Renewal conf file ... is broken


#1

The Situation:

There is a cert that has worked for over 80 days and ends in a few days.

$ list-certificates
common name: example.com
issuer: Let’s Encrypt Authority X3
valid until: 2016-10-17 10:54:00 CEST
will be removed in 4 days.
alternative name: example.com
alternative name: blog.example.com
alternative name: www.example.com

A few weeks ago, the subdomain blog.example.com was removed from Webhost / cli.ini.

There is a letsencrypt-renew script with crontab which works on other accounts by this webhost.


1.) renew-script run first time

I got an email with this message:

WARNING:letsencrypt.client:Non-standard path(s), might not work with crontab installed by your operating system package manager
archive directory exists for example.com-0001

This happened:

new files created/updated:
/archive/example.com/full_cert2.pem (updated)
/csr/0007_csr-letsencrypt.pem (new with 4kb)
/keys/0007_key-letsencrypt.pem (new 4kb)
/renewal/example.com-0001.conf (new 0kb, empty)


2.) renew-script run second time

I got an email with this message:

WARNING:letsencrypt.cli:Renewal conf file /home/xxx/.config/letsencrypt/renewal/example.com-0001.conf is broken. Skipping.
2016-10-12 12:02:33,743:WARNING:letsencrypt.client:Non-standard path(s), might not work with crontab installed by your operating system package manager
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /home/xxx/.config/letsencrypt/live/example.com-0002/fullchain.pem.
    Your cert will expire on 2017-01-10. To obtain a new version of the
    certificate in the future, simply run Let’s Encrypt again.

IMPORTANT NOTES are a lie?

$ list-certificates
common name: example.com
issuer: Let’s Encrypt Authority X3
valid until: 2016-10-17 10:54:00 CEST
will be removed in 4 days.
alternative name: example.com
alternative name: blog.example.com
alternative name: www.example.com

new files/folders created:

archive/example.com-0002/ (new with 4 files)
/csr/0008_csr-letsencrypt.pem (new with 4kb)
/keys/0008_key-letsencrypt.pem (new 4kb)
live/example.com-0002/ (new with 4 symlinks to archive/example.com-0002/)
/renewal/example.com-0002.conf (new with 2kb, the subdomain blog.example.com was deleted in the domain-row)


The Problem:

Let’s has created a new .conf file (-0002.conf) in the /renewal folder.
This new -0002.conf file is now the actual .conf file for the renew script in the crontab. But Let’s doesn’t change the path in the renew script. Logical.
For the other files, it is the old files that get a number, not the current one (or every one from 1)?

What can you do there?


#2

If I understand correctly, you had an original ( and current ) cert for
alternative name: example.com
alternative name: blog.example.com
alternative name: www.example.com

You have then modified it to remove blog.example.com ?

What commands did you use for removing blog.example.com ?
As I understand it you need either --expand to add new domains or --allow-subset-of-names to reduce the number of domains. Otherwise it creates a new config set with -000X as it thinks it’s a new cert (not a renewal).

Personally I’d probably remove all, and recreate the cert with just the domains you want in it ( and get away from the -0001 and -0002 accounts).


#3

Yes, it’s correct.

No, I haven’t modified the cert. I have modified only the webhost settings for domains AND the domains in the domain row in /home/xxx/.config/letsencrypt/cli.ini. There I removed the subdomain blog.example.com.

A script is used to renew the cert (with a crontab):

#!/bin/bash
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin

# sleep for a random time so not all certificates get renewed at the same time
sleep 142

# exit status is non-zero if the certificate expires within 864000 s (10 days)
openssl x509 -checkend 864000 -noout -in ~/.config/letsencrypt/live/example.com/cert.pem > /dev/null

if [ $? != 0 ]; then
  # run let's encrypt
  letsencrypt certonly
  # import certificate
  add-certificate -k ~/.config/letsencrypt/live/example.com/privkey.pem -c ~/.config/letsencrypt/live/example.com/cert.pem
fi

This works fine in other webhost-accounts.

Questions:

1.) How can I add a domain/subdomain to the current cert?

--expand ???
Must only the new be specified, or all? And if so, how?
Please write an example.

2.) How can I delete a domain/subdomain from the current cert?

The certbot manpage writes this:

--expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains.

Nothing is written here about removing a domain/subdomain, only “new domains”.

I know about this. At this time there is no solution.

The general problem: When Let’s changes the folder names for the current cert, then all renew scripts have a problem.
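
The renew script above imports whatever sits under live/example.com/ without checking that the certificate still carries the intended domains; once the lineage has quietly become example.com-0001 or -0002, the script keeps importing a stale cert (the old three-name one in this thread). The following is an added example, not the poster's script and not certbot's own code: it keeps the same -checkend expiry test and adds a SAN comparison so a renewal that drifted to a different domain set is reported and not imported. LIVE_DIR, WANTED_DOMAINS and the script name check-cert-domains.sh are assumed values for illustration.

```sh
#!/bin/sh
# Added example, not the poster's script and not certbot's own code: checks a renew
# script can run before importing a certificate, so a lineage that quietly became
# example.com-0001/-0002 with a different domain list is noticed instead of being
# deployed. LIVE_DIR and WANTED_DOMAINS are assumed values for illustration.

LIVE_DIR="${LIVE_DIR:-$HOME/.config/letsencrypt/live/example.com}"  # assumed path
WANTED_DOMAINS="example.com www.example.com"                         # assumed list, after dropping blog.example.com
RENEW_WINDOW_SECONDS=864000                                          # 10 days, same window as the thread's script

# Turn a whitespace-separated list of names into one lower-cased, sorted,
# de-duplicated name per line so that two lists can be compared as sets.
normalize_names() {
    printf '%s\n' $1 | tr 'A-Z' 'a-z' | sort -u
}

# Succeed (status 0) only when both lists hold exactly the same set of names.
sans_match() {
    [ "$(normalize_names "$1")" = "$(normalize_names "$2")" ]
}

# Print the names from list $1 that do not appear in list $2, one per line.
names_not_in() {
    have=" $(normalize_names "$2" | tr '\n' ' ')"
    for n in $(normalize_names "$1"); do
        case "$have" in
            *" $n "*) ;;
            *) printf '%s\n' "$n" ;;
        esac
    done
}

# Read the DNS SANs out of a PEM certificate as a whitespace-separated list.
# Relies on the "X509v3 Subject Alternative Name:" line of `openssl x509 -text`
# being followed by a single "DNS:a, DNS:b, ..." line, which is openssl's layout.
cert_sans() {
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' \
        | tr '\n' ' '
}

# Status 0 when the certificate expires within the renewal window.
needs_renewal() {
    ! openssl x509 -checkend "$RENEW_WINDOW_SECONDS" -noout -in "$1" >/dev/null 2>&1
}

# Compare the certificate's SANs with WANTED_DOMAINS; on drift, report which
# names are missing and which are unexpected, and fail so nothing gets imported.
check_cert_domains() {
    actual=$(cert_sans "$1")
    if sans_match "$WANTED_DOMAINS" "$actual"; then
        echo "OK: $1 covers exactly: $WANTED_DOMAINS"
        return 0
    fi
    echo "MISMATCH: $1 does not carry the intended domain set" >&2
    names_not_in "$WANTED_DOMAINS" "$actual" | sed 's/^/  missing from cert: /' >&2
    names_not_in "$actual" "$WANTED_DOMAINS" | sed 's/^/  unexpected in cert: /' >&2
    return 1
}

main() {
    cert="$LIVE_DIR/cert.pem"
    [ -r "$cert" ] || { echo "no certificate at $cert (lineage renamed?)" >&2; exit 1; }
    if needs_renewal "$cert"; then
        echo "renewal due for $cert"
        # letsencrypt certonly ...        <- the poster's renewal step belongs here
    fi
    # Import only if the lineage still carries the domain set we intend to serve.
    check_cert_domains "$cert" || exit 1
    # add-certificate -k "$LIVE_DIR/privkey.pem" -c "$cert"
}

# Run main only when executed as a script, so the functions can also be sourced.
case "${0##*/}" in check-cert-domains.sh) main ;; esac
```

Saved as check-cert-domains.sh and called from the crontab in place of the plain import, the script exits non-zero (and the mismatch goes to stderr, hence into the cron mail) whenever the cert under live/example.com/ still lists blog.example.com or lost a name it should have, which is exactly the situation the second cron mail in post #1 hid behind a "Congratulations" note.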


#4

I suspect this is where it all started to go wrong - when you manually edited the config file.

To modify what domains are included in the certificate, see https://certbot.eff.org/docs/using.html#re-running-certbot. To expand or reduce the number of domains use:

--expand tells Certbot to update an existing certificate with a new
certificate that contains all of the old domains and one or more additional
new domains.
--allow-subset-of-names tells Certbot to continue with cert generation if
only some of the specified domain authorizations can be obtained. This may
be useful if some domains specified in a certificate no longer point at this
system.

See the documentation at https://certbot.eff.org/docs/using.html#re-running-certbot

The next line in the documentation -

--allow-subset-of-names tells Certbot to continue with cert generation if
only some of the specified domain authorizations can be obtained. This may
be useful if some domains specified in a certificate no longer point at this
system.

The reason it changed the folder names, was because of your edit of the config file I think. The domain names did not then match, hence it created a new folder name for the certificate. If you use “expand” or “allow-subset-of-names” as described in the documentation, then you don’t get that issue. Hence why I suggested starting from a clean folder and starting again, expanding or reducing using certbot as required in the future.


#5

OK. --expand I get there. It also works.
But exactly the already existing domains / subdomains + the new must be specified, and probably also in the correct order. This is probably very sensitive. Otherwise a new .conf file and new folders are created.

letsencrypt certonly --expand -d example.com -d www.example.com -d blog.example.com

(certbot = letsencrypt)

However, I now have a little chaos in the letsencrypt folder. And the rate-limit reached.

--allow-subset-of-names I did not get.

Additional info: The webhost provider does not use the original certbot. It has its own implementation because of the root privileges.


#6

For testing use the --test-cert or --staging flag, then you won’t affect the rate limits.

Is this just an older version of certbot/letsencrypt? Or a modified version? (i.e. I don’t know if it has the same options as the official version, or works in the same way).

Do you have root access? Or is this a shared server? If so, you may be better off with one of the alternate clients.


#7
$ letsencrypt --version
letsencrypt 0.4.2

There is a modified version. (info from webhoster)

I have no root. Damned! :wink:
It’s a virtual shared webhost.
But I have an SSH shell.

Please write a correct example command line for --allow-subset-of-names. I’m unsure.

