Moving to a new server - renew dry-run errors


#1

Hi all,

I recently moved my site to a new hosting company. in the process I went from ubuntu 14.04 to ubuntu 16.04. with the 14.04 system, I installed certbot using wget per the certbot website instructions and used the webroot method to obtain my certs since nginx plugin support is still experimental. on the 16.04 system, I installed let’s encrypt from the repositories as directed by certbot. my /etc/letsencrypt directory was copied from the old server to the new one.

when I ran the letsencrypt renew --dry-run command, it gave me the following error:

Processing /etc/letsencrypt/renewal/mysite.com.conf
2016-09-26 21:05:47,997:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/mysite.com.conf produced an unexpected error: 'server'. Skipping.
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mysite.com/fullchain.pem (failure)
** DRY RUN: simulating 'letsencrypt renew' close to cert expiry
**(The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

I’m not really sure what ‘server’ means as far as an error. is it an issue that I went from certbot to letsencrypt?

something I also noticed is that on my other ubuntu server in my house (14.04), I use the following command to renew my certs:
/usr/local/letsencrypt/letsencrypt-auto renew

whereas with ubuntu 16.04, the certbot site tells me to simply use:
letsencrypt renew

will that suffice? will it know what I ran to initially grab the certs because I haven’t run it on the new server yet? I’m assuming it might be stored in the /etc/letsencrypt folder somewhere…

any help is appreciated!


#2

The letsencrypt package in Ubuntu 16.04 is slightly outdated and isn’t forwards-compatible with renewal configuration files generated by more recent versions of certbot. I’d probably stick with certbot-auto (that’s just the new name for letsencrypt-auto - the commands are compatible). Alternatively, you could start with a clean configuration (i.e. move /etc/letsencrypt out of the way) and re-issue all certificates.

You could also attempt to modify the configuration files in /etc/letsencrypt/renewal/ to make them compatible with the older version in Ubuntu 16.04, but I’m not aware of any documentation that mentions what has changed, so this would be a trial-and-error effort.


#3

thanks for the recommendation on going over to certbot-auto. after removing letsencrypt, I installed certbot-auto and ran the renew command:


Processing /etc/letsencrypt/renewal/mysite.com.conf

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mysite.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

I definitely like seeing that! thanks for the tip!!

as an aside, can I see which email address I used when creating the certs anywhere?


#4

You can poke around in /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/*/regr.json to see the email address. It’ll look something like {"contact": ["mailto:example@example.com"] ....

./certbot-auto register --update-registration allows you to change the address.
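
The lookup described in the post above, as an added example that is not part of the original thread: it walks the accounts directory and reports the contact e-mail registered for each ACME account. The function names are hypothetical, and the handling of a contact list nested under a "body" key is an assumption about how some client versions lay out regr.json.

```python
import json
from pathlib import Path

# Default certbot account store; the layout below it follows the path in the post.
ACCOUNTS_ROOT = Path("/etc/letsencrypt/accounts")


def contacts_from_regr(text):
    """Return the e-mail addresses found in the text of one regr.json file."""
    data = json.loads(text)
    if not isinstance(data, dict):
        return []
    # Assumption: the contact list sits at the top level (as in the post)
    # or nested under "body"; both layouts are accepted here.
    contacts = data.get("contact")
    if contacts is None and isinstance(data.get("body"), dict):
        contacts = data["body"].get("contact")
    emails = []
    for entry in contacts or []:
        # Contacts are URIs; only mailto: entries carry an e-mail address.
        if isinstance(entry, str) and entry.lower().startswith("mailto:"):
            emails.append(entry[len("mailto:"):])
    return emails


def list_account_contacts(root=ACCOUNTS_ROOT):
    """Map each account directory (relative to root) to its contact e-mails."""
    root = Path(root)
    results = {}
    for regr in sorted(root.glob("*/directory/*/regr.json")):
        key = str(regr.parent.relative_to(root))
        try:
            results[key] = contacts_from_regr(regr.read_text())
        except (OSError, ValueError) as exc:
            # Unreadable or corrupt files are reported, not silently skipped.
            results[key] = ["<unreadable: %s>" % type(exc).__name__]
    return results


if __name__ == "__main__":
    for account, emails in list_account_contacts().items():
        print(account, ", ".join(emails) or "(no contact e-mail registered)")
```

The accounts directory is normally readable by root only, so run the script with the same privileges used for certbot-auto.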


#5

perfect! thanks for your help!!!

