My certificate is up to date, but is not working anymore

My domain is:
fileshare.eastndc.eu
eastndc.eu

I ran this command:

  sudo /usr/bin/certbot renew --pre-hook "service haproxy stop" --post-hook "service haproxy start" --renew-hook "/root/haproxy_letsencrypt/concat_certificate.sh"

and:

  sudo /usr/bin/certbot renew --dry-run --pre-hook "service haproxy stop" --post-hook "service haproxy start" --renew-hook "/root/haproxy_letsencrypt/concat_certificate.sh"

It produced this output:

Without --dry-run, certbot renew indicates that the certificate is up to date :

/etc/letsencrypt/live/fileshare.acroe-ica.org/fullchain.pem expires on 2021-09-04

And it is correctly dated in /etc/letsencrypt/live. But the HTTPS connections to the websites do not work.

With the --dry-run option (but not sure this is the issue !!), I obtain :

```
Renewing an existing certificate
Attempting to renew cert (fileshare.acroe-ica.org) from /etc/letsencrypt/renewal/fileshare.acroe-ica.org.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/fileshare.acroe-ica.org/fullchain.pem (failure)
```

My web server is (include version):
HA-Proxy version 1.6.3 2015/12/25

The operating system my web server runs on is (include version):
Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is: myself, on various machines behind HAProxy (which acts as a proxy)

I can login to a root shell on my machine (yes or no, or I don't know)
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel) :
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

====
A few details:

My certificate has been correctly renewed, but now the HTTPS access to my websites is not possible https://fileshare.acroe-ica.org/

The certificate was renewed on June 6, 2021, successfully as far as I checked.

It is up to date: certbot renew indicates:

/etc/letsencrypt/live/fileshare.acroe-ica.org/fullchain.pem expires on 2021-09-04 (skipped)

The certificate is in /etc/letsencrypt/live with the appropriate date, June 6th.

Still, the certificate does not function, for example on :
https://fileshare.acroe-ica.org/

I already had this problem before, but the solution (removing /etc/haproxy/certs/fileshare.acroe-ica.org.pem and renewing again) is not working this time.

I tried also rebooting, restarting haproxy, and other things, without success.

I am not at all a specialist... so, any help very much appreciated, thanks !!

Thanks in advance,
Nicolas

1 Like

Please show this file:

1 Like

Welcome back to the Let's Encrypt Community, Nicolas :slightly_smiling_face:

Please also show the outputs of:

sudo ls -lRa /etc/letsencrypt
sudo certbot certificates

Please put 3 backticks above and below each output, like this:

```
output
```


This is an entirely different domain name:

than this:


The problem you are currently facing is that your website is still serving the old certificate, which is usually caused by corruption under /etc/letsencrypt, the new certificate not being correctly installed in your webserver, or your webserver not having been reloaded after renewing your certificate.

1 Like

Thanks for asking rg305. Here is the content of /etc/letsencrypt/renewal/fileshare.acroe-ica.org.conf :

```
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/fileshare.acroe-ica.org
cert = /etc/letsencrypt/live/fileshare.acroe-ica.org/cert.pem
privkey = /etc/letsencrypt/live/fileshare.acroe-ica.org/privkey.pem
chain = /etc/letsencrypt/live/fileshare.acroe-ica.org/chain.pem
fullchain = /etc/letsencrypt/live/fileshare.acroe-ica.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
account = 96240ca70e8c08700a0f2b1fc8064d06
http01_port = 8888
server = https://acme-v02.api.letsencrypt.org/directory
```

2 Likes

Thanks for answering Griffin.

For the recursive listing ls -lRa /etc/letsencrypt, I attach a txt file since it is rather long.

For certbot certificates, here they are :

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: fileshare.acroe-ica.org
    Domains: fileshare.acroe-ica.org eastndc.eu fileshare.eastndc.eu www-test.eastndc.eu www.eastndc.eu
    Expiry Date: 2021-09-04 17:18:48+00:00 (VALID: 46 days)
    Certificate Path: /etc/letsencrypt/live/fileshare.acroe-ica.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fileshare.acroe-ica.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

It seems that the active certificate is the latest, renewed in June 2021?

Hence, I'd say this option you quote would be the correct one:

or your webserver not having been reloaded after renewing your certificate.

This is an entirely different domain name:
fileshare.eastndc.eu
...
fileshare.acroe-ica.org

Indeed, but all are served by a unique machine running HAProxy, and the URLs are redirected by HAProxy to several backends.

Thanks,
Nicolas

1 Like

I don't see the text file. :man_shrugging:

1 Like

Problem solved, I think.

Though I would be grateful if you could check the new certificate is OK on e.g. https://eastndc.eu/ and https://fileshare.acroe-ica.org/

In fact, it seems that the file in /etc/haproxy/certs/fileshare.acroe-ica.org.pem had not been updated on renew, and still featured the old certificate.

Hence, for some reason, my renew hook script, in the command

/usr/bin/certbot renew --renew-hook "/root/haproxy_letsencrypt/concat_certificate.sh"

which is supposed to reinstall the certificate in /etc/haproxy/certs did not run correctly.

This script is rather simple. Hence, are there known cases when the --renew-hook option fails to trigger the hook script?

Anyway, thank you very much for your time!

nicolas

1 Like
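The failure found in this thread (certbot's lineage renewed, but the combined file under /etc/haproxy/certs still held the old certificate) can be both prevented and detected by a hook that verifies its own result. The following is an added example, not the poster's concat_certificate.sh: it assumes HAProxy reads `<lineage name>.pem` from the directory named on this page, and the function names and the `HAPROXY_CERT_DIR` variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not the poster's concat_certificate.sh.
# Assumption: HAProxy loads <HAPROXY_CERT_DIR>/<lineage name>.pem, as on this page.
HAPROXY_CERT_DIR="${HAPROXY_CERT_DIR:-/etc/haproxy/certs}"

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# True only when the deployed PEM exists and carries the same leaf certificate
# as the lineage's fullchain.pem; any read error counts as "not current".
haproxy_pem_is_current() {
    local live_fp deployed_fp
    live_fp=$(cert_fingerprint "$1/fullchain.pem") || return 1
    deployed_fp=$(cert_fingerprint "$2") || return 1
    [ "$live_fp" = "$deployed_fp" ]
}

# Build fullchain + private key into the HAProxy PEM and verify the result.
install_haproxy_pem() {
    local live="$1" target="$2" tmp cert_pub key_pub
    # Refuse to deploy a private key that does not belong to the certificate.
    cert_pub=$(openssl x509 -in "$live/fullchain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$live/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch in $live" >&2; return 1; }
    # mktemp creates the file mode 0600; writing next to the target and renaming
    # means HAProxy never reads a half-written file.
    tmp=$(mktemp "$target.XXXXXX") || return 1
    if cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp" && mv -f "$tmp" "$target"; then
        haproxy_pem_is_current "$live" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Certbot exports RENEWED_LINEAGE to renew hooks; outside a hook nothing runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_haproxy_pem "$RENEWED_LINEAGE" \
        "$HAPROXY_CERT_DIR/$(basename "$RENEWED_LINEAGE").pem" || exit 1
fi
```

`haproxy_pem_is_current` can also be run on its own, for example from cron, to flag a lineage that renewed without the HAProxy file being rebuilt.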