Noob struggling with renewing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: setpad.ca

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/setpad.ca-0002.conf


Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (setpad.ca-0002) from /etc/letsencrypt/renewal/setpad.ca-0002.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.


Processing /etc/letsencrypt/renewal/setpad.ca-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Attempting to renew cert (setpad.ca-0001) from /etc/letsencrypt/renewal/setpad.ca-0001.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.


Processing /etc/letsencrypt/renewal/clone1.setpad.ca.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Attempting to renew cert (clone1.setpad.ca) from /etc/letsencrypt/renewal/clone1.setpad.ca.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.


Processing /etc/letsencrypt/renewal/setpad.ca.conf


Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 460, in __init__
self._check_symlinks()
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 519, in _check_symlinks
"expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/setpad.ca/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/setpad.ca.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/www.setpad.ca.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Attempting to renew cert (www.setpad.ca) from /etc/letsencrypt/renewal/www.setpad.ca.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/setpad.ca-0002/fullchain.pem (failure)
/etc/letsencrypt/live/setpad.ca-0001/fullchain.pem (failure)
/etc/letsencrypt/live/clone1.setpad.ca/fullchain.pem (failure)
/etc/letsencrypt/live/www.setpad.ca/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/setpad.ca-0002/fullchain.pem (failure)
/etc/letsencrypt/live/setpad.ca-0001/fullchain.pem (failure)
/etc/letsencrypt/live/clone1.setpad.ca/fullchain.pem (failure)
/etc/letsencrypt/live/www.setpad.ca/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/setpad.ca.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


4 renew failure(s), 1 parse failure(s)

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): Debian 9.6 (stretch)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

======
Hi. Yesterday I received a notification saying my certificates would expire in 20 days.

When I installed Letsencrypt last year, the process was so easy and seamless that I didn't bother taking notes, and so now I am clueless as to what I need to do.
Thanks for your help

2 Likes

Hi and welcome to the community!

First, about the email: you probably got more certs than you needed when you originally set things up.
Let's check that with:
certbot certificates

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

3 Likes

Hey there. Thanks for the quick reply.

Here is the output from "certbot certificates". You are right, there is probably more stuff than needed. And now that you mention it, I recall that the original host was cloned. So the output shows that the cert that is about to expire (setpad.ca) is actually not for the host where I am running this command, which is clone1.setpad.ca, and which still has 74 days before renewal. So maybe there is no urgency?

Meanwhile, the original host (setpad.ca) cert is NOT about to renew. I'll put its "certbot certificates" below this one.


Found the following certs:
Certificate Name: setpad.ca-0002
Domains: setpad.ca
Expiry Date: 2020-10-31 21:55:19+00:00 (VALID: 14 days)
Certificate Path: /etc/letsencrypt/live/setpad.ca-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/setpad.ca-0002/privkey.pem
Certificate Name: setpad.ca-0001
Domains: setpad.ca www.setpad.ca
Expiry Date: 2020-12-22 04:11:33+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/setpad.ca-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/setpad.ca-0001/privkey.pem
Certificate Name: clone1.setpad.ca
Domains: clone1.setpad.ca
Expiry Date: 2020-12-30 19:09:32+00:00 (VALID: 74 days)
Certificate Path: /etc/letsencrypt/live/clone1.setpad.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/clone1.setpad.ca/privkey.pem
Certificate Name: www.setpad.ca
Domains: www.setpad.ca
Expiry Date: 2020-12-30 19:09:41+00:00 (VALID: 74 days)
Certificate Path: /etc/letsencrypt/live/www.setpad.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.setpad.ca/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/setpad.ca.conf


From the original host:


Found the following certs:
Certificate Name: setpad.ca-0001
Domains: setpad.ca www.setpad.ca
Expiry Date: 2020-12-21 13:52:53+00:00 (VALID: 65 days)
Certificate Path: /etc/letsencrypt/live/setpad.ca-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/setpad.ca-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/setpad.ca.conf


2 Likes

This probably started the mess.

We need to see which cert(s) are actually in use before deleting any.
For that, let's try:
nginx -T | grep -i cert

2 Likes

Indeed. On the original host, "nginx -T | grep -i cert" reports only this cert:

ssl_certificate /etc/letsencrypt/live/setpad.ca-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/setpad.ca-0001/privkey.pem;

... And this cert is not about to expire, as per:


Found the following certs:
Certificate Name: setpad.ca-0001
Domains: setpad.ca www.setpad.ca
Expiry Date: 2020-12-21 13:52:53+00:00 (VALID: 65 days)
Certificate Path: /etc/letsencrypt/live/setpad.ca-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/setpad.ca-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/setpad.ca.conf


3 Likes

Then that is the one to keep.

For the others:
certbot delete --cert-name www.setpad.ca
certbot delete --cert-name setpad.ca-0002
certbot delete --cert-name clone1.setpad.ca

Then again:
certbot certificates

2 Likes
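
The cleanup steps above (list the lineages, see which one nginx references, delete the rest) can be checked mechanically before anything is deleted. The script below is an added example, not something posted by the thread's participants; the function name `unused_lineages` and the two saved-output files are assumptions, and the sample input is constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: list certbot lineages that no nginx ssl_certificate
# directive references, so only unused ones become delete candidates.

unused_lineages() {   # usage: unused_lineages CERTS_FILE NGINX_FILE
  # CERTS_FILE: saved output of `certbot certificates`
  # NGINX_FILE: saved output of `nginx -T`
  awk '/Certificate Name:/ { name = $3 }
       /Certificate Path:/ { print name, $3 }' "$1" |
  while read -r name path; do
    # Exact match on the directive argument with comments stripped, so that
    # "live/setpad.ca/" can never match "live/setpad.ca-0001/".
    awk -v want="${path};" '
      { sub(/#.*/, "") }
      $1 == "ssl_certificate" && $2 == want { found = 1 }
      END { exit !found }' "$2" || printf '%s\n' "$name"
  done
}

# Constructed sample input, modelled on the output quoted in the thread.
sample_dir=$(mktemp -d)
cat > "$sample_dir/certs.txt" <<'EOF'
Found the following certs:
  Certificate Name: setpad.ca-0002
    Domains: setpad.ca
    Certificate Path: /etc/letsencrypt/live/setpad.ca-0002/fullchain.pem
  Certificate Name: setpad.ca-0001
    Domains: setpad.ca www.setpad.ca
    Certificate Path: /etc/letsencrypt/live/setpad.ca-0001/fullchain.pem
  Certificate Name: clone1.setpad.ca
    Domains: clone1.setpad.ca
    Certificate Path: /etc/letsencrypt/live/clone1.setpad.ca/fullchain.pem
  Certificate Name: www.setpad.ca
    Domains: www.setpad.ca
    Certificate Path: /etc/letsencrypt/live/www.setpad.ca/fullchain.pem
EOF
cat > "$sample_dir/nginx.txt" <<'EOF'
server {
    # ssl_certificate /etc/letsencrypt/live/www.setpad.ca/fullchain.pem;
    ssl_certificate /etc/letsencrypt/live/setpad.ca-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/setpad.ca-0001/privkey.pem;
}
EOF

unused_lineages "$sample_dir/certs.txt" "$sample_dir/nginx.txt"
```

Paths that nginx takes from a quoted string or a variable are not matched, so a lineage reported here should still be confirmed against the running config before `certbot delete`.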

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/setpad.ca.conf produced an unexpected error: expected /etc/letsencrypt/live/setpad.ca/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: setpad.ca-0001
Domains: setpad.ca www.setpad.ca
Expiry Date: 2020-12-21 13:52:53+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/setpad.ca-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/setpad.ca-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/setpad.ca.conf


1 Like

Although renew --dry-run still has these errors:


Processing /etc/letsencrypt/renewal/setpad.ca-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Attempting to renew cert (setpad.ca-0001) from /etc/letsencrypt/renewal/setpad.ca-0001.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.


Processing /etc/letsencrypt/renewal/setpad.ca.conf


Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 460, in __init__
self._check_symlinks()
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 519, in _check_symlinks
"expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/setpad.ca/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/setpad.ca.conf is broken. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/setpad.ca-0001/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/setpad.ca-0001/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/setpad.ca.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 1 parse failure(s)

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

1 Like

sudo certbot update_symlinks

1 Like

That seems to have helped. The symlink error is gone, but there is still another error:

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/setpad.ca-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Attempting to renew cert (setpad.ca-0001) from /etc/letsencrypt/renewal/setpad.ca-0001.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/setpad.ca-0001/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/setpad.ca-0001/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

1 Like

Your version of certbot is ancient with many known bugs. Try updating it to the snaps version. :slightly_smiling_face:

3 Likes

It probably doesn't support the POST-as-GET method yet. This was added in version 0.29.0.

3 Likes

Bingo!
That did the trick. Much thanks!

2 Likes
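
The three failure types seen in this thread each had a different remedy. As an added example (not code from the thread's participants), the script below classifies a saved `certbot renew --dry-run` log and prints the remedy the thread arrived at for each renewal config. The function name `triage_renew_log`, its arguments and the abridged sample log are assumptions; the 0.29.0 threshold is the one stated in the reply above.

```shell
#!/bin/sh
# Added example: classify failures in a saved `certbot renew --dry-run` log
# and print, per renewal config, the remedy used in this thread.

triage_renew_log() {   # usage: triage_renew_log LOG_FILE CERTBOT_VERSION
  awk -v ver="$2" '
    function report(kind, remedy) {
      # Report each (config, failure kind) pair once, in order of appearance.
      if (!seen[name, kind]++) print name ": " remedy
    }
    BEGIN {
      split(ver, v, ".")
      # Per the thread, POST-as-GET support was added in 0.29.0.
      if (v[1] + 0 == 0 && v[2] + 0 < 29)
        method_fix = "upgrade certbot " ver " (no POST-as-GET before 0.29.0)"
      else
        method_fix = "client is 0.29.0 or later, read the debug log"
    }
    /^Processing / {
      n = split($2, part, "/"); name = part[n]; sub(/\.conf$/, "", name)
    }
    /--manual-auth-hook/ {
      report("manual", "manual plugin needs --manual-auth-hook to renew unattended")
    }
    /expected .* to be a symlink/ {
      report("symlink", "run certbot update_symlinks")
    }
    /Method not allowed/ { report("method", method_fix) }
  ' "$1"
}

# Constructed sample log, abridged from the output quoted in the thread.
log_file=$(mktemp)
cat > "$log_file" <<'EOF'
Processing /etc/letsencrypt/renewal/setpad.ca-0002.conf
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Processing /etc/letsencrypt/renewal/setpad.ca-0001.conf
Attempting to renew cert (setpad.ca-0001) from /etc/letsencrypt/renewal/setpad.ca-0001.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
Processing /etc/letsencrypt/renewal/setpad.ca.conf
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/setpad.ca/cert.pem to be a symlink
EOF

triage_renew_log "$log_file" 0.28.0
```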