Questions about Renewing before TLS-ALPN-01 Revocations

If rebooting the server with Apache did not help, then your Apache config still refers to your old cert. You need to update it to use your new certificate.

3 Likes
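One way to verify the point above (that the web server is still presenting the old certificate rather than the file the ACME client just renewed), as an added example that is not part of this thread and not code from certbot, bncert-tool or Apache: it fetches the leaf certificate the host actually serves and compares its SHA-256 fingerprint with the first certificate in the renewed chain file. The host name and chain path are assumptions passed on the command line; for certbot the chain is normally /etc/letsencrypt/live/<domain>/fullchain.pem, and bncert-tool writes to a different location. The test data below is constructed, not a real certificate.

```python
"""Compare the certificate a live host presents with a renewed chain file.

Added example for this thread, not code from certbot, bncert-tool or Apache.
Assumes the host listens for TLS on the given port and that the chain file is
a PEM bundle whose first certificate is the leaf (as in certbot's fullchain.pem).
"""
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used for the peer certificate and in tests)."""
    return ssl.DER_cert_to_PEM_cert(der)


def leaf_pem(chain_pem: str) -> str:
    """Return the first certificate block of a PEM bundle: the leaf."""
    start = chain_pem.index(PEM_BEGIN)
    end = chain_pem.index(PEM_END, start) + len(PEM_END)
    return chain_pem[start:end]


def fingerprint(pem: str) -> str:
    """SHA-256 fingerprint in the colon-separated form that
    `openssl x509 -noout -fingerprint -sha256` prints."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def served_leaf_pem(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the leaf certificate the server presents for `host` (sent as SNI).
    Verification is disabled deliberately: an expired or revoked certificate
    is exactly what we want to see here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return pem_from_der(der)


def compare(served_pem: str, chain_pem: str) -> dict:
    """Report whether the served leaf is the leaf of the on-disk chain."""
    served_fp = fingerprint(leaf_pem(served_pem))
    disk_fp = fingerprint(leaf_pem(chain_pem))
    return {"served": served_fp, "on_disk": disk_fp, "match": served_fp == disk_fp}


if __name__ == "__main__":
    # Example (assumed paths): python3 check_served_cert.py www.example.com \
    #     /etc/letsencrypt/live/www.example.com/fullchain.pem
    host, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="ascii") as f:
        result = compare(served_leaf_pem(host), f.read())
    print(f"served : {result['served']}")
    print(f"on disk: {result['on_disk']}")
    if result["match"]:
        print("OK: the server presents the renewed certificate")
    else:
        print("MISMATCH: the server presents a different certificate; "
              "check the SSLCertificateFile path in the Apache config and reload Apache")
    sys.exit(0 if result["match"] else 1)
```

If the two fingerprints differ, the server process is still loading another file (or was never reloaded after the renewal). If they match but the browser still reports SEC_ERROR_REVOKED_CERTIFICATE, the file on disk is itself the revoked certificate and the ACME client did not actually obtain a new one, which is the crt.sh check suggested later in this thread.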

Thanks - any instructions or tutorials on how to do that would be great. Could it be something with this error and any way to fix that?

[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.

Hi, I have renewed the certificate using the command
sudo /opt/bitnami/bncert-tool
Even now, when I check the website in the Mozilla Firefox browser I get this error: "SEC_ERROR_REVOKED_CERTIFICATE".
As per your guidelines, I have renewed the certificate, but why does the error still persist? My website domain name is www.srpointofsale.com

2 Likes

Was that successful? I'm asking because I don't see a recent certificate on crt.sh: https://crt.sh/?Identity=srpointofsale.com&deduplicate=Y

For very specific issues and troubles, it's probably a good idea to open a new thread in the Help section and answer all the questions from the questionnaire when you start the new thread. Same probably goes for @bz2086.

4 Likes

I just used
sudo /opt/bitnami/bncert-tool
Can you please guide me if there is any other way to renew the certificate?

1 Like

Please open a new thread in the #help section and we'll see from there. Looks like your issue, with the very sparse information we're getting, will take a few hundred posts or so.

3 Likes

That's a Bitnami question.
LE has already provided two (wildcard) certs today:
crt.sh | danyasdecor.com

3 Likes

I checked your site... how did you get it working?

How do you use the wildcard certs? (I'm on a Bitnami AWS PrestaShop AMI.)

3 posts were split to a new topic: Bitnami + GCP missed renewal

Regarding your statement @mholt, we've learned from here that we can't rely on the renewal process with Caddy release 2.4.6. It's too slow to mitigate the issue of already revoked certificates.

We expected that the renewal would be started as soon as the certificates were revoked, or at least in time, with at most a 1-2 hour delay. But this is not what we have observed. Many revoked certificates have not been renewed up to now (with the default automatic HTTPS configuration using site addresses in the Caddyfile).

Also the workaround noted there

delete the certificate from Caddy’s storage, then reload Caddy

could also make us run into the Let's Encrypt API rate limit for Certificates per Registered Domain, because it does not renew but issues new certificates.

A bit frustrating and unexpected, but nevertheless, Caddy is still our choice of web server.

A renewal is just a brand new certificate with the same set of hostnames compared to a previously issued certificate. This is all determined server-side at Let's Encrypt. From the point of view of a client such as Caddy, all renewals are just brand new issued certificates. There is no "flag" or "option" in the ACME protocol that registers an order for a new certificate as renewal or not.

3 Likes

Thank you for clarification about the certificate renewal!

A renewal is just a brand new certificate with the same set of hostnames compared to a previously issued certificate. This is all determined server-side at Let's Encrypt.

May we assume that in the event of

  1. deleting the certificates to force the ACME client to get new ones
  2. AND using the same Let's Encrypt account

it won't count against the Certificates per Registered Domain (50 per week) limit?

1 Like

IF Caddy somehow issues certificates with the exact same set of hostnames as previously issued certificates: yes.

However, if deleting all the certificates from Caddy makes Caddy issue certificates with randomly selected hostnames, so that the set of hostnames in a certificate is different from previously issued certificates, then NO.

Ideally, an ACME client has the capability to force a renewal for exactly this reason, or at least to renew an already revoked certificate. There should be no need to delete all certificates first. But not everything is ideal, of course, unfortunately.

3 Likes
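To make the two replies above concrete, here is an added example (not Let's Encrypt's or Caddy's code) that models the server-side decision: an order is a renewal exactly when some earlier certificate had the identical set of hostnames, regardless of which account or ACME client requested it. The limit values are Let's Encrypt's published ones at the time of this thread: 50 certificates per registered domain per week, from which renewals are exempt, and 5 duplicate certificates (same exact name set) per week, which is the limit that repeated delete-and-reissue cycles run into instead. registered_domain() is a simplification that takes the last two labels; the real service uses the Public Suffix List. The issuance history is constructed for the example.

```python
"""Model of how an ACME CA such as Let's Encrypt classifies an order as a
renewal for rate-limit purposes: purely by comparing the exact hostname set
with previously issued certificates. There is no renewal flag in ACME.

Added example, not Let's Encrypt's or Caddy's code. Limits are the published
Let's Encrypt values as of early 2022; registered_domain() is simplified
(real service: Public Suffix List). The history below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)
PER_REGISTERED_DOMAIN_LIMIT = 50   # new (non-renewal) certs per registered domain per week
DUPLICATE_LIMIT = 5                # certs with the identical name set per week

NOW = datetime(2022, 1, 28, 12, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass(frozen=True)
class Issued:
    issued_at: datetime
    names: frozenset


def normalize(names):
    """Name sets are compared case-insensitively and without trailing dots."""
    return frozenset(n.strip().rstrip(".").lower() for n in names)


def registered_domain(name):
    """Simplified: last two labels. Let's Encrypt uses the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def is_renewal(names, history):
    """An order is a renewal if ANY earlier certificate had exactly this set."""
    wanted = normalize(names)
    return any(c.names == wanted for c in history)


def order_status(names, history, now):
    """Classify a new order against the issuance history and both limits."""
    wanted = normalize(names)
    renewal = is_renewal(wanted, history)
    recent = [c for c in history if now - c.issued_at < WEEK]

    # Duplicate Certificate limit: identical name sets issued within the week.
    duplicates = sum(1 for c in recent if c.names == wanted)

    # Certificates per Registered Domain: only non-renewals count. A historical
    # certificate was a non-renewal if it was the first with its name set.
    first_seen = {}
    for c in sorted(history, key=lambda c: c.issued_at):
        first_seen.setdefault(c.names, c)
    per_rd = {}
    for c in recent:
        if first_seen[c.names] is not c:
            continue  # that certificate was itself a renewal: exempt
        for rd in {registered_domain(n) for n in c.names}:
            per_rd[rd] = per_rd.get(rd, 0) + 1

    if renewal:
        allowed = duplicates < DUPLICATE_LIMIT
    else:
        touched = {registered_domain(n) for n in wanted}
        allowed = all(per_rd.get(rd, 0) < PER_REGISTERED_DOMAIN_LIMIT for rd in touched)
    return {"renewal": renewal, "duplicates_this_week": duplicates,
            "new_certs_this_week": per_rd, "allowed": allowed}


def sample_history():
    """Constructed: two single-name certs issued a month ago (as Caddy does per
    site address), then both replaced yesterday after the revocation."""
    return [
        Issued(NOW - timedelta(days=30), frozenset({"a.example.com"})),
        Issued(NOW - timedelta(days=30), frozenset({"b.example.com"})),
        Issued(NOW - timedelta(days=1), frozenset({"a.example.com"})),
        Issued(NOW - timedelta(days=1), frozenset({"b.example.com"})),
    ]


if __name__ == "__main__":
    h = sample_history()
    print(order_status(["A.example.com."], h, NOW))            # renewal, exempt from 50/week
    print(order_status(["a.example.com", "b.example.com"], h, NOW))  # new name set: counts
```

With Caddy's default of one certificate per site address, deleting the stored certificates and reloading reproduces the same single-name sets, so for the 50-per-registered-domain limit those are renewals and do not count; what they do consume is the 5 duplicates per week for each name, which is why repeated forced reissues of the same certificate fail before the per-domain limit is ever reached. Only a client that regroups names into different sets, as the reply above warns, produces new, non-renewal certificates that count toward the 50.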

I believe this was the solution for renewing certificates on a much much older version of Caddy. Please read the docs to see the recommended way today.

3 Likes

I believe this was the solution for renewing certificates on a much much older version of Caddy. Please read the docs to see the recommended way today.

I thought so too, but please have a look at Let's Encrypt Certificate revoked but not renewed (as referenced in this thread).

@rconrad What's in your Caddy logs? No one who has reported this behavior has showed us their logs, so we can only guess without them.

Completely new to this and not sure which steps to take to renew our certificate.

Site: chat.bioangels.net
Installed a Rocket.Chat server with a Snap and created an SSL with Caddy and Let's Encrypt.

I checked the online database and our site was affected. But I'm not sure how to renew our certificate or where our certificates are even located (or which version of Caddy I am using).

OS: Ubuntu 20.04
Hosted by Digital Ocean

@mholt

What's in your Caddy logs? No one who has reported this behavior has showed us their logs, so we can only guess without them.

Because we haven't seen any logs with an indication about the OCSP issue.

Except, of course, where the renewals worked, with the tls.cache.maintenance event

OCSP status for managed certificate is REVOKED; attempting to replace with new certificate

But even assuming that the OCSP cache could be the reason, we deleted $XDG_DATA_HOME/caddy/ocsp and restarted Caddy without success.

One presumably could build a test case with a manual certificate revocation and measure / debug the issue easily.

Interesting. We were 'unaffected' per the tool LE created, but the cert is revoked and we needed to triage. FYI.