Renew LE keys on Domoticz

I am running the latest version of Domoticz on a Raspberry

The first time I installed certbot and created keys according to this site:

After creating the keys I used the following site to copy these keys to Domoticz.

https://www.domoticz.com/wiki/Native_secure_access_with_Lets_Encrypt

On this site the key is placed in the Domoticz directory, but after every update of Domoticz I must replace the key. So I moved the key to another directory, Domotic-cert.
I was very glad that all this was working.

But then I got a mail that I must renew my keys; the key I used was valid to 8-febr-2023.
So after the command for renewing the keys I looked to see if the key was renewed, and it was.

Expiry Date: 2023-04-20 16:30:27+00:00 (VALID: 88 days)

After this I used the same commands to place it for use in Domoticz, but if I check my certificate on the website it keeps the old date of 2023-02-08.

So why does it not update it on Domoticz???

Certbot 1.12.0
used sudo apt install certbot to install

To move it to Domoticz I used this from the site

Add the certificate to Domoticz

Then you add the created certificate to Domoticz with :

sudo mv ~/domoticz/server_cert.pem ~/domoticz/server_cert.pem.org  # see below about DH params why not just delete it
sudo cat /etc/letsencrypt/live//privkey.pem > ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live//fullchain.pem >> ~/domoticz/server_cert.pem
sudo cp ~/domoticz/server_cert.pem ~/domoticz/letsencrypt_server_cert.pem
sudo /etc/init.d/domoticz.sh restart

As every update of domoticz overwrites your certificate, the last command backs up your new certificate so that you may restore it if needed.

When there's a domoticz error after rebooting the service like : Error: [web:443] missing SSL DH parameters from file

Add the DHparam :

sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem

and if you get also an error like : /etc/ssl/certs/dhparam.pem: No such file or directory

cd /etc/ssl/certs
sudo openssl dhparam -out dhparam.pem 2048
sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem
sudo /etc/init.d/domoticz.sh restart

Welcome @NvBgm

You did not provide your domain name so I could not check this but you probably got certs with different combinations of domain names in the past.

If you read your email carefully it will describe the cert it is warning you about. If you are no longer using that cert you can ignore the friendly warning email.

Use the https://crt.sh site to look up your cert history. That may make clearer what is happening. Also see:
Expiration Emails - Let's Encrypt

3 Likes

Hello Mike,
Thank you for reply. I think I'm going crazy. After writing this message I checked my certificate on the website again and I see that it is now valid until 20-04-2023. This means that the key has been extended. It's strange that I can't find it anywhere in Domoticz either. The directory that I created for this appears not to be used at all. It is a mystery to me what happened, but at least I can continue until April.
Oh yes my domain is NvBgm1.nl
I checked crt.sh but all seems ok to me..
I hope everything goes well at the next renewal. thanks

2 Likes

Your most recent certs cover only the domain name nvbgm1.nl (crt.sh link)

The certs you got earlier had that and its www subdomain. The email was warning about the cert with both names expiring Feb 8. If you don't need the www subdomain in your cert anymore you can safely ignore this warning.

But, if you want both names covered by your cert you should review what changed in your cert request method.

3 Likes

I do need this subdomain, but the question is how can I correct this so I can use it again?

You include both domain names in the Certbot command.

You were getting certs with both names back in Nov so just do what you did then (crt.sh history here)

If that is not enough info please show us the certbot command you used to get the latest cert.

3 Likes

Below is the command I used.
sudo certbot renew --cert-name nvbgm1.nl --cert-name --webroot-path /home/nvbgm/domoticz_cert

I now see that I only used it for nvbgm1.nl.
I have now tested it again with both nvbgm1.nl and www.nvbgm1.nl as a dry run and I get the following error.
nvbgm@Rasp4A:~ $ sudo certbot renew --cert-name nvbgm1.nl --cert-name www.nvbgm1.nl --webroot-path /home/nvbgm/domoticz_cert --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificate found with name www.nvbgm1.nl (expected /etc/letsencrypt/renewal/www.nvbgm1.nl.conf).
nvbgm@Rasp4A:~$

No, that's not the right format. Let's start at the beginning. Please show output of this

sudo certbot certificates

3 Likes

nvbgm@Rasp4A:~ $ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: nvbgm1.nl
Serial Number: 487da7d8ff9e59be847c219c8c0cd944e8b
Key Type: RSA
Domains: nvbgm1.nl
Expiry Date: 2023-04-20 16:30:27+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/nvbgm1.nl/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nvbgm1.nl/privkey.pem


nvbgm@Rasp4A:~ $

And now show the contents of this file (sorry, should have asked for this with cert list)

/etc/letsencrypt/renewal/nvbgm1.nl.conf

3 Likes

That's no problem.
This is the conf file:

# renew_before_expiry = 30 days

version = 1.12.0
archive_dir = /etc/letsencrypt/archive/nvbgm1.nl
cert = /etc/letsencrypt/live/nvbgm1.nl/cert.pem
privkey = /etc/letsencrypt/live/nvbgm1.nl/privkey.pem
chain = /etc/letsencrypt/live/nvbgm1.nl/chain.pem
fullchain = /etc/letsencrypt/live/nvbgm1.nl/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = f9ec1172644a2810aaca8fec3333dee7
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /home/nvbgm/domoticz_cert,
[[webroot_map]]

This should work to restore the www domain to that cert

sudo certbot certonly --standalone --cert-name nvbgm1.nl -d nvbgm1.nl -d www.nvbgm1.nl

It should ask if you want to expand the cert for the second domain and reply yes.

3 Likes
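
The mismatch diagnosed above (a certificate named nvbgm1.nl whose Domains line no longer lists www.nvbgm1.nl) can be checked directly from the `certbot certificates` output. This is an added example, not part of the original posts; the function name `missing_names` and the `example.org` entry in the sample are constructed.

```shell
#!/bin/sh
# Added example. missing_names CERT_NAME EXPECTED_NAME...
# Reads `certbot certificates` output on stdin and prints every expected name
# absent from that certificate's "Domains:" line. Returns 1 if any is missing.
missing_names() {
    cert=$1; shift
    domains=$(awk -v want="$cert" '
        $1 == "Certificate" && $2 == "Name:" { cur = $3 }
        $1 == "Domains:" && cur == want     { $1 = ""; print; exit }')
    rc=0
    for name in "$@"; do
        case " $domains " in
            *" $name "*) ;;                 # covered (whole-name match, not substring)
            *) echo "$name"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: two entries, the second abridged from the output in this thread.
SAMPLE='Found the following certs:
  Certificate Name: example.org
    Domains: example.org www.example.org
  Certificate Name: nvbgm1.nl
    Domains: nvbgm1.nl
    Expiry Date: 2023-04-20 16:30:27+00:00 (VALID: 88 days)'

# Live use (run as root):
#   certbot certificates 2>/dev/null | missing_names nvbgm1.nl nvbgm1.nl www.nvbgm1.nl
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | missing_names nvbgm1.nl nvbgm1.nl www.nvbgm1.nl
fi
```

Run after each renewal, a non-zero exit flags a name that dropped out of the certificate before visitors to that name see a browser warning.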

Yes that works...


Found the following certs:
Certificate Name: nvbgm1.nl
Serial Number: 3f488a546626efd22557ed8702ca0a8d689
Key Type: RSA
Domains: nvbgm1.nl www.nvbgm1.nl
Expiry Date: 2023-04-22 14:19:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/nvbgm1.nl/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nvbgm1.nl/privkey.pem


Thank you. Maybe one more question?
What is the correct command to renew these certs?

2 Likes

sudo certbot renew

Depending on how you've installed Certbot, there already may be a cronjob or systemd timer for that.

4 Likes

I cannot find any of those in systemd or crontab.
I followed the install from the site Raspberry Pi SSL Certificates using Let's Encrypt - Pi My Life Up
and installed the standard version of certbot:
sudo apt install certbot

Below is advice for auto renewal with Certbot
https://eff-certbot.readthedocs.io/en/stable/using.html#automated-renewals

3 Likes
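
Automated renewal only replaces the files under /etc/letsencrypt/live; the combined PEM built with the wiki steps quoted earlier in this thread stays as it was until it is rebuilt. One way to close that gap is a certbot deploy hook, shown here as an added example that is not part of the original posts or the Domoticz wiki. The install path `/home/nvbgm/domoticz`, the hook file name and the function name `build_domoticz_pem` are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook, e.g. saved (executable) as
# /etc/letsencrypt/renewal-hooks/deploy/domoticz.sh (file name is an assumption).
# Assumed defaults below; the restart command is the one quoted in the thread.
DOMOTICZ_DIR="${DOMOTICZ_DIR:-/home/nvbgm/domoticz}"
DHPARAM="${DHPARAM:-/etc/ssl/certs/dhparam.pem}"

# build_domoticz_pem LINEAGE_DIR OUT_FILE [DHPARAM_FILE]
# Writes privkey + fullchain (+ DH params if readable) to OUT_FILE.
build_domoticz_pem() {
    lineage=$1; out=$2; dh=${3:-}
    if [ ! -r "$lineage/privkey.pem" ] || [ ! -r "$lineage/fullchain.pem" ]; then
        echo "privkey.pem or fullchain.pem not readable in $lineage" >&2
        return 1
    fi
    # mktemp creates the file with mode 0600, so the key is never world-readable.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if {
        cat "$lineage/privkey.pem" "$lineage/fullchain.pem" &&
        if [ -n "$dh" ] && [ -r "$dh" ]; then cat "$dh"; fi
    } > "$tmp" && mv -f "$tmp" "$out"; then
        return 0      # rename replaces the old file in one step
    fi
    rm -f "$tmp"
    return 1
}

# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks
# after a certificate was actually renewed; without it this file does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    pem="$DOMOTICZ_DIR/server_cert.pem"
    build_domoticz_pem "$RENEWED_LINEAGE" "$pem" "$DHPARAM" || exit 1
    # Hooks run as root: hand the file to the owner of the Domoticz directory
    # (assumes Domoticz runs as that user; --reference is GNU chown).
    chown --reference="$DOMOTICZ_DIR" "$pem"
    cp -p "$pem" "$DOMOTICZ_DIR/letsencrypt_server_cert.pem"   # backup, as in the wiki
    /etc/init.d/domoticz.sh restart
fi
```

Because the hook fires only when a certificate is actually renewed, Domoticz is not restarted on the timer's routine no-op runs.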

Thanks for the link. I did see a timer on my system, so I think certbot renews automatically.

NEXT                         LEFT      LAST                         PASSED        UNIT           ACTIVATES
Mon 2023-01-23 22:19:09 CET  11h left  Mon 2023-01-23 07:10:08 CET  3h 37min ago  certbot.timer  certbot.service

Thanks guys, you helped me a lot, and I learned a lot.

4 Likes