Manual Renewal and Email change

dhmaras · August 14, 2023, 6:09pm

Hello,

I have a Let's Encrypt certificate for my ec2 instance. I have set up auto renewal with

echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

Which to my understanding renews the certificate at noon and midnight.
How do I verify the renewal, or see how many days are left out of the 90? Also, if the certificate does expire, do I just manually re-do the whole process? Can that be done before it actually expires?

If someone could please verify that the update email command is

certbot update_account --email yourname@example.com

incase I need to change it. Sorry for the many questions. Thank you in advance!

Osiris · August 14, 2023, 6:18pm

You can run sudo certbot certificates to see the current certificates and the days until expiration.

You could do that. Or just run sudo certbot renew? You can do that manually too. It doesn't matter if the certificate is expired.

Yes, Certbot by default won't renew if there's more than 30 days until expiry left. It'll start to renew if 30 days or less are left.

Looks correct.

Also, I've moved your thread to the Help section as it isn't really an Issuance Policy thread IMO.

dhmaras · August 14, 2023, 6:22pm

Thank you for your prompt response and I apologize for putting it in the wrong section. When I ran the sudo certbot certificates I got this is in return

Renewal configuration file /etc/letsencrypt/renewal/katboose.com.conf produced an unexpected error: expected /etc/letsencrypt/live/katboose.com/privkey.pem to be a symlink. Skipping.

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/katboose.conf

Osiris · August 14, 2023, 6:24pm

Then someone or something destroyed the /etc/letsencrypt/ directory. One should not manually add/remove/modify or in any other way change the files and directories in that directory.

dhmaras · August 14, 2023, 6:25pm

So what do I do from there? Can I fix it? Do I create a new certificate?

Osiris · August 14, 2023, 6:27pm

That's a possibility. Are there any subdirectories in /etc/letsencrypt/live/ and /etc/letsencrypt/archive/?

dhmaras · August 14, 2023, 6:28pm

Just Katboose.com

Osiris · August 14, 2023, 6:45pm

Can you please show the output of:

ls -l /etc/letsencrypt/live/katboose.com/ /etc/letsencrypt/archive/katboose.com/

dhmaras · August 14, 2023, 6:54pm

/etc/letsencrypt/archive/katboose.com/:
total 20
-rw-r--r--. 1 root root 1484 Jul 28 22:04 cert1.pem
-rw-r--r--. 1 root root 3749 Jul 28 22:04 chain1.pem
-rw-r--r--. 1 root root 5233 Jul 28 22:04 fullchain1.pem
-rw-------. 1 root root 549 Aug 7 12:41 privkey1.pem

/etc/letsencrypt/live/katboose.com/:
total 16
-rw-r--r--. 1 root root 692 Jul 28 22:04 README
lrwxrwxrwx. 1 root root 37 Jul 28 22:04 cert.pem -> ../../archive/katboose.com/cert1.pem
lrwxrwxrwx. 1 root root 38 Jul 28 22:04 chain.pem -> ../../archive/katboose.com/chain1.pem
lrwxrwxrwx. 1 root root 42 Jul 28 22:04 fullchain.pem -> ../../archive/katboose.com/fullchain1.pem
-rw-------. 1 root root 4575 Jul 28 22:06 keystore.p12
-rw-------. 1 root root 227 Aug 7 12:45 privkey.pem

Maybe because of the private key I tried to make? I needed it for an rds issue that I had.

Osiris · August 14, 2023, 7:03pm

Yes, that should be a symbolic link, not a file. Please do not overwrite any existing files in those directories.

I don't know what that current /etc/letsencrypt/live/katboose.com/privkey.pem actually is (it's half the size of the privkey1.pem from the /archive/ directory, but if you want to fix your Certbot, you could run:

sudo mv /etc/letsencrypt/live/katboose.com/privkey.pem /etc/letsencrypt/live/katboose.com/privkey.orig.pem
sudo ln -s ../../archive/katboose.com/privkey1.pem /etc/letsencrypt/live/katboose.com/privkey.pem

Then your Certbot should be fixed.

dhmaras · August 14, 2023, 7:11pm

It asked for a pem passphrase to run sudo certbot certificates?

Enter PEM pass phrase:
An unexpected error occurred:
TypeError: Password was not given but private key is encrypted

I entered what password it would be had I made one and it didn't work.

Osiris · August 14, 2023, 7:18pm

Well, that's weird. Certbot doesn't encrypt its private keys. Did you also modify stuff in the /etc/letsencrypt/archive/ directory?

Maybe it's just better to start all over again.

Is there anything using the certificate in /etc/letsencrypt/ at all?

If not you could delete the cert using sudo certbot delete --cert-name katboose.com and start over.

dhmaras · August 14, 2023, 8:10pm

Again, thank you for your time and prompt responses. I deleted the cert but it broke my instance because apache was looking for the ssl files. I had already automated the installation of tls with certbot so I just created a new instance and ran my script. You were correct. Once I redid everything it worked fine and I can now see when it expires.

Thank you again for answering all my questions.

Osiris · August 14, 2023, 8:11pm

Well, that's why I asked:

But I'm glad you got it working in the end somehow.

Please be more careful in the future and don't modify anything inside /etc/letsencrypt/ manually.

dhmaras · August 15, 2023, 1:41pm

I will, thank you. After panic creating a new instance, I sat back and I fixed my issue. The instance is fine. I removed the symbolic link between apache and the old certificate. That and a couple other things managed to do the trick.

system · September 14, 2023, 1:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.