I installed 'certbot-auto' some years ago, when I got started using letsencrypt. I was reading up on all the posts and instructions from the letsencrypt site at that time and followed the instructions to install 'certbot-auto'. And it has been working for me to renew certs for around 2 years.
Please focus on my requests:
And understand this:
It's almost 3am here - please don't waste time.
# ls -l /etc/httpd/sites-available/
total 44
-rw-r--r-- 1 root root 873 May 10 16:02 ch0101.planchurch.com-le-ssl.conf
-rw-r--r-- 1 root root 427 Feb 12 2020 ch0101.planchurch.com.conf
-rw-r--r-- 1 root root 381 Feb 12 2020 tcc.planchurch.com.conf
# ls -l /etc/httpd/sites-enabled/
total 0
lrwxrwxrwx 1 root root 53 Aug 10 2018 ch0101.plnchurch.com.conf -> /etc/httpd/sites-available/ch0101.planchurch.com.conf
lrwxrwxrwx 1 root root 50 Feb 12 2020 tcc.planchurch.com.conf -> /etc/httpd/sites-available/tcc.planchurch.com.conf
It seems the tcc.planchurch.com-le-ssl.conf file has been deleted.
Let's see if certbot can rebuild that for you, with:
certbot --reinstall
Walk through the prompts, choose:
- Apache Web Server plugin (apache)
- tcc.planchurch.com
- Redirect
certbot --reinstall
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Which names would you like to activate HTTPS for?
1: ch0101.planchurch.com
2: tcc.planchurch.com
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Attempting to parse the version 1.10.1 renewal configuration file found at /etc/letsencrypt/renewal/ch0101.planchurch.com.conf with version 0.35.1 of Certbot. This might not work.
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: tcc.planchurch.com: see Rate Limits - Let's Encrypt
Please see the logfiles in /var/log/letsencrypt for more details.
OK that certbot version is rather old.
Please show the files:
cat /etc/httpd/sites-enabled/tcc.planchurch.com.conf
cat /etc/httpd/sites-available/ch0101.planchurch.com-le-ssl.conf
[I'm going to have to make the file by hand]
# cat /etc/httpd/sites-enabled/tcc.planchurch.com.conf
<VirtualHost *:80>
ServerName tcc.planchurch.com
DocumentRoot /var/www/tcc.planchurch.com/public_html
ErrorLog /var/www/tcc.planchurch.com/error.log
CustomLog /var/www/tcc.planchurch.com/requests.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =tcc.planchurch.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
# cat /etc/httpd/sites-available/ch0101.planchurch.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName ch0101.planchurch.com
# Server Alias planchurch.com
DocumentRoot /var/www/ch0101.planchurch.com/public_html
ErrorLog /var/www/ch0101.planchurch.com/error.log
CustomLog /var/www/ch0101.planchurch.com/requests.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
# RewriteCond %{SERVER_NAME} =ch0101.planchurch.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
SSLCertificateFile /etc/letsencrypt/live/ch0101.planchurch.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/ch0101.planchurch.com/chain.pem
</VirtualHost>
</IfModule>
Ok I'm going to need to do more than I thought.
Do these three lines as one command:
certbot certonly --webroot \
-w /var/www/tcc.planchurch.com/public_html -d tcc.planchurch.com \
-w /var/www/ch0101.planchurch.com/public_html -d ch0101.planchurch.com
certbot certonly --webroot \
-w /var/www/tcc.planchurch.com/public_html -d tcc.planchurch.com
-w /var/www/ch0101.planchurch.com/public_html -d ch0101.planchurch.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to parse the version 1.10.1 renewal configuration file found at /etc/letsencrypt/renewal/ch0101.planchurch.com.conf with version 0.35.1 of Certbot. This might not work.
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/ch0101.planchurch.com.conf)
It contains these names: ch0101.planchurch.com
You requested these names for the new certificate: tcc.planchurch.com,
ch0101.planchurch.com.
Do you want to expand and replace this existing certificate with the new
certificate?
(E)xpand/(C)ancel: e
Renewing an existing certificate
IMPORTANT NOTES:
-
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ch0101.planchurch.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem
Your cert will expire on 2022-08-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew" -
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation
Progress!
Do you know how to edit a file?
Do you know how to create a new file?
Yes. I know how to edit and create a new file.
The simplest is to edit file:
/etc/httpd/sites-enabled/tcc.planchurch.com.conf
and update the contents to:
<VirtualHost *:80>
ServerName tcc.planchurch.com
DocumentRoot /var/www/tcc.planchurch.com/public_html
ErrorLog /var/www/tcc.planchurch.com/error.log
CustomLog /var/www/tcc.planchurch.com/requests.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =tcc.planchurch.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName tcc.planchurch.com
DocumentRoot /var/www/tcc.planchurch.com/public_html
ErrorLog /var/www/tcc.planchurch.com/error.log
CustomLog /var/www/tcc.planchurch.com/requests.log combined
SSLCertificateFile /etc/letsencrypt/live/ch0101.planchurch.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ch0101.planchurch.com/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
Otherwise, you can create a new file:
/etc/httpd/sites-available/tcc.planchurch.com-le-ssl.conf
with just:
<VirtualHost *:443>
ServerName tcc.planchurch.com
DocumentRoot /var/www/tcc.planchurch.com/public_html
ErrorLog /var/www/tcc.planchurch.com/error.log
CustomLog /var/www/tcc.planchurch.com/requests.log combined
SSLCertificateFile /etc/letsencrypt/live/ch0101.planchurch.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/ch0101.planchurch.com/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
and then include that file into the main apache config file.
In either case, you will need to restart or reload Apache to use the new file and cert.
Am I correct to understand that your steps have 'expanded' the cert for ch0101.planchurch.com to 'include' the cert for 'tcc.planchurch.com'?
Will this get around the limitation of my exceeding the 5 count to issue cert for the domain 'tcc.planchurch.com'?
Let's confirm our action, with:
certbot certificates
It is a very old version of Apache and certbot, so I'm not 100% certain.
Is there any possibility of 'resetting' the 'count' at letsencrypt server so that I can get a new cert issued specifically for 'tcc.planchurch.com'?
No such thing.
Only time can clear that limit.
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: ch0101.planchurch.com
Domains: tcc.planchurch.com ch0101.planchurch.com
Expiry Date: 2022-08-11 06:27:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ch0101.planchurch.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ch0101.planchurch.com/privkey.pem
OK so there is one cert now with both names on it.
We can split those up next week.
Understood. Let me proceed to edit the files as per your instruction.
I have completed the steps following your instruction.
Browsing to the url tcc.planchurch.com still is insecure.
Any further advice?
I realise you are staying awake to help. It is probably 4 am for you now.
If more time is needed to debug, suggest you get some sleep and we can continue when you wake up.
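Added example, not part of the thread and not from any participant: a shell check that lists every ServerName which has a `<VirtualHost *:80>` block but no `<VirtualHost *:443>` block among the config files in one directory, which is the situation the thread describes for tcc.planchurch.com. It assumes Apache only loads the files linked into the directory you pass (for example `/etc/httpd/sites-enabled`); the function names, the `demo` layout and the `example.test` hostnames are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report ServerNames that have a
# <VirtualHost *:80> block but no <VirtualHost *:443> block in a directory of
# enabled Apache config files (symlinks are followed, dangling ones skipped).
# Assumption: Apache loads only the *.conf files found in that directory.

# vhost_names DIR PORT: print the ServerName of every *:PORT vhost in DIR/*.conf
vhost_names() {
    for f in "$1"/*.conf; do
        if [ -r "$f" ]; then
            awk -v port="$2" '
                /^[ \t]*<VirtualHost[ \t]/ { inblk = ($0 ~ (":" port ">")) }
                /^[ \t]*<\/VirtualHost>/   { inblk = 0 }
                inblk && tolower($1) == "servername" { print $2 }
            ' "$f"
        fi
    done | sort -u
}

# missing_https DIR: names served on port 80 that no port 443 vhost covers
missing_https() {
    https=$(vhost_names "$1" 443)
    for name in $(vhost_names "$1" 80); do
        printf '%s\n' "$https" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# demo: constructed layout; a.example.test has both vhosts, b.example.test
# only has the port 80 redirect vhost enabled (hostnames and paths are made up)
demo() {
    d=$(mktemp -d)
    mkdir "$d/avail" "$d/enabled"
    printf '%s\n' '<VirtualHost *:80>' 'ServerName a.example.test' \
        '</VirtualHost>' '<VirtualHost *:443>' 'ServerName a.example.test' \
        '</VirtualHost>' > "$d/avail/a.conf"
    printf '%s\n' '<VirtualHost *:80>' 'ServerName b.example.test' \
        '</VirtualHost>' > "$d/avail/b.conf"
    # exists in avail but is never linked into enabled, so it is not counted
    printf '%s\n' '<VirtualHost *:443>' 'ServerName b.example.test' \
        '</VirtualHost>' > "$d/avail/b-le-ssl.conf"
    ln -s "$d/avail/a.conf" "$d/avail/b.conf" "$d/enabled/"
    missing_https "$d/enabled"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; elif [ -n "${1:-}" ]; then missing_https "$1"; fi
```

Run it with `demo` as the argument to see the constructed case, or with a directory path to check real files; an empty result means every port 80 name also has a port 443 vhost in that directory.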