Problem to renew certificate

My domain is: admin.fleetomatic.net

I ran this command: certbot certonly --webroot -w /opt/tomcat/webapps/ROOT/ -d admin.fleetomatic.net -d www.admin.fleetomatic.net

It produced this output: I didn’t save the whole text, but there was the text “Congratulations” and it seemed that everything was okay, but the date of the generated certificate is 22.08.2019. I generated that today, so why is the date old?
I tried several times, and now I have a problem with the rate limit, so it’s probably not possible to renew the certificate for the next two weeks. It’s a big problem for me now, as I urgently need to enable HTTPS.

My web server is (include version): Tomcat 9

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.23.0

Where are you seeing that the date is 22.08.2019?

Can you post the output of “sudo certbot certificates”?

Hi, thank you for the quick response. I think that I messed this up, but I don’t know how to fix it.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/admin.fleetomatic.net-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/admin.fleetomatic.net-0001/cert.pem to be a symlink. Skipping.
Revocation status for /etc/letsencrypt/live/admin.fleetomatic.net/cert.pem is unknown


Found the following certs:
Certificate Name: admin.fleetomatic.net
Domains: admin.fleetomatic.net www.admin.fleetomatic.net
Expiry Date: 2019-08-22 09:46:36+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/admin.fleetomatic.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/admin.fleetomatic.net/privkey.pem

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/admin.fleetomatic.net-0001.conf

Okay. Please post “sudo ls -alR /etc/letsencrypt/{archive,live,renewal}”.

/etc/letsencrypt/archive:
total 16
drwx------ 4 root root 4096 May 24 12:46 .
drwxr-xr-x 9 tomcat tomcat 4096 Sep 20 22:40 ..
drwxr-xr-x 2 root root 4096 Sep 20 20:35 admin.fleetomatic.net
drwxr-xr-x 2 root root 4096 May 24 12:46 admin.fleetomatic.net-0001

/etc/letsencrypt/archive/admin.fleetomatic.net:
total 40
drwxr-xr-x 2 root root 4096 Sep 20 20:35 .
drwx------ 4 root root 4096 May 24 12:46 ..
-rw-r--r-- 1 root root 1964 May 24 09:35 cert1.pem
-rw-r--r-- 1 root root 1964 Sep 20 22:11 cert2.pem
-rw-r--r-- 1 root root 1647 May 24 09:35 chain1.pem
-rw-r--r-- 1 root root 1647 Sep 20 22:11 chain2.pem
-rw-r--r-- 1 root root 3611 May 24 09:35 fullchain1.pem
-rw-r--r-- 1 root root 3611 Sep 20 22:11 fullchain2.pem
-rw-r--r-- 1 root root 1708 May 24 09:35 privkey1.pem
-rw-r--r-- 1 root root 1708 Sep 20 22:11 privkey2.pem

/etc/letsencrypt/archive/admin.fleetomatic.net-0001:
total 24
drwxr-xr-x 2 root root 4096 May 24 12:46 .
drwx------ 4 root root 4096 May 24 12:46 ..
-rw-r--r-- 1 root root 1964 May 24 12:46 cert1.pem
-rw-r--r-- 1 root root 1647 May 24 12:46 chain1.pem
-rw-r--r-- 1 root root 3611 May 24 12:46 fullchain1.pem
-rw-r--r-- 1 root root 1704 May 24 12:46 privkey1.pem

/etc/letsencrypt/live:
total 12
drwx------ 3 root root 4096 Sep 20 22:40 .
drwxr-xr-x 9 tomcat tomcat 4096 Sep 20 22:40 ..
drwxrwxrwx 2 root root 4096 Sep 20 22:18 admin.fleetomatic.net

/etc/letsencrypt/live/admin.fleetomatic.net:
total 40
drwxrwxrwx 2 root root 4096 Sep 20 22:18 .
drwx------ 3 root root 4096 Sep 20 22:40 ..
-rwxrwxrwx 1 root root 4198 Sep 20 22:18 MyDSKeyStore.jks
-rwxrwxrwx 1 root root 543 May 24 12:46 README
lrwxrwxrwx 1 root root 50 Sep 20 22:11 cert.pem -> ../../archive/admin.fleetomatic.net-0001/cert1.pem
-rwxrwxrwx 1 root root 3066 Sep 20 22:18 cert_and_key.p12
lrwxrwxrwx 1 root root 51 Sep 20 22:11 chain.pem -> ../../archive/admin.fleetomatic.net-0001/chain1.pem
lrwxrwxrwx 1 root root 55 Sep 20 22:11 fullchain.pem -> ../../archive/admin.fleetomatic.net-0001/fullchain1.pem
-rwxrwxrwx 1 root root 8670 Sep 20 14:30 jndi-create-all.sql
-rwxrwxrwx 1 root root 882 Sep 20 14:30 jndi-drop-all.sql
lrwxrwxrwx 1 root root 53 Sep 20 22:11 privkey.pem -> ../../archive/admin.fleetomatic.net-0001/privkey1.pem

/etc/letsencrypt/renewal:
total 16
drwxr-xr-x 2 root root 4096 Sep 20 22:11 .
drwxr-xr-x 9 tomcat tomcat 4096 Sep 20 22:40 ..
-rw-r--r-- 1 root root 691 May 24 12:46 admin.fleetomatic.net-0001.conf
-rw-r--r-- 1 root root 666 Sep 20 22:11 admin.fleetomatic.net.conf

Some of Certbot's files have been moved around or deleted, so it's not working properly.

Good news -- the new files were saved.

But the symlinks in /etc/letsencrypt/live/admin.fleetomatic.net/ are pointing to the wrong directory.

You can fix that with something like:

sudo ln -fs ../../archive/admin.fleetomatic.net/cert2.pem /etc/letsencrypt/live/admin.fleetomatic.net/cert.pem
sudo ln -fs ../../archive/admin.fleetomatic.net/chain2.pem /etc/letsencrypt/live/admin.fleetomatic.net/chain.pem
sudo ln -fs ../../archive/admin.fleetomatic.net/fullchain2.pem /etc/letsencrypt/live/admin.fleetomatic.net/fullchain.pem
sudo ln -fs ../../archive/admin.fleetomatic.net/privkey2.pem /etc/letsencrypt/live/admin.fleetomatic.net/privkey.pem

Afterwards, you might want to delete /etc/letsencrypt/archive/admin.fleetomatic.net-0001/ and /etc/letsencrypt/renewal/admin.fleetomatic.net-0001.conf.

In the future, use "sudo certbot delete --cert-name example.com" to delete certificates, and don't try to rename them. (Or, if you do rename them, you have to be sure to update everything.)

You can use e.g. "sudo certbot certonly --cert-name example.com -w /path/ -d example.net -d www.example.net" to replace a certificate with one that doesn't overlap with the existing certificate's names.

It's not directly related, but if it's possible, you should set up a deploy hook to automatically create the .p12 file and restart Tomcat or whatever, so you don't have to do that part manually every time the certificate is renewed.

Edit:

Just to make sure it's up-to-date, can you post the contents of /etc/letsencrypt/renewal/admin.fleetomatic.net.conf?

(I also made other edits, including a typo fix.)


Thank you very much, it’s working now. I will spend some time learning this, because I don’t want to get into this position again. But again, thank you very much.

Here is the content of conf:

# renew_before_expiry = 30 days

version = 0.23.0
archive_dir = /etc/letsencrypt/archive/admin.fleetomatic.net
cert = /etc/letsencrypt/live/admin.fleetomatic.net/cert.pem
privkey = /etc/letsencrypt/live/admin.fleetomatic.net/privkey.pem
chain = /etc/letsencrypt/live/admin.fleetomatic.net/chain.pem
fullchain = /etc/letsencrypt/live/admin.fleetomatic.net/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 97120a42d23c9308049fd4a5f9b12c55
authenticator = webroot
installer = None
webroot_path = /opt/tomcat/webapps/ROOT,
[[webroot_map]]
admin.fleetomatic.net = /opt/tomcat/webapps/ROOT
www.admin.fleetomatic.net = /opt/tomcat/webapps/ROOT

That looks good.