Manual renewal not working

rwatsonagi · July 26, 2018, 5:11pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: agi.net & agisign.com

I ran this command: LetsEncrypt.exe --renew --baseuri “https://acme-v01.api.letsencrypt.org/”

It produced this output: No scheduled renewals found

My web server is (include version):Internet Information Services (Version 8.5.9600.16384)
The operating system my web server runs on is (include version): Windows Server 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

We have two SSL sites running on the same server, agisign.com and agi.net. We received an email notification that agi.net is going to expire in 20 days. Running the above command line argument states there are no certificates to renew. Also note the --forcerenewal command arg is not recognized.

Thank you!

JuergenAuer · July 26, 2018, 5:28pm

Hi @rwatsonagi

your agi.net

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:agi.net;issuer_uid:4428624498008853827&lu=cert_search

the certificate is created 2018-06-03, so it's more then 30 days valide.

Your two agisign.com - certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:agisign.com;issuer_uid:4428624498008853827&lu=cert_search

they are from 2018-06-08 and 2018-06-26, also new.

So if your Letsencrypt.exe uses a 30-day time to renew, there is nothing to do.

But: Your https://www.agi.net/ doesn't use a letsencrypt-certificate, it's from Comodo.

rwatsonagi · July 26, 2018, 5:34pm

I’m sorry, I just realized I left off the sub domain on both, should be:
c2c.agi.net and c2c.agisign.com
Both were created with LetsEncrypt.exe

Thanks!

rwatsonagi · July 27, 2018, 1:19am

Wanted to add this is a production environment and I am a little desperate to get it resolved. I can probably create a new cert, but it is my understanding that there’s a limit to the number of certs for each domain. Any help would be greatly appreciated.

Thank you in advance!

JuergenAuer · July 27, 2018, 8:29am

The first certificate ends 2018-08-10

https://transparencyreport.google.com/https/certificates/ZgRWi%2Bbyx9%2BqpsN33X9cr2o0UJdnj9OvxMSp8USqGng%3D

That may produce the mail. The second ends in 2018-09, so it's too new.

But the first certificate is not used, there is a Comodo-certificate.

What's the output of

certbot certificates

Perhaps the c2c.agi.net is saved otherwhere

mnordhoff · July 27, 2018, 8:33am

https://c2c.agi.net/ is using Cloudflare. The browser-to-Cloudflare connection uses Cloudflare’s Comodo certificate, but the Cloudflare-to-origin connection could be using the Let’s Encrypt certificate. A third party can’t confirm that, though.

Edit: https://c2c.agisign.com/ is using Cloudflare too. I didn’t check the other hostnames.

JuergenAuer · July 27, 2018, 8:39am

I saw that. But does the certbot - renew - command only renew certificates, which are used?

What's with certificates used with special mail servers or self-written-programs, so that certbot hasn't information where the certificate is used?

danb35 · July 27, 2018, 10:31am

certbot renew renews any certs it's aware of (which would typically be those in /etc/letsencrypt/archive/) that have less than the specified period of validity (usually 30 days) remaining. It doesn't know or care how or where those certs are used.

rwatsonagi · July 27, 2018, 12:23pm

All our external facing servers use Cloud Flare.

Maybe the problem has something to do with multiple sites/certs on one server? We only have this problem with renewals on the two servers (development and production) that have two sites and certificates. We have another server gmdi.agisign.com that has a certificate from Lets Encrypt that has been renewed successfully multiple times.

Is there a way to force a renewal for a specific certificate?

JuergenAuer · July 27, 2018, 1:46pm

You can always create a new certificate: Reuse the options of the first run, not --renew.

PS: Sorry, you are using Letsencrypt.exe, not certbot.

rwatsonagi · July 27, 2018, 2:37pm

Recreating a new cert whenever the existing one expires will also require rebinding the cert in IIS. Difficult to automate. Also, isn’t there a limit as to how many new certificates that can be created for the same site?

Can cerbot force a renewal?

Thank you!

JuergenAuer · July 27, 2018, 3:13pm

Yes, but this is required. I don't know how other tools do that, I am using my own (Windows 2012).

There is a limit of 20 new subdomains per domain in one week. Renew should always work.

And you can only create 5 certificates in one week with exact the same set of domain names. But there is a testsystem with it's own limits (higher).

As I know, Certbot is only for Unix-systems. There

is no Window-option.

jared.m · July 27, 2018, 3:28pm

I believe what @JuergenAuer was meaning to say is that there is a limit of 20 certificates per registered domain per seven days.

JuergenAuer · July 27, 2018, 3:31pm

I agree

Thanks! (oh, the comment is too short)

rwatsonagi · July 27, 2018, 4:38pm

Looks like I’ll just create a new cert whenever the current one is about to expire.

Thank you all for your help!

system · August 26, 2018, 4:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.