Renew certificates automatically

Hello,

I’m trying to get my certificates renewed automatically. Where should I start?

I created a conf file in /etc/letsencrypt/renewal/serv1.mydomain.conf

cert = /etc/letsencrypt/live/serv1.mydomain.org/serv1.mydomain.org_pp.crt
privkey = /etc/letsencrypt/live/serv1.mydomain.org/serv1.mydomain.org.key
fullchain = /etc/letsencrypt/live/serv1.mydomain.org/serv1.mydomain.org_chaine_pp.crt
chain = /etc/letsencrypt/live/serv1.mydomain.org/CA_Staging_Intermediaire_Lets_Encrypt.crt

[renewalparams]
authenticator = webroot
installer = None
account = 04048eeb4f5e5e72210c505f9b16f44b
server = https://acme-staging.api.letsencrypt.org/directory
email = admin@mydomain.org
webroot_path = /var/www/htdocs
[[webroot_map]]
serv1.mydomain.org = /var/www/htdocs

All four files are symbolic links.

I ran certbot -q renew but I get an error

2017-08-14 15:58:40,154:DEBUG:certbot.main:Root logging level set at 30
2017-08-14 15:58:40,156:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-08-14 15:58:40,157:DEBUG:certbot.main:certbot version: 0.12.0
2017-08-14 15:58:40,157:DEBUG:certbot.main:Arguments: ['-q']
2017-08-14 15:58:40,159:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-08-14 15:58:40,166:DEBUG:certbot.storage:No matches for target cert.
2017-08-14 15:58:40,166:DEBUG:certbot.storage:No matches for target privkey.
2017-08-14 15:58:40,166:DEBUG:certbot.storage:No matches for target chain.
2017-08-14 15:58:40,167:DEBUG:certbot.storage:No matches for target fullchain.
2017-08-14 15:58:40,167:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/serv1.mydomain.org.conf produced an unexpected error: max() arg is an empty sequence. Skipping.
2017-08-14 15:58:40,168:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 409, in handle_renewal_request
    renewal_candidate.ensure_deployed()
  File "/usr/local/lib/python2.7/site-packages/certbot/storage.py", line 726, in ensure_deployed
    if self.has_pending_deployment():
  File "/usr/local/lib/python2.7/site-packages/certbot/storage.py", line 746, in has_pending_deployment
    return smallest_current < self.latest_common_version()
  File "/usr/local/lib/python2.7/site-packages/certbot/storage.py", line 702, in latest_common_version
    return max(n for n in versions[0] if all(n in v for v in versions[1:]))
ValueError: max() arg is an empty sequence

2017-08-14 15:58:40,169:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.12.0', 'console_scripts', 'certbot')()
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 896, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 702, in renew
    renewal.handle_renewal_request(config)
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 435, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

I read many things and did a lot of tests, but I’m lost and I would like to know what I should do first.

Thanks

Certbot effectively does not officially support creating this kind of file yourself. Normally it always creates it for you when you originally obtain a certificate using Certbot. There are many prerequisites and hidden assumptions about the format and contents of this file and the other items in /etc/letsencrypt. If you want, I can try to tell you about all of them, but I would think the simplest case would be to allow Certbot to create all of these things in the way it expects. Is there any reason that that option wouldn't work in your setup?

I would start by un-doing any files that you created.
Review the user guide for renewal process.
Get the renewal process command working.
Then use a cron job to automate that manual command.

Hello,

Thank you both for your reply.
One reason is that I use OpenBSD and I was not able to do things the Linux way.

I signed my csr using this command
letsencrypt certonly --authenticator manual --server https://acme-v01.api.letsencrypt.org/directory --manual-public-ip-logging-ok --text --email email@mydomain.com --csr www.mydomain.com.der --cert-path …/certs/www.mydomain.com.crt --fullchain-path …/certs/www.mydomain.com_chaine.crt

Regards

Hi @mikygee,

Can you be more specific about “not able to do things the linux way”? I’m just trying to understand what the best option for you would be.

The Certbot renewer, as I suggested, has a lot of hardcoded assumptions about path and filenames, which it requires in order to able to renew a certificate for you. Would you like me to tell you what all of those assumptions are so you can try to recreate that structure yourself?

Notably, Certbot never creates its own renewal structure when you use --csr (are you sure that you needed to use an external CSR for some reason?).
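As an added example (not code from the thread, from Certbot or from OpenBSD), the script below reproduces the two checks visible in the log: the "No matches for target cert" debug lines and the empty max() in latest_common_version. It assumes Certbot's lineage layout, archive/<kind>N.pem files with live/<kind>.pem symlinks pointing at them; the second constructed lineage uses custom names like those in the question to show why the renewer finds no versions.

```python
import os
import re
import tempfile

KINDS = ("cert", "privkey", "chain", "fullchain")

def available_versions(archive_dir, kind):
    """Version numbers found in archive/ for one kind, i.e. files named <kind>N.pem
    (assumed Certbot naming; a target not matching it yields 'No matches for target')."""
    if not os.path.isdir(archive_dir):
        return []
    pat = re.compile(r"^%s([0-9]+)\.pem$" % kind)
    found = [int(m.group(1)) for m in map(pat.match, os.listdir(archive_dir)) if m]
    return sorted(found)

def latest_common_version(archive_dir):
    """Highest version present for all four kinds, or None when the set is empty;
    the renewer's max() over this set is what raised 'max() arg is an empty sequence'."""
    common = None
    for kind in KINDS:
        versions = set(available_versions(archive_dir, kind))
        common = versions if common is None else common & versions
    return max(common) if common else None

def live_links_ok(live_dir):
    """True only if every live/<kind>.pem is a symlink whose target is a versioned file."""
    for kind in KINDS:
        link = os.path.join(live_dir, kind + ".pem")
        if not os.path.islink(link):
            return False
        if not re.match(r"^%s[0-9]+\.pem$" % kind, os.path.basename(os.readlink(link))):
            return False
    return True

def build_demo(certbot_style):
    """Constructed lineage in a temp dir: Certbot names (cert1.pem ...) when
    certbot_style is True, otherwise custom names like those in the question."""
    root = tempfile.mkdtemp()
    archive, live = os.path.join(root, "archive"), os.path.join(root, "live")
    os.makedirs(archive)
    os.makedirs(live)
    custom = {"cert": "x_pp.crt", "privkey": "x.key",
              "chain": "CA_Staging.crt", "fullchain": "x_chaine_pp.crt"}
    for kind in KINDS:
        fname = kind + "1.pem" if certbot_style else custom[kind]
        open(os.path.join(archive, fname), "w").close()
        os.symlink(os.path.join("..", "archive", fname), os.path.join(live, kind + ".pem"))
    return archive, live
```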

Hello Schoen,

Thank you for your answers.

First, I use certbot version 0.12.0, which is included in the OpenBSD 6.1 ports (released in spring 2017).

I’m signing csr on a machine which is a reverse proxy and holds the certificates but also for other machines that don’t have access to the Internet.

So far, the only command line that worked with me to generate a new certificate is
letsencrypt certonly --authenticator manual --server https://acme-v01.api.letsencrypt.org/directory --manual-public-ip-logging-ok --text --email email@mydomain.com --csr www.mydomain.com.der --cert-path …/certs/www.mydomain.com.crt --fullchain-path …/certs/www.mydomain.com_chaine.crt

I don’t see any new files created in the /etc/letsencrypt subdirectory after I launch this command.
I think that I removed some files in /etc/letsencrypt in the past.

# ls /etc/letsencrypt/
accounts cli.ini  live     renewal

Should I try to reinstall the package?

Schoen: Notably, Certbot never creates its own renewal structure when you use --csr (are you sure that you needed to use an external CSR for some reason?)
I’m not sure what you mean.
To make the CSR, I generate a private key, then a CSR, then I convert the CSR to DER format. I use openssl commands.

Regards

Basically, certbot renew is totally incompatible with certbot --csr; they are separate code paths and construct requests to the certificate authority in a totally separate way. If you need to use --csr, you currently can't use certbot renew, regardless of how the directory structure is set up.

Certbot aims to automate the private key generation as well as the CSR generation. Using something like letsencrypt certonly --authenticator manual --manual-public-ip-logging-ok -d www.mydomain.com -d mydomain.com should work just as well, but it should generate a private key and CSR for you internally, as well as saving all of these things in the places that it expects.
