[Solved] Renewal is rate limited, but certificate expired in August

jcconnell · October 25, 2017, 12:13am

Here are some snippets from the Nginx config. I wasn’t sure what you meant by what version so I’m hoping this helps.

plex.conf

root /var/www/plex-certbot-webroot;
....
#Use letsencrypt.org to get a free and trusted ssl certificate
ssl_certificate /etc/letsencrypt/live/plex.jcconnell.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/plex.jcconnell.com/privkey.pem;

...

location /.well-known {
	root /var/www/ssl-proof/plex/;
}

couchpotato.conf

root /var/www/couchpotato-certbot-webroot;

# The public and private parts of the certificate are linked here
ssl_certificate /etc/letsencrypt/live/couchpotato.jcconnell.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/couchpotato.jcconnell.com/privkey.pem;

location /.well-known {
    root /var/www/ssl-proof/couchpotato/;
}

schoen · October 25, 2017, 6:39pm

Hi @jcconnell,

It seems to me that @sahsanu helped someone in a similar situation in this thread:

Can you understand the effects of these commands and how they would apply to your situation? If so, you could try this approach to change the destination of the symlinks.

If you don’t understand what this is doing, I can try to offer more specific advice.

@sahsanu’s advice at the beginning to make a backup is also very appropriate.

jcconnell · October 25, 2017, 9:33pm

Thank you for that link, I followed the directions for both domains after creating a backup. It seems both domains are still rate limited so it might be a few days before I know it’s it’s successful.

schoen · October 25, 2017, 11:58pm

Great!

certbot certificates might give a partial indication of whether the cleanup worked (just looking at your local filesystem).

jcconnell · October 26, 2017, 12:02am

Here’s what I’m seeing as the result of that command now. My mistake, those two lines are not new.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/plex.jcconnell.com/cert.pem is unknown
Revocation status for /etc/letsencrypt/live/couchpotato.jcconnell.com/cert.pem is unknown

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: proxmox.jcconnell.com
    Domains: proxmox.jcconnell.com
    Expiry Date: 2018-01-22 19:28:09+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/proxmox.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/proxmox.jcconnell.com/privkey.pem
  Certificate Name: plex.jcconnell.com
    Domains: plex.jcconnell.com
    Expiry Date: 2017-08-12 20:45:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/plex.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/plex.jcconnell.com/privkey.pem
  Certificate Name: cloud.jcconnell.com
    Domains: cloud.jcconnell.com
    Expiry Date: 2018-01-23 03:31:09+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/cloud.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.jcconnell.com/privkey.pem
  Certificate Name: guacamole.jcconnell.com
    Domains: guacamole.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/guacamole.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/guacamole.jcconnell.com/privkey.pem
  Certificate Name: hass.jcconnell.com
    Domains: hass.jcconnell.com
    Expiry Date: 2018-01-12 15:38:12+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/hass.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hass.jcconnell.com/privkey.pem
  Certificate Name: zoneminder.jcconnell.com
    Domains: zoneminder.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/zoneminder.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/zoneminder.jcconnell.com/privkey.pem
  Certificate Name: guacamole.mobileeyecare.com
    Domains: guacamole.mobileeyecare.com
    Expiry Date: 2018-01-12 15:38:17+00:00 (VALID: 78 days)
    Certificate Path: /etc/letsencrypt/live/guacamole.mobileeyecare.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/guacamole.mobileeyecare.com/privkey.pem
  Certificate Name: owncloud.jcconnell.com
    Domains: owncloud.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/owncloud.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/owncloud.jcconnell.com/privkey.pem
  Certificate Name: couchpotato.jcconnell.com
    Domains: couchpotato.jcconnell.com
    Expiry Date: 2017-08-12 20:37:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/couchpotato.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/couchpotato.jcconnell.com/privkey.pem
  Certificate Name: gitlab.jcconnell.com
    Domains: gitlab.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/gitlab.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gitlab.jcconnell.com/privkey.pem
  Certificate Name: unifi.jcconnell.com
    Domains: unifi.jcconnell.com
    Expiry Date: 2017-12-17 03:01:00+00:00 (VALID: 52 days)
    Certificate Path: /etc/letsencrypt/live/unifi.jcconnell.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/unifi.jcconnell.com/privkey.pem
-------------------------------------------------------------------------------

schoen · October 26, 2017, 12:14am

That doesn’t definitively show that everything is fixed, but it’s encouraging!

jcconnell · October 26, 2017, 12:18am

I ran the original and the new one in a diff tool and nothing immediately stood out to me. I’m trying to better understand everything here. Could you tell me what you see that makes you optimistic?

schoen · October 26, 2017, 12:40am

First, there are no lineages mentioned with -0001 names (so everything has been consolidated in the right direction), and second, it can still parse all of the PEM files, which means that the links in live point to files that actually exist.

jcconnell · October 26, 2017, 12:54am

Thanks again! I’ll keep an eye on the certificates and follow-up here in a week or so. I believe this coming Saturday, 10/28 is when a new Plex certificate may be issued.

jcconnell · November 6, 2017, 3:41pm

Just wanted to follow up here to let everyone know that it’s working again. Thank you all for your help!

system · December 6, 2017, 3:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.