Letsencryptt Renew fail on main domain

My domain is: http://hygiene-bucco-dentaire.com/

I ran these commands:

It produced this output: http://pastebin.fr/79923

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine : yes

I'm using a control panel to manage my site : no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): no idea here sorry :frowning:

Welcome to my problem

My main problem is that I can't send any mail since a few days.

So, I tried to renew all certificates. When I type "letsencrypt" I have 6 proposals; I renewed them = no problem

When I do "letsencrypt certificates", I can see 8 domains, with 2 expired

So I did "letsencrypt -d hygiene-bucco-dentaire.com" to renew the general domain

Now I can see 8 domains with 1 expired.

I don't understand why I can't renew that last expired domain, and also why 2 options don't appear in the main "letsencrypt" command.

See pastebin

Thank you in advance.

1 Like

There's something strange going on with your certificates:

  Certificate Name: mail.conceptys-france.com
    Domains: hygiene-bucco-dentaire.com
    Expiry Date: 2021-04-06 16:59:45+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mail.conceptys-france.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.conceptys-france.com/privkey.pem

As you can see, the name says mail.~, but the domain section only lists the apex domain hygiene-bucco-dentaire.com.

While this doesn't invalidate the certificate in any way, it is a little bit confusing.

Perhaps your mailserver is pointing to the certificate name with the mail.~ subdomain, which in fact (as stated above) doesn't actually contain the mail subdomain?

2 Likes

Well, the main mail domain is rerouted from "mail.conceptys-france.com", that's normal.

But everything worked before the expiration of the certificate at the end of december... that's weird...

EDIT : this is the certificate of the domain conceptys-france.com :

root@conceptys-france:~# letsencrypt certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/conceptys-france.com.conf with version 0.36.0 of Certbot. This might not work.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: conceptys-france.com
Domains: conceptys-france.com formation.conceptys-france.com gestion.conceptys-france.com gestiontest.conceptys-france.com sql.conceptys-france.com test.conceptys-france.com webmail.conceptys-france.com www.conceptys-france.com
Expiry Date: 2021-03-17 01:14:53+00:00 (VALID: 69 days)
Certificate Path: /etc/letsencrypt/live/conceptys-france.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/conceptys-france.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

That is not related to certificates/TLS/Let's Encrypt. I'm talking about the confusing name and contents of your certificates as seen in the certbot output.

Anyway, a few issues:

  • Your IMAP and SMTP services are still using the expired certificate, probably because they are referring to the certificate named hygiene-bucco-dentaire.com with the file /etc/letsencrypt/live/hygiene-bucco-dentaire.com/fullchain.pem. That is not the same certificate you issued in your pastebin output, because that certificate is called mail.conceptys-france.com but with the single hostname conceptys-france.com in it.
  • That new certificate wasn't installed in nginx, because nginx isn't properly configured, so certbot doesn't understand its configuration file.
1 Like
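The two mix-ups described in the post above (a lineage whose name is not among its own domains, and nginx server blocks that Certbot's installer cannot match or that point at a lineage which does not cover their hostname) can be caught mechanically. The following is an added example, not code from this thread or from the Certbot project: it parses a constructed copy of the `letsencrypt certificates` listing (the first lineage is the one quoted in the thread; the expired lineage's domains and expiry date are made up, since the thread does not show them) and a condensed, partly made-up nginx `sites-enabled` sample, then cross-checks them. All function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `letsencrypt certificates` output. The first lineage is the
# one quoted in this thread; the second (the expired lineage the helper mentions)
# has made-up domains and expiry, since the thread does not show them.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: mail.conceptys-france.com
    Domains: hygiene-bucco-dentaire.com
    Expiry Date: 2021-04-06 16:59:45+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/mail.conceptys-france.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mail.conceptys-france.com/privkey.pem
  Certificate Name: hygiene-bucco-dentaire.com
    Domains: hygiene-bucco-dentaire.com mail.hygiene-bucco-dentaire.com
    Expiry Date: 2020-12-30 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/hygiene-bucco-dentaire.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hygiene-bucco-dentaire.com/privkey.pem
"""

# Constructed nginx sample, condensed from the sites-enabled files in the thread,
# plus one made-up block that points a hostname at a lineage not covering it.
NGINX_CONF = """\
server {
    listen 443 ssl;
    server_name _;
    include /etc/nginx/templates/ssl.tmpl;
}
server {
    listen 443 ssl;
    server_name mail.conceptys-france.com;
    location ^~ /.well-known/ {
        root /opt/www/default/;
    }
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot
}
server {
    listen 443 ssl;
    server_name webmail.hygiene-bucco-dentaire.com;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com/privkey.pem;
}
"""

LIVE_DIR = re.compile(r"^/etc/letsencrypt/live/([^/]+)/")


def parse_certbot_certificates(text):
    """Turn the `certbot certificates` listing into a list of lineage dicts."""
    lineages, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Certificate Name:"):
            cur = {"name": line.split(":", 1)[1].strip(), "domains": [], "expiry": None}
            lineages.append(cur)
        elif cur and line.startswith("Domains:"):
            cur["domains"] = line.split(":", 1)[1].split()
        elif cur and line.startswith("Expiry Date:"):
            stamp = line.split(":", 1)[1].strip().split(" (")[0]
            cur["expiry"] = datetime.fromisoformat(stamp)
    return lineages


def parse_nginx_server_blocks(text):
    """Collect server_name and ssl_certificate from each top-level server block.
    Comments are stripped naively ('#' to end of line), which is enough for
    config files like the ones above."""
    blocks, cur, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if depth == 0 and re.match(r"^server\s*\{", line):
            cur = {"server_name": [], "ssl_certificate": None}
            blocks.append(cur)
        depth += line.count("{") - line.count("}")
        if cur is not None:
            m = re.match(r"^(server_name|ssl_certificate)\s+(.+?)\s*;", line)
            if m and m.group(1) == "server_name":
                cur["server_name"] = m.group(2).split()
            elif m:
                cur["ssl_certificate"] = m.group(2)
            if depth == 0:
                cur = None
    return blocks


def audit(lineages, blocks, now):
    """Return human-readable findings; an empty list means nothing looks wrong."""
    findings = []
    by_name = {l["name"]: l for l in lineages}
    for l in lineages:
        if l["name"] not in l["domains"]:
            findings.append(f"lineage '{l['name']}' does not cover its own name (domains: {' '.join(l['domains'])})")
        if l["expiry"] is not None and l["expiry"] <= now:
            findings.append(f"lineage '{l['name']}' expired on {l['expiry'].date()}")
    for b in blocks:
        names = b["server_name"]
        if not names or names == ["_"]:
            findings.append("server block with catch-all server_name '_' (Certbot's nginx installer cannot match a hostname to it)")
            continue
        if not b["ssl_certificate"]:
            continue
        m = LIVE_DIR.match(b["ssl_certificate"])
        lineage = by_name.get(m.group(1)) if m else None
        if lineage is None:
            findings.append(f"{names[0]}: ssl_certificate {b['ssl_certificate']} is not a lineage certbot knows about")
            continue
        missing = [n for n in names if n not in lineage["domains"]]
        if missing:
            findings.append(f"{names[0]}: lineage '{lineage['name']}' does not cover {' '.join(missing)}")
    return findings


def run(now=datetime(2021, 1, 7, tzinfo=timezone.utc)):
    # 2021-01-07 is the date of the SMTP transcript in this thread.
    return audit(parse_certbot_certificates(CERTBOT_OUTPUT), parse_nginx_server_blocks(NGINX_CONF), now)


if __name__ == "__main__":
    for finding in run():
        print("-", finding)
```

On a real host you would feed it the output of `certbot certificates` and the concatenated files under `/etc/nginx/sites-enabled/`; the `-0001` suffix finding is exactly the kind of thing the thread runs into, where nginx references a lineage directory that certbot no longer lists.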

Mmmm, but what do I do now? What file do I need to change? nginx.conf?

I tried that:

root@mail:~# letsencrypt certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): hygiene-bucco-dentaire.com
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/mail.conceptys-france.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Yes, fix your nginx configuration.

Certbot requires a proper nginx configuration, it can't create one. You need to fix nginx or fix the certificate manually in the nginx configuration.

1 Like

Strange, because I did the renewal 3 months ago and everything went alright. Not sure what exactly I did though...

My nginx.conf only includes other files

user www-data;
worker_processes 1;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/conf-enabled/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}

Which leads to folders with symbolic links (not sure how to follow them with windows/filezilla):

[screenshot: nginxconf2]

1 Like

The symlinks in sites-enabled link to the corresponding files in sites-available.

1 Like

Ah yeah right

I can clearly find the "6 domains" that I see when I type letsencrypt run:

[screenshot: nginx-list1]

So where does that 7th domain I succeeded in renewing come from? And where does the 8th domain hide as well?

:interrobang:

P.S: These are the contents of the files.

00-default-ssl.conf

#
# Note: This file must be loaded before other virtual host config files,
#
# HTTPS
server {
    listen 443 ssl;
    server_name _;

	root /opt/www/default/;
	index index.php;


    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    #include /etc/nginx/templates/iredadmin.tmpl;
    #include /etc/nginx/templates/roundcube.tmpl;
	#
    include /etc/nginx/templates/adminer.tmpl;
    include /etc/nginx/templates/phplist.tmpl;
	#
    #include /etc/nginx/templates/sogo.tmpl;
    #include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;
    #include /etc/nginx/templates/stub_status.tmpl;
	
}

00-default.conf

#
# Note: This file must be loaded before other virtual host config files,
#
# HTTP
server {
    # Listen on ipv4
    listen 80;

    # Listen on ipv6.
    # Note: this setting listens on both ipv4 and ipv6 with Nginx release
    #       shipped in some Linux/BSD distributions.
    #listen [::]:80;

    server_name _;
	
	location ^~ /.well-known/acme-challenge/ {
		root /opt/www/default/;
	}
	
    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;
}

01-mailist.conf

#
# PHPList
# HTTPS
server {
    listen 443 ssl;
    server_name mailist.hygiene-bucco-dentaire.com;

    root /opt/www/phplist;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
	include /etc/nginx/templates/hsts.tmpl;

    include /etc/nginx/templates/phplist.tmpl;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot


}

02-webmail.conf

#
# Webmail
# HTTPS
server {
    listen 443 ssl;
    server_name webmail.hygiene-bucco-dentaire.com;

    root /opt/www/roundcubemail;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;

	include /etc/nginx/templates/hsts.tmpl;
	
    include /etc/nginx/templates/roundcube-subdomain.tmpl;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot


}

03-mailadmin.conf

#
# IRedAdmin
# HTTPS
server {
    listen 443 ssl;
    server_name mailadmin.hygiene-bucco-dentaire.com;

    root /opt/www/iredadmin;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/hsts.tmpl;

    include /etc/nginx/templates/iredadmin-subdomain.tmpl;

    error_log /var/log/nginx/mailadmin.hygiene-bucco-dentaire.com.error.log  warn;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot


}

04-sql.conf

#
# Adminer
# HTTPS
server {
    listen 443 ssl;
    server_name sql.hygiene-bucco-dentaire.com;

    root /opt/www/adminer;
    index latest.php;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
	include /etc/nginx/templates/hsts.tmpl;

    include /etc/nginx/templates/adminer.tmpl;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot



}

05-supervision.conf

#
# NetData
# HTTPS
#server {
#    listen 443 ssl;
#    server_name supervision.hygiene-bucco-dentaire.com;
#
#    #root /var/www/html;
#    #index index.php index.html;
#
#    include /etc/nginx/templates/misc.tmpl;
#    include /etc/nginx/templates/ssl.tmpl;
#
#	include /etc/nginx/templates/stub_status.tmpl;
#    include /etc/nginx/templates/netdata-subdomain.tmpl;
#
#}
upstream backend {
    # the Netdata server
    server 127.0.0.1:19999;
    keepalive 64;
}

server {
    # nginx listens to this
    listen 443 ssl;

    # the virtual host name of this
    server_name supervision.hygiene-bucco-dentaire.com;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot


}

06-mailconceptys.conf

#
# Webmail
# HTTPS
server {
    listen 443 ssl;
    server_name mail.conceptys-france.com;
	
	location ^~ /.well-known/ {
		allow all;
		default_type "text/plain";
		root /opt/www/default/;
	}
	
    root /opt/www/roundcubemail;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;

	include /etc/nginx/templates/hsts.tmpl;
	
    include /etc/nginx/templates/roundcube-subdomain.tmpl;

    error_log /var/log/nginx/mail.conceptys-france.com.error.log  warn;
    ssl_certificate /etc/letsencrypt/live/mail.conceptys-france.com-0001/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.conceptys-france.com-0001/privkey.pem; # managed by Certbot



}
1 Like

See the output of certbot in your pastebin:

Could not automatically find a matching server block for hygiene-bucco-dentaire.com. Set the server_name directive to use the Nginx installer.

1 Like

OK, I changed those "server_name _;" in the 00-xxx.cfg files

now I have 7 domains:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mail.conceptys-france.com
2: hygiene-bucco-dentaire.com
3: mailadmin.hygiene-bucco-dentaire.com
4: mailist.hygiene-bucco-dentaire.com
5: sql.hygiene-bucco-dentaire.com
6: supervision.hygiene-bucco-dentaire.com
7: webmail.hygiene-bucco-dentaire.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Cert not yet due for renewal

but what about this, I still never know what to choose between those options:

Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/00-default-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
1 Like

The default in newer versions is Redirect (2) and I think that option is almost always preferable.

The Redirect means that if someone goes to http://hygiene-bucco-dentaire.com/, the web server will tell the browser to switch to https://hygiene-bucco-dentaire.com/ automatically. This is usually desirable because there's rarely a reason for a user to access a site with HTTP if the same site is available with HTTPS.

2 Likes

ah yeah indeed, thanks for that :slight_smile:

1 Like

Seems I don't have that output error/warning now, thank you for that. Unfortunately I'm still stuck and have no idea what to do next... :confused:

1 Like

With what? https://hygiene-bucco-dentaire.com/ has a functional certificate.

1 Like

Yeah but my SMTP still has problems:

2021-01-07 15:20:40 SERVER -> CLIENT: 220 mail.hygiene-bucco-dentaire.com ESMTP Postfix
2021-01-07 15:20:40 CLIENT -> SERVER: EHLO gestiontest.conceptys-france.com
2021-01-07 15:20:40 SERVER -> CLIENT: 250-mail.hygiene-bucco-dentaire.com250-PIPELINING250-SIZE 15728640250-ETRN250-STARTTLS250-ENHANCEDSTATUSCODES250-8BITMIME250-DSN250 SMTPUTF8
2021-01-07 15:20:40 CLIENT -> SERVER: STARTTLS
2021-01-07 15:20:40 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
SMTP Error: Could not connect to SMTP host.
2021-01-07 15:20:40 CLIENT -> SERVER: QUIT
2021-01-07 15:20:40
2021-01-07 15:20:40
SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting

Same with connecting from thunderbird, which also worked before the certificate expired...

(P.S: ping to the host is OK)

C:\Users\Benoit>ping mail.hygiene-bucco-dentaire.com

Pinging mail.hygiene-bucco-dentaire.com [51.68.228.94] with 32 bytes of data:
Reply from 51.68.228.94: bytes=32 time=11ms TTL=48
Reply from 51.68.228.94: bytes=32 time=12ms TTL=48
Reply from 51.68.228.94: bytes=32 time=11ms TTL=48
Reply from 51.68.228.94: bytes=32 time=11ms TTL=48

Ping statistics for 51.68.228.94:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 12ms, Average = 11ms
1 Like

I've already given some tips about your mailserver earlier: Letsencryptt Renew fail on main domain

Bottom line: your certificate names are mixed up and a correct nginx configuration doesn't mean your mailserver magically uses the correct certificate.

Check your mailserver configuration files and make sure it uses the correct certificate. A reload is necessary after every configuration file edit to make sure the most recent config is used.

1 Like

I have no idea what configuration file I should change here.

Are we talking about Postfix?

1 Like

Yes, Postfix seems to be your SMTP daemon. No idea about IMAP though, there is no response on port 143.

1 Like

Just found these lines in postfix main.cf

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

What the fuck is snakeoil?

1 Like
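The helper's advice earlier in the thread (check the mail server's configuration, make it use the correct certificate, reload after every edit) and the main.cf lines in the last post can be tied together with a small check. This is an added example, not code from the thread, from Postfix or from Certbot: it parses a constructed copy of the quoted main.cf lines, flags the `ssl-cert-snakeoil` pair (the self-signed placeholder certificate Debian/Ubuntu's `ssl-cert` package installs, which no mail client will trust), and picks the certbot lineage whose domains cover the hostname the SMTP banner in the thread announces. The lineage table is hand-built: the first entry is quoted in the thread, the domain list of the second is an assumption made for the example, and every function name is this example's own.

```python
import re

# Constructed input: the main.cf lines quoted in the last post of the thread.
MAIN_CF = """\
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""

# Lineage name -> domains, as `letsencrypt certificates` would report them.
# The first entry is from the thread; the second's domain list is an assumption.
LINEAGES = {
    "mail.conceptys-france.com": ["hygiene-bucco-dentaire.com"],
    "hygiene-bucco-dentaire.com": ["hygiene-bucco-dentaire.com", "mail.hygiene-bucco-dentaire.com"],
}

# Hostname announced in the SMTP banner ("220 mail.hygiene-bucco-dentaire.com ESMTP Postfix").
SMTP_HOSTNAME = "mail.hygiene-bucco-dentaire.com"

SNAKEOIL = "ssl-cert-snakeoil"
LIVE_FILE = re.compile(r"^/etc/letsencrypt/live/([^/]+)/(fullchain|cert|privkey)\.pem$")


def parse_main_cf(text):
    """Parse 'key = value' lines of a Postfix main.cf into a dict (comments ignored)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def audit_postfix_tls(params, smtp_hostname, lineages):
    """Return findings about smtpd_tls_cert_file / smtpd_tls_key_file."""
    findings = []
    cert = params.get("smtpd_tls_cert_file", "")
    key = params.get("smtpd_tls_key_file", "")
    if SNAKEOIL in cert or SNAKEOIL in key:
        findings.append("smtpd_tls_cert_file/key point at the distribution's self-signed "
                        "placeholder (snakeoil), not at a CA-issued certificate")
    mc, mk = LIVE_FILE.match(cert), LIVE_FILE.match(key)
    if mc and mk and mc.group(1) != mk.group(1):
        findings.append("certificate and key come from different certbot lineages")
    if mc:
        domains = lineages.get(mc.group(1))
        if domains is None:
            findings.append(f"lineage '{mc.group(1)}' is not known to certbot")
        elif smtp_hostname not in domains:
            findings.append(f"lineage '{mc.group(1)}' does not cover {smtp_hostname}")
    return findings


def choose_lineage(lineages, smtp_hostname):
    """Name of the first lineage whose domains cover the SMTP hostname, else None."""
    for name, domains in lineages.items():
        if smtp_hostname in domains:
            return name
    return None


def proposed_settings(lineage_name):
    """main.cf values that make Postfix present the chosen certbot lineage."""
    base = f"/etc/letsencrypt/live/{lineage_name}"
    return {"smtpd_tls_cert_file": f"{base}/fullchain.pem",
            "smtpd_tls_key_file": f"{base}/privkey.pem"}


if __name__ == "__main__":
    current = parse_main_cf(MAIN_CF)
    for finding in audit_postfix_tls(current, SMTP_HOSTNAME, LINEAGES):
        print("-", finding)
    chosen = choose_lineage(LINEAGES, SMTP_HOSTNAME)
    for k, v in proposed_settings(chosen).items():
        print(f"{k} = {v}")
```

After changing main.cf, `postfix reload` is still required, as the helper notes, and the chosen lineage itself has to be valid: in this thread the lineage named after the apex domain is the expired one, so it needs a successful renewal before Postfix can usefully present it.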