Renewal is failing

My domain is: beehaw.org

I ran this command: sudo certbot renew

It produced this output:

Renewal configuration file /etc/letsencrypt/renewal/beehaw.org.conf is broken.
The error was: expected /etc/letsencrypt/live/beehaw.org/cert.pem to be a symlink
Skipping.

Failed to renew certificate www.beehaw.org with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.beehaw.org/fullchain.pem (failure)

1 renew failure(s), 1 parse failure(s)

My web server is (include version):

Nginx

The operating system my web server runs on is (include version):

Ubuntu 20.04 LTS

My hosting provider, if applicable, is:

DO

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.26.0

Please post the output of the following command:

sudo ls -l /etc/letsencrypt/live/beehaw.org/

It seems something messed up the structure in /etc/letsencrypt/. Did you by any chance modify the directory yourself? Copy it somehow, e.g. from server A to B, without preserving symbolic links?

2 Likes
total 24
-rw-r--r-- 1 root root  692 Jan 26 22:53 README
-rw-r--r-- 1 root root 1830 Jan 26 22:53 cert.pem
-rw-r--r-- 1 root root 3749 Jan 26 22:53 chain.pem
-rw-r--r-- 1 root root 5579 Jan 26 22:53 fullchain.pem
-rw-r--r-- 1 root root 1704 Jan 26 22:53 privkey.pem

Copy it somehow, e.g. from server A to B, without preserving symbolic links?

Possibly, but I can't remember.

Those files should be symbolic links to the corresponding (latest) files in the /archive/ directory.

Also, it seems you've got two certificates in Certbot: one for just www.beehaw.org and one for www.beehaw.org as well as beehaw.org. (See crt.sh | beehaw.org, both certs issued on 2022-01-29.)

One of those is redundant.

Please show the output of:

sudo certbot certificates

2 Likes
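The symlink layout the reply above describes can be checked mechanically. This is an added example, not a command from the thread or from Certbot itself: `check_lineage` walks one `live/<name>/` directory and reports each file that is not a symlink resolving into `archive/<name>/`, which is exactly the condition behind the "expected ... to be a symlink" parse failure. `make_demo` builds a constructed tree under a temporary directory (a healthy `www.beehaw.org` lineage and a `beehaw.org` lineage of plain copies) so the check can be tried without touching `/etc/letsencrypt`.

```shell
#!/bin/sh
# Added example (not Certbot's own code). Verifies that every file in
# <confdir>/live/<lineage>/ is a symlink that resolves inside
# <confdir>/archive/<lineage>/, which is what certbot renew expects.

check_lineage() {
    # $1 = certbot config dir (e.g. /etc/letsencrypt), $2 = lineage name.
    # Prints one line per defect; returns 0 when the lineage is healthy.
    live="$1/live/$2"
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$live/$f"
        if [ ! -L "$p" ]; then
            echo "BROKEN: $p is not a symlink (certbot will skip renewal)"
            rc=1
        elif [ ! -e "$p" ]; then
            echo "BROKEN: $p is a dangling symlink"
            rc=1
        else
            # Certbot writes relative targets of the form ../../archive/<lineage>/<file>N.pem
            case "$(readlink "$p")" in
                ../../archive/"$2"/*) ;;
                *) echo "WARN: $p points outside archive/$2"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed demo tree mirroring the thread: www.beehaw.org is a healthy
# lineage, beehaw.org holds plain copies (what copying without preserving
# symlinks produces). Prints the temp dir it created.
make_demo() {
    d=$(mktemp -d)
    for lin in www.beehaw.org beehaw.org; do
        mkdir -p "$d/archive/$lin" "$d/live/$lin"
        for f in cert chain fullchain privkey; do
            echo "dummy $f" > "$d/archive/$lin/${f}1.pem"
            if [ "$lin" = www.beehaw.org ]; then
                ln -s "../../archive/$lin/${f}1.pem" "$d/live/$lin/$f.pem"
            else
                cp "$d/archive/$lin/${f}1.pem" "$d/live/$lin/$f.pem"
            fi
        done
    done
    echo "$d"
}
```

On a real host run `check_lineage /etc/letsencrypt beehaw.org` as root; a lineage reported as BROKEN is the one `certbot renew` lists as a parse failure.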
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/beehaw.org.conf produced an unexpected error: expected /etc/letsencrypt/live/beehaw.org/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.beehaw.org
    Serial Number: 3473f076c39ab3189b3affb9068462a7263
    Key Type: RSA
    Domains: beehaw.org www.beehaw.org
    Expiry Date: 2022-04-29 21:51:47+00:00 (VALID: 15 days)
    Certificate Path: /etc/letsencrypt/live/www.beehaw.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.beehaw.org/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/beehaw.org.conf

So the working certificate (sort of, renewal failed according to your output earlier) is actually the correct certificate. The invalid certificate is actually a redundant cert for just the www subdomain.

Which certificate is your webserver (and other services using a certificate) using? The files at /etc/letsencrypt/live/beehaw.org/ or at /etc/letsencrypt/live/www.beehaw.org/?

2 Likes

I don't know. How would I figure that out?

The following command could shed some light on the situation:

sudo grep -Ri letsencrypt /etc/nginx/

2 Likes
/etc/nginx/sites-available/default:    ssl_certificate /etc/letsencrypt/live/www.beehaw.org/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/default:    ssl_certificate_key /etc/letsencrypt/live/www.beehaw.org/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/default:    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
/etc/nginx/sites-available/default:    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
/etc/nginx/sites-enabled/lemmy.conf:#    ssl_certificate /etc/letsencrypt/live/beehaw.org/fullchain.pem;
/etc/nginx/sites-enabled/lemmy.conf:#    ssl_certificate_key /etc/letsencrypt/live/beehaw.org/privkey.pem;
/etc/nginx/sites-enabled/lemmy.conf:    ssl_certificate /etc/letsencrypt/live/www.beehaw.org/fullchain.pem; # managed by Certbot
/etc/nginx/sites-enabled/lemmy.conf:    ssl_certificate_key /etc/letsencrypt/live/www.beehaw.org/privkey.pem; # managed by Certbot
/etc/nginx/sites-enabled/default:    ssl_certificate /etc/letsencrypt/live/www.beehaw.org/fullchain.pem; # managed by Certbot
/etc/nginx/sites-enabled/default:    ssl_certificate_key /etc/letsencrypt/live/www.beehaw.org/privkey.pem; # managed by Certbot
/etc/nginx/sites-enabled/default:    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
/etc/nginx/sites-enabled/default:    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

I've set up a DNS redirect for www to reroute to beehaw.org if that helps.

Ok, so your nginx already uses the correct certificate, that's good. That means you don't actually need the failing certificate, and you can delete it if you didn't install it manually anywhere else on your server. You can delete the unnecessary files by running:

sudo rm -r /etc/letsencrypt/live/beehaw.org/
sudo rm -r /etc/letsencrypt/archive/beehaw.org/
sudo rm /etc/letsencrypt/renewal/beehaw.org.conf

Before you do the above, please make a backup of the /etc/letsencrypt/ directory to be sure.

After that, you can try sudo certbot renew again and see what happens. It looks like your "working" certificate isn't actually able to renew, but we'll see about that later.

2 Likes

Do you know how to make a backup through the command line?

The cp command has the -a (for archive) option which preserves as much of the metadata as possible, which is probably a good method for small, temporary backups.

2 Likes

OK. So, what would that command look like?

cp -a /etc/letsencrypt/

?

Using simple commands like cp is reeeaallly out of the scope of this Community.

Please see the command man cp for more information about how to use this utility.

2 Likes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.beehaw.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for beehaw.org and www.beehaw.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.beehaw.org
  Type:   unauthorized
  Detail: Invalid response from https://beehaw.org [137.184.145.108]: "\n           <!DOCTYPE html>\n           <html  lang=\"en\">\n           <head>\n           <script>window.isoData = {\"path\":\"\\u002F\","

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate www.beehaw.org with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.beehaw.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I don't need a cert for WWW
