Renewal does not work


#1

Hi,

[edit: after like 10 minutes it started to work, can someone explain to me why ???]

I keep having issues with a perfectly good certificate

https://www.carrefourclubforyou.beneficio.be/ gives SEC_ERROR_UNKNOWN_ISSUER

I first use --cert-test then once it’s ok I go for the real one with a --force-renewal

don't know if it’s the correct way so far …

sudo certbot certonly -n --webroot -d www.carrefourclubforyou.beneficio.be -w /var/www/html/beneficio/carrefourclubforyou --cert-path /etc/letsencrypt/live/www.carrefourclubforyou.beneficio.be/ --key-path /etc/letsencrypt/live/www.carrefourclubforyou.beneficio.be --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewal conf file /etc/letsencrypt/renewal/notifications.edenred.be.conf is broken. Skipping.
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.carrefourclubforyou.beneficio.be
Using the webroot path /var/www/html/beneficio/carrefourclubforyou for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.carrefourclubforyou.beneficio.be/fullchain.pem.
   Your cert will expire on 2017-08-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

here is the apache config

  <VirtualHost *:443>

                ServerName www.carrefourclubforyou.beneficio.be
                
                DocumentRoot /................

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile    /etc/letsencrypt/live/www.carrefourclubforyou.beneficio.be/fullchain.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/www.carrefourclubforyou.beneficio.be/privkey.pem

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                                Options -Indexes
                </Directory>
                <Directory "/...................">
                                allow from all
                                SSLOptions +StdEnvVars
                                Options -Indexes
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                # MSIE 7 and newer should be able to use keepalive
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

                SSLProtocol all -SSLv2 -SSLv3
                SSLHonorCipherOrder on
                SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

        </VirtualHost>

thanks


#2

Certificate is fine

If you are wanting further assistance then please spend 5 minutes explaining what you are observing, what other tests you have run etc.

My feeling is that information provided is not sufficient to advise.

Andrei


#3

I suggested in another thread that if this error recurs you could save a copy of the cert from the browser and then upload it here, so that we could see what cert it was and what the browser might have found objectionable about it.
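
As an added example (not posted by anyone in this thread), here is one way to see which certificate the server is actually presenting and compare it with the `fullchain.pem` that certbot just wrote, without going through the browser. The function names are hypothetical, and certificate verification is switched off only so that a certificate the browser rejects can still be retrieved for inspection.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_text):
    """Split a PEM bundle such as fullchain.pem into DER blobs, leaf first."""
    return [ssl.PEM_cert_to_DER_cert(b) for b in PEM_BLOCK.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_leaf_der(host, port=443, timeout=10):
    """Fetch the leaf certificate the server presents, trusted or not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # inspection only: do not abort the
    ctx.verify_mode = ssl.CERT_NONE  # handshake on an untrusted certificate
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(served_der, fullchain_pem_text):
    """Report whether the served leaf is the first certificate in the file."""
    chain = pem_chain_to_der(fullchain_pem_text)
    if not chain:
        raise ValueError("no certificate found in PEM text")
    return {
        "served": fingerprint(served_der),
        "on_disk": fingerprint(chain[0]),
        "match": served_der == chain[0],
        "certs_in_file": len(chain),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_cert.py HOSTNAME /path/to/fullchain.pem")
    with open(sys.argv[2]) as fh:
        print(compare(served_leaf_der(sys.argv[1]), fh.read()))
```

A `match` of `False` means the web server is presenting a different certificate than the one in the file, and `certs_in_file` shows how many certificates the bundle it is configured with contains.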

