[solved] Please help to renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sabaideegroup1.com

I ran this command:

It produced this output:

My web server is (include version): apache 2.4.10

The operating system my web server runs on is (include version): debian 8.8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Please help.
First, sorry for my poor English. My server can't renew; my cert has expired (Oct 31 2017).
Stupidly, I deleted /etc/letsencrypt/live/sabaideegroup1.com and /etc/letsencrypt/live/www.sabaideegroup1.com
because I thought they would be created again when I used certbot --apache -d sabaideegroup1.com -d www.sabaideegroup1.com,
but they were not. I looked for a solution and tried to create a link from /etc/letsencrypt/archive/sabaideegroup1.com/cert4.pem --> /etc/letsencrypt/live/sabaideegroup1.com/cert.pem, and the same for the files chain.pem, fullchain.pem, privkey.pem.
I checked that the config file /etc/apache2/sites-available/000-default-le-ssl.conf points to the correct path:
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/sabaideegroup1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sabaideegroup1.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
I tried certbot renew --dry-run and everything looks good.
I used ssl-cert-check -c cert.pem:
the status is valid and Expires: Jan 30 2018.
I restarted Apache but the browser always shows insecure.
https://globalsign.ssllabs.com/analyze.html?d=sabaideegroup1.com shows EXPIRED.
I want to enable SSL for sabaideegroup1.com and the alias name www.sabaideegroup1.com.
Please help.

Hi @topphy,

Could you run certbot certificates to see if you have other certificates managed by Certbot?

Thanks schoen, this is the result of certbot certificates:

Found the following certs:
  Certificate Name: www.sabaideegroup1.com
    Domains: www.sabaideegroup1.com
    Expiry Date: 2018-01-29 15:43:25+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.sabaideegroup1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.sabaideegroup1.com/privkey.pem
  Certificate Name: sabaideegroup1.com
    Domains: sabaideegroup1.com www.sabaideegroup1.com
    Expiry Date: 2018-01-30 01:45:44+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/sabaideegroup1.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/sabaideegroup1.com/privkey.pem

@topphy,

You set it to open as www.sabaideegroup1.com

so change ssl configs :

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.sabaideegroup1.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.sabaideegroup1.com/privkey.pem

restart apache

If the above changes didn't work, do the following

Please run these commands:
certbot delete --cert-name sabaideegroup1.com
certbot delete --cert-name www.sabaideegroup1.com

Remove ssl configs from apache
Note : check whether the configuration file and folders are deleted
config file : /etc/letsencrypt/renewal/sabaideegroup1.com.conf
folders : /etc/letsencrypt/archive/sabaideegroup1.com
/etc/letsencrypt/live/sabaideegroup1.com

Now run:
certbot certonly -a webroot --webroot-path="document root" -d sabaideegroup1.com -d www.sabaideegroup1.com

Manually add the SSL parameters inside the Apache config, then restart Apache.


Thank you very much gotham. I followed your guide.
Now I have only one folder, sabaideegroup1.com, in /etc/letsencrypt/live.
I ran certbot certificates and the result is:
-----------------------------------------------------------------------------------------------------
Found the following certs:
Certificate Name: sabaideegroup1.com
Domains: sabaideegroup1.com www.sabaideegroup1.com
Expiry Date: 2018-01-30 04:33:15+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/sabaideegroup1.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sabaideegroup1.com/privkey.pem
-----------------------------------------------------------------------------------------------------
I changed the Apache SSL config path to sabaideegroup1.com and restarted Apache too.
It looks good, but why does the browser still show not secure? What did I miss?

please post outputs of :
ls -lh /etc/letsencrypt/archive/sabaideegroup1.com/
and
ls -lh /etc/letsencrypt/live/sabaideegroup1.com/

ls -lh /etc/letsencrypt/archive/sabaideegroup1.com/
total 16K
-rw-r--r-- 1 root root 1.8K Nov 1 12:33 cert1.pem
-rw-r--r-- 1 root root 1.7K Nov 1 12:33 chain1.pem
-rw-r--r-- 1 root root 3.5K Nov 1 12:33 fullchain1.pem
-rw-r--r-- 1 root root 1.7K Nov 1 12:33 privkey1.pem

ls -lh /etc/letsencrypt/live/sabaideegroup1.com/
total 4.0K
-rw-r--r-- 1 root root 543 Nov 1 12:33 README
lrwxrwxrwx 1 root root 42 Nov 1 12:33 cert.pem -> ../../archive/sabaideegroup1.com/cert1.pem
lrwxrwxrwx 1 root root 43 Nov 1 12:33 chain.pem -> ../../archive/sabaideegroup1.com/chain1.pem
lrwxrwxrwx 1 root root 47 Nov 1 12:33 fullchain.pem -> ../../archive/sabaideegroup1.com/fullchain1.pem
lrwxrwxrwx 1 root root 45 Nov 1 12:33 privkey.pem -> ../../archive/sabaideegroup1.com/privkey1.pem

This is not something to modify yourself, certbot handles all the links for you.

my /etc/apache2/sites-available/000-default-le-ssl.conf

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ServerName sabaideegroup1.com
    ServerAlias www.sabaideegroup1.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/sabaideegroup1.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sabaideegroup1.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

@rg305 yes it’s my mistake.

Are you still having trouble?
You have issued 7 certs in the last 2 days. (https://crt.sh/?q=sabaideegroup1.com)
You need to stop trying to issue new certs and correct the problem that it is not using the newly created certs.
@gotham suggested that you delete the certs and create new ones.
Have you followed that advice?

<VirtualHost *:80>
    ServerName sabaideegroup1.com
    ServerAlias www.sabaideegroup1.com
    DocumentRoot /var/www/html
    # Redirect plain-HTTP requests to HTTPS, keeping the requested path ($1)
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

    <Directory /var/www/html>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    # Note: this log file sits inside DocumentRoot, so it is web-readable
    ErrorLog /var/www/html/sabaideegroup1.log
    LogLevel warn
</VirtualHost>

<VirtualHost *:443>
    ServerName sabaideegroup1.com
    ServerAlias www.sabaideegroup1.com
    DocumentRoot /var/www/html
    SSLEngine on
    # Leaf certificate, its private key, and the intermediate chain (chain.pem)
    SSLCertificateFile /etc/letsencrypt/live/sabaideegroup1.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sabaideegroup1.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/sabaideegroup1.com/chain.pem

    <Directory /var/www/html>
        Options FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog /var/www/html/sabaideegroup1.log
    LogLevel warn
</VirtualHost>

Disable the old config files, copy this config into a single file (check the document root and Directory), enable it, and check.

OK gotham. Now I have 2 config files:

  1. 000-default.conf (80)
  2. 000-default-le-ssl.conf (443)

I need to disable 000-default-le-ssl.conf (use a2disconf?)
and replace 000-default.conf with your config above, right?

Do not replace anything. Disable 1 and 2. Create a new test.conf inside sites-available and paste the configs inside it. Run a2ensite test.conf, then service apache2 restart. Kindly check the document root and Directory and change them according to your path.

@gotham I did it. Now /etc/apache2/sites-enabled has only one file, test.conf.
I enabled it and restarted Apache but still have the problem. Maybe we solved it but it is not active because
I created many certs, as @rg305 says. A limit? Do I need to wait?

No need to wait.
You have good certs and private keys.
But the site is still using the expired cert.
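
The state described in the reply above (valid certificates on disk, an expired one on the wire) can be confirmed from the shell. This is an added example, not part of the original thread: it compares the certificate Apache serves with Certbot's file and lists certificate directives that point outside the lineage directory. The function names and the constructed sample configs are assumptions of this example, and it assumes openssl and GNU grep are installed.

```shell
#!/bin/sh
# Added example (not from the thread); function names are this example's own.
LIVE=/etc/letsencrypt/live/sabaideegroup1.com   # lineage path from the thread

# SHA-256 fingerprint of the first PEM certificate on stdin.
pem_fp() { openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

# Fingerprint and notAfter of the leaf certificate served for host $1
# (SNI is set so Apache selects the name-based vhost for that host).
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 -enddate
}

# Prints "match" if the served leaf is the certificate in file $2, else "differ".
compare_served() {
    served=$(served_cert "$1" | sed -n 's/^.*Fingerprint=//p')
    ondisk=$(pem_fp < "$2")
    if [ -n "$served" ] && [ "$served" = "$ondisk" ]; then echo match; else echo differ; fi
}

# Lists file:line:directive for every active SSLCertificate* directive under
# config directory $1 whose path is outside lineage directory $2.
# -R follows the sites-enabled symlinks; commented-out lines do not match.
stray_cert_paths() {
    grep -RHnE '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' "$1" |
        grep -vF -- "$2/" || true
}

# Constructed sample configs (not the poster's real files) written to dir $1.
make_sample() {
    printf '%s\n' '<VirtualHost *:443>' \
        "  SSLCertificateFile /etc/letsencrypt/live/www.sabaideegroup1.com/fullchain.pem" \
        "  SSLCertificateKeyFile /etc/letsencrypt/live/www.sabaideegroup1.com/privkey.pem" \
        '</VirtualHost>' > "$1/000-default-le-ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' \
        "  SSLCertificateFile $LIVE/fullchain.pem" \
        "  # SSLCertificateFile /etc/ssl/certs/old.pem" \
        "  SSLCertificateKeyFile $LIVE/privkey.pem" \
        '</VirtualHost>' > "$1/test.conf"
}

# With a hostname argument, check the live server (needs network and root).
if [ $# -gt 0 ]; then
    served_cert "$1"
    compare_served "$1" "$LIVE/cert.pem"
    stray_cert_paths /etc/apache2/sites-enabled "$LIVE"
fi
```

A "differ" result while `certbot certificates` reports a valid lineage means the process answering on port 443 has not loaded Certbot's current files, which narrows the search to the running Apache instance and its enabled configs rather than to issuance.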

No problem with the Let's Encrypt cert creation. No problem with the config. No problem with the dry run.
According to the config I have given above, it should open https://sabaideegroup1.com. But it is still opening with https://www.sabaideegroup1.com. Are there any internal redirects or .htaccess configs you have configured?
Can you post the log here, as we have configured in the config?
ErrorLog /var/www/html/sabaideegroup1.log

@gotham we have sabaideegroup1.log and it is empty.
I have an index.php file in /var/www/html that redirects the page:

<?php header("Location:https://www.sabaideegroup1.com/site/public/"); die(); ?>

Is it a problem?

Now I have changed index.php to show “OK” with no redirect, and there is no .htaccess in /var/www/html.

Why are you forcing the URL there in the header? May I know your document root? Is it Laravel?

My customer wants to see www in front of the site address for both sabaideegroup1.com and www.sabaideegroup1.com.
I thought the easy way was to redirect in the index file. Yes, in /site/public it's Laravel.