root@ip-172-31-46-121:/etc/letsencrypt# ls -lR /etc/letsencrypt/live/
/etc/letsencrypt/live/:
total 8
-rw-r--r-- 1 root root 740 Jan 25 16:22 README
drwxr-xr-x 2 root root 4096 Nov 1 23:33 sarvagram.com
/etc/letsencrypt/live/sarvagram.com:
total 20
-rwxrwxrwx 1 ubuntu ubuntu 1842 Nov 1 23:31 cert.pem
-rwxrwxrwx 1 ubuntu ubuntu 3750 Nov 1 23:31 chain.pem
-rwxrwxrwx 1 ubuntu ubuntu 5592 Nov 1 23:31 fullchain.pem
-rwxrwxrwx 1 ubuntu ubuntu 1708 Nov 1 23:31 privkey.pem
root@ip-172-31-46-121:/etc/letsencrypt#
Did you transfer the contents of /etc/letsencrypt from somewhere to the current location? Those files in the /live/ directory should be symbolic links to certain files in ../../archive/sarvagram.com/. But they are not, they are regular files, which is incorrect.
Also, could you show the file listing of /etc/letsencrypt/renewal/?
We did not transfer /etc/letsencrypt from other location ... it was created when we installed sarvagram.com cert before 3 months ... I agree. ... those sym links should have been there ... not sure what happened to them.
root@ip-172-31-46-121:/etc/letsencrypt# ls -lR /etc/letsencrypt/renewal/
/etc/letsencrypt/renewal/:
total 4
-rw-r--r-- 1 root root 43 Jan 25 12:04 sarvagram.com
root@ip-172-31-46-121:/etc/letsencrypt#
That file should have the .conf extension. If you add that extension, Certbot will probably recognise the certificate again, once you've fixed the symbolic links.
I'm sorry, but your Certbot configuration is messed up to such an extent that I have the feeling it has been manually modified by someone. I'm not saying it's you, but something is extremely incorrect about the way the files are the way they are now which probably has not been done automatically by something.
Thanks Osiris. Before me, one more team member tried to renew the cert. But he got "Challenge failed" message. After that, I tried to renew. When it did not work, I tried to delete through "delete" command so that I can install a new certificate. Anyways ...
I will add extension ".conf" to the file.
What should I do to fix the sym links?
Based on above you will not be able to fix the symlinks as they point to /archive folder and you say all other folders are empty.
How did you get the wildcard cert? Did you use certbot? Because that makes no sense it would not show in these folders.
What are the contents of the file /etc/letsencrypt/renewal/sarvagram.com? This will identify what command is needed to recreate the certs.
contents of the file /etc/letsencrypt/renewal/sarvagram.com
renew_hook = sudo systemctl reload apache2
That is not a valid renewal conf file. Are you sure you have used certbot to create your certs?
And, again, how did you create that wildcard cert? With certbot?
I see that your server, right now, is sending a cert issued by cPanel on Dec1 2021 good thru Mar1 2022.
See here for your cert history
You can check what cert your server is currently sending by using a site like this:
It does look like a part of a Certbot renewal configuration file.. But only a tiny part.. Makes you wonder what happened to the other parts of it..
@surajmundada If you're happy with your cPanel certificate as @MikeMcQ has stated I would recommend to keep using that cert (if it's free). Otherwise I'd need to know if the /archive/ directory still contains certs or not.
Yes, it does. Also why that restart command is for apache when they use LiteSpeed
Thanks for all support
I had used certbot only to create wildcard cert.
The cPanel certificate is for my main domain hosted on another server. I have created this letsencrypt sarvagram.com certificate 3 months ago for subdomains and it was working until yesterday.
I can not use cPanel cert for "sarvagram.com" hosted on server 1 for subdomains "repo.sarvagram.com" on the server 2 where my apps are hosted.
I tried creating a new ssl cert on cPanel and installed it for subdomain "repo.sarvagram.com" on cpanel itself but it is not working.
I was able to create a cert for repo.sarvagram.com on server 2... all relevant folders/files are visible now inside /etc/letsencrypt/live ... but when I hit https://repo.sarvagram.com, I get "Error code: SSL_ERROR_RX_RECORD_TOO_LONG" message.
I checked on ssllabs.com and it says "Assessment failed: No secure protocols supported"
I googled ... seems like TLS1.2 vs TLS1.3 issue ... but not sure
OK. Let's ignore server 1 with your apex domain sarvagram.com.
What certbot command did you use to create the cert for repo.sarvagram.com on server 2?
Those files are for "ubuntu:ubuntu" not "root:root"
With 777 access not (links to files with) 644
They should be links to files in the /archive/ folder
Something has really scrambled those folders.
I would copy those four files elsewhere and remove the entire /etc/letsencrypt/ path and reinstall certbot.
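An added example, not part of the original thread: a shell check for the layout problems the replies above point out (live/ entries that are regular files instead of links into ../../archive/, world-writable files, and a renewal file without the .conf extension). The names audit_lineage and make_sample, the finding labels and the example.test tree are assumptions made for illustration; file ownership is not checked.

```shell
# audit_lineage CONFIG_DIR CERT_NAME: print one finding per line;
# return 0 when the layout is clean, 1 otherwise.
audit_lineage() {
    local dir="$1" name="$2" bad=0 f path
    for f in cert chain fullchain privkey; do
        path="$dir/live/$name/$f.pem"
        if [ ! -L "$path" ]; then
            echo "NOT_SYMLINK $f.pem"; bad=1
        else
            case "$(readlink "$path")" in
                "../../archive/$name/$f"[0-9]*.pem) ;;
                *) echo "BAD_TARGET $f.pem"; bad=1 ;;
            esac
            [ -e "$path" ] || { echo "DANGLING $f.pem"; bad=1; }
        fi
        # -L follows the link, so the mode tested is the real file's.
        if [ -e "$path" ] && [ -n "$(find -L "$path" -maxdepth 0 -perm -0002)" ]; then
            echo "WORLD_WRITABLE $f.pem"; bad=1
        fi
    done
    if [ ! -f "$dir/renewal/$name.conf" ]; then
        echo "NO_RENEWAL_CONF $name.conf"; bad=1
    fi
    return "$bad"
}

# Constructed sample trees (not real data): "broken" mirrors the listing
# shown in the thread, "good" is the layout the replies describe.
make_sample() {
    local root name=example.test f
    root=$(mktemp -d)
    mkdir -p "$root/broken/live/$name" "$root/broken/renewal" \
             "$root/good/live/$name" "$root/good/archive/$name" "$root/good/renewal"
    for f in cert chain fullchain privkey; do
        echo placeholder > "$root/broken/live/$name/$f.pem"
        chmod 777 "$root/broken/live/$name/$f.pem"
        echo placeholder > "$root/good/archive/$name/${f}1.pem"
        chmod 644 "$root/good/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$root/good/live/$name/$f.pem"
    done
    echo "renew_hook = placeholder" > "$root/broken/renewal/$name"
    echo "# constructed" > "$root/good/renewal/$name.conf"
    echo "$root"
}

root=$(make_sample)
audit_lineage "$root/broken" example.test || echo "broken tree: findings above"
audit_lineage "$root/good" example.test && echo "good tree: clean"
rm -rf "$root"
```

On a real host the call would be audit_lineage /etc/letsencrypt followed by the certificate name, run as a user that can read the directory.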
@MikeMcQ I used "certbot certonly --standalone" command to create "repo.sarvagram.com" cert .... and then configured my apache setting to use the newly installed cert.
@rg305 yeah .... something has really gone weird in those folders and I don't know how ... most probably the renew and delete command we ran initially after the cert expired messed up whole thing for us .... we are anyway reinstalling everything now
thanks a lot for all the support
I see HTTPS connections to repo.sarvagram.com are now working. Do you still need help?
we reinstalled the cert on a new server and copied it on original server ... it is working fine now.
Thanks again for all the help and support