Renewal Errors for Docker

I'm using a mattermost docker installation. My certificate expired for the second time - once after 90 days, and today, after 180 days. I did the standard renewal. The output says the certificate has been renewed. But sslchecker says it is not. And I still get untrusted certificate error. What am I doing wrong? Please help.

My domain is: matter.takshashila.org.in

I ran this command:
./scripts/issue-certificate.sh -d matter.takshashila.org.in -o /root/docker/certs

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for matter.takshashila.org.in

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/matter.takshashila.org.in-0001/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/matter.takshashila.org.in-0001/privkey.pem
This certificate expires on 2023-01-24.
These files will be updated when the certificate renews.

NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

Someone, please help. This is a production environment, and I cannot understand why the certificate isn't getting applied despite the renewal. Thanks!

When I see -0001 in the cert file names it usually means there was a problem getting certs and a second set was created. I think your nginx system is probably still configured to use the original certificate set.

There are a couple ways to resolve this. Looking at your nginx config will help. Can you upload the .txt file resulting from this command?

nginx -T >forum.txt

Thanks @MikeMcQ. It didn't work as desired. So I'm pasting the docker-compose.nginx.yml file. Hopefully that gives an idea about my config.

version: "2.4"
  
services:
  nginx:
    depends_on:
      - mattermost
    container_name: nginx_mattermost
    image: nginx:${NGINX_IMAGE_TAG}
    restart: ${RESTART_POLICY}
    security_opt:
      - no-new-privileges:true
    pids_limit: 100
    read_only: true
    tmpfs:
      - /var/run
      - /var/cache
      - /var/log/nginx
    volumes:
      - ${NGINX_CONFIG_PATH}:/etc/nginx/conf.d:ro
      - ${NGINX_DHPARAMS_FILE}:/dhparams4096.pem
      - ${CERT_PATH}:/cert.pem:ro
      - ${KEY_PATH}:/key.pem:ro
      - shared-webroot:/usr/share/nginx/html
    environment:
      # timezone inside container
      - TZ
    ports:
      - ${HTTPS_PORT}:443
      - ${HTTP_PORT}:80

# Shared volume for Let's Encrypt certificate renewal with a webroot
volumes:
  shared-webroot:
    name: shared-webroot

# This network name is being used for Let's Encrypt certificate renewal
networks:
  default:
    name: mattermost

And this is the nginx.conf file I'm using.
onf.txt (1.5 KB)

Is it possible and advisable to delete the existing certificates and start a new chain?

Update: I think this info might help. I'm attaching the log file. It doesn't seem to be normal.
logfile.txt (3.6 KB)

The nginx conf file (onf.txt) you uploaded is not complete. It does not show the certificate lines.

And, yes, your certbot log shows a problem with that config too. Can you show result of this command?

certbot certificates

What is this script?:


It was a standard docker script which invokes certbot. Attaching it.
issue_certificate.txt (2.1 KB)

This was the result of "certbot certificates":

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/matter.takshashila.org.in.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/matter.takshashila.org.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Can you show the contents of that file?

Also, show result of this command:

ls -l /etc/letsencrypt/{renewal,live}

Hi @MikeMcQ. So there are two conf files in that directory. I'm pasting the contents below.

for *-0001.conf

# renew_before_expiry = 30 days
version = 1.26.0
archive_dir = /etc/letsencrypt/archive/matter.takshashila.org.in-0001
cert = /etc/letsencrypt/live/matter.takshashila.org.in-0001/cert.pem
privkey = /etc/letsencrypt/live/matter.takshashila.org.in-0001/privkey.pem
chain = /etc/letsencrypt/live/matter.takshashila.org.in-0001/chain.pem
fullchain = /etc/letsencrypt/live/matter.takshashila.org.in-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 4ad0cb51bc9ff2069d23f1372f201e7d
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

for matter.takshashila.org.in.conf

# renew_before_expiry = 30 days
version = 1.26.0
archive_dir = /etc/letsencrypt/archive/matter.takshashila.org.in
cert = /etc/letsencrypt/live/matter.takshashila.org.in/cert.pem
privkey = /etc/letsencrypt/live/matter.takshashila.org.in/privkey.pem
chain = /etc/letsencrypt/live/matter.takshashila.org.in/chain.pem
fullchain = /etc/letsencrypt/live/matter.takshashila.org.in/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 4ad0cb51bc9ff2069d23f1372f201e7d
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
webroot_path = /usr/share/nginx/html,
[[webroot_map]]

Output of the ls command
/root/docker/certs/etc/letsencrypt/live:
total 12
-rw-r--r-- 1 root root 740 Apr 28 16:51 README
drwxr-xr-x 2 root root 4096 Jul 28 10:13 matter.takshashila.org.in
drwxr-xr-x 2 root root 4096 Oct 26 13:56 matter.takshashila.org.in-0001

/root/docker/certs/etc/letsencrypt/renewal:

total 8
-rw-r--r-- 1 root root  609 Oct 26 13:32 matter.takshashila.org.in-0001.conf
-rw-r--r-- 1 root root 1067 Oct 26 13:32 matter.takshashila.org.in.conf
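A small checker for certbot renewal configuration files, added here as an example; it is not certbot's own validation code. It parses the configobj-style layout certbot writes (top-level file references, a [renewalparams] section, optional [[webroot_map]] subsections) and reports what is visible in the two files above: whether all four required references (cert, privkey, chain, fullchain) are present, which is the condition behind certbot's "missing a required file reference" message; whether a section header such as [[webroot_map]] is repeated; and whether archive_dir and the live paths name different lineages, the kind of mix-up a -0001 duplicate invites. The trailing comma on webroot_path is certbot's normal one-element list syntax and is deliberately not reported. The sample inputs are the webroot conf from this post and a constructed broken variant; the script inspects text only and does not check that the referenced files exist.

```python
"""Structural checker for certbot renewal confs (added example, not certbot code)."""
import re
from collections import Counter
from pathlib import PurePosixPath

# The four top-level file references every certbot renewal conf must carry.
REQUIRED_REFS = ("cert", "privkey", "chain", "fullchain")
_SECTION_RE = re.compile(r"^(\[+)\s*([^\[\]]+?)\s*(\]+)$")


def parse_renewal_conf(text):
    """Return (top_level_keys, sections).

    sections is a list of (name, depth, line_number, keys) in file order,
    where depth is 1 for [section] and 2 for [[subsection]].
    """
    top, sections = {}, []
    current = top
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            opener, name, closer = m.groups()
            if len(opener) != len(closer):
                raise ValueError(f"line {lineno}: unbalanced header {line!r}")
            current = {}
            sections.append((name, len(opener), lineno, current))
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'key = value', got {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return top, sections


def check_renewal_conf(text):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    top, sections = parse_renewal_conf(text)
    findings = []
    for ref in REQUIRED_REFS:
        if ref not in top:
            findings.append(f"missing required file reference: {ref}")
    # The live/<lineage>/ directory of each reference should match archive/<lineage>.
    lineage = PurePosixPath(top["archive_dir"]).name if "archive_dir" in top else None
    for ref in REQUIRED_REFS:
        if ref in top and lineage is not None:
            live_dir = PurePosixPath(top[ref]).parent.name
            if live_dir != lineage:
                findings.append(f"{ref} lives under {live_dir!r} but archive_dir is {lineage!r}")
    # A given section header should appear once per file.
    counts = Counter((name, depth) for name, depth, _, _ in sections)
    for (name, depth), n in sorted(counts.items()):
        if n > 1:
            findings.append(f"section {'[' * depth}{name}{']' * depth} appears {n} times")
    return findings


# Sample 1: the webroot conf exactly as shown in this post.
WEBROOT_CONF = """\
# renew_before_expiry = 30 days
version = 1.26.0
archive_dir = /etc/letsencrypt/archive/matter.takshashila.org.in
cert = /etc/letsencrypt/live/matter.takshashila.org.in/cert.pem
privkey = /etc/letsencrypt/live/matter.takshashila.org.in/privkey.pem
chain = /etc/letsencrypt/live/matter.takshashila.org.in/chain.pem
fullchain = /etc/letsencrypt/live/matter.takshashila.org.in/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 4ad0cb51bc9ff2069d23f1372f201e7d
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
webroot_path = /usr/share/nginx/html,
""" + "[[webroot_map]]\nwebroot_path = /usr/share/nginx/html,\n" * 8 + "[[webroot_map]]\n"

# Sample 2 (constructed): fullchain reference dropped and lineage names mixed up.
BROKEN_CONF = """\
version = 1.26.0
archive_dir = /etc/letsencrypt/archive/matter.takshashila.org.in-0001
cert = /etc/letsencrypt/live/matter.takshashila.org.in/cert.pem
privkey = /etc/letsencrypt/live/matter.takshashila.org.in/privkey.pem
chain = /etc/letsencrypt/live/matter.takshashila.org.in/chain.pem
[renewalparams]
authenticator = standalone
"""

if __name__ == "__main__":
    for label, conf in (("webroot conf", WEBROOT_CONF), ("broken conf", BROKEN_CONF)):
        print(label + ":")
        for finding in check_renewal_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Run it against a real file with `check_renewal_conf(open("/etc/letsencrypt/renewal/<name>.conf").read())`; the lineage check is the quick way to tell whether a conf still belongs to the lineage nginx is mounting.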

Sorry. I should have asked to see this:

ls -lR /etc/letsencrypt/live

Also, for your original cert you used the webroot method. For your -0001 cert you used standalone. Was there a reason the webroot method quit working?


Here it is:

total 12
-rw-r--r-- 1 root root  692 Apr 28 16:51 README
lrwxrwxrwx 1 root root   49 Oct 27 04:06 cert.pem -> ../../archive/matter.takshashila.org.in/cert4.pem
lrwxrwxrwx 1 root root   50 Oct 27 04:06 chain.pem -> ../../archive/matter.takshashila.org.in/chain4.pem
lrwxrwxrwx 1 root root   54 Oct 27 04:06 fullchain.pem -> ../../archive/matter.takshashila.org.in/fullchain4.pem
-rw-r--r-- 1 root root 5619 Jul 28 10:02 fullchain.pem.backup
lrwxrwxrwx 1 root root   52 Oct 27 04:06 privkey.pem -> ../../archive/matter.takshashila.org.in/privkey4.pem

certs/etc/letsencrypt/live/matter.takshashila.org.in-0001:
total 4
-rw-r--r-- 1 root root 692 Jul 28 10:25 README
lrwxrwxrwx 1 root root  54 Oct 26 13:32 cert.pem -> ../../archive/matter.takshashila.org.in-0001/cert3.pem
lrwxrwxrwx 1 root root  55 Oct 26 13:32 chain.pem -> ../../archive/matter.takshashila.org.in-0001/chain3.pem
lrwxrwxrwx 1 root root  59 Oct 26 13:32 fullchain.pem -> ../../archive/matter.takshashila.org.in-0001/fullchain3.pem
lrwxrwxrwx 1 root root  57 Oct 26 13:32 privkey.pem -> ../../archive/matter.takshashila.org.in-0001/privkey3.pem

No, I didn't change anything specifically about the webroot or standalone options.

That's a high number.

Why is that file in that directory?


You issued two new certs today (and two yesterday) and your server is sending out the latest one from today (Oct27) (see here).

Do you still need help? You still might have two methods for getting certs. If you want help removing the unused one can you show result of these:

certbot certificates --cert-name matter.takshashila.org.in
certbot certificates --cert-name matter.takshashila.org.in-0001

Thanks @MikeMcQ I still need help to ensure that this doesn't repeat three months from now. As I mentioned in the original post, I was able to generate certificates, but I was still getting the untrusted certificate error.

Here is the output of the commands:

certbot certificates --cert-name matter.takshashila.org.in
Renewal configuration file /etc/letsencrypt/renewal/matter.takshashila.org.in.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/matter.takshashila.org.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
certbot certificates --cert-name matter.takshashila.org.in-0001
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/matter.takshashila.org.in.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/matter.takshashila.org.in.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

How did you get fresh certs? Because both of your certbot renewal files look faulty. I don't see how that can work to get a cert.

The output you show for certbot certificates --cert-name matter.takshashila.org.in-0001 looks wrong. The info names your other renewal file and not the -0001 file. Did you copy/paste that wrong?

certbot certificates --cert-name matter.takshashila.org.in-0001
Renewal configuration file /etc/letsencrypt/renewal/matter.takshashila.org.in.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.

Your nginx system needs to be reloaded after getting a fresh cert. That may be why you did not see a new cert in SSL Checker. But, the latest cert is being used now.

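Why a freshly issued certificate can sit on disk while nginx keeps serving the old one, shown as an added example (not from the thread or from the Mattermost scripts). certbot's live/<name>/fullchain.pem is a symlink that gets repointed at a new archive/<name>/fullchainN.pem on every renewal. Anything that resolved that link once keeps the old bytes: an nginx process that loaded the file at startup until it is reloaded, and a Docker bind mount of a single file, like the ${CERT_PATH}:/cert.pem:ro line in the compose file earlier in the thread, until the container is recreated, because the bind mount is set up against the resolved target at container creation. The script builds a throwaway lineage under a temporary directory with a constructed name, renews it the way certbot does (new archive file, atomic symlink swap), and reads the certificate back through the live symlink and through the path that was resolved before the renewal.

```python
"""Demonstrates certbot's live/ -> archive/ symlink rotation (added example)."""
import os
import tempfile
from pathlib import Path

LINEAGE = "example.invalid"  # constructed lineage name, not the thread's domain


def make_lineage(root, lineage, body):
    """Create archive/<lineage>/fullchain1.pem and the live symlink pointing at it."""
    archive = root / "archive" / lineage
    live = root / "live" / lineage
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    (archive / "fullchain1.pem").write_text(body)
    # certbot uses relative targets of the form ../../archive/<lineage>/fullchainN.pem
    (live / "fullchain.pem").symlink_to(Path("..") / ".." / "archive" / lineage / "fullchain1.pem")
    return live / "fullchain.pem"


def renew(root, lineage, body):
    """Mimic a renewal: write fullchain<N+1>.pem and repoint the live symlink atomically."""
    archive = root / "archive" / lineage
    current = max(int(p.stem[len("fullchain"):]) for p in archive.glob("fullchain*.pem"))
    new_name = f"fullchain{current + 1}.pem"
    (archive / new_name).write_text(body)
    link = root / "live" / lineage / "fullchain.pem"
    tmp_link = link.with_name("fullchain.pem.new")
    tmp_link.symlink_to(Path("..") / ".." / "archive" / lineage / new_name)
    os.replace(tmp_link, link)  # rename(2) swaps the symlink in one step
    return current + 1


def demo():
    """Return what a reader sees via the live symlink vs. via a path pinned before renewal."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc" / "letsencrypt"
        live_link = make_lineage(root, LINEAGE, "CERT v1")
        # A running nginx, or a file bind mount, effectively holds this resolved path.
        pinned = Path(os.path.realpath(live_link))
        version = renew(root, LINEAGE, "CERT v2")
        return {
            "archive_version": version,
            "via_live_symlink": live_link.read_text(),
            "via_pinned_path": pinned.read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "via_pinned_path" value is the stale one, which is why a reload hook (certbot's --deploy-hook, or a container restart when the file itself is bind-mounted) belongs in any renewal setup, and why mounting the whole /etc/letsencrypt directory rather than a single file avoids the bind-mount half of the problem.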
