Replace a seemingly valid certificate with a test certificate

Hi,
My certificate expires in a few days and I am trying to renew it, but it is giving me errors. As an important note, the certificate was not made by me.

My domain is: dominio.com

I ran this command: certbot renew

It produced this output:

/usr/lib64/python2.7/site-packages/cryptography/__init__.py:39: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
  CryptographyDeprecationWarning,
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Attempting to renew cert (dominio.com) from /etc/letsencrypt/renewal/dominio.conf produced an unexpected error: You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: dominio.com). We will not do that unless you use the --break-my-certs flag!. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dominio.com/fullchain.pem (failure)

My web server is (include version): Apache

The operating system my web server runs on is (include version): openSUSE Leap 15.1

My hosting provider, if applicable, is: Godaddy

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.0.0


My document cli.ini

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# The staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# The production server.
# server = https://acme-v01.api.letsencrypt.org/directory
 server = https://acme-staging-v02.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = email@dominio.com
# Uncomment and update to generate certificates for the specified
# domains.
 domains = dominio.com

# Uncomment to use a text interface instead of ncurses
# text = True

# Uncomment
# agree-eula = True
agree-tos = True
renew-by-default = True

# Uncomment to use the standalone authenticator on port 443
# If you want to use port 443, you must use standalone-supported-challenges
# If you want to use port 80, you must use preferred-challenges = http-01
authenticator = webroot
# standalone-supported-challenges = tls-sni-01
# preferred-challenges = tls-sni-01
preferred-challenges = http-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
authenticator = webroot
# webroot-path = /usr/share/nginx/html
webroot-path = /srv/www/htdocs

Thank you for posting your cli.ini straight away, very helpful!

The problem is in the part I've quoted above: someone has set the staging server as the default server! This is of course not what you want. My suggestion is to remove the server configuration values altogether, as you don't want the staging server configured, and the other shown (commented out) option is the default anyway.

4 Likes

Also, please remove the above option immediately! That option should NOT be used by default, because it can lead to you running into rate limits and will probably impart unnecessary load on the Let's Encrypt infrastructure!

To show you what I mean, please see all the certs for this hostname: crt.sh | nsba.telsurcallcenter.com

That doesn't look like it neatly renews every 60 days, but way, WAY more frequent! Look at all those uselessly renewed certificates! Shame...

I don't know who set up your setup, but it doesn't look like they knew what they were doing... Speaking about that... :thinking: Python 2.7? For real?

1 Like
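A small lint for the two cli.ini settings flagged in this reply, added here as an example and not part of the thread or of Certbot itself. It parses the posted file the way Certbot's cli.ini is laid out (key = value lines, no section header, last duplicate wins) and reports the staging server URL, renew-by-default, and repeated keys; the sample input is constructed from the lines quoted in the question.

```python
from collections import Counter

# Constructed sample: the relevant lines of the cli.ini posted in this thread.
POSTED_CLI_INI = """\
# server = https://acme-staging.api.letsencrypt.org/directory
# server = https://acme-v01.api.letsencrypt.org/directory
 server = https://acme-staging-v02.api.letsencrypt.org/directory
agree-tos = True
renew-by-default = True
authenticator = webroot
preferred-challenges = http-01
authenticator = webroot
webroot-path = /srv/www/htdocs
"""

STAGING_MARKER = "acme-staging"  # present in both staging directory URLs


def parse_cli_ini(text):
    """Return (key, value) pairs in file order, skipping blanks and comments."""
    # cli.ini has no [section] header, so configparser is not used; duplicate
    # keys are kept because certbot lets the last occurrence win.
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def lint_cli_ini(text):
    """Return findings for the renewal footguns discussed in the thread."""
    pairs = parse_cli_ini(text)
    effective = dict(pairs)  # dict() keeps the last value of a repeated key
    findings = []
    if STAGING_MARKER in effective.get("server", ""):
        findings.append("server points at the staging CA: renew refuses to replace a "
                        "valid production cert with a test cert (--break-my-certs), "
                        "and a staging cert would be untrusted anyway; drop the line")
    if effective.get("renew-by-default", "").lower() == "true":
        findings.append("renew-by-default reissues on every run and burns rate "
                        "limits; drop it so renew only acts when the cert is due")
    for key, n in Counter(k for k, _ in pairs).items():
        if n > 1:
            findings.append(f"key '{key}' appears {n} times; only the last is used")
    return findings
```

Running `lint_cli_ini(POSTED_CLI_INI)` on the posted file yields three findings; with the server and renew-by-default lines removed, only the repeated authenticator key remains.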

Thanks for the answer, I already removed these lines from the cli.ini
renew-by-default = True
server = https://acme-v01.api.letsencrypt.org/directory
server = https://acme-staging-v02.api.letsencrypt.org/directory

and now it gives me a different error:
nsba:~ # certbot renew
/usr/lib64/python2.7/site-packages/cryptography/__init__.py:39: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in a future release.
CryptographyDeprecationWarning,
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Attempting to renew cert (dominio.com) from /etc/letsencrypt/renewal/dominio.com.conf produced an unexpected error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error creating new order. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dominio.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dominio.com/fullchain.pem (failure)

1 Like

Before it was someone else who was in charge, now I'm trying to find out what he did :sweat_smile:

1 Like

This is most likely due to the current issue: https://letsencrypt.status.io/

1 Like

I'll try later then, thank you very much for the help.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.