My domain is www.titchen.co
I have set up auto renewal for my certificate but it expired few days ago!
Can anyone help me with what I can do to check, renew and set up auto renewal properly?
Last time I tried to do this it broke my site, so I just want to play it safe and ask how I can check the status first before doing anything!
Thanks!!!
Can you provide more specific information?
What happened last time? How did your site break?
What kind of auto-renewal did you set up? Is it trying to renew the certificate? Is it failing?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Hi,
So basically last time I try to renew/setup auto renew of the certificate, my site broke down and I cannot access it. I had a friend help to solve it so I am not exactly sure what happened there, apparently something about apache stopped working…? Sorry I’m new to this!
My site is hosted on AWS EC2, Bitnami wordpress
Running certbot --version, the output:
certbot 0.26.1
If you could guide me on what I should do next, maybe try renewing first?
Thank you!!
Hi @titchen,
You may have an easier time trying the Bitnami bncert-tool when dealing with their specific software stack configuration. https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#use-the-bitnami-https-configuration-tool
Let me know if you have any success with that. I also recommend testing against the Let’s Encrypt staging environment so that you don’t hit rate limits.
From the looks of it, it appears you’re following the Alternative approach and skipped Step 1: Install the Lego client.
Hi @titchen,
In your tar xf command you left the “X.Y.Z” in the filename. That needs to be replaced with the version number you downloaded, or you could use a shell wildcard:
Run tar xf lego_*.tar.gz and then the sudo mv lego /opt/bitnami/letsencrypt/lego command should work.
Thanks, this is the output?
How can I find out my version number so I can run the previous command again?
Hi @titchen, did you run that command in the same directory you downloaded the lego archive? It looks like the answer may be no because no files matched the wildcard.
Let’s try running all of the instructions from the Bitnami Alternative Approach docs you’re trying to follow all at once:
cd /tmp
curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -O lego.tar.gz -i -
tar xf lego.tar.gz
sudo mkdir -p /opt/bitnami/letsencrypt
sudo mv lego /opt/bitnami/letsencrypt/lego
You should be able to run these commands without error exactly as written. After that you can continue with “Step 2” of the Alternative Approach instructions.
If you’re curious, I slightly modified the wget used in the curl command line to specifically output to lego.tar.gz (by adding -O lego.tar.gz) so we can ignore the version and simply tar xf lego.tar.gz.
Thanks!! I’ve ran the command without error. However, I already have a certificate which expired few days ago:
so I tried to run the renew command on the guide:
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="yum@titchen.co" --domains="kitchen.co" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start
it still doesn’t work?
Hi @titchen,
I suspect that your new Lego install doesn’t know about the old certificate. I recommend you consider starting fresh.
Got it! So should I just go through the steps, would that contradict with the current certificate or it will overrides it?
unless it’s some kind of closed world (like some kind of panel) I think it will be safe to make websever to look at new certificate.
So I ran the step two command, but it just stopped at this and doesn’t do anything else:
what should I do?
I guess you used --tls want to be tls-sni-01, but it’s deprecated due to security reason, and replaced with tls-alpn-01, but it mostly needs standalone server and bitmani is unlikely support. can you use http-01 challenge?
hmm…how do I actually do that? Sorry, newbie here!
It looks to me like you used "smart quotes" in your command and the shell is waiting for more input. You need to use regular quotation marks and not the smart quote characters. Try typing them instead of copy/pasting into your terminal.
It's hard to tell from the picture of the output but I believe you made a couple of small mistakes.
One was from running the lego command, I see in your output:
flag provided but not defined -email-yum@titchen.co
I think that should have been -email yum@titchen.co and a space was replaced by a -.
The second error I can see was when you were creating the symlinks from the issued certificates to the location your webserver config tries to load them from.
I think you ran:
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt
and DOMAIN was supposed to be replaced by your real domain name.
I bet those symlinks are now broken and that's why Apache won't start saying:
'/opt/bitnami/apache2/conf/server.crt` does not exist or is empty.
You'll want to go back in the process to fix the lego command you ran. Make sure you don't move on to the next step of the instructions until each command completes without an error.
After you fix the lego command you should change your sudo ln -sf commands to make sure they use your real domain name and not the placeholder "DOMAIN".
