Problem updating ACME TLS-SNI-01 to alternative validation method

Till now:
root@vserv2200.swisslink.ch:/root# certbot certificates -d kreator.ch
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.

Yes, that is expected.

Try:
./certbot certonly -d kreator.ch --apache

root@vserv2200.swisslink.ch:/root# certbot certonly -d kreator.ch --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

OK the previous certs are gone.
The only way to get a cert now is with a system that has a cert…

STOP APACHE
And try:
./certbot certonly -d kreator.ch -d www.kreator.ch --standalone

Here the log:

2019-02-01 04:26:33,133:DEBUG:certbot.main:Root logging level set at 20
2019-02-01 04:26:33,133:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-02-01 04:26:33,134:DEBUG:certbot.main:certbot version: 0.10.2
2019-02-01 04:26:33,134:DEBUG:certbot.main:Arguments: ['-d', 'kreator.ch', '--apache']
2019-02-01 04:26:33,134:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint$
2019-02-01 04:26:33,135:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-02-01 04:26:33,955:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x7fef2e53b150>
Prep: True
2019-02-01 04:26:33,958:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x7fef2e53b150>
Prep: True
2019-02-01 04:26:33,959:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfi$
2019-02-01 04:26:33,991:DEBUG:certbot.main:Picked account: <Account(3977b6509a888cf23c46922dfe620be0)>
2019-02-01 04:26:33,992:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2019-02-01 04:26:33,995:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.l$
2019-02-01 04:26:34,312:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2019-02-01 04:26:34,313:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: f0eonkea8ZlHrudoCHRkBIrifPSwl-KDmFLkwxlNAWY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 01 Feb 2019 04:26:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Feb 2019 04:26:34 GMT
Connection: keep-alive

{
"UHwoOvtRh1o": "Adding random entries to the directory",
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2019-02-01 04:26:34,313:INFO:certbot.main:Obtaining a new certificate
2019-02-01 04:26:34,314:DEBUG:root:Requesting fresh nonce
2019-02-01 04:26:34,314:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.

Bingo.:grinning:
live folder created


Please show:
ls -lR /etc/letsencrypt/live/
certbot certificates

Try restarting Apache.

I had to adapt ssl.conf
Apache restarted
ā€œOnlyā€ this: not yet
I’ll reboot the server

yes to new path for new cert

We are getting close to the (old) target

Yes and from there I think we can move forward with certbot-auto
You won’t have to remove certbot (for now it is still serving a good purpose)

This would be too nice,

Which names would you like to activate HTTPS for?


1: kreator.ch
2: mathias.kreator.ch
3: www.kreator.ch


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kreator.ch
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

From apache error log:

[Fri Feb 01 02:19:19.077320 2019] [ssl:emerg] [pid 1561:tid 139812496062336] AH02572: Failed to configure at least one
[Fri Feb 01 02:19:19.077355 2019] [ssl:emerg] [pid 1561:tid 139812496062336] SSL Library Error: error:140A80B1:SSL rout
[Fri Feb 01 02:19:19.077366 2019] [ssl:emerg] [pid 1561:tid 139812496062336] AH02311: Fatal error initialising mod_ssl, AH00016: Configuration Failed
[Fri Feb 01 02:57:20.461720 2019] [ssl:emerg] [pid 3811:tid 139626587768704] AH02572: Failed to configure at least one
[Fri Feb 01 02:57:20.461767 2019] [ssl:emerg] [pid 3811:tid 139626587768704] SSL Library Error: error:140A80B1:SSL rout$
[Fri Feb 01 02:57:20.461778 2019] [ssl:emerg] [pid 3811:tid 139626587768704] AH02311: Fatal error initialising mod_ssl,$
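As an added illustration (not part of the thread, and not certbot or Apache code), here is a small Python parser that turns Apache 2.4 error_log lines like the ones quoted above into records and triages the fatal mod_ssl codes AH02572 / AH02311 into the checks an admin runs on ssl.conf; the sample log lines and the hint texts are constructed for the example.

```python
import re
from typing import Dict, List

# Apache 2.4 error_log format: [timestamp] [module:level] [pid N(:tid N)] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] (?P<msg>.*)$"
)
AH_RE = re.compile(r"^(AH\d{5}):")

# Fatal mod_ssl codes quoted in the thread and the check a defender runs for each (constructed text).
SSL_HINTS = {
    "AH02572": "cert/key pair not loaded: check SSLCertificateFile and SSLCertificateKeyFile "
               "in ssl.conf point at the live/<name>/fullchain.pem and privkey.pem files",
    "AH02311": "mod_ssl aborted; httpd stays down until the SSL vhost config is fixed",
}
# Constructed sample modelled on the error_log lines quoted above (not the real file).
SAMPLE_LOG = """\
[Fri Feb 01 02:19:19.077320 2019] [ssl:emerg] [pid 1561:tid 139812496062336] AH02572: Failed to configure at least one certificate and key for example.com:443
[Fri Feb 01 02:19:19.077355 2019] [ssl:emerg] [pid 1561:tid 139812496062336] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Fri Feb 01 02:19:19.077366 2019] [ssl:emerg] [pid 1561:tid 139812496062336] AH02311: Fatal error initialising mod_ssl, exiting.
[Fri Feb 01 02:19:19.077370 2019] [core:notice] [pid 1561] AH00016: Configuration Failed
this line is not in Apache format and is skipped
"""

def parse_error_log(text: str) -> List[Dict[str, object]]:
    """Parse error_log text into dicts; lines not in the 2.4 format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code = AH_RE.match(m["msg"])
        entries.append({
            "ts": m["ts"], "module": m["module"], "level": m["level"],
            "pid": int(m["pid"]), "tid": int(m["tid"]) if m["tid"] else None,
            "code": code.group(1) if code else None, "msg": m["msg"],
        })
    return entries

def triage_mod_ssl(entries: List[Dict[str, object]]) -> Dict[str, object]:
    """Say whether startup died in mod_ssl, which AH codes fired, and what to check."""
    fatal = [e for e in entries if e["module"] == "ssl" and e["level"] in ("emerg", "alert", "crit")]
    codes = sorted({e["code"] for e in fatal if e["code"]})
    return {
        "startup_failed": "AH02311" in codes or any(e["code"] == "AH00016" for e in entries),
        "codes": codes,
        "hints": [SSL_HINTS[c] for c in codes if c in SSL_HINTS],
        "library_errors": [e["msg"] for e in fatal if str(e["msg"]).startswith("SSL Library Error")],
    }
```

Run `triage_mod_ssl(parse_error_log(open("/var/log/apache2/error.log").read()))` after a failed `apache2ctl graceful` to see which vhost directives to inspect before retrying certbot.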

We already have a working method to get those certs.

In fact you can get them all in one cert with:

stop apache
certbot certonly -d kreator.ch -d www.kreator.ch -d mathias.kreator.ch --standalone

or separately with:

stop apache
certbot certonly -d kreator.ch --standalone
certbot certonly -d www.kreator.ch --standalone
certbot certonly -d mathias.kreator.ch --standalone

or any combination you desire.

But that is using TLS-SNI-01 and stopping/restarting a web server to get cert(s) [far from ideal].

Please show this state now:
./certbot-auto certificates

Reached the limit with the first one:

root@vserv2200.swisslink.ch:/root# service apache2 stop
root@vserv2200.swisslink.ch:/root# certbot certonly -d kreator.ch --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for kreator.ch
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0010_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0010_csr-certbot.pem
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: kreator.ch: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

You already have a cert for that name - why run that command again?

Please show:
./certbot certificates
./certbot-auto certificates

I thought it was your instruction

Found the following certs:
Certificate Name: kreator.ch
Domains: kreator.ch www.kreator.ch
Expiry Date: 2019-05-02 03:35:09+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/kreator.ch/fullchain.pem
Private Key Path: /etc/letsencrypt/live/kreator.ch/privkey.pem

If you want my opinion/instruction...

Get one cert (to cover all three names - simplifies things, for now):