Renewal E-Mail has wrong date, renew fails

My domain is: zelmastrip.com

I ran this command: certbot renew

It produced this output:
Processing /etc/letsencrypt/renewal/zelmastrip.com.conf
Certificate not yet due for renewal

My web server is (include version): apache2 version 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Gandi

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.16.0

I have three domains running as apache2 virtual hosts on a Gandi VPS. I just received an E-Mail saying one (zelmastrip.com) needs its certificate updating, but it fails as above because it apparently doesn't need updating yet.

I do have some other problems with this too. Certbot doesn't seem to handle my apache configuration right as it broke it when I first ran it. Also one of my certificates appears not to have a proper configuration:-

Failed to renew certificate isbd.uk with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/ce46a27d073073754dde1c5eacad168f does not exist

I'd really like to get this configured so that certbot works well. I'm happy to delete everything and start again if necessary.

So what's the neatest way to handle a basically simple host with three virtual domains? All very low traffic and no need for 100% uptime, just ease of maintenance is my main priority.


Please read the expiry e-mail documentation linked in the e-mail you received more closely. It explains why you're getting the e-mail while the certificate in your certbot isn't due for renewal yet.

The ACMEv1 API is deprecated. I think this error might be due to the fact certbot tries to use your ACMEv1 account data on the ACMEv2 API. I thought the ACMEv1 accounts were transferred to the ACMEv2 API on the Let's Encrypt servers, but I could be wrong there.

If you don't require separate accounts for your separate certificates, you might be able to see which account hash (the line account = 1a2b3c4e5f6 where the "1a2b3c4e5f6" part differs per account) is used in the renewal configuration file (in /etc/letsencrypt/renewal/) of a working certificate and use that account hash for your isbd.uk certificate as well.

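An added example (not from the thread or from certbot itself) that automates the check described above: it reads the account and server lines from each renewal config, verifies that the matching local account directory exists, and can point a failing config at a known-good account. The sample config directory it builds is constructed for the demonstration; on a real host pass /etc/letsencrypt (the default).

```shell
#!/bin/sh
# For each renewal config: print cert name, account hash and ACME host, and
# flag configs whose account directory is missing locally (the
# "Account at ... does not exist" failure from the thread). Returns 1 if any
# config is flagged. Argument: certbot config dir (default /etc/letsencrypt).
check_renewal_accounts() {
  config_dir="${1:-/etc/letsencrypt}"
  status=0
  for conf in "$config_dir"/renewal/*.conf; do
    [ -f "$conf" ] || continue
    name=$(basename "$conf" .conf)
    # renewal configs are INI-style: "account = <hash>", "server = <url>"
    account=$(sed -n 's/^account *= *//p' "$conf" | head -n1)
    server=$(sed -n 's/^server *= *//p' "$conf" | head -n1)
    # certbot stores accounts as accounts/<host>/<url path>/<hash>
    host_path=$(printf '%s' "$server" | sed 's|^https\{0,1\}://||')
    acct_dir="$config_dir/accounts/$host_path/$account"
    if [ -d "$acct_dir" ]; then
      printf 'OK       %s account=%s server=%s\n' "$name" "$account" "$host_path"
    else
      printf 'MISSING  %s account=%s (no %s)\n' "$name" "$account" "$acct_dir"
      status=1
    fi
  done
  return $status
}

# The fix from the thread: rewrite the account line of a renewal config to a
# working account hash, and the server line to that account's API URL.
set_renewal_account() {
  conf="$1"; account="$2"; server="$3"
  sed -e "s|^account *=.*|account = $account|" \
      -e "s|^server *=.*|server = $server|" "$conf" > "$conf.tmp" \
    && mv "$conf.tmp" "$conf"
}

# Constructed sample: one working config and one still tied to an ACMEv1
# account that is not present locally. Prints the temp config dir.
make_sample_config() {
  d=$(mktemp -d)
  mkdir -p "$d/renewal" "$d/accounts/acme-v02.api.letsencrypt.org/directory/aaaa1111"
  printf '[renewalparams]\naccount = aaaa1111\nserver = https://acme-v02.api.letsencrypt.org/directory\n' \
    > "$d/renewal/example-ok.test.conf"
  printf '[renewalparams]\naccount = bbbb2222\nserver = https://acme-v01.api.letsencrypt.org/directory\n' \
    > "$d/renewal/example-stale.test.conf"
  printf '%s\n' "$d"
}
```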

OK, thanks Osiris.

I'd be happiest with all three domains using the same certificate really, or do I mean three certificates on the same account, I'm afraid I'm not quite clear about that.

I just want the simplest to maintain system possible! :slight_smile:

Up until a few months ago I just had one domain with a certificate and used to renew that with the old LetsEncrypt methods, i.e. by running the command "letsencrypt-auto renew" but when I added two more domains I converted to Certbot and haven't got it properly sorted out yet.

The letsencrypt entries in the apache configuration are:-

SSLCertificateFile /etc/letsencrypt/live/isbd.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/isbd.uk/privkey.pem

SSLCertificateFile /etc/letsencrypt/live/zelmastrip.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zelmastrip.com/privkey.pem

SSLCertificateFile /etc/letsencrypt/live/radiotelescope.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/radiotelescope.net/privkey.pem

... and the contents of those directories look pretty straightforward and OK:-

root@isbd:/etc/letsencrypt/live# ls -l
total 16
-rw-r--r-- 1 root root  740 Apr 16 20:59 README
drwxr-xr-x 2 root root 4096 Apr 23 21:06 isbd.uk
drwxr-xr-x 2 root root 4096 Apr 20 22:14 radiotelescope.net
drwxr-xr-x 2 root root 4096 Apr 20 14:22 zelmastrip.com
root@isbd:/etc/letsencrypt/live# ls -l isbd.uk
total 0
lrwxrwxrwx 1 root root 32 Apr 23 21:06 cert.pem -> ../../archive/isbd.uk/cert26.pem
lrwxrwxrwx 1 root root 33 Apr 23 21:06 chain.pem -> ../../archive/isbd.uk/chain26.pem
lrwxrwxrwx 1 root root 37 Apr 23 21:06 fullchain.pem -> ../../archive/isbd.uk/fullchain26.pem
lrwxrwxrwx 1 root root 35 Apr 23 21:06 privkey.pem -> ../../archive/isbd.uk/privkey26.pem
root@isbd:/etc/letsencrypt/live# ls -l radiotelescope.net
total 4
-rw-r--r-- 1 root root 692 Apr 20 22:14 README
lrwxrwxrwx 1 root root  42 Apr 20 22:14 cert.pem -> ../../archive/radiotelescope.net/cert1.pem
lrwxrwxrwx 1 root root  43 Apr 20 22:14 chain.pem -> ../../archive/radiotelescope.net/chain1.pem
lrwxrwxrwx 1 root root  47 Apr 20 22:14 fullchain.pem -> ../../archive/radiotelescope.net/fullchain1.pem
lrwxrwxrwx 1 root root  45 Apr 20 22:14 privkey.pem -> ../../archive/radiotelescope.net/privkey1.pem
root@isbd:/etc/letsencrypt/live# ls -l zelmastrip.com
total 4
-rw-r--r-- 1 root root 692 Apr 16 20:59 README
lrwxrwxrwx 1 root root  38 Apr 20 14:22 cert.pem -> ../../archive/zelmastrip.com/cert2.pem
lrwxrwxrwx 1 root root  39 Apr 20 14:22 chain.pem -> ../../archive/zelmastrip.com/chain2.pem
lrwxrwxrwx 1 root root  43 Apr 20 14:22 fullchain.pem -> ../../archive/zelmastrip.com/fullchain2.pem
lrwxrwxrwx 1 root root  41 Apr 20 14:22 privkey.pem -> ../../archive/zelmastrip.com/privkey2.pem

What should I do to make things as simple as possible?


Using one certificate per site might even make things easier when you decide to shut down one of the sites. So I'd keep it that way if I were you.

You just need to "upgrade" the failing certificate to use the account from the ACMEv2 API.


You just need to "upgrade" the failing certificate to use the account from the ACMEv2 API.

OK, so leave things as they are with three certificates. But how do I "upgrade" the failing certificate to use the account from the ACMEv2 API?

I can see from the certbot help that there's a command:-

certbot update_account [-d domain]

Is that what I need to do? (with "-d isbd.uk")

I'm sorry I'm taking so long to understand and do this.

While I'm at it I just tried "certbot certificates" and it gave me the following output which looks a bit wrong to me:-

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: isbd.uk
    Serial Number: 31b61f0012fa15988e5b0c79fda2030ec4e
    Key Type: RSA
    Domains: isbd.uk
    Expiry Date: 2021-07-03 21:22:39+00:00 (VALID: 13 days)
    Certificate Path: /etc/letsencrypt/live/isbd.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/isbd.uk/privkey.pem
  Certificate Name: radiotelescope.net
    Serial Number: 44409832c72340c9ed43c1cba1bc35073d7
    Key Type: RSA
    Domains: radiotelescope.net
    Expiry Date: 2021-09-17 21:26:03+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/radiotelescope.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/radiotelescope.net/privkey.pem
  Certificate Name: zelmastrip.com
    Serial Number: 4b882ce8d19acf6b756bd402d33dafe98fb
    Key Type: RSA
    Domains: isbd.uk www.zelmastrip.com zelmastrip.com
    Expiry Date: 2021-09-17 21:26:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/zelmastrip.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/zelmastrip.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It looks like there are two certificates for isbd.uk, is there a way to remove isbd.uk from the zelmastrip.com certificate?


Not sure actually. The documentation is quite sparse about that subcommand. And if I run it, it just says it updated my account to my current e-mail address associated with the account? Which was the same e-mail already? I think that just updates an account at the ACME server and not the account associated with a certificate locally.

Yes, but unfortunately not in an easy way. You'd think certbot has some kind of "remove the following hostname from a certain certificate", but it doesn't. Currently (hopefully this will change in the future), the only way to update the hostnames in a certain certificate is to request a new certificate with the same name, while adding the hostnames you actually do want on the command line too. I.e., if you'd like to remove isbd.uk from your zelmastrip.com certificate, you'd need to re-run certbot with:

certbot --other-options-you've-previously-used --cert-name zelmastrip.com -d zelmastrip.com -d www.zelmastrip.com

Please read my previous post about that:


could also be written this way:

-d "zelmastrip.com,www.zelmastrip.com"


Whoops, you're right. Or with the extra -d I just edited in (I'm used to using that method).


I updated mine too. :upside_down_face:

I like the quotes as practice to avoid those pesky *s that sometimes get expanded in unfortunate ways. Not a concern here since this isn't a wildcard certificate.


If you don't require separate accounts for your separate certificates, you might be able to see which account hash (the line account = 1a2b3c4e5f6 where the " 1a2b3c4e5f6 " part differs per account) is used in the renewal configuration file (in /etc/letsencrypt/renewal/ ) of a working certificate and use that account hash for your isbd.uk certificate as well.

Excellent, yes, I did this and then ran "certbot certonly -d isbd.uk" and all is now well with the isbd.uk certificate.

Thank you


Will this delete/overwrite the old certificate or do I need to do anything else first?


If you use the --cert-name option, certbot will overwrite the certificate with the name you gave the option. You could also specify a new name, so the older cert won't get overwritten, but then you'd have two certificates instead of just one.


Excellent, that seems to have sorted things out.

Thank you for your help and patience.


If you have chosen to use a new/different name, note that your old certificate will still try to renew when the command certbot renew is used. You can delete older certificates you're not using any longer with certbot delete --cert-name name_of_cert where name_of_cert is the name of the certificate you want to delete. But make absolutely sure that the certificate isn't in use in any service any longer, such as Apache/nginx/Postfix/Dovecot et cetera! Because certbot won't/can't check that and it will delete the cert, even if it's in use! That would lead to non-working services.

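An added example (not from the thread or from certbot) of the "make absolutely sure it isn't in use" step above: it greps the given service config directories for the certificate's live/ path and only runs certbot delete when nothing references it. The Apache and Postfix snippets it builds are constructed samples; LIVE_ROOT and CERTBOT are assumed override variables for testing.

```shell
#!/bin/sh
# List config files under the given directories that reference
# <live root>/<NAME>/ (trailing slash, so "isbd.uk" does not match
# "isbd.uk.old"). Exit status 0 = still referenced, 1 = no references.
cert_references() {
  name="$1"; shift
  root="${LIVE_ROOT:-/etc/letsencrypt/live}"
  grep -rlF "$root/$name/" "$@" 2>/dev/null
}

# Run "certbot delete --cert-name NAME" only when no config references the
# certificate. A scan error (grep status other than 1) also refuses, since
# certbot itself will not check for you.
safe_certbot_delete() {
  name="$1"; shift
  refs=$(cert_references "$name" "$@"); rc=$?
  if [ "$rc" -ne 1 ]; then
    printf 'refusing to delete %s: still referenced (or scan failed)\n%s\n' \
      "$name" "$refs" >&2
    return 1
  fi
  "${CERTBOT:-certbot}" delete --cert-name "$name"
}

# Constructed sample: an Apache vhost using zelmastrip.com and a Postfix
# main.cf using isbd.uk; radiotelescope.net is referenced nowhere.
make_sample_configs() {
  root="${LIVE_ROOT:-/etc/letsencrypt/live}"
  d=$(mktemp -d)
  mkdir -p "$d/apache2/sites-enabled" "$d/postfix"
  printf 'SSLCertificateFile %s/zelmastrip.com/fullchain.pem\nSSLCertificateKeyFile %s/zelmastrip.com/privkey.pem\n' \
    "$root" "$root" > "$d/apache2/sites-enabled/zelmastrip.conf"
  printf 'smtpd_tls_cert_file = %s/isbd.uk/fullchain.pem\n' "$root" > "$d/postfix/main.cf"
  printf '%s\n' "$d"
}
```

On the host in the thread the call would be `safe_certbot_delete old-cert-name /etc/apache2 /etc/postfix`, listing every directory whose services may load certificates.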
