Reinstalling an expired cert not successful

I installed 'certbot-auto' some years ago, when I got started using letsencrypt. I was reading up all the posts and instructions from letsencrypt site at that time and followed the instructions to install 'certbot-auto'. And it has been working for me to renew certs for around 2 years.

Please focus on my requests:

And understand this:

It's almost 3am here - please don't waste time.

1 Like

# ls -l /etc/httpd/sites-available/
total 44
-rw-r--r-- 1 root root 873 May 10 16:02 ch0101.planchurch.com-le-ssl.conf
-rw-r--r-- 1 root root 427 Feb 12 2020 ch0101.planchurch.com.conf
-rw-r--r-- 1 root root 381 Feb 12 2020 tcc.planchurch.com.conf

# ls -l /etc/httpd/sites-enabled/
total 0
lrwxrwxrwx 1 root root 53 Aug 10 2018 ch0101.plnchurch.com.conf -> /etc/httpd/sites-available/ch0101.planchurch.com.conf
lrwxrwxrwx 1 root root 50 Feb 12 2020 tcc.planchurch.com.conf -> /etc/httpd/sites-available/tcc.planchurch.com.conf

It seems the tcc.planchurch.com-le-ssl.conf file has been deleted.
Let's see if certbot can rebuild that for you, with:
certbot --reinstall

Walk through the prompts, choose:

  • Apache Web Server plugin (apache)
  • tcc.planchurch.com
  • Redirect
1 Like

certbot --reinstall

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: ch0101.planchurch.com
2: tcc.planchurch.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Attempting to parse the version 1.10.1 renewal configuration file found at /etc/letsencrypt/renewal/ch0101.planchurch.com.conf with version 0.35.1 of Certbot. This might not work.
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: tcc.planchurch.com: see Rate Limits - Let's Encrypt
Please see the logfiles in /var/log/letsencrypt for more details.

OK that certbot version is rather old.

Please show the files:
cat /etc/httpd/sites-enabled/tcc.planchurch.com.conf
cat /etc/httpd/sites-available/ch0101.planchurch.com-le-ssl.conf

[I'm going to have to make the file by hand]

1 Like

# cat /etc/httpd/sites-enabled/tcc.planchurch.com.conf

<VirtualHost *:80>
    ServerName tcc.planchurch.com
    DocumentRoot /var/www/tcc.planchurch.com/public_html
    ErrorLog /var/www/tcc.planchurch.com/error.log
    CustomLog /var/www/tcc.planchurch.com/requests.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =tcc.planchurch.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# cat /etc/httpd/sites-available/ch0101.planchurch.com-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>

    ServerName ch0101.planchurch.com
#    Server Alias planchurch.com
    DocumentRoot /var/www/ch0101.planchurch.com/public_html
    ErrorLog /var/www/ch0101.planchurch.com/error.log
    CustomLog /var/www/ch0101.planchurch.com/requests.log combined

RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =ch0101.planchurch.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
SSLCertificateFile /etc/letsencrypt/live/ch0101.planchurch.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/ch0101.planchurch.com/chain.pem
</VirtualHost>
</IfModule>

Ok I'm going to need to do more than I thought.

Do these three lines as one command:

certbot certonly --webroot \
-w /var/www/tcc.planchurch.com/public_html -d tcc.planchurch.com \
-w /var/www/ch0101.planchurch.com/public_html -d ch0101.planchurch.com

1 Like

certbot certonly --webroot \
-w /var/www/tcc.planchurch.com/public_html -d tcc.planchurch.com \
-w /var/www/ch0101.planchurch.com/public_html -d ch0101.planchurch.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to parse the version 1.10.1 renewal configuration file found at /etc/letsencrypt/renewal/ch0101.planchurch.com.conf with version 0.35.1 of Certbot. This might not work.


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/ch0101.planchurch.com.conf)

It contains these names: ch0101.planchurch.com

You requested these names for the new certificate: tcc.planchurch.com,
ch0101.planchurch.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/ch0101.planchurch.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem
    Your cert will expire on 2022-08-11. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Progress!

Do you know how to edit a file?
Do you know how to create a new file?

1 Like

Yes, I know how to edit and create a new file.

The simplest is to edit file:
/etc/httpd/sites-enabled/tcc.planchurch.com.conf
and update the contents to:

<VirtualHost *:80>
  ServerName tcc.planchurch.com
  DocumentRoot /var/www/tcc.planchurch.com/public_html
  ErrorLog /var/www/tcc.planchurch.com/error.log
  CustomLog /var/www/tcc.planchurch.com/requests.log combined
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =tcc.planchurch.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
  ServerName tcc.planchurch.com
  DocumentRoot /var/www/tcc.planchurch.com/public_html
  ErrorLog /var/www/tcc.planchurch.com/error.log
  CustomLog /var/www/tcc.planchurch.com/requests.log combined
  SSLCertificateFile /etc/letsencrypt/live/ch0101.planchurch.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/ch0101.planchurch.com/chain.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Otherwise, you can create a new file:
/etc/httpd/sites-available/tcc.planchurch.com-le-ssl.conf
with just:

<VirtualHost *:443>
  ServerName tcc.planchurch.com
  DocumentRoot /var/www/tcc.planchurch.com/public_html
  ErrorLog /var/www/tcc.planchurch.com/error.log
  CustomLog /var/www/tcc.planchurch.com/requests.log combined
  SSLCertificateFile /etc/letsencrypt/live/ch0101.planchurch.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/ch0101.planchurch.com/chain.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

and then include that file into the main apache config file.

In either case, you will need to restart or reload Apache to use the new file and cert.

1 Like

Am I correct to understand that your steps have 'expanded' the cert for ch0101.planchurch.com to 'include' the cert for 'tcc.planchurch.com' ?

Will this get around the limitation of my exceeding the 5 count to issue cert for the domain 'tcc.planchurch.com' ?

Let's confirm our action, with:
certbot certificates

It is a very old version of Apache and certbot, so I'm not 100% certain.

1 Like

Is there any possibility of 'resetting' the 'count' at letsencrypt server so that I can get a new cert issued specifically for 'tcc.planchurch.com'?

No such thing.
Only time can clear that limit.

1 Like

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: ch0101.planchurch.com
Domains: tcc.planchurch.com ch0101.planchurch.com
Expiry Date: 2022-08-11 06:27:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ch0101.planchurch.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem


OK so there is one cert now with both names on it.
We can split those up next week.

1 Like
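The check the steps above rely on, as an added example that is not part of the original thread: every name served on port 80 should also have a :443 vhost, and that vhost's SSLCertificateFile should point at a certbot lineage whose Domains line lists the name. The inputs are constructed samples modelled on the `certbot certificates` output and vhost config quoted above; the function names are hypothetical.

```python
import re
# Constructed sample inputs, modelled on the output and config shown in the thread.
CERTBOT_OUTPUT = """\
  Certificate Name: ch0101.planchurch.com
    Domains: tcc.planchurch.com ch0101.planchurch.com
"""
APACHE_CONF = """\
<VirtualHost *:80>
  ServerName tcc.planchurch.com
</VirtualHost>
<VirtualHost *:443>
  ServerName tcc.planchurch.com
  SSLCertificateFile /etc/letsencrypt/live/ch0101.planchurch.com/cert.pem
</VirtualHost>
"""

def parse_lineages(text):
    """Map certbot lineage name -> set of domains, from `certbot certificates` output."""
    lineages, name = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            name = value
        elif key == "Domains" and name:
            lineages[name] = set(value.split())
    return lineages

def parse_vhosts(conf):
    """Yield (port, ServerName, SSLCertificateFile or None) per <VirtualHost> block."""
    for port, body in re.findall(r"<VirtualHost [^:>]*:(\d+)>(.*?)</VirtualHost>", conf, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)  # skips '#' comment lines
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        yield int(port), name.group(1) if name else None, cert.group(1) if cert else None

def audit(conf, certbot_text):
    """List names lacking a :443 vhost or a covering cert (ServerAlias/wildcards ignored)."""
    lineages, findings, vhosts = parse_lineages(certbot_text), [], list(parse_vhosts(conf))
    tls_names = {n for p, n, _ in vhosts if p == 443}
    for port, name, cert in vhosts:
        if port == 80 and name not in tls_names:
            findings.append(f"{name}: no :443 vhost")
        if port == 443:
            # Assumes the cert path lives under certbot's /etc/letsencrypt/live/<lineage>/
            m = re.match(r"/etc/letsencrypt/live/([^/]+)/", cert or "")
            if not m or name not in lineages.get(m.group(1), set()):
                findings.append(f"{name}: {cert} does not cover this name")
    return findings

if __name__ == "__main__":
    print(audit(APACHE_CONF, CERTBOT_OUTPUT) or "every HTTPS vhost is covered")
```

An empty result only says the files are consistent with each other; Apache still has to load the file and be reloaded before the new certificate is served.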

Understood. Let me proceed to edit the files as per your instruction.

I have completed the steps following your instruction.
Browsing to the url tcc.planchurch.com still is insecure.
Any further advice?

I realise you are staying awake to help. It is probably 4 am now for you.
If more time is needed to debug, suggest you get some sleep and we can continue when you wake up.

1 Like