I have a Let's Encrypt certificate for my ec2 instance. I have set up auto renewal with
echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
Which to my understanding renews the certificate at noon and midnight.
How do I verify the renewal, or see how many days are left out of the 90? Also, if the certificate does expire, do I just manually re-do the whole process? Can that be done before it actually expires?
If someone could please verify that the update email command is
certbot update_account --email firstname.lastname@example.org
in case I need to change it. Sorry for the many questions. Thank you in advance!
You can run sudo certbot certificates to see the current certificates and the days until expiration.
You could do that. Or just run sudo certbot renew? You can do that manually too. It doesn't matter if the certificate is expired.
Yes, Certbot by default won't renew if there's more than 30 days until expiry left. It'll start to renew if 30 days or less are left.
Also, I've moved your thread to the Help section as it isn't really an Issuance Policy thread IMO.
Thank you for your prompt response and I apologize for putting it in the wrong section. When I ran sudo certbot certificates I got this in return:
Renewal configuration file /etc/letsencrypt/renewal/katboose.com.conf produced an unexpected error: expected /etc/letsencrypt/live/katboose.com/privkey.pem to be a symlink. Skipping.
The following renewal configurations were invalid:
Then someone or something destroyed the /etc/letsencrypt/ directory. One should not manually add/remove/modify or in any other way change the files and directories in that directory.
So what do I do from there? Can I fix it? Do I create a new certificate?
That's a possibility. Are there any subdirectories in
Can you please show the output of:
ls -l /etc/letsencrypt/live/katboose.com/ /etc/letsencrypt/archive/katboose.com/
-rw-r--r--. 1 root root 1484 Jul 28 22:04 cert1.pem
-rw-r--r--. 1 root root 3749 Jul 28 22:04 chain1.pem
-rw-r--r--. 1 root root 5233 Jul 28 22:04 fullchain1.pem
-rw-------. 1 root root 549 Aug 7 12:41 privkey1.pem
-rw-r--r--. 1 root root 692 Jul 28 22:04 README
lrwxrwxrwx. 1 root root 37 Jul 28 22:04 cert.pem -> ../../archive/katboose.com/cert1.pem
lrwxrwxrwx. 1 root root 38 Jul 28 22:04 chain.pem -> ../../archive/katboose.com/chain1.pem
lrwxrwxrwx. 1 root root 42 Jul 28 22:04 fullchain.pem -> ../../archive/katboose.com/fullchain1.pem
-rw-------. 1 root root 4575 Jul 28 22:06 keystore.p12
-rw-------. 1 root root 227 Aug 7 12:45 privkey.pem
Maybe because of the private key I tried to make? I needed it for an rds issue that I had.
Yes, that should be a symbolic link, not a file. Please do not overwrite any existing files in those directories.
I don't know what that current /etc/letsencrypt/live/katboose.com/privkey.pem actually is (it's half the size of the privkey1.pem from the /archive/ directory), but if you want to fix your Certbot, you could run:
sudo mv /etc/letsencrypt/live/katboose.com/privkey.pem /etc/letsencrypt/live/katboose.com/privkey.orig.pem
sudo ln -s ../../archive/katboose.com/privkey1.pem /etc/letsencrypt/live/katboose.com/privkey.pem
Then your Certbot should be fixed.
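The fix above restores the layout Certbot expects: every file in live/NAME/ is a symlink into ../../archive/NAME/. The following script is an added example, not from this thread or from Certbot, that checks a lineage for exactly that layout and reports missing, non-symlink, dangling or oddly targeted entries; the demo tree it builds is constructed to mirror the state shown in the ls output (three good links, privkey.pem a plain file), and the directory root and lineage name are parameters you pass in.

```sh
#!/bin/sh
# Added example: verify a Certbot lineage's live/ entries are symlinks into archive/.
# check_lineage ROOT NAME  -> prints one line per problem, exit 0 only when all four are fine.
check_lineage() {
    root="$1"; name="$2"
    live="$root/live/$name"
    bad=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$live/$f"
        if [ ! -e "$p" ] && [ ! -L "$p" ]; then
            echo "MISSING    $p"; bad=$((bad+1)); continue
        fi
        if [ ! -L "$p" ]; then
            # This is the case behind "expected ... privkey.pem to be a symlink".
            echo "NOT-LINK   $p (regular file; Certbot expects a symlink into archive/)"
            bad=$((bad+1)); continue
        fi
        target=$(readlink "$p")
        case "$target" in
            /*) resolved="$target" ;;          # absolute link target
            *)  resolved="$live/$target" ;;    # relative target, resolved against live/
        esac
        if [ ! -f "$resolved" ]; then
            echo "DANGLING   $p -> $target"; bad=$((bad+1)); continue
        fi
        case "$target" in
            *"/archive/$name/"*) ;;            # points where Certbot would put it
            *) echo "ODD-TARGET $p -> $target (not under archive/$name)"; bad=$((bad+1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo tree (hypothetical, in a temp dir) mirroring the thread's broken state.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/live/katboose.com" "$d/archive/katboose.com"
    for f in cert chain fullchain privkey; do : > "$d/archive/katboose.com/${f}1.pem"; done
    for f in cert chain fullchain; do
        ln -s "../../archive/katboose.com/${f}1.pem" "$d/live/katboose.com/$f.pem"
    done
    : > "$d/live/katboose.com/privkey.pem"   # the stray regular file, not a symlink
    echo "$d"
}
```

Run it against the real tree with check_lineage /etc/letsencrypt katboose.com (as root, since privkey.pem is mode 600); a clean exit means certbot certificates should no longer skip the lineage for this reason.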
It asked for a PEM passphrase to run sudo certbot certificates?
Enter PEM pass phrase:
An unexpected error occurred:
TypeError: Password was not given but private key is encrypted
I entered what password it would be had I made one and it didn't work.
Well, that's weird. Certbot doesn't encrypt its private keys. Did you also modify stuff in the
Maybe it's just better to start all over again.
Is there anything using the certificate in /etc/letsencrypt/ at all?
If not, you could delete the cert using sudo certbot delete --cert-name katboose.com and start over.
Again, thank you for your time and prompt responses. I deleted the cert but it broke my instance because Apache was looking for the SSL files. I had already automated the installation of TLS with certbot so I just created a new instance and ran my script. You were correct. Once I redid everything it worked fine and I can now see when it expires.
Thank you again for answering all my questions.
Well, that's why I asked:
But I'm glad you got it working in the end somehow.
Please be more careful in the future and don't modify anything inside
I will, thank you. After panic-creating a new instance, I sat back and fixed my issue. The instance is fine. I removed the symbolic link between Apache and the old certificate. That and a couple of other things managed to do the trick.