Renew is not working / no error / 10 days remaining

My domain is: chat.ddnss.org

I ran this command:

  • to get the certs on 2017-11-11:
    certbot-auto -d chat.ddnss.org certonly
    … 1 = Spin up a temporary webserver (standalone)

  • to renew (got notification about expire on 09 Feb 18):
    certbot-auto renew --no-self-upgrade

It produced this output: No renewals were attempted.

My web server is (include version): ejabberd 16.09

The operating system my web server runs on is (include version): Raspbian Stretch

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

–> Am I too impatient? 10 days left, but no renewals were attempted.

What is the output of the command certbot-auto certificates?

Oops…

“No certs found.”

I'm confused… The cert is working on chat.ddnss.org

Is it possible that you’ve moved files around in your /etc/letsencrypt directories? Certbot uses a lot of symlinks and is very sensitive to changes in these directories that it didn’t make, which can cause it to no longer see your certificates.

After getting the original certs on my Raspi I moved to another fresh install (same OS).
Now instead of running:

certbot-auto -d chat.ddnss.org certonly

I created all needed folders (same as on the original install) by hand:

mkdir /etc/letsencrypt/live/;mkdir /etc/letsencrypt/live/chat.ddnss.org/

and inserted the original (saved from the first install) files to /etc/letsencrypt/live/chat.ddnss.org/ (cert.pem, chain.pem, fullchain.pem, privkey.pem).

This worked, but I suspect running certbot-auto -d chat.ddnss.org certonly didn't create only these files but also some more (symlinks?) that are missing now?

If so, can I make up for it?

Yeah, creating those by hand is not an easy process. Most of them are symlinks and will break if not done properly. The /etc/letsencrypt/archive directory holds the real files and is a necessary directory. It would probably just be best to nuke and pave on this one, rather than trying to track down each little piece to fix. Clear out these contents and let Certbot regenerate everything on its own.

Many thanks for your reply.

The reason for getting this stupid idea was an SD-card crash on my old system.

Nothing but the mentioned files survived. On the other hand about 20 clients (widespread in the whole country…) of my ejabberd chat server used these old files. I hoped to avoid installing new certificates on all clients.

Is there still a way to avoid providing the new certs to all clients??

EDIT: after some thought, I’m not sure if my question is nonsense…

certbot certificates and certbot renew also both rely on the contents of /etc/letsencrypt/renewal, so if you didn’t copy that, Certbot isn’t going to find any of the certificates for renewal purposes (even though they still work as certificates).

When you perform a renewal, you would need to distribute the new certificates to every server that uses them. However, once the server has been configured appropriately, the certificates are presented automatically in the TLS protocol handshake to clients that make inbound connections to that service.

Do you perform client authentication with those certificates? If not (the usual case), you don’t have to provide them to your clients at all.
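
The layout described in the replies above (real files in archive/, symlinks in live/, one configuration file per certificate in renewal/) can be checked with a short script. This is an added example, not part of the thread and not Certbot's own code; check_lineage and make_sample are hypothetical helper names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: report why `certbot renew` / `certbot certificates` may not
# see a certificate. Prints one line per problem and returns the number of
# problems found (0 = the layout looks intact).
check_lineage() {
    cfg=$1 name=$2 problems=0
    bad() { echo "$1"; problems=$((problems + 1)); }
    # Certbot finds certificates through renewal/<name>.conf
    [ -f "$cfg/renewal/$name.conf" ] || bad "missing: $cfg/renewal/$name.conf"
    # archive/<name>/ holds the real, numbered files
    [ -d "$cfg/archive/$name" ] || bad "missing: $cfg/archive/$name/"
    for f in cert chain fullchain privkey; do
        link="$cfg/live/$name/$f.pem"
        if [ ! -L "$link" ]; then bad "not a symlink: $link"
        elif [ ! -f "$link" ]; then bad "dangling symlink: $link"
        else
            case $(readlink "$link") in
                */archive/"$name"/*) ;;
                *) bad "points outside archive/$name: $link" ;;
            esac
        fi
    done
    return "$problems"
}

# Constructed sample tree (not real data). $1 = target directory;
# $2 = "copied" builds the hand-copied layout from the thread (plain files in
# live/ only), anything else builds a Certbot-style layout.
make_sample() {
    d=$1 n=chat.ddnss.org
    mkdir -p "$d/live/$n"
    if [ "$2" = copied ]; then
        for f in cert chain fullchain privkey; do : > "$d/live/$n/$f.pem"; done
    else
        mkdir -p "$d/archive/$n" "$d/renewal"
        : > "$d/renewal/$n.conf"
        for f in cert chain fullchain privkey; do
            : > "$d/archive/$n/${f}1.pem"
            ln -s "../../archive/$n/${f}1.pem" "$d/live/$n/$f.pem"
        done
    fi
}
```

On a real host the call would be `check_lineage /etc/letsencrypt chat.ddnss.org`, run as a user that can read that directory.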

Found this control panel www.clustercs.com with free account and Let’s Encrypt automatic renewals … seems ok so far, will update later with my findings!
