Renewal and ssltest


#1

Hello,

Today i got a mail from Letsencrypt to renew the certificate:

“Your certificate (or certificates) for the names listed below will expire in 15 days (on 10 Mar 16 18:04 +0000)”

I have 2 questions about it.

I did the renewal:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email ‘mail@mydomain.nl’ --webroot --webroot-path ‘/home/myuser/domains/mydomain.nl/public_html/’ -d mydomain.nl -d www.mydomain.nl --force-renew --debug
service httpd restart

The output was:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/domain.nl-0001/fullchain.pem. Your
    cert will expire on 2016-05-24. To obtain a new version of the
    certificate in the future, simply run Let’s Encrypt again.

I see: /etc/letsencrypt/live/domain.nl-0001/fullchain.pem
But before it was: /etc/letsencrypt/live/domain.nl/fullchain.pem

And i am using Symlinks with: /etc/letsencrypt/live/domain.nl/fullchain.pem

Why it’s now: “domain.nl-0001”?
And what can i do about it?

And the other question. If i go to for example: https://ssldecoder.org and i admit my domain.nl i am getting:

Certificate for 'domain.nl
Valid Until - Fri, 01 Apr 2016 14:06:00 +0000

Why they are saying it’s valid till “01 Apr 2016” while the mail from Letsencrypt is saying that the certificate will expire on “10 Mar 16”?

Thanks in advance!


#2

Hi Hendrik,

Are you sure that your webserver actually uses the certificate you think it uses?

It seems like you haven’t renewed you certificate, but created a completely new one. Renewal is (usually) done with the “renew” command. This command will update not only the certificate, but also the symlinks that you probably use in your webserver configuration.

Hans


#3

Yeah it looks like that. Now i don’t know which one is active, because there is:

/etc/letsencrypt/live/domain.nl

and

/etc/letsencrypt/live/domain.nl-0001

Can i check that somehow? And for the renewal i did again:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email ‘mail@mydomain.nl’ --webroot --webroot-path ‘/home/myuser/domains/mydomain.nl/public_html/’ -d mydomain.nl -d www.mydomain.nl --force-renew --debug
service httpd restart

On:

https://raymii.org/s/articles/Lets_Encrypt_Directadmin.html

They are saying:

“When the 90 days are almost up, come back to this page and execute the Let’s Encrypt command again with the correct domain and webroot options. You’ll be asked if you want to renew, agree, and the certificate will be renewed. Then restart the webserver via a service httpd restart. Repeat is for all certificates.”

They are saying i can just run the command again? Or do i really have to use the renew command? I can just do:

./letsencrypt-auto renew --force-renew --debug

Or is that not totally correct?


#4

Hi,

If you use certonly, you’ll have to configure your webserver manually to use the correct files. I can’t help you with DirectAdmin (never used it), but this is what you should do without DirectAdmin.

Check your webserver’s configuration. Looks like you’re on Fedora, in which case you can find it somewhere under /etc/httpd. Check for a config file with these directives

SSLCertificateFile
SSLCertificateKeyFile and
SSLCertificateChainFile

Those should be pointing to files under /etc/letsencrypt/live/domain.nl-0001, which, in turn, should be symlinks to the actual files in /etc/letsencrypt/archive/domain.nl-0001.

Your webserver could be using files under /etc/letsencrypt/live/domain.nl, but seeing that the e-mail you received mentions a different date than ssldecoder, I assume you’re using yet an other certificate :slight_smile:

Ideally, if you’ve created and installed a certificate, all you have to do to renew it, is

letsencrypt renew

I wouldn’t use --force-renew unless you want letsencrypt to renew even if your certificate isn’t going to expire soon.


#5

Thanks! I am on CentOS if that’s what you mean, but i know the locations of the files:

/etc/letsencrypt/live/domain.nl/cert.pem
/etc/letsencrypt/live/domain.nl/privkey.pem
/etc/letsencrypt/live/domain.nl/chain.pem

I can check the content of the files. Which files are changing with the renewal? All of them? And do i have to compare the content of the files with a tool like:

https://ssldecoder.org

Now there are 2 directories: domain.nl and domain-0001 (and in /etc/letsencrypt/archive also)

And if i do:

letsencrypt renew

i am getting: command not found…i think i have to do it with something like ./letsencrypt-auto renew ? I know it’s better to skip --force-renew but i am adding that for testing now…then i can check if it’s really updated.


#6

I just did some tests. There are the following files:

cert.pem
privkey.pem
chain.pem
fullchain.pem

After the renewal the content chain.pem is still the same and the content of the others are changing, is that correct?

With for example:

https://ssldecoder.org

i can compare the content of chain.pem, but that’s not changing anyway with the renewal, so i still don’t know how to check if it’s really updated and which one is active (domain.nl or domain.nl-0001).

As a test i did again:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory certonly --agree-tos --email ‘mail@mydomain.nl’ --webroot --webroot-path ‘/home/myuser/domains/mydomain.nl/public_html/’ -d mydomain.nl -d www.mydomain.nl --force-renew --debug

But then letsencrypt is saying again:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/mydomain.nl-0001/fullchain.pem. Your
    cert will expire on 2016-05-26. To obtain a new version of the
    certificate in the future, simply run Let’s Encrypt again.

So while i know for sure that i put mydomain.nl in the command…letsencrypt is making mydomain.nl-0001 of it?

I used --force-renew to test some things, but now i reached the limit, so i have to wait for a while (i think a week) to do some more tests.


#7

Oh oh oh stupid programmers ;). I was all day checking everything and at the end i found the problem. Something went wrong with a unix command. I had to create symlinks for Directadmin and the output was:

ln: creating symbolic link `PATH’: File exists

So i thought…okay the file exists, but the symbolic link was created. But is was not! Unix can not output that it is an error and that the symbolic link was not created!!! Maybe they can programm it logically, but they also have to think more about the logic of users who are also just thinking logically, but never worked with unix.


#8

Not really sure what you mean.

If you create a certificate (with certonly or run), letsencrypt creates 4 files for you: a chain, a full chain, a key and a certificate. It places them under /etc/letsencrypt/archive/<domain> and creates symlinks to them under /etc/letsencrypt/live/<domain>. You then configure your webserver to use the symlinks under live.

If you renew, letsencrypt will create new files under /etc/letsencrypt/archive/<domain> and add -0001 to them. Next time it will add -0002 and so on. Renew will also update the symlinks under /etc/letsencryp/live/<domain>, so that your webserver will always use the latest files under archive.

If you create a new certificate for an already existing domain, letsencrypt will do the same trick for the directory: it will create /etc/letsencrypt/archive/<domain>-0001 etc.

The question ‘which certificate is active’ is answered by checking your webserver config. The certificate that is loaded by the webserver, is ‘active’. You can check which certificate was created most recently with “ls -l”: that will show you the date the files were last modified. It will also show you where symlinks point to, btw.


#9

I don’t think it’s true what you’re saying. For example:

/etc/letsencrypt/live/DOMAIN.EXT/cert.pem

It is a symlink to:

/etc/letsencrypt/archive/DOMAIN.EXT/cert1.pem

If you renew then it still will be:

/etc/letsencrypt/live/DOMAIN.EXT/cert.pem

But now it’s a symlink to:

/etc/letsencrypt/archive/DOMAIN.EXT/cert2.pem

I think it’s working like that and it also makes more sence. Why they would create a lot of different directories while they can also work with 1 directory and just changing the files in the directory to 1, 2 etcetera instead of the directory itself. But in 5 days or something i can force renewal again, so i can do some more tests. I still don’t know why it was creating -0001, but before there went something wrong with creating my other symlinks in directadmin, so maybe it had to do with that. Later on i’ve tested already everything with another domain and everything went well, also with the renewal. But i think it’s working like i am saying here above and not like you are saying with DOMAIN.EXT-0001 , -0002 etcetera.