Site still missing the cert

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.slidepipe.com

I ran this command: sudo certbot-auto renew

It produced this output:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/slidepipe.com/fullchain.pem expires on 2020-05-08 (skipped)
/etc/letsencrypt/live/www.slidepipe.com/fullchain.pem expires on 2020-05-08 (skipped)
No renewals were attempted.

My web server is (include version):nginx

I renewed the cert but in the web is still missing it.
Renewal output

renew_before_expiry = 30 days

version = 1.2.0
archive_dir = /etc/letsencrypt/archive/slidepipe.com
cert = /etc/letsencrypt/live/slidepipe.com/cert.pem
privkey = /etc/letsencrypt/live/slidepipe.com/privkey.pem
chain = /etc/letsencrypt/live/slidepipe.com/chain.pem
fullchain = /etc/letsencrypt/live/slidepipe.com/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = nginx
account = 2eb7b708af1bf4815e897cfabe830f21
server = https://acme-v02.api.letsencrypt.org/directory

2

Your renewal configuration file is ‘missing’ an installer line. Perhaps you’ve used certbot-auto with the certonly method, which gives you a renewable certificate, but needs you to install the cert manually into the webserver. In that case, after renewal, nginx isn’t reloaded automatically. Most users use a deploy-hook to reload their webserver after renewal.

1 Like
3

Hi @facildeanotar

you have created two certificate, one per domain name (non-www and www):

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2020-02-08 2020-05-08 www.slidepipe.com - 1 entries duplicate nr. 1
Let's Encrypt Authority X3 2020-02-08 2020-05-08 slidepipe.com - 1 entries duplicate nr. 1

So install both with one command per domain name:

certbot --reinstall -i nginx slidepipe.com
certbot --reinstall -i nginx www.slidepipe.com

Certbot should find the matching certificate and should try to install it. Then restart your nginx.

4

I'm pretty sure reloading is the prefered method compaired to restarting. With reloading there is no downtime.

1 Like
5

Hi @JuergenAuer

Thanks a lot for your help.

I tried to run:
certbot --reinstall -i nginx slidepipe.com
certbot --reinstall -i nginx www.slidepipe.com

get the output: sudo: certbot: command not found

Can you help me?

6

Use your certbot-auto.

7

I’m sorry to ask a lot. But can’t still do it:

root@slidepipe-master:/etc/letsencrypt/live/slidepipe.com# sudo certbot-auto -i nginx slidepipe.com
/usr/local/bin/certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
usage:
certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: slidepipe.com

8

Yes, a -d flag is missing.

9

This is the output:

:/etc/letsencrypt/live# sudo certbot-auto certonly -n -d slidepipe.com -d www.slidepipe.com
/usr/local/bin/certbot-auto has insecure permissions!
To learn how to fix them, visit Certbot-auto deployment best practices
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Missing command line flags. For non-interactive execution, you will need to specify a plugin on the command line.

10

@facildeanotar This isn’t going to work. From my perspective, it looks like you’re randomly mixing command line options without actually doing what @JuergenAuer recommends. For example, where does the certonly come from? That is exactly the opposite of -i nginx. Or the -n?

11

honestly Im lost. I trying to solve the question, but I cant

12

As your nginx currently only serves the www subdomain certificate, which isn’t very good if someone would try to connect to https://slidepipe.com, I would suggest just getting a brand new certificate covering both your hostnames:

sudo certbot-auto --nginx -d slidepipe.com -d www.slidepipe.com
1 Like
13

how can I thank you?

worked!!! thank you so much!!!

14

a question: how do you know that my nginx just serves the subdomain certificate?

15

It did that, but now that you've got a certificate with both hostnames, there's no certificate issue any longer. Also, your HTTP site redirected all non-encrypted traffic to the www subdomain with HTTPS, so normally users wouldn't be bothered by a warning, as normally users would not end up to the HTTPS non-www hostname.

I tested the above with the command:

openssl s_client -connect slidepipe.com:443 -servername slidepipe.com | openssl x509 -noout -text

Which shows the contents of the certificate provided by the webserver for the hostname earlier in the command.

17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.