Renewed certificates, but Apache and the live link cert is not the current one

OK, as per above, updated permissions to 777.

Here is output:

ls -l /usr/local/etc/certbot/certs/{live,archive}/mfno.org
/usr/local/etc/certbot/certs/archive/mfno.org:
total 104
drwxrwxrwx+ 19 chris wheel 608 13 Jan 08:55 Holding
-rwxrwxrwx+ 1 chris wheel 1476 12 Oct 2023 cert1.pem
-rwxrwxrwx+ 1 chris wheel 1261 10 Jan 16:53 cert2.pem
-rw-r--r-- 1 chris wheel 1273 13 Jan 10:13 cert3.pem
-rwxrwxrwx+ 1 chris wheel 3749 12 Oct 2023 chain1.pem
-rwxrwxrwx+ 1 chris wheel 1566 10 Jan 16:53 chain2.pem
-rw-r--r-- 1 chris wheel 1566 13 Jan 10:13 chain3.pem
-rwxrwxrwx+ 1 chris wheel 5225 12 Oct 2023 fullchain1.pem
-rwxrwxrwx+ 1 chris wheel 2827 10 Jan 16:53 fullchain2.pem
-rw-r--r-- 1 chris wheel 2839 13 Jan 10:13 fullchain3.pem
-rwxrwxrwx+ 1 chris wheel 241 12 Oct 2023 privkey1.pem
-rwxrwxrwx+ 1 chris wheel 241 10 Jan 16:53 privkey2.pem
-rw-rwxr-- 1 chris wheel 241 13 Jan 10:13 privkey3.pem

/usr/local/etc/certbot/certs/live/mfno.org:
total 8
-rwxrwxrwx+ 1 chris wheel 692 29 Oct 20:17 README
lrwxr-xr-x 1 chris wheel 32 13 Jan 10:13 cert.pem -> ../../archive/mfno.org/cert3.pem
lrwxr-xr-x 1 chris wheel 33 13 Jan 10:13 chain.pem -> ../../archive/mfno.org/chain3.pem
lrwxr-xr-x 1 chris wheel 37 13 Jan 10:13 fullchain.pem -> ../../archive/mfno.org/fullchain3.pem
lrwxr-xr-x 1 chris wheel 35 13 Jan 10:13 privkey.pem -> ../../archive/mfno.org/privkey3.pem

You'll notice there is a holding directory. I didn't want to just blow away things and just moved them out of the normal paths in case I needed to put them back. I'll remove that holding directory when all is done.

That's fine to make backups but please do not make them within the Certbot structure. Think of those as its database. Besides, backups are best done with the entire structure as they are interrelated. The backup method should preserve the symlinks too.

Have you reloaded Apache yet? Because I still see it using the older mfno cert from Oct 29.

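The backup advice above (whole tree, outside the Certbot directory, symlinks kept as symlinks) as an added example; this is not code from the thread or from Certbot. The `/usr/local/etc/certbot` path is taken from the ls output in this thread; the backup destination and the test domain are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: back up the whole certbot config tree to
# a location outside it, keeping live/ symlinks as symlinks, then verify the
# restored copy. Paths are assumptions.
set -eu

# Create a compressed archive of the entire certbot directory. tar stores
# symlinks as links unless told to dereference them (-h), which is what live/
# needs. The archive holds private keys, so it is created owner-only (umask 077).
backup_certbot_tree() {
    src="$1"      # e.g. /usr/local/etc/certbot
    out="$2"      # e.g. /root/backups/certbot-YYYY-MM-DD.tgz, outside $src
    ( umask 077; tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")" )
}

# Restore the archive into $2 and check that every *.pem under live/ is still
# a symlink whose target exists. Returns 1 if any link was flattened into a
# regular file or is dangling (archive dir missing), which is exactly the kind
# of damage a careless copy causes.
restore_and_verify() {
    archive="$1"; dest="$2"; name="$3"
    mkdir -p "$dest"
    tar -xzf "$archive" -C "$dest"
    status=0
    for link in "$dest/$name"/live/*/*.pem; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        if [ ! -L "$link" ] || [ ! -e "$link" ]; then
            echo "not a valid symlink: $link" >&2
            status=1
        fi
    done
    return $status
}
```

Restoring into a scratch directory first and only then swapping it into place keeps a bad archive from replacing a working configuration.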

No, not yet, didn't realize we were ready. OK, reloaded.


Good on the reload. I see mfno now using the cert from today.

Let's get rid of these broken cert renewal profile sets. The below command is the usual way but Certbot may reject it given their errors. In which case we can remove them manually.

Try this first

certbot delete --cert-name mfno.org-0001
certbot delete --cert-name mfno.org-0002

It allowed, gone.

Terrific. In your first post you showed an mfno-0011 folder in .../archive/

You should delete that manually. There is no certbot renewal profile for that so it is just a stray folder.

Do you understand enough of what we did to do all the others yourself? If not, we can walk through another one. Some have slightly different groups of renewal profiles (-0001, -0004, ...) but the corrective steps are the same. That is, clean up the base profile and get rid of the extras.

If you ever start seeing -0001, ... folders again something has gone wrong.


Yes, I can rinse and repeat OK, I think. I'll double check the actual "good cert" before choosing which of the 2, 3, 4, etc. to remove. I do think, however, they're all 2's.

My final question would be, is the command I'm using to renew the correct one or am I short some arguments: % certbot certonly --manual --preferred-challenges dns

Thank you very much for your help. I'd like to have this take care of itself without something going wrong, so as long as the renewal cert process works self-scripted this will be great.


Oh, and of course once prompted I then enter *.mfno.org, mfno.org, correct?

Yeah, if you can automate your DNS Challenge you could just do certbot renew and it would do all of them as they approached expiration. Very nice.

But, the manual method requires redoing your initial command each time. You could do something like this which should ensure you don't create alternate profiles:

certbot certonly --manual --preferred-challenges dns --cert-name mfno.org -d mfno.org -d "*.mfno.org"

Maybe create a script that has one command for each of your domains.

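The "one command for each of your domains" script suggested above, as an added example that is not code from the thread or from Certbot. It pins each run with `--cert-name` so no `-0001` style profiles appear, validates the domain string before calling certbot (a pasted typographic quote fails the check instead of turning into a shell glob), and adds two checks from earlier in the thread: that `live/<name>/cert.pem` points at the newest archived cert, and that the cert Apache serves matches the file on disk. The config path comes from the ls output in this thread; the domain list and the `--run` flag are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: one certbot command per domain,
# driven from a list, plus two checks worth running afterwards.
# CERTBOT_DIR is taken from the ls output in the thread; DOMAINS is constructed.
set -eu

CERTBOT_DIR="/usr/local/etc/certbot"   # assumed config dir (certbot --config-dir)
DOMAINS="mfno.org mcklpoa.ca"           # constructed list; one entry per cert profile

# Accept only plain ASCII letters, digits, '.' and '-'. Typographic quotes
# pasted from a document fail this, which is the "zsh: no matches found" case:
# the shell saw the quote characters as part of a glob pattern, not as quoting.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# One renewal. --cert-name reuses the existing profile instead of minting a
# new mfno.org-0001 style set; the wildcard sits inside plain ASCII quotes so
# the shell passes it through untouched.
renew_one() {
    dom="$1"
    valid_domain "$dom" || { echo "refusing suspicious domain: $dom" >&2; return 1; }
    certbot certonly --manual --preferred-challenges dns \
        --cert-name "$dom" -d "$dom" -d "*.$dom"
}

# Highest N among archive/<name>/certN.pem (0 if there are none).
newest_archive_number() {
    max=0
    for f in "$1"/cert[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/cert}; n=${n%.pem}
        [ "$n" -gt "$max" ] && max=$n
    done
    echo "$max"
}

# True when live/<name>/cert.pem points at the newest archived cert, which is
# what relinking cert.pem -> cert3.pem earlier in the thread restored.
live_is_current() {
    dir="$1"; name="$2"
    target=$(readlink "$dir/live/$name/cert.pem") || return 1
    n=$(newest_archive_number "$dir/archive/$name")
    [ "$(basename "$target")" = "cert$n.pem" ]
}

# True when the certificate the web server actually serves for $1 has the same
# SHA-256 fingerprint as the file in $2 (needs network access to the host).
served_matches_file() {
    host="$1"; file="$2"
    served=$(printf '' | openssl s_client -servername "$host" -connect "$host:443" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    on_disk=$(openssl x509 -noout -fingerprint -sha256 -in "$file")
    [ "$served" = "$on_disk" ]
}

# Only run the renewals when explicitly asked: ./renew.sh --run
if [ "${1:-}" = "--run" ]; then
    for dom in $DOMAINS; do
        renew_one "$dom"
        live_is_current "$CERTBOT_DIR" "$dom" || echo "WARNING: live/$dom not on newest cert" >&2
    done
    echo "now reload Apache, then run served_matches_file <host> <live fullchain.pem>" >&2
fi
```

After the reload, `served_matches_file mfno.org /usr/local/etc/certbot/live/mfno.org/fullchain.pem` is the scripted form of "I see mfno now using the cert from today".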

Thanks again, Mike, for all the help. Greatly appreciated. Yes, I'll work on some scripts later after I get all this cleaned up. Have a great week.


Sorry to bother you again, Mike. I updated all the domains, which went well until I got to one: mcklpoa.ca. I cleaned up the directories, got the link to cert2.pem and such all set up, but then running the command gives the following error:

certbot certonly --manual --preferred-challenges dns --cert-name mcklpoa.ca -d mcklpoa.ca -d “*.mcklpoa.ca”
zsh: no matches found: “*.mcklpoa.ca”

I've checked permissions, directories look good, symlinks are all good....

ls -l /usr/local/etc/certbot/certs/{live,archive}/mcklpoa.ca
/usr/local/etc/certbot/certs/archive/mcklpoa.ca:
total 72
-rwxrwxr-x+ 1 chris wheel 1480 3 Aug 2023 cert1.pem
-rwxrwxr-x+ 1 chris wheel 1265 10 Jan 16:55 cert2.pem
-rwxrwxr-x+ 1 chris wheel 3749 3 Aug 2023 chain1.pem
-rwxrwxr-x+ 1 chris wheel 1566 10 Jan 16:55 chain2.pem
-rwxrwxr-x+ 1 chris wheel 5229 3 Aug 2023 fullchain1.pem
-rwxrwxr-x+ 1 chris wheel 2831 10 Jan 16:55 fullchain2.pem
-rwxrwxr-x+ 1 chris wheel 241 3 Aug 2023 privkey1.pem
-rwxrwxr-x+ 1 chris wheel 241 10 Jan 16:55 privkey2.pem

/usr/local/etc/certbot/certs/live/mcklpoa.ca:
total 8
-rwxrwxr-x+ 1 chris wheel 692 29 Oct 20:17 README
lrwxr-xr-x 1 chris wheel 34 13 Jan 16:16 cert.pem -> ../../archive/mcklpoa.ca/cert2.pem
lrwxr-xr-x 1 chris wheel 35 13 Jan 16:16 chain.pem -> ../../archive/mcklpoa.ca/chain2.pem
lrwxr-xr-x 1 chris wheel 39 13 Jan 16:16 fullchain.pem -> ../../archive/mcklpoa.ca/fullchain2.pem
lrwxr-xr-x 1 chris wheel 37 13 Jan 16:17 privkey.pem -> ../../archive/mcklpoa.ca/privkey2.pem

Any ideas why it's spitting out the error?

Found it, never mind. Thanks.


You beat me by 2 minutes 🙂

