Not able to renew ssl certificate

#1

Hi Team,

We are unable to renew the certificate for the domain below and we always face the issue below. This is a production instance, so kindly look into it.

My domain is: confluence.dimagi.com

I ran this command: certbot -q renew --renew-hook '/etc/init.d/nginx reload'

It produced this output:

Attempting to renew cert (confluence.dimagi.com) from /etc/letsencrypt/renewal/confluence.dimagi.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: confluence.dimagi.com: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/confluence.dimagi.com/fullchain.pem (failure)

My web server is (include version):

The operating system my web server runs on is (include version): nginx/1.14.2

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Thanks,
Sanjay

#2

You’ve renewed it about 12 times in the past 2 weeks.

https://crt.sh/?Identity=confluence.dimagi.com&exclude=expired

(crt.sh usually lists certificates twice.)

Do you know where all those certificates went? Do you have multiple servers?

What does “sudo certbot certificates” show?

#3

Can you please help me renew this SSL certificate? This is very critical to us.

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: wiki.commcarehq.org
Domains: wiki.commcarehq.org help.commcarehq.org
Expiry Date: 2019-07-07 04:47:08+00:00 (VALID: 82 days)
Certificate Path: /etc/letsencrypt/live/wiki.commcarehq.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wiki.commcarehq.org/privkey.pem
Certificate Name: confluence.dimagi.com
Domains: confluence.dimagi.com
Expiry Date: 2019-04-29 01:15:05+00:00 (VALID: 13 days)
Certificate Path: /etc/letsencrypt/live/confluence.dimagi.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/confluence.dimagi.com/privkey.pem


#4

But it has been renewed. Many times. The files just aren’t in the right place for some reason.

Can you post “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”.

#5

root@confluence:~# sudo ls -alR /etc/letsencrypt/{archive,live,renewal}
/etc/letsencrypt/archive:
total 20
drwx------ 5 root root 4096 Mar 25 03:27 .
drwxr-xr-x 9 root root 4096 Apr 15 02:38 …
drwxr-xr-x 2 root root 4096 Mar 30 04:17 confluence.dimagi.com
drwxr-xr-x 2 root root 4096 Jan 28 21:15 confluence.dimagi.com-0001
drwxr-xr-x 2 root root 4096 Apr 8 01:47 wiki.commcarehq.org

/etc/letsencrypt/archive/confluence.dimagi.com:
total 40
drwxr-xr-x 2 root root 4096 Mar 30 04:17 .
drwx------ 5 root root 4096 Mar 25 03:27 …
-rw-r--r-- 1 root root 2171 Nov 6 15:21 cert1.pem
-rw-r--r-- 1 root root 1927 Apr 15 01:37 cert2.pem
-rw-r--r-- 1 root root 1647 Nov 6 15:21 chain1.pem
-rw-r--r-- 1 root root 1647 Apr 15 01:37 chain2.pem
-rw-r--r-- 1 root root 3818 Nov 6 15:21 fullchain1.pem
-rw-r--r-- 1 root root 3574 Apr 15 01:37 fullchain2.pem
-rw-r--r-- 1 root root 1704 Nov 6 15:21 privkey1.pem
-rw-r--r-- 1 root root 1704 Apr 15 01:37 privkey2.pem

/etc/letsencrypt/archive/confluence.dimagi.com-0001:
total 24
drwxr-xr-x 2 root root 4096 Jan 28 21:15 .
drwx------ 5 root root 4096 Mar 25 03:27 …
-rw-r--r-- 1 root root 1927 Jan 28 21:15 cert1.pem
-rw-r--r-- 1 root root 1647 Jan 28 21:15 chain1.pem
-rw-r--r-- 1 root root 3574 Jan 28 21:15 fullchain1.pem
-rw-r--r-- 1 root root 1704 Jan 28 21:15 privkey1.pem

/etc/letsencrypt/archive/wiki.commcarehq.org:
total 44
drwxr-xr-x 2 root root 4096 Apr 8 01:47 .
drwx------ 5 root root 4096 Mar 25 03:27 …
-rw-r--r-- 1 root root 692 Mar 25 03:27 README
-rw-r--r-- 1 root root 1952 Mar 25 03:27 cert1.pem
-rw-r--r-- 1 root root 1952 Apr 8 01:47 cert2.pem
-rw-r--r-- 1 root root 1647 Mar 25 03:27 chain1.pem
-rw-r--r-- 1 root root 1647 Apr 8 01:47 chain2.pem
-rw-r--r-- 1 root root 3599 Mar 25 03:27 fullchain1.pem
-rw-r--r-- 1 root root 3599 Apr 8 01:47 fullchain2.pem
-rw-r--r-- 1 root root 1704 Mar 25 03:27 privkey1.pem
-rw-r--r-- 1 root root 1704 Apr 8 01:47 privkey2.pem

/etc/letsencrypt/live:
total 20
drwx------ 4 root root 4096 Feb 8 06:00 .
drwxr-xr-x 9 root root 4096 Apr 15 02:38 …
-rw-r--r-- 1 root root 740 Jan 28 21:15 README
drwxr-xr-x 2 root root 4096 Apr 15 01:37 confluence.dimagi.com
drwxr-xr-x 2 root root 4096 Apr 8 01:47 wiki.commcarehq.org

/etc/letsencrypt/live/confluence.dimagi.com:
total 12
drwxr-xr-x 2 root root 4096 Apr 15 01:37 .
drwx------ 4 root root 4096 Feb 8 06:00 …
-rw-r--r-- 1 root root 692 Jan 28 21:15 README
lrwxrwxrwx 1 root root 50 Apr 15 01:37 cert.pem -> …/…/archive/confluence.dimagi.com-0001/cert1.pem
lrwxrwxrwx 1 root root 51 Apr 15 01:37 chain.pem -> …/…/archive/confluence.dimagi.com-0001/chain1.pem
lrwxrwxrwx 1 root root 55 Apr 15 01:37 fullchain.pem -> …/…/archive/confluence.dimagi.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root 53 Apr 15 01:37 privkey.pem -> …/…/archive/confluence.dimagi.com-0001/privkey1.pem

/etc/letsencrypt/live/wiki.commcarehq.org:
total 28
drwxr-xr-x 2 root root 4096 Apr 8 01:47 .
drwx------ 4 root root 4096 Feb 8 06:00 …
-rw-r--r-- 1 root root 692 Feb 6 06:24 README
lrwxrwxrwx 1 root root 43 Apr 8 01:47 cert.pem -> …/…/archive/wiki.commcarehq.org/cert2.pem
-rw-r--r-- 1 root root 1952 Feb 6 06:24 cert.pem.bkp
lrwxrwxrwx 1 root root 44 Apr 8 01:47 chain.pem -> …/…/archive/wiki.commcarehq.org/chain2.pem
-rw-r--r-- 1 root root 1647 Feb 6 06:24 chain.pem.bkp
lrwxrwxrwx 1 root root 48 Apr 8 01:47 fullchain.pem -> …/…/archive/wiki.commcarehq.org/fullchain2.pem
-rw-r--r-- 1 root root 3599 Feb 6 06:24 fullchain.pem.bkp
lrwxrwxrwx 1 root root 46 Apr 8 01:47 privkey.pem -> …/…/archive/wiki.commcarehq.org/privkey2.pem
-rw-r--r-- 1 root root 1704 Feb 6 06:24 privkey.pem.bkp

/etc/letsencrypt/renewal:
total 20
drwxr-xr-x 2 root root 4096 Apr 15 01:46 .
drwxr-xr-x 9 root root 4096 Apr 15 02:38 …
-rw-r--r-- 1 root root 649 Mar 18 05:17 confluence.dimagi.com-0001.conf.old
-rw-r--r-- 1 root root 645 Apr 15 01:37 confluence.dimagi.com.conf
-rw-r--r-- 1 root root 676 Apr 8 01:47 wiki.commcarehq.org.conf

#6

Hi mnordhoff,

Can you please help me with this?

Thanks,
Sanjay

#7

Please also post the contents of /etc/letsencrypt/renewal/confluence.dimagi.com.conf.

The symlinks are wrong. They’re pointing to ../../archive/confluence.dimagi.com-0001/xxxx1.pem instead of ../../archive/confluence.dimagi.com/xxxx2.pem.

(Also, the forum software changed .. to …, but that’s not important.)

Every time it renews, Certbot is saving the new files to /etc/letsencrypt/archive/confluence.dimagi.com/, but because /etc/letsencrypt/live/confluence.dimagi.com/ is misconfigured, it can’t find them again.

You can fix it with something along the lines of:

# Make a backup
cp -ai /etc/letsencrypt/ /root/etc-letsencrypt-backup-2019-04-15
# Replace the links
ln -fs ../../archive/confluence.dimagi.com/cert2.pem /etc/letsencrypt/live/confluence.dimagi.com/cert.pem
ln -fs ../../archive/confluence.dimagi.com/chain2.pem /etc/letsencrypt/live/confluence.dimagi.com/chain.pem
ln -fs ../../archive/confluence.dimagi.com/fullchain2.pem /etc/letsencrypt/live/confluence.dimagi.com/fullchain.pem
ln -fs ../../archive/confluence.dimagi.com/privkey2.pem /etc/letsencrypt/live/confluence.dimagi.com/privkey.pem
# Delete old directory
rm -r /etc/letsencrypt/archive/confluence.dimagi.com-0001/
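
The diagnosis in post #7 can be checked mechanically. The shell function below is an added example, not part of the original thread or of Certbot: it flags every link under live/ that points into another lineage's archive directory, or at an older version than the newest one saved there. It assumes Certbot's default layout; `audit_live_links`, `make_sample` and the name `example.test` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Certbot's default layout, in
# which live/<name>/*.pem are symlinks into archive/<name>/.

# audit_live_links ROOT: print one line per bad link under ROOT (normally
# /etc/letsencrypt); return 0 if every link is correct, 1 otherwise.
audit_live_links() {
    root=$1; status=0
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        for kind in cert chain fullchain privkey; do
            link="$dir$kind.pem"
            if [ ! -L "$link" ]; then
                echo "$name: $kind.pem is not a symlink"; status=1; continue
            fi
            target=$(readlink "$link")
            target_dir=$(basename "$(dirname "$target")")   # lineage linked to
            linked=$(basename "$target" .pem); linked=${linked#"$kind"}
            newest=0    # highest version in the directory renewals are saved to
            for f in "$root/archive/$name/$kind"[0-9]*.pem; do
                [ -e "$f" ] || continue
                n=$(basename "$f" .pem); n=${n#"$kind"}
                if [ "$n" -gt "$newest" ]; then newest=$n; fi
            done
            if [ "$target_dir" != "$name" ]; then
                echo "$name: $kind.pem -> archive/$target_dir, expected archive/$name"
                status=1
            elif [ "$linked" != "$newest" ]; then
                echo "$name: $kind.pem -> version $linked, newest is $newest"
                status=1
            fi
        done
    done
    return $status
}

# make_sample ROOT: constructed tree mirroring the listing in this thread
# (hypothetical name example.test; empty files stand in for the PEM data).
make_sample() {
    d=example.test
    mkdir -p "$1/archive/$d" "$1/archive/$d-0001" "$1/live/$d"
    for k in cert chain fullchain privkey; do
        touch "$1/archive/$d/${k}1.pem" "$1/archive/$d/${k}2.pem" \
              "$1/archive/$d-0001/${k}1.pem"
        ln -fs "../../archive/$d-0001/${k}1.pem" "$1/live/$d/$k.pem"
    done
}

demo=$(mktemp -d) && make_sample "$demo"
audit_live_links "$demo"    # reports all four links of the sample tree
rm -rf "$demo"
```

Run as root against a real installation with `audit_live_links /etc/letsencrypt`; it only reads the tree and changes nothing.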
#8

Thanks for your great help, it’s working now.