Problems renewing Let's Encrypt Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vectrex.be

I ran this command:
(First, I deleted the old certificate with `sudo certbot delete`; then I ran:)
```
sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d vectrex.be -d *.vectrex.be
```

It produced this output:
```
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/vectrex.be/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/vectrex.be/privkey.pem
    Your cert will expire on 2023-01-02. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation
```

My web server is (include version): Ubuntu 20.04.3 LTS

The operating system my web server runs on is (include version): Ubuntu 20.04.3 LTS

My hosting provider, if applicable, is: Strato

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Welcome to the community @erik1

First, there is no reason to delete the old certificate. In fact, this can cause problems because your server is (normally) using it. And, any failure to get a new cert will then have your server failing.

You are successfully getting certs with that command. You got 5 of them today and that is your limit for a whole week. So, please do not delete them any more.

Your server is not using the new cert. Instead it is using an older cert with these two domain names and two others:

blijf-in-uw-kot.be
vectrex.be
www.blijf-in-uw-kot.be
www.vectrex.be

The response headers say you are using Apache. Can you show the result of this:
```
sudo apachectl -t -D DUMP_VHOSTS
```

I really appreciate this.

When I do:
```
sudo apachectl -t -D DUMP_VHOSTS
```
I get an error:
```
AH00526: Syntax error on line 48 of /etc/apache2/sites-enabled/keith-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/keith.be-0001/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.
```
This is strange, since the keith.be site works as expected.

It will until you restart Apache. Then Apache will fail. It looks like you have deleted even more cert files that Apache is actively using. What does this show:
```
sudo certbot certificates
```

```
Certificate Name: bierkalender.be
Domains: bierkalender.be *.bierkalender.be
Expiry Date: 2023-01-02 10:21:19+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/bierkalender.be/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bierkalender.be/privkey.pem
Certificate Name: blijf-in-uw-kot.be
Domains: blijf-in-uw-kot.be *.blijf-in-uw-kot.be
Expiry Date: 2023-01-02 11:11:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/blijf-in-uw-kot.be/fullchain.pem
Private Key Path: /etc/letsencrypt/live/blijf-in-uw-kot.be/privkey.pem
Certificate Name: keith.be
Domains: keith.be *.keith.be
Expiry Date: 2022-11-12 17:22:39+00:00 (VALID: 39 days)
Certificate Path: /etc/letsencrypt/live/keith.be/fullchain.pem
Private Key Path: /etc/letsencrypt/live/keith.be/privkey.pem
Certificate Name: nietmetmij.be-0001
Domains: nietmetmij.be *.nietmetmij.be
Expiry Date: 2022-11-12 17:40:30+00:00 (VALID: 39 days)
Certificate Path: /etc/letsencrypt/live/nietmetmij.be-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nietmetmij.be-0001/privkey.pem
Certificate Name: vectrex.be
Domains: vectrex.be *.vectrex.be
Expiry Date: 2023-01-02 09:42:12+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/vectrex.be/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vectrex.be/privkey.pem
```

It looks like you now have individual certs for each domain name. But, before you used some certs with multiple names. I like that you now have individual certs but it requires changes to Apache config. Since your Apache config is faulty we will need to review it piece by piece.

Can you show the result of this:
```
ls -lR /etc/apache2/{sites-available,sites-enabled}
```

```
-rw-r--r-- 1 root root 1332 okt 1 2020 000-default.conf
-rw-r--r-- 1 root root 2036 feb 21 2022 bierkalender.conf
-rw-r--r-- 1 root root 2364 feb 16 2022 bierkalender-le-ssl.conf
-rw-r--r-- 1 root root 2047 dec 27 2021 biuk.conf
-rw-r--r-- 1 root root 2053 mrt 18 2022 biuk-le-ssl.conf
-rw-r--r-- 1 root root 6338 okt 1 2020 default-ssl.conf
-rw-r--r-- 1 root root 1720 mrt 20 2022 keith.conf
-rw-r--r-- 1 root root 2067 okt 4 14:41 keith-ssl.conf
-rw-r--r-- 1 root root 1846 mrt 21 2022 n8.conf
-rw-r--r-- 1 root root 2084 mrt 17 2022 nietmetmij.conf
-rw-r--r-- 1 root root 2080 mrt 17 2022 nietmetmij-le-ssl.conf
-rw-r--r-- 1 root root 1938 mrt 21 2022 notariaatnijlen.conf
-rw-r--r-- 1 root root 1997 dec 27 2021 vectrex.conf
-rw-r--r-- 1 root root 2019 mrt 18 2022 vectrex-le-ssl.conf

/etc/apache2/sites-enabled:
total 0
lrwxrwxrwx 1 root root 35 dec 2 2021 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 28 dec 27 2021 biuk.conf -> ../sites-available/biuk.conf
lrwxrwxrwx 1 root root 33 feb 25 2022 keith-ssl.conf -> ../sites-available/keith-ssl.conf
lrwxrwxrwx 1 root root 26 mrt 22 2022 n8.conf -> ../sites-available/n8.conf
lrwxrwxrwx 1 root root 34 mrt 22 2022 nietmetmij.conf -> ../sites-available/nietmetmij.conf
lrwxrwxrwx 1 root root 51 mrt 17 2022 nietmetmij-le-ssl.conf -> /etc/apache2/sites-available/nietmetmij-le-ssl.conf
lrwxrwxrwx 1 root root 39 mrt 21 2022 notariaatnijlen.conf -> ../sites-available/notariaatnijlen.conf
lrwxrwxrwx 1 root root 31 dec 7 2021 vectrex.conf -> ../sites-available/vectrex.conf
lrwxrwxrwx 1 root root 48 dec 27 2021 vectrex-le-ssl.conf -> /etc/apache2/sites-available/vectrex-le-ssl.conf
root@h2955757:/etc/letsencrypt/live/nietmetmij.be-0001#
```

Let's do them one at a time.

You have a cert for bierkalender.be and a conf for it in /sites-available. But, it is not in /sites-enabled. Do you still want this site to work?

nietmetmij.be is the most important site atm, then bierkalender and vectrex.be.

The others are less important atm.

Ok. Can you show the contents of this file? Please put 3 backticks before and after the output like this:
```
contents of: bierkalender-le-ssl.conf
```

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # A lot more comment here

        ServerName bierkalender.be
        ServerAlias www.bierkalender.be
        DocumentRoot /var/www/bierkalender

        <Directory /var/www/bierkalender>
            DirectoryIndex index.py
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>

        <Directory /var/www/bierkalender/cgi-bin>
            Options ExecCGI
            SetHandler cgi-script
        </Directory>

        <Directory /var/www/bierkalender>
            Options +ExecCGI
            AddHandler cgi-script .py
        </Directory>

        # A lot more comment here

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # A lot more comment here

RewriteEngine on
# A lot more comment here


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/bierkalender.be-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bierkalender.be-0001/privkey.pem
</VirtualHost>
</IfModule>
```

You need to remove the "-0001" from the path in those two file names (like below) and then enable that site in Apache (use a2ensite or whatever method you use). If you have any questions ask first.

We need these two lines to use the path name shown in the certbot certificates command you used earlier.
```
SSLCertificateFile /etc/letsencrypt/live/bierkalender.be/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/bierkalender.be/privkey.pem
```

When that's done let me know and we'll do the next one.

Done, but the site bierkalender.be still gives a certificate error in the browser. (But OK, I didn't get an error when I restarted Apache this time, so that's progress.)

Please don't restart Apache yet (any more). We should get your config fixed. Then test the config. Then we'll restart Apache.

Your bierkalender.be site is using the cert for keith. That's why it does not work. You should probably `a2dissite bierkalender` until we get all your config fixed.

Next one is biuk. I don't see a cert for it, but what are the contents of this:
```
/etc/apache2/sites-available/biuk.conf
```

```
<VirtualHost *:80>
        # More commentlines here
        ServerName blijf-in-uw-kot.be
        ServerAlias www.blijf-in-uw-kot.be
        DocumentRoot /var/www/blijfinuwkot

        <Directory /var/www/blijfinuwkot>
            DirectoryIndex index.py
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>

        <Directory /var/www/blijfinuwkot/cgi-bin>
            Options ExecCGI
            SetHandler cgi-script
        </Directory>

        <Directory /var/www/blijfinuwkot>
            Options +ExecCGI
            AddHandler cgi-script .py
        </Directory>
        # More commentlines here

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # More commentlines here
RewriteEngine on
RewriteCond %{SERVER_NAME} =blijf-in-uw-kot.be [OR]
RewriteCond %{SERVER_NAME} =www.blijf-in-uw-kot.be
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

And the contents of this (sorry, I should have asked for both right away):
```
/etc/apache2/sites-available/biuk-le-ssl.conf
```

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # comment here

        ServerName blijf-in-uw-kot.be
        ServerAlias www.blijf-in-uw-kot.be
        DocumentRoot /var/www/blijfinuwkot

        <Directory /var/www/blijfinuwkot>
            DirectoryIndex index.py
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>

        <Directory /var/www/blijfinuwkot/cgi-bin>
            Options ExecCGI
            SetHandler cgi-script
        </Directory>

        <Directory /var/www/blijfinuwkot>
            Options +ExecCGI
            AddHandler cgi-script .py
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Comment here


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/blijf-in-uw-kot.be-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/blijf-in-uw-kot.be-0001/privkey.pem
</VirtualHost>
</IfModule>
```

Change the above two lines. Remove the "-0001" from the path name so they are like:
```
SSLCertificateFile /etc/letsencrypt/live/blijf-in-uw-kot.be/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/blijf-in-uw-kot.be/privkey.pem
```

Again, we are using the path name in your Apache config that matches the certbot certificates results earlier.

Once you change these paths run: `a2ensite biuk-le-ssl`
Do not restart Apache yet.

Let me know when that is all done. I will start working on the next step.
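One way to catch every dangling path of this kind in one pass, before touching Apache, is to cross-check each enabled vhost's SSL directives against the files certbot still has. This is an added example, not code from the thread or from Certbot; the directory names, the `-0001` lineage suffix it strips, and the sample data are assumptions.

```python
"""Find Apache SSL directives that point at cert files certbot no longer has
(e.g. a deleted '<domain>-0001' lineage). Added example, not from the thread."""
import os
import re

DIRECTIVE_RE = re.compile(r"^\s*(SSLCertificate(?:Key)?File)\s+(\S+)", re.M | re.I)
LINEAGE_SUFFIX_RE = re.compile(r"^(.*/live/[^/]+?)-\d{4}(/[^/]+)$")  # '<name>-0001'

def find_dangling_cert_refs(configs, exists):
    """configs: {conf_path: text}; exists(path) -> bool. Returns [(conf_path,
    directive, missing_path, fix)], fix = path minus '-NNNN' if that file exists."""
    problems = []
    for conf, text in sorted(configs.items()):  # '# SSL...' comment lines never match
        for directive, path in DIRECTIVE_RE.findall(text):
            if exists(path):
                continue
            m = LINEAGE_SUFFIX_RE.match(path)
            fix = m.group(1) + m.group(2) if m else None
            problems.append((conf, directive, path, fix if fix and exists(fix) else None))
    return problems

def load_enabled_configs(d="/etc/apache2/sites-enabled"):
    """Read every *.conf Apache will actually load (symlinks included)."""
    return {os.path.join(d, n): open(os.path.join(d, n)).read()
            for n in sorted(os.listdir(d)) if n.endswith(".conf")}

def file_present(path):  # Apache's own test: the file exists and is non-empty
    return os.path.isfile(path) and os.path.getsize(path) > 0

# Constructed sample mirroring the thread: biuk-le-ssl.conf still names the
# deleted '-0001' lineage while certbot now only has 'blijf-in-uw-kot.be'.
SAMPLE_CONFIGS = {
    "/etc/apache2/sites-enabled/biuk-le-ssl.conf":
        "SSLCertificateFile /etc/letsencrypt/live/blijf-in-uw-kot.be-0001/fullchain.pem\n"
        "SSLCertificateKeyFile /etc/letsencrypt/live/blijf-in-uw-kot.be-0001/privkey.pem\n",
    "/etc/apache2/sites-enabled/keith-ssl.conf":
        "SSLCertificateFile /etc/letsencrypt/live/keith.be/fullchain.pem\n",
}
SAMPLE_LIVE = {"/etc/letsencrypt/live/blijf-in-uw-kot.be/fullchain.pem",
               "/etc/letsencrypt/live/blijf-in-uw-kot.be/privkey.pem",
               "/etc/letsencrypt/live/keith.be/fullchain.pem"}

if __name__ == "__main__":
    try:  # real host when the Apache tree exists, otherwise the sample above
        problems = find_dangling_cert_refs(load_enabled_configs(), file_present)
    except OSError:
        problems = find_dangling_cert_refs(SAMPLE_CONFIGS, SAMPLE_LIVE.__contains__)
    for conf, directive, path, fix in problems:
        print(f"{conf}: {directive} {path} missing" + (f" -> use {fix}" if fix else ""))
    raise SystemExit(1 if problems else 0)
```

A non-zero exit means `apachectl -t` would fail the same way the keith-ssl.conf error above did, so run it before any restart.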

Next one is keith. What are the contents of this:
```
/etc/apache2/sites-available/keith-ssl.conf
```

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # Comment here

        ServerName keith.be
        ServerAlias www.keith.be

        WSGIScriptAlias / /var/www/keith/application/join.wsgi

        <Directory /var/www/keith/application>
                options FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>


        # Comment here

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Comment here

RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =keith.be [OR]
# RewriteCond %{SERVER_NAME} =www.keith.be
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/keith.be/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/keith.be/privkey.pem
</VirtualHost>
</IfModule>
```