Problems renewing Let's Encrypt Certificate

Alright. Give me a minute to check them


Looks fairly good. You should enable the HTTP (port 80) config for keith to match its HTTPS config. So, do: a2ensite keith

Then, go ahead and restart Apache! Let me know when it's done and I will help evaluate the sites.


THEY ALL WORK! :slight_smile:


How can I thank you?


You just did :slight_smile:

I agree sites look good. Your HTTP redirect to HTTPS and all the certs are current and correct.

Your first post showed using a --manual method to get a cert. You are using a DNS Challenge to get your wildcards. You will have to renew these manually using the same command because certbot cannot auto-renew --manual.

I would like to fix the cert name and file names for nietmetmij.be to get rid of that -0001 in the name. This might cause problems the next time you renew that cert.


These are my test / play / develop - sites! (on vectrex.be you can play all the Classic Vectrex-games, assembler code in the browser)

But yes, I tried that by renaming the folder and altering the nietmetmij-le-ssl.conf file, but renaming the folder was a bad idea; I guess the nietmetmij-le-ssl.conf was emptied after that..

Sorry to interrupt, but a question..
In the future, how could I update the SSL files? (and can it be done automatically?)
The first time, I just copied over the command, and then deleting and doing it again worked for a couple of times, but I understand now that deleting is a bad idea..


Your Apache config files are just edited like any other file. I have no guesses as to how those were zeroed out.

The apache config files should not need updating for the certs anymore. It looks like you re-arranged your certs considerably but did not update the related apache config files. We just did that.

If you maintain your certs the same way you should not have to update the apache ssl config files anymore.

That said, there might be a problem with nietmetmij and we should look at that. I assume you are doing them all the same so get a new cert like this

sudo certbot certonly --manual --agree-tos --preferred-challenges dns -d nietmetmij.be -d *.nietmetmij.be

Then, show result of

sudo certbot certificates

Do not restart apache or change any apache config file. Just run the two certbot commands


I can't do this anymore,
I have to choose:
2: Renew & replace the cert (limit ~5 per 7 days)

and if I choose 2, I get an error that I already used my 5 renewals

OK. That might be fine then. I didn't think certbot would reuse the -0001 name and that it would create a new one without the -0001. But, that looks like it will reuse it so that's ok.

Just to be sure, I'd like to see the contents of this:

/etc/letsencrypt/renewal/nietmetmij.be.conf

it is

/etc/letsencrypt/renewal/nietmetmij-0001.be.conf

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/nietmetmij.be-0001
cert = /etc/letsencrypt/live/nietmetmij.be-0001/cert.pem
privkey = /etc/letsencrypt/live/nietmetmij.be-0001/privkey.pem
chain = /etc/letsencrypt/live/nietmetmij.be-0001/chain.pem
fullchain = /etc/letsencrypt/live/nietmetmij.be-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = c705ebd7a2a77942c45220ca7fc013ce
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

OK, I think it's fine. Just monitor your renewal dates and renew manually.

Yes, automation is possible. For the DNS Challenge you need a certbot DNS plug-in that supports your DNS provider (see the certbot docs). Or, switch to a different ACME client (like acme.sh) which supports many more DNS APIs. That takes some learning and changes to your apache configs.

You are using a wildcard cert so you need the DNS Challenge. But, if you didn't need a wildcard you could have used the HTTP Challenge, which is fairly easy to automate. I don't have time to help with that today. Maybe someone else will help, or review the certbot docs.

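As an added example (not from this thread, and not certbot's own code): a small Python script that parses `certbot certificates` output together with the `/etc/letsencrypt/renewal/*.conf` files, and flags lineages issued with `--manual` that are approaching expiry, since `certbot renew` skips those. The certbot output and renewal configs below are constructed samples in the shape of the ones shown in the thread; the account id is a placeholder.

```python
import configparser
import re

# Constructed sample of `certbot certificates` output (not real output).
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: nietmetmij.be-0001
    Domains: nietmetmij.be *.nietmetmij.be
    Expiry Date: 2024-03-01 10:00:00+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/nietmetmij.be-0001/fullchain.pem
  Certificate Name: vectrex.be
    Domains: vectrex.be www.vectrex.be
    Expiry Date: 2024-05-01 10:00:00+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/vectrex.be/fullchain.pem
"""

# Constructed renewal configs keyed by cert name, in the shape of
# /etc/letsencrypt/renewal/<name>.conf (account id is a placeholder).
RENEWAL_CONFS = {
    "nietmetmij.be-0001": "# renew_before_expiry = 30 days\nversion = 0.40.0\n"
                          "[renewalparams]\naccount = PLACEHOLDER\n"
                          "pref_challs = dns-01,\nauthenticator = manual\n",
    "vectrex.be": "version = 0.40.0\n[renewalparams]\naccount = PLACEHOLDER\n"
                  "authenticator = apache\ninstaller = apache\n",
}

def parse_certbot_certificates(text):
    """Map cert name -> days until expiry; anything not VALID counts as 0."""
    certs, name = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name: (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*Expiry Date: .*\((?:VALID: (\d+) days|INVALID: .*)\)", line)
        if m and name:
            certs[name] = int(m.group(1) or 0)
    return certs

def is_manual(conf_text):
    """True when the lineage was issued with --manual, which certbot cannot auto-renew."""
    cp = configparser.ConfigParser()
    cp.read_string("[lineage]\n" + conf_text)  # top-level keys have no section header
    return cp.get("renewalparams", "authenticator", fallback="") == "manual"

def renewal_report(certbot_output, renewal_confs, warn_days=30):
    """Return [(name, days_left, 'manual'|'auto')] for certs expiring within warn_days."""
    report = []
    for name, days in parse_certbot_certificates(certbot_output).items():
        if days <= warn_days:
            mode = "manual" if is_manual(renewal_confs.get(name, "")) else "auto"
            report.append((name, days, mode))
    return report

if __name__ == "__main__":
    for name, days, mode in renewal_report(CERTBOT_OUTPUT, RENEWAL_CONFS):
        print(f"{name}: {days} days left, renewal is {mode}")
```

On a real host, feed it the output of `sudo certbot certificates` and the contents of each renewal conf; a cron job or timer that runs it and mails the "manual" lines is enough to avoid missing a wildcard renewal.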

Hey man, you did more than enough, thanks again, and I'll try to add some likes,
because your respect-level on this forum looks too low for what you do for people!

Thanks again, I hope I can give some help in return in the future.

