Renew after expire

Thank you so much, I am new to this server management thing. I followed one article and set up successfully a couple of months ago. I did get an email asking me to renew the license a while ago, but since I set it up as auto-renewal, I waited, but the auto-renewal did not happen, and I do not know how to renew manually because all attempts have failed so far. Any help is greatly appreciated!

Can you please let me know the commands to clean up the expired license and have a new license? Thank you!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: excelnotes.com

I ran this command:

certbot --nginx --redirect -d excelnotes.com -d www.excelnotes.com -m excelxxxx@gmail.com --agree-tos  

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log                                                                                                                                                                                                 
Plugins selected: Authenticator nginx, Installer nginx                                                                                                                                                                                                   
Cert is due for renewal, auto-renewing...                                                                                                                                                                                                                
Renewing an existing certificate                                                                                                                                                                                                                         
Performing the following challenges:                                                                                                                                                                                                                     
http-01 challenge for excelnotes.com                                                                                                                                                                                                                     
http-01 challenge for www.excelnotes.com                                                                                                                                                                                                                 
Waiting for verification...                                                                                                                                                                                                                              
Cleaning up challenges                                                                                                                                                                                                                                   
Failed authorization procedure. excelnotes.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://excelnotes.com/.well-known/acme-challenge/Q7JN-AWy5xbB4Lt4ru4UuuhVCZDROBu4JGn7ROokxcc [2606:4700:20::ac43:456e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", www.excelnotes.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.excelnotes.com/.well-known/acme-challenge/am9ATYlVuzLELiNzgOBHuhcGHJ768XXrccxC7Db7UWk [2606:4700:20::ac43:456e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

I ran this command:

systemctl list-timers | grep 'certbot\|activates'

It produced this output:

Mon 2021-02-08 20:14:09 UTC  13h left    Mon 2021-02-08 02:57:45 UTC  3h 30min ago certbot.timer certbot.service

I ran this command:

ls -l /etc/cron.d/certbot

It produced this output:

-rw-r--r-- 1 root root 775 Feb 10 2019 /etc/cron.d/certbot

I ran this command:

certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log                                                                                                                                                                                                 
                                                                                                                                                                                                                                                         
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                                                                                                                                                          
Processing /etc/letsencrypt/renewal/excelnotes.com.conf                                                                                                                                                                                                  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                                                                                                                                                          
Cert is due for renewal, auto-renewing...                                                                                                                                                                                                                
Plugins selected: Authenticator nginx, Installer nginx                                                                                                                                                                                                   
Renewing an existing certificate                                                                                                                                                                                                                         
Performing the following challenges:                                                                                                                                                                                                                     
http-01 challenge for excelnotes.com                                                                                                                                                                                                                     
http-01 challenge for www.excelnotes.com                                                                                                                                                                                                                 
Waiting for verification...                                                                                                                                                                                                                              
Cleaning up challenges                                                                                                                                                                                                                                   
Attempting to renew cert (excelnotes.com) from /etc/letsencrypt/renewal/excelnotes.com.conf produced an unexpected error: Failed authorization procedure. excelnotes.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://excelnotes.com/.well-known/acme-challenge/Z44N8F35uTSeFR_zu0SlZcSrWFIXCmHXmGpcixBmN7k [2606:4700:20::681a:16a]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", www.excelnotes.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.excelnotes.com/.well-known/acme-challenge/t6wk--ycuPmXZZvA5A4OAFouZgiIviSoj_IARx-VJTg [2606:4700:20::ac43:456e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ". Skipping.
All renewal attempts failed. The following certs could not be renewed:                                                                                                                                                                                   
  /etc/letsencrypt/live/excelnotes.com/fullchain.pem (failure)                                                                                                                                                                                           
                                                                                                                                                                                                                                                         
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                                                                                                                                                          
** DRY RUN: simulating 'certbot renew' close to cert expiry                                                                                                                                                                                              
**          (The test certificates below have not been saved.)                                                                                                                                                                                           
                                                                                                                                                                                                                                                         
All renewal attempts failed. The following certs could not be renewed:                                                                                                                                                                                   
  /etc/letsencrypt/live/excelnotes.com/fullchain.pem (failure)                                                                                                                                                                                           
** DRY RUN: simulating 'certbot renew' close to cert expiry                                                                                                                                                                                              
**          (The test certificates above have not been saved.)                                                                                                                                                                                           
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -                                                                                                                                                                          
1 renew failure(s), 0 parse failure(s)     

My web server is (include version): ?

The operating system my web server runs on is (include version): WordPress on Ubuntu 18.04 x64

My hosting provider, if applicable, is: vultr.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Unfortunately there's a bug with the nginx plugin in Certbot when it's combined with Cloudflare in Strict/Full SSL modes.

The best fix right now is to use the webroot plugin instead of the nginx one, e.g.

certbot renew --cert-name excelnotes.com -a webroot -w /path/to/webroot

You will need to figure out what directory your website files are stored in and change /path/to/webroot in the above command with that directory. For example, a common webroot is /var/www/html, but it's not always the case.

For a quicker workaround, you can change your Cloudflare SSL Mode temporarily to "Flexible", do the renewal, and change it back to whatever it currently is.

4 Likes
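How to read the failure summary from the question, as an added example (not part of the thread and not Certbot code): it parses each per-domain failure and reports whether the validator was redirected to HTTPS, received an HTML page instead of the challenge token, and reached a Cloudflare address. The function name `diagnose` and the single Cloudflare range checked are assumptions of this example; the sample text is the dry-run output quoted above, rejoined after terminal wrapping.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One of Cloudflare's published IPv6 ranges; it covers both addresses in this thread.
CLOUDFLARE_V6 = ipaddress.ip_network("2606:4700::/32")

# Failure summary from the question's `certbot renew --dry-run`, lines rejoined.
SAMPLE = (
    r'Failed authorization procedure. excelnotes.com (http-01): '
    r'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient '
    r'authorization :: Invalid response from '
    r'https://excelnotes.com/.well-known/acme-challenge/'
    r'Z44N8F35uTSeFR_zu0SlZcSrWFIXCmHXmGpcixBmN7k [2606:4700:20::681a:16a]: '
    r'"<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" '
    r'lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ", '
    r'www.excelnotes.com (http-01): urn:ietf:params:acme:error:unauthorized :: '
    r'The client lacks sufficient authorization :: Invalid response from '
    r'https://www.excelnotes.com/.well-known/acme-challenge/'
    r't6wk--ycuPmXZZvA5A4OAFouZgiIviSoj_IARx-VJTg [2606:4700:20::ac43:456e]: '
    r'"<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" '
    r'lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js ". Skipping.'
)

FAILURE_RE = re.compile(
    r'(?P<domain>[\w.-]+) \((?P<challenge>[a-z]+-\d+)\): '
    r'(?P<error>urn:ietf:params:acme:error:\w+) :: (?P<detail>.+?) :: '
    r'Invalid response from (?P<url>\S+) \[(?P<addr>[0-9a-fA-F:.]+)\]: '
    r'"(?P<body>(?:\\.|[^"\\])*)"'  # quoted body; \" and \n are escaped inside it
)

def diagnose(summary):
    """Return one finding per failed domain in a certbot failure summary."""
    findings = []
    for m in FAILURE_RE.finditer(summary):
        url = urlsplit(m["url"])
        body = m["body"].lstrip().lower()
        findings.append({
            "domain": m["domain"],
            "error": m["error"].rsplit(":", 1)[-1],
            "token": url.path.rsplit("/", 1)[-1],
            # http-01 validation starts on port 80, so an https:// URL in the
            # error means the validator followed a redirect before failing.
            "redirected_to_https": url.scheme == "https",
            # A valid response is the key authorization, never an HTML page.
            "html_instead_of_token": body.startswith(("<!doctype", "<html")),
            "via_cloudflare": ipaddress.ip_address(m["addr"]) in CLOUDFLARE_V6,
        })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

All three flags being true for both names matches the situation described in the answer above: the request is answered at the proxy over HTTPS with a web page, not by the challenge file the nginx plugin set up.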

My file path is /var/www/html, can you please give me the full commands to change the path and renew (very new user :))? I have set Cloudflare to flexible (I can even delete the whole thing there).

certbot renew --cert-name excelnotes.com -a webroot -w /path/to/webroot

Another question: if I delete my server and Cloudflare and re-install from scratch (like a new migration), it will take time, but after I install everything, can my site re-assign the license (my worry is the site is locked with the "expiry license")?

Thank you so much!

1 Like

The command would then be:

sudo certbot renew --cert-name excelnotes.com -a webroot -w /var/www/html

but ...

If you've done that instead, you should be able to just run:

sudo certbot renew

Yes, you could start from scratch without problems.

Practically speaking, you could do this at most 5 times per week, because there are some rate limits which affect your ability to create certificates for your domain.

I wouldn't recommend starting again if the only problem you're experiencing is SSL. Better to fix the specific problem you have.

4 Likes

Thank you so much! You just saved my life! It seems now the renewal has succeeded! Should I change from flexible to full now in Cloudflare?

root:~# sudo certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/excelnotes.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for excelnotes.com
http-01 challenge for www.excelnotes.com
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/excelnotes.com/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/excelnotes.com/fullchain.pem (success)


1 Like

Probably, it's the secure thing to do.

Only problem is that you'll run into the same problem at your next renewal in ~60 days and you'll need to set it to Flexible again to get past it.

The more permanent fix is to switch over to the webroot authenticator as described earlier.

2 Likes

Thank you so much for all your great help!

I will follow your instructions to switch to the webroot authenticator next time to renew it if I still use Cloudflare. BTW, if I do not use Cloudflare, there should be no such problems, and I can just use "sudo certbot renew" to renew next time, right? I just started Cloudflare about 1 month ago.

1 Like

Yeah, without the Cloudflare bug, everything will happen automatically via the systemd timer.

1 Like

I got it, there were no issues for the first couple of months. I started Cloudflare about 1 month ago, then the problem happened. I will have another think about Cloudflare, thank you so much for all the help!

1 Like
