Renew SSL Certificate

Dear Support Team,
I just recently took over a data center where I found a web server using a Let's Encrypt SSL certificate which will expire after a month. Now I want to renew it but don't have any idea how to renew.

My domain is: alwatan.com.sa
Distributor ID: Ubuntu
Description: Ubuntu 20.04.1 LTS
Release: 20.04
Codename: focal

Can anyone guide me, please? Thank you.

What certificate are you worried about? It looks like a few are renewing automatically without issue.

2 Likes

I am not familiar, that's the reason. I am here for help.

Ok, but there are a lot of possible variables here. A lot of possibilities to get and configure a Let's Encrypt certificate.

I don't know your system. Only you do.

3 Likes

SSLCertificateFile /etc/letsencrypt/live/live.alwatan.com.sa/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/live.alwatan.com.sa/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

The above-mentioned files are located on our server, and it will expire on 29 May. I don't know if it will be renewed automatically or if we have to do it manually. The previous IT person did this before; I am new to this, so I don't know.

So it's nginx and certbot.

Run this command:

sudo certbot certificates

and

sudo certbot renew --dry-run

If those commands do not complain, you're probably fine.

It should autorenew 30 days before on April 29th.

1 Like

Should I wait until 29 April or 30 April and then use these commands?


Found the following certs:
Certificate Name: press.alwatan.com.sa
Domains: press.alwatan.com.sa
Expiry Date: 2022-05-29 14:40:04+00:00 (VALID: 36 days)
Certificate Path: /etc/letsencrypt/live/live.alwatan.com.sa/fullchain.pem
Private Key Path: /etc/letsencrypt/live/live.alwatan.com.sa/privkey.pem


After running the first command, this information was received.

Good. The second command will tell you if the renewal can proceed automatically.

2 Likes

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/live.alwatan.com.sa.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for live.alwatan.com.sa
Waiting for verification...
Challenge failed for domain live.alwatan.com.sa
http-01 challenge for live.alwatan.com.sa
Cleaning up challenges
Attempting to renew cert (live.alwatan.com.sa) from /etc/letsencrypt/renewal/live.alwatan.com.sa.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/live.alwatan.com.sa/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/live.alwatan.com.sa/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: press.alwatan.com.sa
    Type: connection
    Detail: 37.224.xx.xx: Fetching
    http://live.alwatan.com.sa/.well-known/acme-challenge/2V5dqgx8IVHGcJWU5eTjxSqpkmp5au3MkihIc0TiTK8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Are you editing your DNS records at the moment?

Because that domain doesn't point to any IP address.

2 Likes

No, I am not editing anything; I just used the 2nd command.

So, press.alwatan.com.sa doesn't respond to me.

And live.alwatan.com.sa doesn't actually exist as a subdomain on your nameservers.

3 Likes

press.alwatan.com.sa is the correct one

Yes, and it redirects to "live" for at least some clients.

3 Likes

Yes, people from outside access ... from outside. But the SSL certificate is installed and configured on another server ... and between the server where the SSL certificate is installed and the public IP address there is a firewall ... with specific ports allowed from outside, and inside there are no issues.

What do you suggest? Should we wait until 29 April? Maybe it will renew automatically...

Waiting will do no good.

You have to understand how to allow public access to port 80 on that server, so that validation can proceed.

Then you can configure certbot to do it automatically (if possible at all).

2 Likes

Yes, I did allow port 80 to this SSL server.
How do I check if certbot is already configured?

Looks like Apache

That said, yes, without a public IP what is the point of having a public cert?
can't find live.alwatan.com.sa: Non-existent domain

5 Likes
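
The checks the replies above walk through (does the name resolve, does port 80 answer from the public side, does a redirect lead to a name that exists), as an added shell example that is not part of the original thread. It assumes a Linux host with `getent` and `curl`; the function names, the `example.test` hostnames and the `preflight-test` token are hypothetical.

```sh
#!/bin/sh
# Added example: preflight for certbot's http-01 renewal. Run preflight from a
# host OUTSIDE the firewall, because the CA validates from the public internet.

# Names to validate, parsed from `sudo certbot certificates` output on stdin.
cert_domains() {
  awk '/^[ \t]*Domains:/ { for (i = 2; i <= NF; i++) print $i }' | sort -u
}

# Addresses a name resolves to; prints nothing when the name does not exist.
resolve() { getent ahosts "$1" | awk '{ print $1 }' | sort -u; }

# Prints "<status> <redirect-url>" for a made-up token under the challenge
# directory. Any status (404 is expected) proves port 80 answers; 000 means
# no connection was made.
probe() {
  curl -s -o /dev/null -m 10 -w '%{http_code} %{redirect_url}' \
    "http://$1/.well-known/acme-challenge/preflight-test" || true
}

# One verdict line per name; returns non-zero if any name would fail.
preflight() {
  pf_rc=0
  for pf_name in "$@"; do
    if [ -z "$(resolve "$pf_name")" ]; then
      echo "$pf_name: FAIL no DNS A/AAAA record"; pf_rc=1; continue
    fi
    pf_out=$(probe "$pf_name"); pf_code=${pf_out%% *}; pf_url=${pf_out#* }
    pf_host=$(printf '%s\n' "$pf_url" | sed -E 's#^[a-z]+://([^/:]+).*#\1#')
    if [ "$pf_code" = "000" ]; then
      echo "$pf_name: FAIL port 80 unreachable (firewall or NAT)"; pf_rc=1
    elif [ -n "$pf_url" ] && [ -z "$(resolve "$pf_host")" ]; then
      echo "$pf_name: FAIL redirects to $pf_host, which has no DNS record"; pf_rc=1
    else
      echo "$pf_name: OK port 80 answered with HTTP $pf_code"
    fi
  done
  return $pf_rc
}

# Stand-alone use: ./preflight.sh press.example.test live.example.test
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A name that passes here can still fail renewal if the firewall forwards port 80 to a different machine than the one running certbot, so follow up with `sudo certbot renew --dry-run` on the server.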