Letsencryptt Renew fail on main domain

BenoitAdam94 · January 6, 2021, 6:13pm

My domain is: http://hygiene-bucco-dentaire.com/

I ran theses command:

letsencrypt run
letsencrypt certificates
letsencrypt -d hygiene-bucco-dentaire.com

It produced this output: http://pastebin.fr/79923

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine : yes

I'm using a control panel to manage my site : no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): no idea here sorry

Welcome to my problem

My main problem is that I can't send any mail since a few days.

So, I try to renew all certificate. When I type "letsencrypt" I have 6 proposal, I renewed them = no problem

When I do "letsencrypt certificates", I can see 8 domains, with 2 expired

So i did "letsencrypt -d hygiene-bucco-dentaire.com" to renew the general domain

Now I can see 8 domains with 1 expired.

I don't understand with I can't renew that last expired domain, and also why 2 options doesn't appear in the main "letsencrypt" command.

See pastebin

Thank you in advance.

Osiris · January 6, 2021, 6:20pm

There's something strange going on with your certificates:

  Certificate Name: mail.conceptys-france.com
    Domains: hygiene-bucco-dentaire.com
    Expiry Date: 2021-04-06 16:59:45+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mail.conceptys-france.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.conceptys-france.com/privkey.pem

As you can see, the name says mail.~, but the domain section only lists the apex domain hygiene-bucco-dentaire.com.

While this doesn't invalidate the certificate in any way, it is a little bit confusing.

Perhaps your mailserver is pointing to the certificate name with the mail.~ subdomain, which in fact (as stated above) doesn't actually contain the mail subdomain?

BenoitAdam94 · January 6, 2021, 6:52pm

well the main mail domain is rerouted from "mail.conceptys-france.com", that's normal.

But everything worked before the expiration of the certificate at the end of december... that's weird...

EDIT : this is the certificate of the domain conceptys-france.com :

root@conceptys-france:~# letsencrypt certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/conceptys-france.com.conf with version 0.36.0 of Certbot. This might not work.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: conceptys-france.com
Domains: conceptys-france.com formation.conceptys-france.com gestion.conceptys-france.com gestiontest.conceptys-france.com sql.conceptys-france.com test.conceptys-france.com webmail.conceptys-france.com www.conceptys-france.com
Expiry Date: 2021-03-17 01:14:53+00:00 (VALID: 69 days)
Certificate Path: /etc/letsencrypt/live/conceptys-france.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/conceptys-france.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Osiris · January 6, 2021, 8:10pm

That is not related to certificates/TLS/Let's Encrypt. I'm talking about the confusing name and contents of your certificates as seen in the certbot output.

Anyway, a few issues:

Your IMAP and SMTP services are still using the expired certificate, probably because they are refering to the certificate named hygiene-bucco-dentaire.com with the file /etc/letsencrypt/live/hygiene-bucco-dentaire.com/fullchain.pem. That is not the same certificate you issued in your pastebin output, because that certificate is called mail.conceptys-france.com but with the single hostname conceptys-france.com in it.
That new certificate wasn't installed in nginx, because nginx isn't properly configured, so certbot doesn't understand its configuration file.

BenoitAdam94 · January 6, 2021, 8:29pm

mmmm but what do I do now ? What file need I to change ? nginx.conf ?

I tryed that :

root@mail:~# letsencrypt certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): hygiene-bucco-dentaire.com
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificat                                                                             e name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.conceptys-france.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Osiris · January 6, 2021, 8:31pm

Yes, fix your nginx configuration.

Certbot requires a proper nginx configuration, it can't create one. You need to fix nginx or fix the certificate manually in the nginx configuration.

BenoitAdam94 · January 6, 2021, 8:46pm

Strange, because I did the renewal 3 month ago and everything went alright. Not sure what I exactly did tough...

My nginx.conf is only going to other files

user www-data;
worker_processes 1;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/conf-enabled/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}

Which leads to folders with symbolic link (not sure how to follow them with windows/filezilla) :

nginxconf2 !

Osiris · January 6, 2021, 8:49pm

The symlinks in sites-enabled link to the corresponding files in sites-available.

BenoitAdam94 · January 6, 2021, 9:06pm

Ah yeah right

I clearly can find the "6 domain" that I see when I type letsencrypt run :

nginx-list1

So where does come that 7 domain I succeeded renewing ? And where hide the 8 domain aswell ?

P.S : This are the content of file.

00-default-ssl.conf

#
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
    listen 443 ssl;
    server_name _;

	root /opt/www/default/;
	index index.php;


    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    #include /etc/nginx/templates/iredadmin.tmpl;
    #include /etc/nginx/templates/roundcube.tmpl;
	#
    include /etc/nginx/templates/adminer.tmpl;
    include /etc/nginx/templates/phplist.tmpl;
	#
    #include /etc/nginx/templates/sogo.tmpl;
    #include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    #include /etc/nginx/templates/stub_status.tmpl;
	
}

00-default.conf

#
# Note: This file must be loaded before other virtual host config files,
#
# HTTP
server {
    # Listen on ipv4
    listen 80;

    # Listen on ipv6.
    # Note: this setting listens on both ipv4 and ipv6 with Nginx release
    #       shipped in some Linux/BSD distributions.
    #listen [::]:80;

    server_name _;
	
	location ^~ /.well-known/acme-challenge/ {
		root /opt/www/default/;
	}
	
    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;
}

01-mailist.conf

#
# PHPList
# HTTPS
server {
    listen 443 ssl;
    server_name mailist.hygiene-bucco-dentaire.com;

    root /opt/www/phplist;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
	include /etc/nginx/templates/hsts.tmpl;

    include /etc/nginx/templates/phplist.tmpl;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot


}

02-webmail.conf

#
# Webmail
# HTTPS
server {
    listen 443 ssl;
    server_name webmail.hygiene-bucco-dentaire.com;

    root /opt/www/roundcubemail;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;

	include /etc/nginx/templates/hsts.tmpl;
	
    include /etc/nginx/templates/roundcube-subdomain.tmpl;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot


}

03-mailadmin.conf

#
# IRedAdmin
# HTTPS
server {
    listen 443 ssl;
    server_name mailadmin.hygiene-bucco-dentaire.com;

    root /opt/www/iredadmin;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/hsts.tmpl;

    include /etc/nginx/templates/iredadmin-subdomain.tmpl;

    error_log /var/log/nginx/mailadmin.hygiene-bucco-dentaire.com.error.log  warn;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot


}

04-sql.conf

#
# Adminer
# HTTPS
server {
    listen 443 ssl;
    server_name sql.hygiene-bucco-dentaire.com;

    root /opt/www/adminer;
    index latest.php;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
	include /etc/nginx/templates/hsts.tmpl;

    include /etc/nginx/templates/adminer.tmpl;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot



}

05-supervision.conf

#
# NetData
# HTTPS
#server {
#    listen 443 ssl;
#    server_name supervision.hygiene-bucco-dentaire.com;
#
#    #root /var/www/html;
#    #index index.php index.html;
#
#    include /etc/nginx/templates/misc.tmpl;
#    include /etc/nginx/templates/ssl.tmpl;
#
#	include /etc/nginx/templates/stub_status.tmpl;
#    include /etc/nginx/templates/netdata-subdomain.tmpl;
#
#}
upstream backend {
    # the Netdata server
    server 127.0.0.1:19999;
    keepalive 64;
}

server {
    # nginx listens to this
    listen 443 ssl;

    # the virtual host name of this
    server_name supervision.hygiene-bucco-dentaire.com;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot


}

06-mailconceptys.conf

#
# Webmail
# HTTPS
server {
    listen 443 ssl;
    server_name mail.conceptys-france.com;
	
	location ^~ /.well-known/ {
		allow all;
		default_type "text/plain";
		root /opt/www/default/;
	}
	
    root /opt/www/roundcubemail;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;

	include /etc/nginx/templates/hsts.tmpl;
	
    include /etc/nginx/templates/roundcube-subdomain.tmpl;

    error_log /var/log/nginx/mail.conceptys-france.com.error.log  warn;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot



}

Osiris · January 6, 2021, 9:11pm

See the output of certbot in your pastebin:

Could not automatically find a matching server block for hygiene-bucco-dentaire.com. Set the server_name directive to use the Nginx installer.

BenoitAdam94 · January 6, 2021, 9:34pm

ok, I change those "server name _;" in 00-xxx.cfg file

now i have 7 domains :

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mail.conceptys-france.com
2: hygiene-bucco-dentaire.com
3: mailadmin.hygiene-bucco-dentaire.com
4: mailist.hygiene-bucco-dentaire.com
5: sql.hygiene-bucco-dentaire.com
6: supervision.hygiene-bucco-dentaire.com
7: webmail.hygiene-bucco-dentaire.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Cert not yet due for renewal

but what about this, I always do not know what to choose between those options :

Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/00-default-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

schoen · January 7, 2021, 5:36am

The default in newer versions is Redirect (2) and I think that option is almost always preferable.

The Redirect means that if someone goes to http://hygiene-bucco-dentaire.com/, the web server will tell the browser to switch to https://hygiene-bucco-dentaire.com/ automatically. This is usually desirable because there's rarely a reason for a user to access a site with HTTP if the same site is available with HTTPS.

BenoitAdam94 · January 7, 2021, 12:01pm

ah yeah indeed, thank for that

BenoitAdam94 · January 7, 2021, 12:02pm

Seems I don't have that output error/warning now, thanks you for that, Unfortunately I'm still stuck and no idea what to do next...

Osiris · January 7, 2021, 2:19pm

With what? https://hygiene-bucco-dentaire.com/ has a functional certificate.

BenoitAdam94 · January 7, 2021, 3:22pm

Yeah but my SMTP still got problems :

2021-01-07 15:20:40 SERVER -> CLIENT: 220 mail.hygiene-bucco-dentaire.com ESMTP Postfix
2021-01-07 15:20:40 CLIENT -> SERVER: EHLO gestiontest.conceptys-france.com
2021-01-07 15:20:40 SERVER -> CLIENT: 250-mail.hygiene-bucco-dentaire.com250-PIPELINING250-SIZE 15728640250-ETRN250-STARTTLS250-ENHANCEDSTATUSCODES250-8BITMIME250-DSN250 SMTPUTF8
2021-01-07 15:20:40 CLIENT -> SERVER: STARTTLS
2021-01-07 15:20:40 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
SMTP Error: Could not connect to SMTP host.
2021-01-07 15:20:40 CLIENT -> SERVER: QUIT
2021-01-07 15:20:40
2021-01-07 15:20:40
SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting

Same with connecting from thunderbird, which also worked before the certificate expired...

(P.S : ping for the host is ok)

C:\Users\Benoit>ping mail.hygiene-bucco-dentaire.com

Pinging mail.hygiene-bucco-dentaire.com [51.68.228.94] with 32 bytes of data:
Reply from 51.68.228.94: bytes=32 time=11ms TTL=48
Reply from 51.68.228.94: bytes=32 time=12ms TTL=48
Reply from 51.68.228.94: bytes=32 time=11ms TTL=48
Reply from 51.68.228.94: bytes=32 time=11ms TTL=48

Ping statistics for 51.68.228.94:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 12ms, Average = 11ms

Osiris · January 7, 2021, 3:51pm

I've already given some tips about your mailserver earlier: Letsencryptt Renew fail on main domain

Bottom line: your certificate names are mixed up and a correct nginx configuration doesn't mean your mailserver magically uses the correct certificate.

Check your mailserver configuration files and make sure it uses the correct certificate. A reload is necessary after every configuration file edit to make sure the most recent config is used.

BenoitAdam94 · January 7, 2021, 7:18pm

I have no idea what configuration file I should change here.

Are we talking about postfix ?

Osiris · January 7, 2021, 7:21pm

Yes, Postfix seems to be your SMTP daemon. No idea about IMAP though, there is no response on port 143.

BenoitAdam94 · January 7, 2021, 7:21pm

Just found these lines in postfix main.cf

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

What the fuck is snakeoil ?

Topic		Replies	Views
Recent Renewal issues Help	3	455	October 17, 2020
Cant renew certificate - getting errors Help	4	1348	December 29, 2016
Renewing of letsencrypt certificate failed and now server is down Help	10	584	October 28, 2022
Expiring domains Vs my Let's Encrypt subscriber account Help	5	711	October 11, 2018
Cannot Renew Domain Help	3	712	July 8, 2018

Letsencryptt Renew fail on main domain

Related topics