Renew SSL using terminal with letsencrypt-auto certonly

Please fill out the fields below so we can help you better.

My domain is: elitedesignevents.xyz

I ran this command:

cd letsencrypt

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory --help --debug

./letsencrypt-auto certonly -a manual -d www.elitedesignevents.xyz -d elitedesignevents.xyz --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview --debug

chmod 0777/etc/letsencrypt/live/www.elitedesignevents.xyz/cert.pem

cp /etc/letsencrypt/live/www.elitedesignevents.xyz/cert.pem

sudo cat /etc/letsencrypt/live/www.elitedesignevents.xyz/cert.pem
sudo cat /etc/letsencrypt/live/www.elitedesignevents.xyz/privkey.pem
sudo cat /etc/letsencrypt/live/www.elitedesignevents.xyz/chain.pem

It produced this output: I could enable SSL

My operating system is (include version): Mac OS El capitan

My web server is (include version): CentOS release 6.9, cPanel Version 58.0 (build 45) NO AUTO SSL AVAILABLE!

My hosting provider, if applicable, is: hostnine.com

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

Hello guys

I am very new to SSL, i spent a lot of time understanding how to install a SSL certificate without root SSH access on my server. I finally did it and I now want to be able to renew the certificates for my many domains and I was hoping I can do this without repeating the steps it took to enable the SSL.

I specified what steps i took to install SSL above.

I tried renewing the SSL using these commands :

cd letsencrypt

./letsencrypt-auto certonly --standalone --renew-by-default -d elitedesignevents.xyz -d www.elitedesignevents.xyz --agree-dev-preview --debug

With the result

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.elitedesignevents.xyz/fullchain.pem. Your
    cert will expire on 2017-07-09. To obtain a new or tweaked version
    of this certificate in the future, simply run letsencrypt-auto
    again. To non-interactively renew all of your certificates, run
    "letsencrypt-auto renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate

So basically its says that it renewed my SSL but after logging in to my cpanel, the expiring date is the same.

I opened the fullchain generated and tried to install it manually in my cpanel, but i am missing the privkey,pem, it was not generated after the renewal steps and I cannot install it without a newly generated one.

Why does it say it has renewed my SSL in the congratulatory message then?

How can I do it faster for my other domains?

I spent a week trying to figure this thing out!

Thank you very much

Hi @razclud,

I’m not quite sure from your message whether you ran letsencrypt-auto on your web server or on your own Mac OS laptop. In order to modify things inside /etc, you would need to have root access. Since you said twice that you don’t have root access on the web server, I guess maybe you are running Certbot (as letsencrypt-auto) on your own laptop?

“Renewing” a certificate does not change anything about the existing certificate; in this case it means replacing it with a new certificate with substantially the same contents. Your /etc/letsencrypt/live/www.elitedesignevents.xyz/fullchain.pem refers to a new certificate, and the corresponding privkey.pem file should be available at /etc/letsencrypt/live/www.elitedesignevents.xyz/privkey.pem. If you have to upload this to a separate server and/or configure it in cPanel, you will need to upload the new privkey.pem as well.

However, I’m not sure if this is the case because it doesn’t make sense to me that --standalone would have worked if running on your own laptop, while it doesn’t make sense to me that files in /etc could be updated on the server if you don’t have root access there.

You did, in fact, get a new certificate (on whichever computer you were running Certbot on); it’s described here

https://crt.sh/?id=108460229

The computer that you ran Certbot on should have the new privkey.pem available too.

People who configure their web sites with cPanel can often use a cPanel feature called AutoSSL, https://blog.cpanel.com/autossl/, which is an alternative to running Certbot yourself and could be much easier. I believe it has to be enabled by the hosting provider.

Schoen Thank you very much for replying.

I am using my computer to install SSL. Everything is done locally. I installed SSL successfully this way for 10 domains, without root SSH.

As I said above, the version of cpanel currently on my server is an older one, so no AutoSSL, which was implemented with version 59 i think.

When installing a new SSL i get the, cert, privkey and chain which i then install in Cpanel copy/paste and it works beautifully.

When trying to RENEW it, i only get cert and chain but not the privkey. Even in the fullchain there are just those two.

Waiting for verification…
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0004_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0004_csr-certbot.pem

This is what i get, so the path and the filname changes, i would have to open these new files but i am missing the privkey.

This is everything i have done trying to renew it: (i deleted parts of the certificates, to be safe)

Retina:letsencrypt imac$ ./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory --help --debug

Upgrading certbot-auto 0.12.0 to 0.13.0...
Replacing certbot-auto...
Password:
Sorry, try again.
Password:
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Requesting root privileges to run certbot...
  /Users/imac/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory --help --debug

  letsencrypt-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
cert. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
    (default) run   Obtain & install a cert in your current webserver
    certonly        Obtain or renew a cert, but do not install it
    renew           Renew all previously obtained certs that are near expiry
   -d DOMAINS       Comma-separated list of domains to obtain a cert for

  --apache          Use the Apache plugin for authentication & installation
  --standalone      Run a standalone webserver for authentication
  --nginx           Use the Nginx plugin for authentication & installation
  --webroot         Place files in a server's webroot folder for authentication
  --manual          Obtain certs interactively, or using shell script hooks

   -n               Run non-interactively
  --test-cert       Obtain a test cert from a staging server
  --dry-run         Test "renew" or "certonly" without saving any certs to disk

manage certificates:
    certificates    Display information about certs you have from Certbot
    revoke          Revoke a certificate (supply --cert-path)
    delete          Delete a certificate

manage your account with Let's Encrypt:
    register        Create a Let's Encrypt ACME account
  --agree-tos       Agree to the ACME server's Subscriber Agreement
   -m EMAIL         Email address for important account notifications

More detailed help:

  -h, --help [TOPIC]    print this message, or detailed help on a topic;
                        the available TOPICS are:

   all, automation, commands, paths, security, testing, or any of the
   subcommands or plugins (certonly, renew, install, register, nginx,
   apache, standalone, webroot, etc.)


Retina:~ imac$ cd letsencrypt



Retina:letsencrypt imac$ ./letsencrypt-auto certonly --standalone --renew-by-default -d elitedesignevents.xyz -d www.elitedesignevents.xyz --agree-dev-preview --debug
Requesting root privileges to run certbot...
  /Users/imac/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --renew-by-default -d elitedesignevents.xyz -d www.elitedesignevents.xyz --agree-dev-preview --debug
Use of --agree-dev-preview is deprecated.
Use of --agree-dev-preview is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for elitedesignevents.xyz
tls-sni-01 challenge for www.elitedesignevents.xyz
Waiting for verification...
Cleaning up challenges
Generating key (4096 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.elitedesignevents.xyz/fullchain.pem. Your
   cert will expire on 2017-07-09. To obtain a new or tweaked version
   of this certificate in the future, simply run letsencrypt-auto
   again. To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Retina:letsencrypt imac$ sudo cat /etc/letsencrypt/keys/0005_key-certbot.pem
-----BEGIN PRIVATE KEY-----
MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC0GRW0PsM9A/J3
Ayf/1gx2dEvyUxQZQvYWzz0/2fo5DEgwKUb4chtdLbyw0a0wurNGro0mJfbiaOFQ
2MyC2D24n6Lh+QbQ0EW/Amz7Igp5Zf084kLvS8fMw/Ucpcmc3Fg9yR4kQRn8zYtn
kajzH2ZRBSSqu0AqFhyt1z7BlYBzex85W5nT5EX/dTXolf4ha5id3s+8EFvnquxz
Ab1Tkf7zJQMefH8zB99LDCOgURALxE5UcQpELo5k+T2iTJNmmfmini4EL3+Am5ub
7yDX0s6NHbrs4p2yqLN2LE/lO7IFQRwIOcbHK2kbiShqLWdbt4tgpPe7krqKiCEN
8P9qpoUEL9zgFNIAcg2gPsnuXzvNLw3kc+L/Iz26Dn0ZEJ4tmTjHXf6U8BCOxqj4
jAjIOnQGhtbWyjcDuZmDcZYk0D4Buhc/ps/MYLN1s3wfmd9HEG4jpex9q+eWzeDT
BuP3pvtwP55TEvfcdz4PWA+zM/wDRqpTOo3n+gU1m5evFXopVXwjJ9RXA1Q2A21/
mqbVUYZXCeT90aA/sOay/V3Lgbc4i6qnQ/FbaGz5pWcwsKsK8cQocFpHHUk85LJT
GGGsL+7yPzBxeucnAyaitILM79tAu0sToZUu1nHy37wTJMpogvng9SlAh+zQZ5Qj
YLqoMTz+RZyebK8CbNREzu5/drjgKwIDAQABAoICACybKe0CvoiWOa+QcI/FDEEq
fMUAHrJDC4CKw7jU3EzU5exHzPQsDur9MQb6Z9Lx6wVOplcUgBmDsIq9p6mgtWjM
v0cc0O+ImtsnFcURDnIpwgGFkk0/ThVxd5lAzqaS6nGpwClBI8GBx0x3hbdMP3L2
++a6cXpWtIhhnmM5gqzlvC0NQ2THKtcE83hFcBBQXYpTavKXDt1hmcGqjO/RMvj6
IAi1m0sFaG86po4c5wHOGacKByLjBS1VlyeGmPfFWKh9f+MlD+/vPCshlDJPOIPv
gJtD2kW482Ym+SvNXq9ACz0UnX9YjFGGOVwmMk1KkSlDwL+1AoIBAQDNWvBTF4p6
FATj2FkAeIE07+NS7FuHgxLtEzZWMwyh3wVjyQWnA8GI+bKrwdxd0ebtJAIjI8OM
8tiLkvZDN0TN27bomoVVL+eGpMxx80sLWfl639sRXZXc8vyALxL9PZTVEk8qIX5Q
RXnr0BwbAlWaLyJdQdiBQIldpWyuzS5Ewa1bNeODN8ER5/VKv3XFK+AQu/70fob/
+xi1osmj3G5C1qvT1e/yuTecxTjOOXrxbPh3q4N3NeHDwrwK9VB5CI2VXWQmWcKY
G8Mzo3++bjE3rzyjAVGOR7MAddsTNZBbct5xzyndxMtx/z3FJtI1O3LZVuHosDEA
OBH/cMixKExfAoIBAAib4pfQZ+qg1HjPMRylf6OQ8Bfot7VEEslP+uHhtJAxWfUm
fJsCn6xJhlvUzzGJ8aO7xAlN6VTMfJnwiQpBxWz6U3U0NGTQtyIGbCh1CjQHqvex
AHBKPGlABY6mWsqVZpLj2pykOmMqyWZeyQb6UFqoFVZ1nvACV5n74NupoxpJGajT
eVtM6H8fDKQuiAe3KtkcQmx1LYp0FpwOSiySsESslD6W179DcjqyWqu0qMDV+JV3
gLReCJsBHKebgjU3OtY7r5ZVmnVlzjJqCOPvEHWuW8PvqbO67Abvotd/NfTvHLdP
1f3ulghk9hFdnPT6aRSrJMEh1++7BA207UEk1fUCggEAQn9eLyoCV4HAC5/1QifD
f0bnD+Ulxn31VPvRrpwdTRWRAz0HLY62taG2t30fUkFjQH0/DmyKmm5Yh/H98PP/
AGZXGiAPPrQaRz8/ZogBvgq7hpjsUQM3aN
RsD9Kn/KPbspW51vfUTZXjL9tceR1OGrrkaqZUThPBfp12pjUqzuW/g+3dvU4EZQ
5EOPODhNoNldRpRIQmrCYVud1L+5d4XW9+Kt120joQdVYmr5XJLgfo/cFJ9nDEbS
NIlbx4QUjJ2Etcc8MZ8iIHiW31Xx
-----END PRIVATE KEY-----
Retina:letsencrypt imac$ sudo cat /etc/letsencrypt/csr/0005_csr-certbot.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIEpzCCAo8CAQIwHDEaMBgGA1UEAwwRbnVkZXNleHdlYmNhbS5jb20wggIiMA0G
CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC0GRW0PsM9A/J3Ayf/1gx2dEvyUxQZ
QvYWzz0/2fo5DEgwKUb4chtdLbyw0a0wurNGro0mJfbiaOFQ2MyC2D24n6Lh+QbQ
0EW/Amz7Igp5Zf084kLvS8fMw/Ucpcmc3Fg9yR4kQRn8zYtnkajzH2ZRBSSqu0Aq
Fhyt1z7BlYBzex85W5nT5EX/dTXolf4ha5id3s+8EFvnquxzAb1Tkf7zJQMefH8z
B99LDCOgURALxE5UcQpELo5k+T2iTJNmmfmini4EL3+Am5ub7yDX0s6NHbrs4p2y
qLN2LE/lO7IFQRwIOcbHK2kbiShqLWdbt4tgpPe7krqKiCEN8P9qpoUEL9zgFNIA
cg2gPsnuXzvNLw3k
DQEBCwUAA4ICAQA39sA7xyJRbC7Q2by9HZWMHp6FyUpeKwP241Woy3dlwKspHS04
v9fpoAhzGRB9QpisWkrsO3HomdgbshXTHOJWbC0blqiJVg6yKejA0BDS4ljqL25F
hEdTXCmjFn3963pHmDo6bGNDqRpp0TiCrJmZ6DDZXRzvNnE4ZnngOQpS8mBX6xqz
OOEg/t532yIC9vsOm5p2GWTJNJeTMvIMTOoZGCsvS2oNn18/rKXXAcgakz7Co+ZK
1JvEy2VxTIK8cSlq2hM7bOKjjgTRpLwHHKOMadZAjYbpRGTq9yNX67eZbPJzIO2k
BJsyabUqXgjjp2LzTdxqCTgX+dLIZTYAG/25ZQpmf77e+AAt9LAgDHVKtSeyWRbs
Tzo8Y+21T9pQveGcUUE2MTFgFRUFgaAiGGvTk9z9VUvRt5XuWNIEvH0kjWixzEIf
CP6Bh+bIft3m/8GFdOjikxI1zg0ecsLMbxBHQDhyt/KQ/0F8z2hNg37xssWOjKbF
Uw8DiqPRdXoSP5xxevxx2srLA9HzX1sVO4Lk8D07WJZDCYYwVgpdAkzHxw68zglS
SpkeUohPGVy/WIg+s/YlAKTJQYPAKXhPRfN4JJJr2hTIYXH9xyEpDPkO6ihoxn6q
nMfkPkr/yeGFf27k1f1zytx8XiLopwzAjv/JGs7U5vF/j6yd0FIZiM/PMw==
-----END CERTIFICATE REQUEST-----
Retina:letsencrypt imac$ sudo cat /etc/letsencrypt/keys/cert.pem
cat: /etc/letsencrypt/keys/cert.pem: No such file or directory
Retina:letsencrypt imac$ sudo cat /etc/letsencrypt/live/www.elitedesignevents.xyz/fullchain.pem
-----BEGIN CERTIFICATE-----
MIIGHTCCBQWgAwIBAgISA5hXIyVgYhms4+4SiHQ3A6bLMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA0MTAyMjM3MDBaFw0x
NzA3MDkyMjM3MDBaMBwxGjAYBgNVBAMTEW51ZGVzZXh3ZWJjYW0uY29tMIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtBkVtD7DPQPydwMn/9YMdnRL8lMU
GUL2Fs89P9n6OQxIMClG+HIbXS28sNGtMLqzRq6NJiX24mjhUNjMgtg9uJ+i4fkG
0NBFvwJs+yIKeWX9POJC70vHzMP1HKXJnNxYPckeJEEZ/M2LZ5Go8x9mUQUkqrtA
KhYcrdc+wZWAc3sfOVuZ0+RF/3U16JX+IWuYnd7PvBBb56rscwG9U5H+8yUDHnx/
MwffSwwjoFEQC8ROVHEKRC6OZPk9okyTZpn5op4uBC9/gJubm+8g19LOjR267OKd
sqizdixP5TuyBUEcCDnGxytpG4koai1nW7eLYKT3u5K6ioghDfD/aqaFBC/c4BTS
AHINoD7J7l87zS8N5HPi/yM9ug59GRCeLZk4x13+lPAQjsao+IwIyDp0BobW1so3
A7mZg3GWJNA+AboXP6bPzGCzdbN8H5nfRxBuI6Xsfavnls3g0wbj96b7cD+eUxL3
3Hc+D1gPszP8A0aqUzqN5/oFNZuXrxV6KVV8IyfUVwNUNgNtf5qm1VGGVwnk/dGg
P7Dmsv1dy4G3OIuqp0PxW2hs+aVnMLCrCvHEKHBaRx1JPOSyUxhhrC/u8j8wcXrn
JwMmorSCzO/bQLtLE6GVLtZx8t+8EyTKaIL54PUpQIfs0GeUI2C6qDE8/kWcnmyv
AmzURM7uf3a44CsCAwEAAaOCAikwggIlMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
aW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wMwYDVR0RBCwwKoIRbnVkZXNleHdlYmNh
bS5jb22CFXd3dy5udWRlc2V4d2ViY2FtLmNvbTCB/gYDVR0gBIH2MIHzMAgGBmeB
DAECATCB5gYLKwYBBAGC3xMBAQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMu
bGV0c2VuY3J5cHQub3JnMIGrBggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNh
dGUgbWF5IG9ubHkgYmUgcmVsaWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFu
ZCBvbmx5IGluIGFjY29yZGFuY2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5
IGZvdW5kIGF0IGh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0G
CSqGSIb3DQEBCwUAA4IBAQBGpufvmJb0DUA0cX7sbfCUzr3SY4JKdaT5Q58+3XUe
GFIhTV2uLncTT2wohnZFSjRWvnX9imC2Rmq1B3iPlb/I2WZr83J3TTjtJn0Y9o9i
85xxz+/Rqzoy3IHZBJdRT+O6zQGz+LUfUVtp757wvcA68L58MWMcsCH09YcFdHzl
2NzAwcP5VT2SCzc4KPaaX3JVBe355Xnz50yFWko6XEG7Bpw5OkB92nHqvmQnMsNn
b287MhUdVEthvFb5Ad4Huf2F4Q8tK3NPSrI+pd9c3DlnPAygPcyRXvICf7I8dq1V
2elBjVvJFZf6Kh4V5XLS5mBtbC2IxNrctVo9o6MpH/4B
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAO
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
Retina:letsencrypt imac$ sudo cat /etc/letsencrypt/csr/0005_key-privkey.pem
Password:
cat: /etc/letsencrypt/csr/0005_key-privkey.pem: No such file or directory
Retina:letsencrypt imac$ ls -lh
total 400
-rw-r--r--   1 imac  staff    14K Mar 27 03:31 CHANGELOG.md
-rw-r--r--   1 imac  staff   276B Mar 27 03:31 CHANGES.rst
-rw-r--r--   1 imac  staff   1.4K Mar 27 03:31 CONTRIBUTING.md
-rw-r--r--   1 imac  staff   635B Mar 27 03:31 Dockerfile
-rw-r--r--   1 imac  staff   2.9K Mar 27 03:31 Dockerfile-dev
-rw-r--r--   1 imac  staff   2.9K Mar 27 03:31 Dockerfile-old
-rw-r--r--   1 imac  staff   428B Mar 27 03:31 ISSUE_TEMPLATE.md
-rw-r--r--   1 imac  staff    11K Mar 27 03:31 LICENSE.txt
-rw-r--r--   1 imac  staff   205B Mar 27 03:31 MANIFEST.in
-rw-r--r--   1 imac  staff   7.4K Mar 27 03:31 README.rst
drwxr-xr-x  11 imac  staff   374B Mar 27 03:31 acme
drwxr-xr-x  30 imac  staff   1.0K Mar 27 03:31 certbot
drwxr-xr-x   9 imac  staff   306B Mar 27 03:31 certbot-apache
-rwxr-xr-x   1 imac  staff    46K Mar 27 03:31 certbot-auto
drwxr-xr-x  13 imac  staff   442B Mar 27 03:31 certbot-compatibility-test
drwxr-xr-x  10 imac  staff   340B Mar 27 03:31 certbot-nginx
-rw-r--r--   1 imac  staff   856B Apr  5 03:00 certbot.log
-rw-r--r--   1 imac  staff   360B Mar 27 03:31 docker-compose.yml
drwxr-xr-x  19 imac  staff   646B Mar 27 03:31 docs
drwxr-xr-x   8 imac  staff   272B Mar 27 03:31 examples
-rwxr-xr-x   1 imac  staff    46K Apr 11 02:01 letsencrypt-auto
drwxr-xr-x  14 imac  staff   476B Mar 27 03:31 letsencrypt-auto-source
drwxr-xr-x   9 imac  staff   306B Mar 27 03:31 letshelp-certbot
-rw-r--r--   1 imac  staff   813B Mar 27 03:31 linter_plugin.py
-rw-r--r--   1 imac  staff   494B Mar 27 03:31 readthedocs.org.requirements.txt
-rw-r--r--   1 imac  staff   139B Mar 27 03:31 setup.cfg
-rw-r--r--   1 imac  staff   4.0K Mar 27 03:31 setup.py
drwxr-xr-x  12 imac  staff   408B Mar 27 03:31 tests
drwxr-xr-x  11 imac  staff   374B Mar 27 03:31 tools
-rwxr-xr-x   1 imac  staff   1.3K Mar 27 03:31 tox.cover.sh
-rw-r--r--   1 imac  staff   5.4K Mar 27 03:31 tox.ini

The renew command updates everything, including the private keys.

You pasted a private key! On the forum! You need to revoke it (which will make it stop working, sometimes) and issue a new certificate with a new key.

./letsencrypt-auto revoke --cert-path /etc/letsencrypt/live/www.elitedesignevents.xyz/cert.pem --reason keycompromise

(assuming that's still the certificate associated with that private key)

Ignore that private key path. If the full chain path is /etc/letsencrypt/live/www.elitedesignevents.xyz/fullchain.pem, the private key is at /etc/letsencrypt/live/www.elitedesignevents.xyz/privkey.pem. Certbot will update the files (symlinks, actually) at those paths so they always refer to the current... certificate and private key after renewing.

2 Likes

Agreed with @mnordhoff’s explanation (including the need to revoke the certificate with the private key you pasted here). I suspect the trouble you’ve been having is that the private key is in a separate file from the fullchain, while the output from Certbot upon renewal only mentions the fullchain as having been updated.

In fact, Certbot has updated 4 different files in association with the renewal but only decided to tell you about one of them, which is basically because of other kinds of confusion that some users faced in the opposite direction when they were running Certbot directly on their servers, rather than on their personal computers. I’m afraid this message wasn’t really optimized for your situation; it didn’t assume you would be copying the files onto another machine, so it didn’t mention the privkey.pem which was also, nonetheless, updated at the same time.

1 Like

I tried opening the sudo cat /etc/letsencrypt/keys/privkey.pem and it cannot find it, the renewed ones, with this file name “0005_key-certbot.pem” are the only ones that I can read. I tried replacing certbot.pem with privkey.pem and CSR instead of the KEY too, but they are all not found. So basically I am missing privkey. Thats one problem.

The other one: Is there a way to just run a command and the certificates renew themselves? Without me having to copy/paste all 3 necessary files and pasting them to cpanel? Its not a big deal for a few domains but its very time consuming for many domains, it almost trumps the “free” label and I consider just paying $9/ year and thats that.

[quote="razclud, post:6, topic:31816, full:true"]
I tried opening the sudo cat /etc/letsencrypt/keys/privkey.pem and it cannot find it, the renewed ones, with this file name "0005_key-certbot.pem" are the only ones that I can read. I tried replacing certbot.pem with privkey.pem and CSR instead of the KEY too, but they are all not found. So basically I am missing privkey. Thats one problem.[/quote]

It's not /etc/letsencrypt/keys, it's

/etc/letsencrypt/live/www.elitedesignevents.xyz/privkey.pem

We should probably make Certbot not mention /etc/letsencrypt/keys at all; it was basically meant as a backup in case of catastrophes (I'm not sure I know of a situation in which someone has found it useful).

Running Certbot on your laptop instead of your web server is almost always going to produce a fair amount of annoyance and inconvenience. It's preferable to run it on your web server directly because then the certificates can be updated directly in-place where they are used (with no separate upload step). For cPanel users, there is a cPanel feature called AutoSSL which is preferable to Certbot for most users.

This directly obtains and configures the certificate on cPanel-managed sites.

While people are welcome to run Certbot in whatever configuration or use case they like, the main intended audience is system administrators who directly manage their own web server. For people on shared hosting, we definitely encourage them to ask the hosting provider to arrange for some kind of official Let's Encrypt integration on the hosting provider's end, rather than leaving it to customers to do this for themselves.

I am on a shared hosting like most of the letsencrypt users. There has to be a way to make it simpler. Updating the cpanel is not in our control, to be able to have AutoSSL. Without root ssh, this is the only way to install certificates.

I cannot believe that there is not an easy way to renew multiple domains SSL certificates. It beats the advantage of being free, for webmasters that own more domains.

I will try again tomorrow and see if I can get the privkey.pem

I will let you guys know,

Thank you very much for your replies

The ease of installing certificates on a shared hosting environment is almost totally outside of our control. The hosting provider decides everything about the interface and features that are available in that environment.

A lot of providers have made it work well:

What will probably help most with the other providers is pressure from their customers.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.