[Solved] Renewal is rate limited, but certificate expired in August

schoen · October 24, 2017, 11:40pm

You have an inconsistent lineage name between couchpotato.jcconnell.com and couchpotato.jcconnell.com-0001 and between plex.jcconnell.com and plex.jcconnell.com-0001. This is usually a sign of having renamed files in /etc/letsencrypt and is fairly likely to be part of what’s breaking the renewals.

jcconnell · October 24, 2017, 11:44pm

Interesting.

Here’s what one of the functional domains looks like:

ls -l /etc/letsencrypt/live/unifi.jcconnell.com
total 7
-rw-r--r-- 1 root root 543 May 14 17:37 README
lrwxrwxrwx 1 root root  43 Sep 18 00:00 cert.pem -> ../../archive/unifi.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  44 Sep 18 00:00 chain.pem -> ../../archive/unifi.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  48 Sep 18 00:00 fullchain.pem -> ../../archive/unifi.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  46 Sep 18 00:00 privkey.pem -> ../../archive/unifi.jcconnell.com/privkey3.pem

So the difference is in the cert3.pem vs. cert0001.pem, etc? What’s the best way to fix this?

schoen · October 24, 2017, 11:50pm

Can you show us the output of this command?

ls -l /etc/letsencrypt/{live,archive,renewal}/*

jcconnell · October 24, 2017, 11:52pm

It’s very long, would you prefer it pasted here or in something like a pastbin?

schoen · October 24, 2017, 11:53pm

Either way is OK with me.

jcconnell · October 24, 2017, 11:53pm

-rw-r--r-- 1 root root 601 Aug 25 21:19 /etc/letsencrypt/renewal/cloud.jcconnell.com.conf
-rw-r--r-- 1 root root 649 May 14 17:49 /etc/letsencrypt/renewal/couchpotato.jcconnell.com.conf
-rw-r--r-- 1 root root 567 Sep 18 00:00 /etc/letsencrypt/renewal/gitlab.jcconnell.com.conf
-rw-r--r-- 1 root root 588 Sep 18 00:00 /etc/letsencrypt/renewal/guacamole.jcconnell.com.conf
-rw-r--r-- 1 root root 612 Oct 14 12:38 /etc/letsencrypt/renewal/guacamole.mobileeyecare.com.conf
-rw-r--r-- 1 root root 553 Oct 14 12:38 /etc/letsencrypt/renewal/hass.jcconnell.com.conf
-rw-r--r-- 1 root root 581 Sep 18 00:00 /etc/letsencrypt/renewal/owncloud.jcconnell.com.conf
-rw-r--r-- 1 root root 553 Oct 23 00:42 /etc/letsencrypt/renewal/plex.jcconnell.com.conf
-rw-r--r-- 1 root root 617 Oct 24 16:28 /etc/letsencrypt/renewal/proxmox.jcconnell.com.conf
-rw-r--r-- 1 root root 560 Sep 18 00:00 /etc/letsencrypt/renewal/unifi.jcconnell.com.conf
-rw-r--r-- 1 root root 595 Sep 18 00:00 /etc/letsencrypt/renewal/zoneminder.jcconnell.com.conf

/etc/letsencrypt/archive/cloud.jcconnell.com:
total 18
-rw-r--r-- 1 root root 1805 Aug 25 21:19 cert1.pem
-rw-r--r-- 1 root root 1647 Aug 25 21:19 chain1.pem
-rw-r--r-- 1 root root 3452 Aug 25 21:19 fullchain1.pem
-rw-r--r-- 1 root root 1704 Aug 25 21:19 privkey1.pem

/etc/letsencrypt/archive/couchpotato.jcconnell.com-0001:
total 18
-rw-r--r-- 1 root root 1826 May 14 17:36 cert1.pem
-rw-r--r-- 1 root root 1647 May 14 17:36 chain1.pem
-rw-r--r-- 1 root root 3473 May 14 17:36 fullchain1.pem
-rw-r--r-- 1 root root 1704 May 14 17:36 privkey1.pem

/etc/letsencrypt/archive/gitlab.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1809 May 14 17:37 cert1.pem
-rw-r--r-- 1 root root 1809 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1809 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:37 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3456 May 14 17:37 fullchain1.pem
-rw-r--r-- 1 root root 3456 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3456 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:37 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/archive/guacamole.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1818 May 14 17:36 cert1.pem
-rw-r--r-- 1 root root 1818 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1818 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:36 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3465 May 14 17:36 fullchain1.pem
-rw-r--r-- 1 root root 3465 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3465 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:36 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/archive/guacamole.mobileeyecare.com:
total 54
-rw-r--r-- 1 root root 1830 Jun  5 12:02 cert1.pem
-rw-r--r-- 1 root root 1830 Aug 15 12:42 cert2.pem
-rw-r--r-- 1 root root 1830 Oct 14 12:38 cert3.pem
-rw-r--r-- 1 root root 1647 Jun  5 12:02 chain1.pem
-rw-r--r-- 1 root root 1647 Aug 15 12:42 chain2.pem
-rw-r--r-- 1 root root 1647 Oct 14 12:38 chain3.pem
-rw-r--r-- 1 root root 3477 Jun  5 12:02 fullchain1.pem
-rw-r--r-- 1 root root 3477 Aug 15 12:42 fullchain2.pem
-rw-r--r-- 1 root root 3477 Oct 14 12:38 fullchain3.pem
-rw-r--r-- 1 root root 1708 Jun  5 12:02 privkey1.pem
-rw-r--r-- 1 root root 1704 Aug 15 12:42 privkey2.pem
-rw-r--r-- 1 root root 1704 Oct 14 12:38 privkey3.pem

/etc/letsencrypt/archive/hass.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1805 May 29 19:18 cert1.pem
-rw-r--r-- 1 root root 1805 Aug 15 12:42 cert2.pem
-rw-r--r-- 1 root root 1805 Oct 14 12:38 cert3.pem
-rw-r--r-- 1 root root 1647 May 29 19:18 chain1.pem
-rw-r--r-- 1 root root 1647 Aug 15 12:42 chain2.pem
-rw-r--r-- 1 root root 1647 Oct 14 12:38 chain3.pem
-rw-r--r-- 1 root root 3452 May 29 19:18 fullchain1.pem
-rw-r--r-- 1 root root 3452 Aug 15 12:42 fullchain2.pem
-rw-r--r-- 1 root root 3452 Oct 14 12:38 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 29 19:18 privkey1.pem
-rw-r--r-- 1 root root 1704 Aug 15 12:42 privkey2.pem
-rw-r--r-- 1 root root 1708 Oct 14 12:38 privkey3.pem

/etc/letsencrypt/archive/netdata.jcconnell.com:
total 18
-rw-r--r-- 1 root root 1814 Jun  2 13:16 cert1.pem
-rw-r--r-- 1 root root 1647 Jun  2 13:16 chain1.pem
-rw-r--r-- 1 root root 3461 Jun  2 13:16 fullchain1.pem
-rw-r--r-- 1 root root 1704 Jun  2 13:16 privkey1.pem

/etc/letsencrypt/archive/owncloud.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1818 May 14 17:39 cert1.pem
-rw-r--r-- 1 root root 1814 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1814 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:39 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3465 May 14 17:39 fullchain1.pem
-rw-r--r-- 1 root root 3461 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3461 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:39 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/archive/plex.jcconnell.com:
total 36
-rw-r--r-- 1 root root 1805 May 12 13:25 cert1.pem
-rw-r--r-- 1 root root 1805 Oct 23 00:42 cert2.pem
-rw-r--r-- 1 root root 1647 May 12 13:25 chain1.pem
-rw-r--r-- 1 root root 1647 Oct 23 00:42 chain2.pem
-rw-r--r-- 1 root root 3452 May 12 13:25 fullchain1.pem
-rw-r--r-- 1 root root 3452 Oct 23 00:42 fullchain2.pem
-rw-r--r-- 1 root root 1704 May 12 13:25 privkey1.pem
-rw-r--r-- 1 root root 1704 Oct 23 00:42 privkey2.pem

/etc/letsencrypt/archive/plex.jcconnell.com-0001:
total 18
-rw-r--r-- 1 root root 1805 May 14 17:44 cert1.pem
-rw-r--r-- 1 root root 1647 May 14 17:44 chain1.pem
-rw-r--r-- 1 root root 3452 May 14 17:44 fullchain1.pem
-rw-r--r-- 1 root root 1704 May 14 17:44 privkey1.pem

/etc/letsencrypt/archive/proxmox.jcconnell.com:
total 18
-rw-r--r-- 1 root root 1814 Oct 24 16:28 cert1.pem
-rw-r--r-- 1 root root 1647 Oct 24 16:28 chain1.pem
-rw-r--r-- 1 root root 3461 Oct 24 16:28 fullchain1.pem
-rw-r--r-- 1 root root 1704 Oct 24 16:28 privkey1.pem

/etc/letsencrypt/archive/unifi.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1809 May 14 17:37 cert1.pem
-rw-r--r-- 1 root root 1805 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1805 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:37 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3456 May 14 17:37 fullchain1.pem
-rw-r--r-- 1 root root 3452 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3452 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:37 privkey1.pem
-rw-r--r-- 1 root root 1708 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1708 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/archive/zoneminder.jcconnell.com:
total 54
-rw-r--r-- 1 root root 1822 May 14 17:38 cert1.pem
-rw-r--r-- 1 root root 1822 Jul 14 00:00 cert2.pem
-rw-r--r-- 1 root root 1822 Sep 18 00:00 cert3.pem
-rw-r--r-- 1 root root 1647 May 14 17:38 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 14 00:00 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 18 00:00 chain3.pem
-rw-r--r-- 1 root root 3469 May 14 17:38 fullchain1.pem
-rw-r--r-- 1 root root 3469 Jul 14 00:00 fullchain2.pem
-rw-r--r-- 1 root root 3469 Sep 18 00:00 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 14 17:38 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 14 00:00 privkey2.pem
-rw-r--r-- 1 root root 1708 Sep 18 00:00 privkey3.pem

/etc/letsencrypt/live/cloud.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 Aug 25 21:19 README
lrwxrwxrwx 1 root root  43 Aug 25 21:19 cert.pem -> ../../archive/cloud.jcconnell.com/cert1.pem
lrwxrwxrwx 1 root root  44 Aug 25 21:19 chain.pem -> ../../archive/cloud.jcconnell.com/chain1.pem
lrwxrwxrwx 1 root root  48 Aug 25 21:19 fullchain.pem -> ../../archive/cloud.jcconnell.com/fullchain1.pem
lrwxrwxrwx 1 root root  46 Aug 25 21:19 privkey.pem -> ../../archive/cloud.jcconnell.com/privkey1.pem

/etc/letsencrypt/live/couchpotato.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:36 README
lrwxrwxrwx 1 root root  54 May 14 17:36 cert.pem -> ../../archive/couchpotato.jcconnell.com-0001/cert1.pem
lrwxrwxrwx 1 root root  55 May 14 17:36 chain.pem -> ../../archive/couchpotato.jcconnell.com-0001/chain1.pem
lrwxrwxrwx 1 root root  59 May 14 17:36 fullchain.pem -> ../../archive/couchpotato.jcconnell.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root  57 May 14 17:36 privkey.pem -> ../../archive/couchpotato.jcconnell.com-0001/privkey1.pem

/etc/letsencrypt/live/gitlab.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:37 README
lrwxrwxrwx 1 root root  44 Sep 18 00:00 cert.pem -> ../../archive/gitlab.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  45 Sep 18 00:00 chain.pem -> ../../archive/gitlab.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  49 Sep 18 00:00 fullchain.pem -> ../../archive/gitlab.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  47 Sep 18 00:00 privkey.pem -> ../../archive/gitlab.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/guacamole.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:36 README
lrwxrwxrwx 1 root root  47 Sep 18 00:00 cert.pem -> ../../archive/guacamole.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  48 Sep 18 00:00 chain.pem -> ../../archive/guacamole.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  52 Sep 18 00:00 fullchain.pem -> ../../archive/guacamole.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  50 Sep 18 00:00 privkey.pem -> ../../archive/guacamole.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/guacamole.mobileeyecare.com:
total 7
-rw-r--r-- 1 root root 543 Jun  5 12:02 README
lrwxrwxrwx 1 root root  51 Oct 14 12:38 cert.pem -> ../../archive/guacamole.mobileeyecare.com/cert3.pem
lrwxrwxrwx 1 root root  52 Oct 14 12:38 chain.pem -> ../../archive/guacamole.mobileeyecare.com/chain3.pem
lrwxrwxrwx 1 root root  56 Oct 14 12:38 fullchain.pem -> ../../archive/guacamole.mobileeyecare.com/fullchain3.pem
lrwxrwxrwx 1 root root  54 Oct 14 12:38 privkey.pem -> ../../archive/guacamole.mobileeyecare.com/privkey3.pem

/etc/letsencrypt/live/hass.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 29 19:18 README
lrwxrwxrwx 1 root root  42 Oct 14 12:38 cert.pem -> ../../archive/hass.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  43 Oct 14 12:38 chain.pem -> ../../archive/hass.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  47 Oct 14 12:38 fullchain.pem -> ../../archive/hass.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  45 Oct 14 12:38 privkey.pem -> ../../archive/hass.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/owncloud.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:39 README
lrwxrwxrwx 1 root root  46 Sep 18 00:00 cert.pem -> ../../archive/owncloud.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  47 Sep 18 00:00 chain.pem -> ../../archive/owncloud.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  51 Sep 18 00:00 fullchain.pem -> ../../archive/owncloud.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  49 Sep 18 00:00 privkey.pem -> ../../archive/owncloud.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/plex.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:44 README
lrwxrwxrwx 1 root root  47 Oct 23 00:42 cert.pem -> ../../archive/plex.jcconnell.com-0001/cert1.pem
lrwxrwxrwx 1 root root  48 Oct 23 00:42 chain.pem -> ../../archive/plex.jcconnell.com-0001/chain1.pem
lrwxrwxrwx 1 root root  52 Oct 23 00:42 fullchain.pem -> ../../archive/plex.jcconnell.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root  50 Oct 23 00:42 privkey.pem -> ../../archive/plex.jcconnell.com-0001/privkey1.pem

/etc/letsencrypt/live/proxmox.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 Oct 24 16:28 README
lrwxrwxrwx 1 root root  45 Oct 24 16:28 cert.pem -> ../../archive/proxmox.jcconnell.com/cert1.pem
lrwxrwxrwx 1 root root  46 Oct 24 16:28 chain.pem -> ../../archive/proxmox.jcconnell.com/chain1.pem
lrwxrwxrwx 1 root root  50 Oct 24 16:28 fullchain.pem -> ../../archive/proxmox.jcconnell.com/fullchain1.pem
lrwxrwxrwx 1 root root  48 Oct 24 16:28 privkey.pem -> ../../archive/proxmox.jcconnell.com/privkey1.pem

/etc/letsencrypt/live/unifi.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:37 README
lrwxrwxrwx 1 root root  43 Sep 18 00:00 cert.pem -> ../../archive/unifi.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  44 Sep 18 00:00 chain.pem -> ../../archive/unifi.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  48 Sep 18 00:00 fullchain.pem -> ../../archive/unifi.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  46 Sep 18 00:00 privkey.pem -> ../../archive/unifi.jcconnell.com/privkey3.pem

/etc/letsencrypt/live/zoneminder.jcconnell.com:
total 7
-rw-r--r-- 1 root root 543 May 14 17:38 README
lrwxrwxrwx 1 root root  48 Sep 18 00:00 cert.pem -> ../../archive/zoneminder.jcconnell.com/cert3.pem
lrwxrwxrwx 1 root root  49 Sep 18 00:00 chain.pem -> ../../archive/zoneminder.jcconnell.com/chain3.pem
lrwxrwxrwx 1 root root  53 Sep 18 00:00 fullchain.pem -> ../../archive/zoneminder.jcconnell.com/fullchain3.pem
lrwxrwxrwx 1 root root  51 Sep 18 00:00 privkey.pem -> ../../archive/zoneminder.jcconnell.com/privkey3.pem

schoen · October 24, 2017, 11:57pm

Thanks! Could you also paste the contents of /etc/letsencrypt/renewal/couchpotato.jcconnell.com.conf and /etc/letsencrypt/renewal/plex.jcconnell.com.conf?

jcconnell · October 24, 2017, 11:59pm

Thank you!!! I really appreciate your time.

cat /etc/letsencrypt/renewal/couchpotato.jcconnell.com.conf
# renew_before_expiry = 30 days
version = 0.12.0
archive_dir = /etc/letsencrypt/archive/couchpotato.jcconnell.com
cert = /etc/letsencrypt/live/couchpotato.jcconnell.com/cert.pem
privkey = /etc/letsencrypt/live/couchpotato.jcconnell.com/privkey.pem
chain = /etc/letsencrypt/live/couchpotato.jcconnell.com/chain.pem
fullchain = /etc/letsencrypt/live/couchpotato.jcconnell.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = a946a2b3f6d26f9291781bdfc6ab0181
webroot_path = /var/www/ssl-proof/couchpotato,
[[webroot_map]]
couchpotato.jcconnell.com = /var/www/ssl-proof/couchpotato

cat /etc/letsencrypt/renewal/plex.jcconnell.com.conf
# renew_before_expiry = 30 days
version = 0.17.0
archive_dir = /etc/letsencrypt/archive/plex.jcconnell.com
cert = /etc/letsencrypt/live/plex.jcconnell.com/cert.pem
privkey = /etc/letsencrypt/live/plex.jcconnell.com/privkey.pem
chain = /etc/letsencrypt/live/plex.jcconnell.com/chain.pem
fullchain = /etc/letsencrypt/live/plex.jcconnell.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = a946a2b3f6d26f9291781bdfc6ab0181
[[webroot_map]]
plex.jcconnell.com = /var/www/ssl-proof/plex

schoen · October 25, 2017, 12:08am

OK, one other thing: which version of those certificates is your web server configuration currently pointed at?

jcconnell · October 25, 2017, 12:13am

Here are some snippets from the Nginx config. I wasn’t sure what you meant by what version so I’m hoping this helps.

plex.conf

root /var/www/plex-certbot-webroot;
....
#Use letsencrypt.org to get a free and trusted ssl certificate
ssl_certificate /etc/letsencrypt/live/plex.jcconnell.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/plex.jcconnell.com/privkey.pem;

...

location /.well-known {
	root /var/www/ssl-proof/plex/;
}

couchpotato.conf

root /var/www/couchpotato-certbot-webroot;

# The public and private parts of the certificate are linked here
ssl_certificate /etc/letsencrypt/live/couchpotato.jcconnell.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/couchpotato.jcconnell.com/privkey.pem;

location /.well-known {
    root /var/www/ssl-proof/couchpotato/;
}

schoen · October 25, 2017, 6:39pm

Hi @jcconnell,

It seems to me that @sahsanu helped someone in a similar situation in this thread:

Can you understand the effects of these commands and how they would apply to your situation? If so, you could try this approach to change the destination of the symlinks.

If you don’t understand what this is doing, I can try to offer more specific advice.

@sahsanu’s advice at the beginning to make a backup is also very appropriate.

jcconnell · October 25, 2017, 9:33pm

Thank you for that link, I followed the directions for both domains after creating a backup. It seems both domains are still rate limited so it might be a few days before I know it’s it’s successful.

schoen · October 25, 2017, 11:58pm

Great!

certbot certificates might give a partial indication of whether the cleanup worked (just looking at your local filesystem).

jcconnell · October 26, 2017, 12:02am

Here’s what I’m seeing as the result of that command now. My mistake, those two lines are not new.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/plex.jcconnell.com/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/couchpotato.jcconnell.com/cert.pem is unknown

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: proxmox.jcconnell.com
    Domains: proxmox.jcconnell.com
    Expiry Date: 2018-01-22 19:28:09+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/proxmox.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/proxmox.jcconnell.com/privkey.pem
  Certificate Name: plex.jcconnell.com
    Domains: plex.jcconnell.com
    Expiry Date: 2017-08-12 20:45:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/plex.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/plex.jcconnell.com/privkey.pem
  Certificate Name: cloud.jcconnell.com
    Domains: cloud.jcconnell.com
    Expiry Date: 2018-01-23 03:31:09+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/cloud.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.jcconnell.com/privkey.pem
  Certificate Name: guacamole.jcconnell.com
    Domains: guacamole.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/guacamole.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/guacamole.jcconnell.com/privkey.pem
  Certificate Name: hass.jcconnell.com
    Domains: hass.jcconnell.com
    Expiry Date: 2018-01-12 15:38:12+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/hass.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hass.jcconnell.com/privkey.pem
  Certificate Name: zoneminder.jcconnell.com
    Domains: zoneminder.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/zoneminder.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/zoneminder.jcconnell.com/privkey.pem
  Certificate Name: guacamole.mobileeyecare.com
    Domains: guacamole.mobileeyecare.com
    Expiry Date: 2018-01-12 15:38:17+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/guacamole.mobileeyecare.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/guacamole.mobileeyecare.com/privkey.pem
  Certificate Name: owncloud.jcconnell.com
    Domains: owncloud.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/owncloud.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/owncloud.jcconnell.com/privkey.pem
  Certificate Name: couchpotato.jcconnell.com
    Domains: couchpotato.jcconnell.com
    Expiry Date: 2017-08-12 20:37:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/couchpotato.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/couchpotato.jcconnell.com/privkey.pem
  Certificate Name: gitlab.jcconnell.com
    Domains: gitlab.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/gitlab.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gitlab.jcconnell.com/privkey.pem
  Certificate Name: unifi.jcconnell.com
    Domains: unifi.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/unifi.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/unifi.jcconnell.com/privkey.pem
-------------------------------------------------------------------------------

schoen · October 26, 2017, 12:14am

That doesn’t definitively show that everything is fixed, but it’s encouraging!

jcconnell · October 26, 2017, 12:18am

I ran the original and the new one in a diff tool and nothing immediately stood out to me. I’m trying to better understand everything here. Could you tell me what you see that makes you optimistic?

schoen · October 26, 2017, 12:40am

First, there are no lineages mentioned with -0001 names (so everything has been consolidated in the right direction), and second, it can still parse all of the PEM files, which means that the links in live point to files that actually exist.

jcconnell · October 26, 2017, 12:54am

Thanks again! I’ll keep an eye on the certificates and follow-up here in a week or so. I believe this coming Saturday, 10/28 is when a new Plex certificate may be issued.

jcconnell · November 6, 2017, 3:41pm

Just wanted to follow up here to let everyone know that it’s working again. Thank you all for your help!

system · December 6, 2017, 3:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.