 27 12:33:54 553182-561 postfix/qmgr[4954]: 3F449212EA: from=root@acegames.de, size=883, nrcpt=1 (queue active)
Nov 27 12:33:55 553182-561 dovecot: lda(report@acegames.de): msgid=20161127113354.3F449212EA@553182-561.pph-server.de: saved mail to INBOX
Nov 27 12:33:55 553182-561 postfix/pipe[22221]: 3F449212EA: to=report@acegames.de, orig_to=, relay=dovecot, delay=1.1, delays=0.41/0.1/0/0.63, dsn=2.0.0, status=sent (delivered via dovecot service)
Nov 27 12:33:55 553182-561 postfix/qmgr[4954]: 3F449212EA: removed

/var/log/mail.log:
same as syslog

/var/log/letsencrypt/letsencrypt.log: interesting… letsencrypt time is realtime -1

2016-11-27 11:33:53,809:DEBUG:certbot.main:Root logging level set at 30
2016-11-27 11:33:53,810:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-11-27 11:33:53,810:DEBUG:certbot.main:certbot version: 0.8.1
2016-11-27 11:33:53,810:DEBUG:certbot.main:Arguments: ['-q']
2016-11-27 11:33:53,811:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-11-27 11:33:53,859:WARNING:certbot.storage:Attempting to parse the version 0.9.3 renewal configuration file found at /etc/letsencrypt/renewal/acegames.de.conf with version 0.8.1 of Certbot. This might not work.
2016-11-27 11:33:53,895:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fc57d220f50> and installer <certbot.cli._Default object at 0x7fc57d220f50>
2016-11-27 11:33:54,010:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2016-11-27 11:33:54,017:DEBUG:parsedatetime:CRE_UNITS matched
2016-11-27 11:33:54,017:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2016-11-27 11:33:54,017:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2016-11-27 11:33:54,017:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2016-11-27 11:33:54,017:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2016, tm_mon=11, tm_mday=27, tm_hour=11, tm_min=33, tm_sec=54, tm_wday=6, tm_yday=332, tm_isdst=0))
2016-11-27 11:33:54,017:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2016-11-27 11:33:54,018:DEBUG:parsedatetime:units days --> realunit days
2016-11-27 11:33:54,018:DEBUG:parsedatetime:return
2016-11-27 11:33:54,018:INFO:certbot.renewal:Cert not yet due for renewal
2016-11-27 11:33:54,018:DEBUG:certbot.renewal:no renewal failures


#8

Since you have a random sleep in your command (up to an hour) you need to look wider in your syslog. If you “grep -i cron /var/log/syslog” can you identify the cron?


#9

Found it at 12:00:

Nov 27 12:00:01 553182-561 CRON[21983]: (root) CMD (test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew)

Manually searched for more output.
But that’s all of it.

No output in /var/log/mail.log


#10

So I’ve just edited
/etc/letsencrypt/renewal/acegames.de.conf

from:

version = 0.9.3
cert = /etc/letsencrypt/live/acegames.de/cert-cert.pem
privkey = /etc/letsencrypt/live/acegames.de/cert-privkey.pem
chain = /etc/letsencrypt/live/acegames.de/cert-chain.pem
fullchain = /etc/letsencrypt/live/acegames.de/cert-fullchain.pem

[renewalparams]
authenticator = apache
installer = apache
account = ac6f43868e9a468f9a9d42bc372d91a4

to:

version = 0.8.1
cert = /etc/letsencrypt/live/acegames.de/cert-cert.pem
privkey = /etc/letsencrypt/live/acegames.de/cert-privkey.pem
chain = /etc/letsencrypt/live/acegames.de/cert-chain.pem
fullchain = /etc/letsencrypt/live/acegames.de/cert-fullchain.pem

[renewalparams]
authenticator = apache
installer = apache
account = ac6f43868e9a468f9a9d42bc372d91a4
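An added check for the two warnings reported in the first post (a renewal file written by a newer certbot than the one running, and a missing cert/privkey/chain/fullchain reference), written against the renewal file format shown above. This is example code, not certbot's own (certbot parses these files with configobj; here configparser is assumed to be enough for the flat key = value layout), and the sample conf, its paths and the account id are constructed placeholders.

```python
import configparser
import os

REQUIRED_FILES = ("cert", "privkey", "chain", "fullchain")
# Constructed sample modelled on the thread's renewal file; account id is a placeholder.
SAMPLE_CONF = """\
version = 0.9.3
cert = /etc/letsencrypt/live/acegames.de/cert.pem
privkey = /etc/letsencrypt/live/acegames.de/privkey.pem
chain = /etc/letsencrypt/live/acegames.de/chain.pem
fullchain = /etc/letsencrypt/live/acegames.de/fullchain.pem
[renewalparams]
authenticator = apache
installer = apache
account = PLACEHOLDER_ACCOUNT_ID
"""

def parse_version(v):
    return tuple(int(p) for p in v.split("."))  # "0.9.3" -> (0, 9, 3)

def lint_renewal_conf(text, certbot_version, exists=os.path.exists):
    """Return a list of problems for one renewal .conf body (empty = clean)."""
    # Top-level keys precede the first section; prepend a dummy header for configparser.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[__top__]\n" + text)
    top = cp["__top__"]
    problems = []
    ver = top.get("version")
    if ver is None:
        problems.append("no version line")
    elif parse_version(ver) > parse_version(certbot_version):
        problems.append(f"written by certbot {ver}, running {certbot_version}")
    for key in REQUIRED_FILES:
        path = top.get(key)
        if path is None:
            problems.append(f"missing required file reference: {key}")
        elif not exists(path):
            problems.append(f"{key} points to missing file: {path}")
    if "renewalparams" not in cp:
        problems.append("missing [renewalparams] section")
    return problems

def lint_renewal_dir(renewal_dir, certbot_version):
    # Lint every *.conf under renewal_dir; returns {filename: problems}.
    report = {}
    for name in sorted(os.listdir(renewal_dir)):
        if name.endswith(".conf"):
            with open(os.path.join(renewal_dir, name)) as fh:
                report[name] = lint_renewal_conf(fh.read(), certbot_version)
    return report
```

Run `lint_renewal_dir("/etc/letsencrypt/renewal", "<version reported by certbot --version>")` on the host; a version mismatch flags the file that the cron job's older certbot warns about, and a missing reference flags the file it reports as broken.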


#11

certbot renew


Processing /etc/letsencrypt/renewal/acegames.de.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/acegames.de/cert-fullchain.pem (skipped)
No renewals were attempted.

Looks good so far… let’s wait and see if there will be an email.


#12

Same issue here, solved the same way.

FYI, the cron job is located in /etc/cron.d.

