Need help with cert renew and nginx server


#1

I could create a cert using the following command:
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/ -d mydomain.tld

In the nginx virtual host configuration file I use the following configuration:

server {
    listen 80;
    listen [::]:80;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name   mydomain.tld;
    ssl_certificate     /etc/letsencrypt/live/mydomain.tld/fullchain.pem;
    ssl_certificate_key    /etc/letsencrypt/live/mydomain.tld/privkey.pem;
...

It was working fine until yesterday when the cert expired. Then I ran: ./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/ -d mydomain.tld. The output was:

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mydomain.tld/fullchain.pem. Your cert
   will expire on 2016-09-22. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew all of your certificates, run
   "letsencrypt-auto renew"

I’ve restarted the server but the certificate is still expired. Tried to replace the cert and run ./letsencrypt-auto renew but it says that the cert is not due. Any clues?


#2

Hello @ricardobrg,

Are you sure your new cert is here (/etc/letsencrypt/live/mydomain.tld/fullchain.pem)? Double check it, because maybe your cert is now in /etc/letsencrypt/live/mydomain.tld-xxxx/fullchain.pem, where xxxx should be a number like 0001.

Cheers,
sahsanu


#3

@sahsanu thanks for your reply!

Actually the certs are not at /etc/letsencrypt/live/mydomain.tld/. They are links to certs in another directory ../../archive/mydomain.tld/cert4.pem. The content at /etc/letsencrypt/live/mydomain.tld/ is:

root@server:/etc/letsencrypt/live/mydomain.tld# ls -l
total 0
lrwxrwxrwx 1 root root 42 Jun 24 11:48 cert.pem -> ../../archive/mydomain.tld/cert4.pem
lrwxrwxrwx 1 root root 43 Jun 24 11:48 chain.pem -> ../../archive/mydomain.tld/chain4.pem
lrwxrwxrwx 1 root root 47 Jun 24 11:48 fullchain.pem -> ../../archive/mydomain.tld/fullchain4.pem
lrwxrwxrwx 1 root root 45 Jun 24 11:48 privkey.pem -> ../../archive/mydomain.tld/privkey4.pem

So it looks like it creates a new filenamexxx.ext file in ../../archive/mydomain.tld/ for each renew (I’ve tried 3 times). Looking at the archive directory, the content is:

root@server:/etc/letsencrypt/archive/mydomain.tld# ls -l
total 48
-rw-r--r-- 1 root root 1805 Mar 25 13:22 cert1.pem
-rw-r--r-- 1 root root 1805 Jun 24 11:31 cert2.pem
-rw-r--r-- 1 root root 1805 Jun 24 11:41 cert3.pem
-rw-r--r-- 1 root root    0 Jun 24 13:04 cert4.pem
-rw-r--r-- 1 root root 1675 Mar 25 13:22 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 24 11:31 chain2.pem
-rw-r--r-- 1 root root 1647 Jun 24 11:41 chain3.pem
-rw-r--r-- 1 root root    0 Jun 24 13:04 chain4.pem
-rw-r--r-- 1 root root 3480 Mar 25 13:22 fullchain1.pem
-rw-r--r-- 1 root root 3452 Jun 24 11:31 fullchain2.pem
-rw-r--r-- 1 root root 3452 Jun 24 11:41 fullchain3.pem
-rw-r--r-- 1 root root    0 Jun 24 13:04 fullchain4.pem
-rw-r--r-- 1 root root 1704 Mar 25 13:22 privkey1.pem
-rw-r--r-- 1 root root 1708 Jun 24 11:31 privkey2.pem
-rw-r--r-- 1 root root 1708 Jun 24 11:41 privkey3.pem
-rw-r--r-- 1 root root    0 Jun 24 13:04 privkey4.pem

Looks like the last renew has a problem. And when I try to run the command to renew again:

An unexpected error occurred:
Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
Please see the logfiles in /var/log/letsencrypt for more details.

How can I fix that?


#4

I’m not sure how that happened. Certbot performs a number of checks before writing new certificates to prevent breaking things; I haven’t seen this error before.

Try deleting the *4.pem files in archive/ and create new symlinks to *3.pem for every file in /etc/letsencrypt/live/mydomain.tld. (ln -s ../../archive/mydomain.tld/cert3.pem cert.pem, etc.)

That should get nginx working again. I would recommend running ./letsencrypt-auto renew --dry-run afterwards to make sure things will work for your next renewal as well.
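The repair proposed above (drop the broken *4.pem generation, re-point the live/ symlinks at *3.pem) is easy to get half right by hand. As an added example that is not from the thread or from certbot, the script below follows each live/ symlink into archive/ the way the listing in #3 shows them, reports targets that are missing, empty or lack a PEM header (the zero-byte cert4.pem is exactly what OpenSSL reports as "no start line"), and only re-points the four links at a generation whose files all pass that check. The live/archive layout is assumed to be certbot's default as shown in the thread; the lineage name and generation numbers are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from certbot): sanity-check a certbot
# lineage and re-point its live/ symlinks at a known-good generation.
# Layout assumed (as shown in the thread):
#   /etc/letsencrypt/live/<name>/cert.pem -> ../../archive/<name>/certN.pem
# Usage: check_lineage  /etc/letsencrypt/live/mydomain.tld
#        relink_lineage /etc/letsencrypt/live/mydomain.tld 3
set -u

LINEAGE_FILES="cert.pem chain.pem fullchain.pem privkey.pem"

# has_pem_header FILE -> true if FILE is non-empty and starts with a PEM header.
# A zero-byte file (cert4.pem in post #3) is what OpenSSL reports as
# "PEM routines ... no start line".
has_pem_header() {
  [ -s "$1" ] && head -n1 "$1" 2>/dev/null | grep -q '^-----BEGIN '
}

# check_lineage LIVE_DIR -> one problem per line on stdout; returns 1 if any.
check_lineage() {
  local live="$1" f path target status=0
  for f in $LINEAGE_FILES; do
    path="$live/$f"
    if [ ! -L "$path" ]; then
      echo "$f: not a symlink (certbot expects live/ to link into archive/)"
      status=1; continue
    fi
    target=$(readlink -f "$path")          # e.g. .../archive/<name>/cert4.pem
    if [ ! -e "$target" ]; then
      echo "$f: dangling link -> $target"
      status=1; continue
    fi
    if [ ! -s "$target" ]; then
      echo "$f: target is empty -> $target"
      status=1; continue
    fi
    if ! has_pem_header "$target"; then
      echo "$f: target has no PEM header -> $target"
      status=1
    fi
  done
  return $status
}

# relink_lineage LIVE_DIR N -> point all four live/ links at archive/<name>/<base>N.pem
# (the manual repair from post #4). Refuses to touch anything unless every one of
# the four target files exists and carries a PEM header, so a half-written
# generation cannot be selected by mistake.
relink_lineage() {
  local live="$1" n="$2" name archive f base
  name=$(basename "$live")
  archive="$live/../../archive/$name"
  for f in $LINEAGE_FILES; do
    base="${f%.pem}"
    if ! has_pem_header "$archive/$base$n.pem"; then
      echo "refusing: $archive/$base$n.pem is missing, empty or not PEM" >&2
      return 1
    fi
  done
  for f in $LINEAGE_FILES; do
    base="${f%.pem}"
    ln -sfn "../../archive/$name/$base$n.pem" "$live/$f"
  done
  echo "live/$name now points at generation $n; reload nginx and re-run check_lineage"
}
```

Run check_lineage first; if it is clean and nginx still serves an old certificate, the files are not the problem and the server process is where to look next.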


#5

@pfg thanks for your help but it didn’t solve the problem.

Following the same idea I removed all the other files (*2 - *3.pem) and just kept *1.pem in archive/mydomain.tld. Changed the links, restarted nginx and - of course - it says the certificate expired.

Then I ran ./letsencrypt-auto renew --dry-run and everything was fine. After that I ran ./letsencrypt-auto renew and got the message:

Congratulations, all renewals succeeded. The following certs have been renewed: /etc/letsencrypt/live/mydomain.tld/fullchain.pem (success)

Restarted nginx and still have the message in the browser that the certificate is expired… back to square 1… :pensive:


#6

What’s the output of ls -l /etc/letsencrypt/archive/mydomain.tld now?


#7

It’s with *2.pem archives now and the links at live look correct…

root@server:/opt/letsencrypt# ls -l /etc/letsencrypt/archive/mydomain.tld
total 32
-rw-r--r-- 1 root root 1805 Mar 25 13:22 cert1.pem
-rw-r--r-- 1 root root 1805 Jun 24 14:09 cert2.pem
-rw-r--r-- 1 root root 1675 Mar 25 13:22 chain1.pem
-rw-r--r-- 1 root root 1647 Jun 24 14:09 chain2.pem
-rw-r--r-- 1 root root 3480 Mar 25 13:22 fullchain1.pem
-rw-r--r-- 1 root root 3452 Jun 24 14:09 fullchain2.pem
-rw-r--r-- 1 root root 1704 Mar 25 13:22 privkey1.pem
-rw-r--r-- 1 root root 1704 Jun 24 14:09 privkey2.pem
root@server:/opt/letsencrypt# ls -l /etc/letsencrypt/live/mydomain.tld
total 0
lrwxrwxrwx 1 root root 42 Jun 24 14:09 cert.pem -> ../../archive/mydomain.tld/cert2.pem
lrwxrwxrwx 1 root root 43 Jun 24 14:09 chain.pem -> ../../archive/mydomain.tld/chain2.pem
lrwxrwxrwx 1 root root 47 Jun 24 14:09 fullchain.pem -> ../../archive/mydomain.tld/fullchain2.pem
lrwxrwxrwx 1 root root 45 Jun 24 14:09 privkey.pem -> ../../archive/mydomain.tld/privkey2.pem


#8

Check the expiration date via openssl:

openssl x509 -enddate -noout -in /etc/letsencrypt/live/mydomain.tld/cert.pem

If that shows a date 3 months from now, you’re probably looking at a nginx/configuration problem. Make sure your site is actually served by the server block in your first post (and not some other block that, for example, points directly to the now-expired /etc/letsencrypt/archive/mydomain.tld/cert1.pem), check that your nginx is actually restarting, etc.


#9

Yes, the expiration date is correct and the nginx service is restarting correctly according to the logs…

BUT…

There was a nginx daemon running that wasn’t started as a service. Probably some command line test made ages ago… I’ve killed it and restarted the service and now everything is running fine. Thank you for your help!
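The two checks that resolved this thread, the openssl expiry check from #8 and the hunt for a second nginx in #9, can be done in one pass. The script below is an added example, not from the thread or from any of its participants: it reads notAfter from the on-disk certificate, fetches the certificate the listener on :443 actually presents for the SNI name, compares SHA-256 fingerprints, and on a mismatch lists every nginx master process, since a stray master that never reloaded is exactly what #9 found. It assumes openssl and GNU date (-d) on PATH; the host name and lineage path are placeholders taken from the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): is the "expired certificate" coming from
# the files on disk, or from the process that actually answers on :443?
# Assumes openssl and GNU date on PATH.
# Usage: ./check-served-cert.sh mydomain.tld /etc/letsencrypt/live/mydomain.tld
set -u

# days_until_expiry CERT_FILE -> whole days until notAfter, negative if expired;
# returns 1 if the file is not a readable certificate.
days_until_expiry() {
  local end
  end=$(openssl x509 -enddate -noout -in "$1" 2>/dev/null | cut -d= -f2-)
  [ -n "$end" ] || return 1
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# file_fingerprint CERT_FILE -> SHA-256 fingerprint of the first cert in the file
file_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# served_fingerprint HOST [PORT] -> fingerprint of the leaf certificate the live
# server presents for that SNI name, i.e. what the browser is complaining about
served_fingerprint() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# list_nginx_masters -> every nginx master process with its start time and
# command line; more than one line here is the situation from post #9
list_nginx_masters() {
  ps -eo pid,ppid,lstart,args | awk '/nginx: master/ && !/awk/'
}

# diagnose HOST LIVE_DIR -> 0 if disk and wire agree, 1 on mismatch, 2 if the
# on-disk certificate cannot be read at all
diagnose() {
  local host="$1" live="$2" days disk wire
  days=$(days_until_expiry "$live/fullchain.pem") || {
    echo "cannot parse $live/fullchain.pem as a certificate (empty or not PEM?)"
    return 2
  }
  echo "on-disk cert ($live/fullchain.pem): expires in $days day(s)"
  disk=$(file_fingerprint "$live/fullchain.pem")
  wire=$(served_fingerprint "$host")
  if [ "$disk" = "$wire" ]; then
    echo "served cert matches disk: $disk"
    return 0
  fi
  echo "MISMATCH: disk=$disk served=$wire"
  echo "-> the process answering on :443 has not loaded these files; nginx masters:"
  list_nginx_masters
  return 1
}

if [ $# -ge 2 ]; then diagnose "$1" "$2"; fi
```

A negative day count with matching fingerprints means the renewal itself did not happen; a positive count with a mismatch means the files are fine and the wrong process (or a different server block, as #8 notes) is answering.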


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.