Renew not working because of two Current Certificate folders

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:walkershire.net

I ran this command: certbot renew

It produced this output:

My web server is (include version): Apple Mini

The operating system my web server runs on is (include version):
MACOS Monerey 12.6
My hosting provider, if applicable, is:my company server on Comcast Business
I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.30.0

I have several domains with LetsEncript certificates which were installed about July 10, 2022. I tried to renew them on September 20 but had the --apache-bin is missing error and the PluginError('Unable to create a lock file in /etc/apache2.”. I found a fix by Griffin on Community.LetsEncript and tried it. The response said the it was successful with a mid December expiration date. I later checked the certificates expiration by clicking on the lock icon using a browser which showed Saturday, October 8, 2022 at 2:22:19 PM.

Today I reinstalled Apache and then CertBot version 1.30.0 using Brew. Then ran certbot renew and got the same apache-bin and PluginError as before.

Ran Griffins ‘ certbot certonly --webroot -w /path/to/webroot/for/www.sobco.com -d "www.sobco.com" --dry-run ‘. Log shows:

The dry run was successful.

lowerlevel@70-89-220-117-clean-air-engineering-il ~ % certbot certonly --webroot -w /usr/local/var/www/walkershire -d "www.walkershire.net"

Saving debug log to /usr/local/etc/certbot/logs/letsencrypt.log

Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /usr/local/etc/certbot/certs/renewal/www.walkershire.net.conf)

What would you like to do?


1: Keep the existing certificate for now

2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Renewing an existing certificate for www.walkershire.net

Successfully received certificate.

Certificate is saved at: /usr/local/etc/certbot/certs/live/www.walkershire.net/fullchain.pem

Key is saved at: /usr/local/etc/certbot/certs/live/www.walkershire.net/privkey.pem

This certificate expires on 2022-12-31.

These files will be updated when the certificate renews.

NEXT STEPS:

  • The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See User Guide — Certbot 1.30.0 documentation for instructions.

If you like Certbot, please consider supporting our work by:


lowerlevel@70-89-220-117-clean-air-engineering-il ~ %

But the browser locks shows October 8, 2022 at 2:22:19 PM because they are not using the www certificate folder.

There are 2 folders in usr/local/etc/certbot/certs/live. Walkershire.net and www.walkershire.net. That may be because I

1st created 5 certificates for the plain domain names:

2022-07-18 17:31:36,150:DEBUG:certbot._internal.display.obj:Notifying user: Found the following certs:

Certificate Name: walkershire.net

Domains: walkershire.net beyond.cleanair.com d7036.com envirotemps.com hi-tech.rent

Later with late night help from rg305(who is very good) on my CaptainBill log Challenges Failed Due To Invalid Response From .well-known I created the 11 domain certificates as can be seen at the bottom of this thread.

What should I do to get all 11 certificates renewed ?

I would separate each site onto its own certificate.
And obtain those certificates via --webroot authentication.

7 Likes

I solved my issues by:

Changed the paths to the cert folder in Apache httpd_vhost.conf by removing www. from the folder name.

Then I put all the Options in the httpd_vhost.conf file between the Directory tags.

Then used rg305 suggestions to:

sudo certbot certonly --cert-name walkershire.net --webroot \

-w /usr/local/var/www/walkershire -d "walkershire.net,www.walkershire.net"
..................etc.
which make 11 certificates that all expire in 3 months.

Several domains show the lock but have the "Not fully Secure.." notice. They are:

  D7036 .com 

 Hi-Tech.Rent 

 Hi-TechRent.com

I have tried to change the embedded links from http: to https without success: I suspect is more bad code.

Thank you for your help.

A couple things

Using whynopadlock.com I see an error about hi-tech.rent using an http: url for search.freefind (maybe you missed one?). See its report here
That might explain why it is not "fully secure". You could try the other two yourself.

Actually, you have 1 certificate with 11 names on it. I am perhaps nitpicking. You can see your certs nicely with the Let's Debug cert search tool. Or, with sudo certbot certificates command.

5 Likes

My server just stopped working with this message in error log:
(13)Permission denied: AH02574: Init: Can't open server private key file /usr/local/etc/certbot/certs/live/walkershire.net/privkey.pem
[Sun Oct 09 11:51:40.086418 2022] [ssl:emerg] [pid 4233] AH02311: Fatal error initialising mod_ssl, exiting. See /usr/local/var/log/httpd/error_log for more information
[Sun Oct 09 11:51:40.087103 2022] [ssl:emerg] [pid 4233] AH02564: Failed to configure encrypted (?) private key localhost:443:0, check /usr/local/etc/certbot/certs/live/walkershire.net/privkey.pem
AH00016: Configuration Failed

Certbot Certificate shows:
Certificate Name: walkershire.net
Serial Number: 37cac5e5a72cb9e5ace47290abb02b68cc2
Key Type: RSA
Domains: walkershire.net beyond.cleanair.com d7036.com envirotemps.com hi-tech.rent hi-techrent.com www.d7036.com www.envirotemps.com www.hi-tech.rent www.hi-techrent.com www.walkershire.net
Expiry Date: 2023-01-01 21:16:31+00:00 (VALID: 83 days)
Certificate Path: /usr/local/etc/certbot/certs/live/walkershire.net/fullchain.pem
Private Key Path: /usr/local/etc/certbot/certs/live/walkershire.net/privkey.pem
Certificate Name: www.walkershire.net
Serial Number: 4b51d14a3b773e4eb49450b6761bfa54578
Key Type: RSA
Domains: www.walkershire.net
Expiry Date: 2022-12-31 21:10:48+00:00 (VALID: 82 days)
Certificate Path: /usr/local/etc/certbot/certs/live/www.walkershire.net/fullchain.pem
Private Key Path: /usr/local/etc/certbot/certs/live/www.walkershire.net/privkey.pem

I still have 2 folders in my cert/live folder. the www.walkershire.net folder was created in July. Can I delete it?

I have

  1. started server by restarting computer
  2. Apache did not start but it should start on power on.
  3. I started Apache using sudo apachectl start instead of brew services
    4 . It started!

No, do not manually delete anything within certbot control.
If you want to delete that cert, use:
certbot delete --cert-name www.walkershire.net

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.