Not able to renew ssl certificate

Hi Team,

we are unable to renewal certificate for below domain and we are always facing the below issue and this is production instance and kindly please look into it

My domain is: confluence.dimagi.com

I ran this command: certbot -q renew --renew-hook ‘/etc/init.d/nginx reload’

It produced this output:

Attempting to renew cert (confluence.dimagi.com) from /etc/letsencrypt/renewal/confluence.dimagi.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: confluence.dimagi.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/confluence.dimagi.com/fullchain.pem (failure)

My web server is (include version):

The operating system my web server runs on is (include version): nginx/1.14.2

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Thanks,
Sanjay

You’ve renewed it about 12 times in the past 2 weeks.

https://crt.sh/?Identity=confluence.dimagi.com&exclude=expired

(crt.sh usually lists certificates twice.)

Do you know where all those certificates went? Do you have multiple servers?

What does “sudo certbot certificates” show?

Can you please help me to renewal of this ssl certificate and this is very critical to us

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: wiki.commcarehq.org
Domains: wiki.commcarehq.org help.commcarehq.org
Expiry Date: 2019-07-07 04:47:08+00:00 (VALID: 82 days)
Certificate Path: /etc/letsencrypt/live/wiki.commcarehq.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wiki.commcarehq.org/privkey.pem
Certificate Name: confluence.dimagi.com
Domains: confluence.dimagi.com
Expiry Date: 2019-04-29 01:15:05+00:00 (VALID: 13 days)
Certificate Path: /etc/letsencrypt/live/confluence.dimagi.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/confluence.dimagi.com/privkey.pem


But it has been renewed. Many times. The files just aren’t in the right place for some reason.

Can you post “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”.

root@confluence:~# sudo ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 20
drwx------ 5 root root 4096 Mar 25 03:27 .
drwxr-xr-x 9 root root 4096 Apr 15 02:38 …
drwxr-xr-x 2 root root 4096 Mar 30 04:17 confluence.dimagi.com
drwxr-xr-x 2 root root 4096 Jan 28 21:15 confluence.dimagi.com-0001
drwxr-xr-x 2 root root 4096 Apr 8 01:47 wiki.commcarehq.org

/etc/letsencrypt/archive/confluence.dimagi.com:
total 40
drwxr-xr-x 2 root root 4096 Mar 30 04:17 .
drwx------ 5 root root 4096 Mar 25 03:27 …
-rw-r–r-- 1 root root 2171 Nov 6 15:21 cert1.pem
-rw-r–r-- 1 root root 1927 Apr 15 01:37 cert2.pem
-rw-r–r-- 1 root root 1647 Nov 6 15:21 chain1.pem
-rw-r–r-- 1 root root 1647 Apr 15 01:37 chain2.pem
-rw-r–r-- 1 root root 3818 Nov 6 15:21 fullchain1.pem
-rw-r–r-- 1 root root 3574 Apr 15 01:37 fullchain2.pem
-rw-r–r-- 1 root root 1704 Nov 6 15:21 privkey1.pem
-rw-r–r-- 1 root root 1704 Apr 15 01:37 privkey2.pem

/etc/letsencrypt/archive/confluence.dimagi.com-0001:
total 24
drwxr-xr-x 2 root root 4096 Jan 28 21:15 .
drwx------ 5 root root 4096 Mar 25 03:27 …
-rw-r–r-- 1 root root 1927 Jan 28 21:15 cert1.pem
-rw-r–r-- 1 root root 1647 Jan 28 21:15 chain1.pem
-rw-r–r-- 1 root root 3574 Jan 28 21:15 fullchain1.pem
-rw-r–r-- 1 root root 1704 Jan 28 21:15 privkey1.pem

/etc/letsencrypt/archive/wiki.commcarehq.org:
total 44
drwxr-xr-x 2 root root 4096 Apr 8 01:47 .
drwx------ 5 root root 4096 Mar 25 03:27 …
-rw-r–r-- 1 root root 692 Mar 25 03:27 README
-rw-r–r-- 1 root root 1952 Mar 25 03:27 cert1.pem
-rw-r–r-- 1 root root 1952 Apr 8 01:47 cert2.pem
-rw-r–r-- 1 root root 1647 Mar 25 03:27 chain1.pem
-rw-r–r-- 1 root root 1647 Apr 8 01:47 chain2.pem
-rw-r–r-- 1 root root 3599 Mar 25 03:27 fullchain1.pem
-rw-r–r-- 1 root root 3599 Apr 8 01:47 fullchain2.pem
-rw-r–r-- 1 root root 1704 Mar 25 03:27 privkey1.pem
-rw-r–r-- 1 root root 1704 Apr 8 01:47 privkey2.pem

/etc/letsencrypt/live:
total 20
drwx------ 4 root root 4096 Feb 8 06:00 .
drwxr-xr-x 9 root root 4096 Apr 15 02:38 …
-rw-r–r-- 1 root root 740 Jan 28 21:15 README
drwxr-xr-x 2 root root 4096 Apr 15 01:37 confluence.dimagi.com
drwxr-xr-x 2 root root 4096 Apr 8 01:47 wiki.commcarehq.org

/etc/letsencrypt/live/confluence.dimagi.com:
total 12
drwxr-xr-x 2 root root 4096 Apr 15 01:37 .
drwx------ 4 root root 4096 Feb 8 06:00 …
-rw-r–r-- 1 root root 692 Jan 28 21:15 README
lrwxrwxrwx 1 root root 50 Apr 15 01:37 cert.pem -> …/…/archive/confluence.dimagi.com-0001/cert1.pem
lrwxrwxrwx 1 root root 51 Apr 15 01:37 chain.pem -> …/…/archive/confluence.dimagi.com-0001/chain1.pem
lrwxrwxrwx 1 root root 55 Apr 15 01:37 fullchain.pem -> …/…/archive/confluence.dimagi.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root 53 Apr 15 01:37 privkey.pem -> …/…/archive/confluence.dimagi.com-0001/privkey1.pem

/etc/letsencrypt/live/wiki.commcarehq.org:
total 28
drwxr-xr-x 2 root root 4096 Apr 8 01:47 .
drwx------ 4 root root 4096 Feb 8 06:00 …
-rw-r–r-- 1 root root 692 Feb 6 06:24 README
lrwxrwxrwx 1 root root 43 Apr 8 01:47 cert.pem -> …/…/archive/wiki.commcarehq.org/cert2.pem
-rw-r–r-- 1 root root 1952 Feb 6 06:24 cert.pem.bkp
lrwxrwxrwx 1 root root 44 Apr 8 01:47 chain.pem -> …/…/archive/wiki.commcarehq.org/chain2.pem
-rw-r–r-- 1 root root 1647 Feb 6 06:24 chain.pem.bkp
lrwxrwxrwx 1 root root 48 Apr 8 01:47 fullchain.pem -> …/…/archive/wiki.commcarehq.org/fullchain2.pem
-rw-r–r-- 1 root root 3599 Feb 6 06:24 fullchain.pem.bkp
lrwxrwxrwx 1 root root 46 Apr 8 01:47 privkey.pem -> …/…/archive/wiki.commcarehq.org/privkey2.pem
-rw-r–r-- 1 root root 1704 Feb 6 06:24 privkey.pem.bkp

/etc/letsencrypt/renewal:
total 20
drwxr-xr-x 2 root root 4096 Apr 15 01:46 .
drwxr-xr-x 9 root root 4096 Apr 15 02:38 …
-rw-r–r-- 1 root root 649 Mar 18 05:17 confluence.dimagi.com-0001.conf.old
-rw-r–r-- 1 root root 645 Apr 15 01:37 confluence.dimagi.com.conf
-rw-r–r-- 1 root root 676 Apr 8 01:47 wiki.commcarehq.org.conf

Hi mnordhoff,

Can you please help me on this

Thanks,
Sanjay

Please also post the contents of /etc/letsencrypt/renewal/confluence.dimagi.com.conf.

The symlinks are wrong. They’re pointing to ../../archive/confluence.dimagi.com-0001/xxxx1.pem instead of ../../archive/confluence.dimagi.com/xxxx2.pem.

(Also, the forum software changed .. to , but that’s not important.)

Every time it renews, Certbot is saving the new files to /etc/letsencrypt/archive/confluence.dimagi.com/, but because /etc/letsencrypt/live/confluence.dimagi.com/ is misconfigured, it can’t find them again.

You can fix it with something along the lines of:

# Make a backup
cp -ai /etc/letsencrypt/ /root/etc-letsencrypt-backup-2019-04-15
# Replace the links
ln -fs ../../archive/confluence.dimagi.com/cert2.pem /etc/letsencrypt/live/confluence.dimagi.com/cert.pem
ln -fs ../../archive/confluence.dimagi.com/chain2.pem /etc/letsencrypt/live/confluence.dimagi.com/chain.pem
ln -fs ../../archive/confluence.dimagi.com/fullchain2.pem /etc/letsencrypt/live/confluence.dimagi.com/fullchain.pem
ln -fs ../../archive/confluence.dimagi.com/privkey2.pem /etc/letsencrypt/live/confluence.dimagi.com/privkey.pem
# Delete old directory
rm -r /etc/letsencrypt/archive/confluence.dimagi.com-0001/
1 Like

Thanks for your great help and Its working now.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.