Just been renewing a certificate that expired in December, but having a few issues: the autorenewal scripts are completing and showing the “Congratulations!” message, but the certificate expiry is the same, 2016-12-03…
Both of which are completing but not renewing the cert.
Output from renew command:
Processing /etc/letsencrypt/renewal/pollys.place.conf
Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for pollys.place
tls-sni-01 challenge for admin.pollys.place
tls-sni-01 challenge for api.pollys.place
tls-sni-01 challenge for telephony.pollys.place
tls-sni-01 challenge for www.pollys.place
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0036_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0036_csr-certbot.pem
Output from certonly command:
Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/pollys.place/fullchain.pem. Your cert will
expire on 2016-12-03. To obtain a new or tweaked version of this
certificate in the future, simply run letsencrypt-auto again. To
non-interactively renew all of your certificates, run
"letsencrypt-auto renew"
My operating system is Debian 8.6
My web server is Nginx/1.6.2
I can root into the machine, and all commands have been run as root.
And of course, after trying a couple of times, I’m now being rate limited:
Attempting to renew cert from /etc/letsencrypt/renewal/pollys.place.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for exact set of domains: admin.pollys.place,api.pollys.place,pollys.place,telephony.pollys.place,www.pollys.place. Skipping.
Could you run ls -l /etc/letsencrypt/live/pollys.place and ls -l /etc/letsencrypt/archive/pollys.place and paste the output of both commands here?
It sounds like the symlinks in the /live directory have been replaced by actual files or something like that. In all likelihood, the renewed certificates and the corresponding keys are available somewhere in /archive.
As you say, it looks like there are some issues with regard to the symlinks. Unfortunately, symlinking is not a strong point in my *nix knowledge. The *2.pem files look like the new ones; is there any way of resolving this so that future renewals won’t require manual intervention? (i.e. clean everything up, repoint)
It looks like you might have a second certificate lineage (pollys.place-0001), and for some reason the symlinks point to that directory rather than the one without -0001. That’s not something the client should do; perhaps this was the result of an attempt to merge the new lineage (which might have been created when you tried to add a subdomain without providing the --expand flag) with the old one manually?
Usually, I would recommend backing up and deleting /etc/letsencrypt entirely to start from scratch and just request the certificates again, but since you’re being rate-limited right now, that’s not really an option right now. You could update all the symlinks in /live to the corresponding most recent file in /archive via:
You’ll probably want to disable any renewal cronjobs for now and still delete /etc/letsencrypt and re-issue all certificates in a week once the rate-limiting period has expired; trying to manually fix these issues while getting renewal to work tends to be rather error-prone.
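As an added example, not the command from the reply above (which did not survive on this page) and not certbot's own code: a POSIX shell script that does the repair the reply describes, repointing the live/<lineage>/*.pem symlinks at the highest-numbered cert, chain, fullchain and privkey files in archive/<lineage>. It assumes the standard certbot layout with archive/ and live/ side by side under a root directory that is passed in explicitly, so it can be run against a copy; the demo builds a constructed copy of the thread's tree (lineage name pollys.place taken from the thread, PEM contents faked) in a temporary directory rather than touching /etc/letsencrypt. The cert_enddate helper, which uses openssl to confirm the expiry afterwards, is likewise mine and is not run by the demo.

```shell
#!/bin/sh
# Added example, not certbot's own code: repair certbot's /live symlinks so
# they point at the newest serial in /archive for the same lineage.
# The root directory is passed explicitly (assumption: archive/ and live/
# sit side by side under it, as in /etc/letsencrypt) so the script can be
# run against a copy; the demo below builds a constructed copy.
set -eu

# Highest N such that <root>/archive/<lineage>/<kind>N.pem exists (empty if none).
latest_serial() {
  ls "$1/archive/$2/" | sed -n "s/^$3\([0-9][0-9]*\)\.pem\$/\1/p" | sort -n | tail -n 1
}

# What live/<lineage>/<kind>.pem points at; empty when it is not a symlink
# (a plain file copied into live/ by hand is one way the thread's breakage happens).
live_target() {
  p="$1/live/$2/$3.pem"
  if [ -L "$p" ]; then readlink "$p"; else echo ""; fi
}

# Repoint cert, chain, fullchain and privkey of one lineage at the newest
# archive serial, using the same relative ../../archive/... form certbot
# writes. Plain files found in live/ are moved aside as *.bak, not deleted.
# Prints the serial that is now linked.
relink_lineage() {
  root=$1; lineage=$2
  n=$(latest_serial "$root" "$lineage" cert)
  [ -n "$n" ] || { echo "no cert*.pem in $root/archive/$lineage" >&2; return 1; }
  mkdir -p "$root/live/$lineage"
  for kind in cert chain fullchain privkey; do
    src="$root/archive/$lineage/$kind$n.pem"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    dst="$root/live/$lineage/$kind.pem"
    if [ -e "$dst" ] && [ ! -L "$dst" ]; then mv "$dst" "$dst.bak"; fi
    rm -f "$dst"
    ln -s "../../archive/$lineage/$kind$n.pem" "$dst"
  done
  echo "$n"
}

# The check to run afterwards: the notAfter date of the cert that live/ now
# resolves to. Needs openssl and real PEM data, so the demo does not call it.
cert_enddate() {
  openssl x509 -noout -enddate -in "$1/live/$2/cert.pem"
}

# Constructed copy of the thread's situation: archive/ holds the old (*1.pem)
# and renewed (*2.pem) files, live/ still points at the old ones, and cert.pem
# has been replaced by a plain file. Prints the temporary root.
build_demo_tree() {
  root=$(mktemp -d)
  lineage=pollys.place
  mkdir -p "$root/archive/$lineage" "$root/live/$lineage"
  for kind in cert chain fullchain privkey; do
    printf 'constructed %s, expires 2016-12-03\n' "$kind" >"$root/archive/$lineage/${kind}1.pem"
    printf 'constructed %s, renewed\n' "$kind" >"$root/archive/$lineage/${kind}2.pem"
    ln -s "../../archive/$lineage/${kind}1.pem" "$root/live/$lineage/$kind.pem"
  done
  rm "$root/live/$lineage/cert.pem"
  cp "$root/archive/$lineage/cert1.pem" "$root/live/$lineage/cert.pem"
  echo "$root"
}

demo() {
  root=$(build_demo_tree)
  echo "before: cert.pem -> '$(live_target "$root" pollys.place cert)'"
  n=$(relink_lineage "$root" pollys.place)
  echo "after:  cert.pem -> '$(live_target "$root" pollys.place cert)' (serial $n)"
  cat "$root/live/pollys.place/fullchain.pem"
  rm -rf "$root"
}

demo
```

Against the real tree this would be `relink_lineage /etc/letsencrypt pollys.place` as root, after backing up /etc/letsencrypt, followed by `cert_enddate /etc/letsencrypt pollys.place` to confirm the date has moved, and then an nginx reload, since nginx keeps the certificate it loaded at startup in memory until it is reloaded. If the renewed files actually landed under a second lineage such as pollys.place-0001, relink that lineage instead and point the nginx `ssl_certificate` directives at it, or follow the advice above and re-issue once the rate limit has cleared.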
is most definitely broken. From the command line, it seems to indicate all is well. And the certs appear to increment to the next number. But the certs themselves are not actually updated. I had to manually delete all the subdirectories under
/etc/letsencrypt/ # (except the account directory)