Not able to create/renew a certificate

Hi guys,

I am trying to renew a Let’s Encrypt certificate to use my Nextcloud on a Raspberry Pi.

I used the command:
root@nextcloud:/etc# /etc/letsencrypt/letsencrypt-auto certonly --agree-tos --renew-by-default -a webroot --webroot-path /var/www/nextcloud/ -d my-domain.dyndns.de

I get the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my-domain.dyndns.de
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/my-domain.dyndns.de/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/my-domain.dyndns.de/privkey.pem
    Your cert will expire on 2018-03-13. To obtain a new or tweaked
    version of this certificate in the future, simply run
    letsencrypt-auto again. To non-interactively renew all of your
    certificates, run “letsencrypt-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

It seems that it worked. But if I try to synchronise my computer with the Nextcloud, I get the message that my certificate is expired.

How can I try to find out what the problem is?

Certonly, as the name implies, will only obtain the certificate. You then need to install it in whatever web server is in use. The Installer None part also indicates this. I’m not familiar with Nextcloud, so I can’t be of any assistance with how that works, but assuming you’re pointing it to the Let’s Encrypt ‘live’ directory and your certificate hasn’t changed names, you should just be able to reload the server to apply the new certificate.

A side note, I see you have the --renew-by-default flag set. This is probably from an old and mistaken tutorial, and I would strongly recommend removing that flag in the future. It’s been deprecated, with --force-renewal taking its place. Both function identically, and what they do is force renewal of your certificate, even if it isn’t within 30 days of expiring. Depending on your setup, this can lead to rate limit issues.

Thanks!! I restarted the Raspberry and it works. Is there any terminal command so I can find out how long the certificate is still valid?

The easiest way to verify it would be to use cURL. Let’s say your domain is whatever.com, run curl -vvv https://whatever.com. Near the top of the result, look for the lines start date and expire date.
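The situation in this thread (certificate renewed on disk, web server still presenting the old one until it is reloaded) can be checked from the terminal. The script below is an added example, not part of the original posts; it assumes the openssl command-line tool is installed and the /etc/letsencrypt/live/ layout shown in the first post, and the function names are made up for illustration.

```bash
#!/usr/bin/env bash
# Usage: ./check-cert.sh my-domain.dyndns.de [port]
# Compares the renewed certificate on disk with the one the server presents.

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Expiry (notAfter) date of the leaf certificate in a PEM file.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Succeeds only if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Save the leaf certificate presented by host $1 on port $2 into file $3.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Prints "current" if both files hold the same certificate, else "stale".
compare_certs() {
    if [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; then
        echo current
    else
        echo stale
    fi
}

if [ "$#" -ge 1 ]; then
    domain=$1
    disk="/etc/letsencrypt/live/$domain/fullchain.pem"
    served=$(mktemp)
    fetch_served_cert "$domain" "${2:-443}" "$served"
    echo "on disk, expires: $(cert_enddate "$disk")"
    echo "served,  expires: $(cert_enddate "$served")"
    echo "served certificate is $(compare_certs "$disk" "$served")"
    # 30 days matches the renewal window mentioned in the reply above.
    cert_valid_for_days "$served" 30 || echo "served certificate expires within 30 days"
    rm -f "$served"
fi
```

A result of "stale" means the renewal succeeded but the web server has not been reloaded since.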
