Need a little insight with getting Certbot working with a GoDaddy Web page in the way

Greetings,

Due to the way GoDaddy does their Web site hosting I had to go this route for getting certbot to create my certificate for my mail server. My server is CentOS Linux release 7.9.2009 (Core) and my Certbot is certbot 1.11.0.

I have this set for the Virtual server

<VirtualHost *:80>
   DocumentRoot /var/www/html
   ServerName mail.nelsonsgoldenyears.com
</VirtualHost>

I ran this command to create the certificate.

certbot certonly -d mail.nelsonsgoldenyears.com -a apache \
--deploy-hook "systemctl restart postfix; systemctl restart dovecot"

I would like to know what command would be required to renew the certificate?
I would guess just running certbot renew or certbot renew -a apache.

Thank you.

1 Like

Hello @Kellian,

certbot renew is enough, but you shouldn't use that command manually; you should already have a cron job or systemd timer, activated when you installed certbot, that will try to renew your certificate automatically.

If you want to list the systemd timers use this command and you should view the certbot timer:

systemctl list-timers

Cheers,
sahsanu

4 Likes

Thanks @sahsanu for your quick reply. I just checked and I am not seeing certbot in my timers list. I went ahead and added 0 0 */10 * * certbot renew >> /logs/certbot-cron.log 2>&1 to my crontab.

3 Likes

Was there anything in CRON?
crontab -l

1 Like

@rg305, I suppose @Kellian installed certbot from the EPEL repository, and this package adds neither a cron job nor a systemd timer.

Edit: I'm going to test it in a virtual machine because it should install something...
Edit 2: I've tested it and it installs a certbot-renew timer but doesn't activate it.

You are welcome. I would configure the crontab to launch certbot renew command every day instead of every 10 days but there is nothing wrong if you want to try the renewal every 10 days.

Regarding the deploy-hook, I would use reload instead of restart; using reload, there won't be any downtime in your services.

In case you want to change it, you can edit the renewal conf file for your domain, /etc/letsencrypt/renewal/mail.nelsonsgoldenyears.com.conf, where you will see the renew_hook option and can change the commands there.

Cheers,
sahsanu

3 Likes

Thank you @rg305 I had nothing in Crontab and like @sahsanu mentioned I had installed from EPEL. This is a new setup so there was nothing in Crontab.

@sahsanu Thank you for that information about the deploy-hook. I will correct it. When I did the crontab I had got the information from another site. The site said that it would do it on the 10th of every month not every 10 days. That is unless they typed that information wrong on the site.

2 Likes

If you want to launch the command on the 10th of every month you should use 0 0 10 * * instead of 0 0 */10 * *

I've installed certbot on CentOS 7.9 and it installs a systemd timer but doesn't activate it. So if instead of your crontab job you want to use the certbot timer you should enable and start it:

systemctl enable certbot-renew.timer
systemctl start certbot-renew.timer

And using systemctl list-timers you should see it.

If you enable the systemd timer you should remove the crontab entry you added, but as I said, use the one you want :wink:

2 Likes

I think it only activates it once a cert has been issued.

@Kellian, Have any certs been issued by certbot (1.11.0)?

*/10 should be about 3 times a month [28~31/10]

2 Likes
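
An added example, not part of any post in this thread: a small POSIX shell function that expands a cron day-of-month field into the days it matches, applied to the two schedules discussed above (`*/10` and `10`). The function name `expand_dom` and the month lengths are constructed for illustration; the expansion follows the standard cron rule that a step on `*` counts from day 1.

```sh
#!/bin/sh
# Expand a cron day-of-month field (N, A-B, *, optional /STEP, comma lists)
# into the days on which the job fires in a month of the given length.
# expand_dom is a hypothetical helper written for this example.
expand_dom() {
    field=$1 month_len=${2:-31} days=""
    old_ifs=$IFS
    set -f; IFS=,            # split on commas without globbing the "*"
    for part in $field; do
        range=${part%%/*} step=1
        case $part in */*) step=${part##*/} ;; esac
        case $range in
            '*') lo=1 hi=31 ;;
            *-*) lo=${range%-*} hi=${range#*-} ;;
            *)   lo=$range hi=$range ;;
        esac
        # Steps count from the start of the range (day 1 for "*"), not from 0.
        d=$lo
        while [ "$d" -le "$hi" ] && [ "$d" -le "$month_len" ]; do
            days="${days:+$days }$d"
            d=$((d + step))
        done
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "$days"
}

# The two crontab schedules from the thread, over constructed month lengths.
for spec in '*/10' '10'; do
    for len in 28 30 31; do
        printf '%-5s %2s-day month -> days: %s\n' \
            "$spec" "$len" "$(expand_dom "$spec" "$len")"
    done
done
```

In a 31-day month `*/10` also matches day 31, so the job runs on the 31st and again on the 1st of the following month.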

Thanks @sahsanu I will do that. Will I still need to edit the /etc/letsencrypt/renewal/mail.nelsonsgoldenyears.com.conf file?

2 Likes

@rg305 Yes my certs were issued by 1.11.0.

1 Like

If you can successfully renew a cert, those settings will be saved in the renewal.conf file and will be reused on the next certbot renew.

Please show:
sudo systemctl list-timers

2 Likes

@rg305 @sahsanu I enabled the certbot timers and now it shows in my timers. I will get rid of the crontab now.

3 Likes

I can't test it in this vm :(, but op already issued a cert and it didn't activate the timer...

Yes, you should edit it.

3 Likes

@sahsanu Thank you I will get that edited.

With this system being a new build I know that I had received my certs but when I looked at timers there was no renew timer. I did run the enable and start commands and now it does show in timers.

@sahsanu and @rg305 Thank you both very much for all your help.

3 Likes

I just checked the .conf file and this is what it put in place.

renew_hook = service postfix reload; service dovecot reload

3 Likes

Looks good to me :+1:

4 Likes

Excellent! Again I thank you both for all your help.

4 Likes

Please show:

  1. the complete error message
  2. the output of:
    netstat -pant | grep -i listen

1 Like

Sorry @rg305 I removed the post after I realized I was looking at the wrong log file. I have like 54 of them in my letsencrypt logs. I found the start of my issue though and I fixed it.

OSError: [Errno 17] File exists: '/etc/letsencrypt/archive/mail.mc-miller.net/privkey2.pem'

But that ended up landing me with this.

Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: mail.mc-miller.net: see Rate Limits - Let's Encrypt - Free SSL/TLS Certificates

So I have to wait to try it again.

2 Likes
