Thought I renewed correctly through dns. Still shows as expired

domain : www.tipvote.com
Behind a DO load balancer, so attempted through DNS

Command I ran: sudo certbot -d tipvote.com -d www.tipvote.com --nginx --preferred-challenges dns certonly
Response

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/tipvote.com-0002/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/tipvote.com-0002/privkey.pem
    Your cert will expire on 2021-01-05. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"
  • If you like Certbot, please consider supporting our work by:

Errors

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/tipvote.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/tipvote.com-0001/privkey.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/tipvote.com.conf produced an unexpected error: expected /etc/letsencrypt/live/tipvote.com/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/www.tipvote.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/www.tipvote.com-0001/chain.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/www.tipvote.com.conf produced an unexpected error: expected /etc/letsencrypt/live/www.tipvote.com/cert.pem to be a symlink. Skipping.

I tried ...

I deleted the live files and tried recreating a symlink with
root@ubuntu-:/etc/letsencrypt/live/www.tipvote.com-0001# ln -s /etc/letsencrypt/archive/tipvote.com/cert1.pem /etc/letsencrypt/live/tipvote.com-0001/cert.pem
root@ubuntu-s-1:/etc/letsencrypt/live/www.tipvote.com-0001# ln -s /etc/letsencrypt/archive/www.tipvote.com/cert1.pem /etc/letsencrypt/live/www.tipvote.com-0001/cert.pem

Now getting an invalid certificate upon going to the site. Please help!

I noticed I got: /etc/letsencrypt/live# ls
README tipvote.com-0001 tipvote.com-0002 www.tipvote.com-0001

Files now

That shouldn't be possible. The nginx authenticator plugin doesn't support the dns-01 challenge. When I run that exact same command, my output is:

server ~ # certbot -d tipvote.com -d www.tipvote.com --nginx --preferred-challenges dns certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx (1.8.0.dev0), Installer nginx (1.8.0.dev0)
Obtaining a new certificate
Generating 2048 bits RSA key
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin
server ~ # 

Something is terribly wrong with your /etc/letsencrypt directory. This only happens if the directory is manually tampered with.

Here you're mixing up two different so-called 'lineages' or 'certificate names': the directory tipvote.com is a different certificate with different configuration files than the tipvote.com-0001 certificate! Also, you seem to have a tipvote.com-0002 certificate, looking at the first certbot output.

You should fix the symbolic links again but now pointing to the correct certificates. Also, you probably want to use the tipvote.com-0002 certificate in your webserver configuration.

Seems to be working for me by the way. Certificate installed is valid until Jan 5 next year.
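An added example, not code from the thread: a small POSIX sh audit that applies the rule the reply describes (every live/<lineage>/*.pem must be a symlink into archive/<same lineage>/) to a constructed throw-away directory reproducing both mistakes seen in the question, a plain file in place of privkey.pem and a cert.pem hand-linked across lineages. The function, the temporary layout and the placeholder PEM contents are all assumptions for demonstration.

```shell
# Constructed audit script (added here, not from the thread): for each lineage,
# every live/<name>/{cert,chain,fullchain,privkey}.pem must be a symlink that
# resolves to an existing file inside archive/<name>/, which is what
# "certbot certificates" checks before it skips a lineage.
check_lineage() {  # check_lineage <config-dir> <lineage-name>; exit status 0 = consistent
  cfg=$1; name=$2; rc=0
  for f in cert chain fullchain privkey; do
    link="$cfg/live/$name/$f.pem"
    if [ ! -L "$link" ]; then
      echo "$name: $f.pem is not a symlink (certbot would skip this lineage)"; rc=1; continue
    fi
    target=$(readlink "$link")
    case "$target" in
      /*) abs=$target ;;                       # absolute link (hand-made, like in the post)
      *)  abs="$cfg/live/$name/$target" ;;     # certbot writes ../../archive/<name>/cert1.pem
    esac
    case "$abs" in
      */archive/"$name"/*) ;;
      *) echo "$name: $f.pem points into another lineage: $target"; rc=1 ;;
    esac
    [ -f "$abs" ] || { echo "$name: $f.pem target does not exist: $abs"; rc=1; }
  done
  return $rc
}

# Build a throw-away config dir that mimics certbot's layout (constructed sample).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
mk_lineage() {
  mkdir -p "$TMP/archive/$1" "$TMP/live/$1"
  for f in cert chain fullchain privkey; do
    echo "placeholder $f for $1" > "$TMP/archive/$1/${f}1.pem"
    ln -s "../../archive/$1/${f}1.pem" "$TMP/live/$1/$f.pem"
  done
}
mk_lineage tipvote.com-0002                                # healthy lineage
mk_lineage tipvote.com-0001                                # privkey replaced by a plain file
rm "$TMP/live/tipvote.com-0001/privkey.pem"
cp "$TMP/archive/tipvote.com-0001/privkey1.pem" "$TMP/live/tipvote.com-0001/privkey.pem"
mk_lineage www.tipvote.com-0001                            # cert.pem re-linked across lineages
mkdir -p "$TMP/archive/www.tipvote.com"
echo "placeholder cert for www.tipvote.com" > "$TMP/archive/www.tipvote.com/cert1.pem"
rm "$TMP/live/www.tipvote.com-0001/cert.pem"
ln -s "$TMP/archive/www.tipvote.com/cert1.pem" "$TMP/live/www.tipvote.com-0001/cert.pem"

for l in tipvote.com-0001 www.tipvote.com-0001 tipvote.com-0002; do
  check_lineage "$TMP" "$l" && echo "$l: OK"
done
```

Point it at a real config directory with `check_lineage /etc/letsencrypt <name>` for each name under live/; any lineage it flags is one that `certbot certificates` and `certbot renew` will skip.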

I am not sure if it's working or not. I have 3 VMs behind a load balancer. One seems to be off, as I get the error every few times I check.

Almost debating deleting it all and starting again. The only time I messed with the directory was to remove symlinks today.

Cached authorization? Judging by the lack of a trail of challenge history that's my guess. No idea how it happened before though.

1 Like

Welcome to the Let's Encrypt Community, Edwin :slightly_smiling_face:

Let's see if we can get your certs cleaned up a bit.

Firstly, can you please run:
sudo certbot certificates

1 Like
root@ubuntu-s-1vcpu-1gb-nyc3-02:/etc/letsencrypt/archive# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/tipvote.com.conf produced an unexpected error: expected /etc/letsencrypt/live/tipvote.com/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
      Certificate Name: tipvote.com-0001
        Domains: tipvote.com www.tipvote.com
        Expiry Date: 2021-01-03 15:37:04+00:00 (VALID: 87 days)
        Certificate Path: /etc/letsencrypt/live/tipvote.com-0001/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/tipvote.com-0001/privkey.pem
      Certificate Name: tipvote.com-0002
        Domains: tipvote.com
        Expiry Date: 2021-01-05 15:37:10+00:00 (VALID: 89 days)
        Certificate Path: /etc/letsencrypt/live/tipvote.com-0002/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/tipvote.com-0002/privkey.pem
      Certificate Name: www.tipvote.com
        Domains: www.tipvote.com
        Expiry Date: 2021-01-05 15:06:08+00:00 (VALID: 89 days)
        Certificate Path: /etc/letsencrypt/live/www.tipvote.com/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/www.tipvote.com/privkey.pem

    The following renewal configurations were invalid:
      /etc/letsencrypt/renewal/tipvote.com.conf
 sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/tipvote.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/tipvote.com-0001/privkey.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/tipvote.com.conf produced an unexpected error: expected /etc/letsencrypt/live/tipvote.com/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/www.tipvote.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/www.tipvote.com-0001/chain.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/www.tipvote.com.conf produced an unexpected error: expected /etc/letsencrypt/live/www.tipvote.com/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: tipvote.com-0002
    Domains: tipvote.com www.tipvote.com
    Expiry Date: 2021-01-05 15:22:17+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/tipvote.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tipvote.com-0002/privkey.pem
  Certificate Name: tipvote.com-0003
    Domains: tipvote.com
    Expiry Date: 2021-01-05 15:51:07+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/tipvote.com-0003/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tipvote.com-0003/privkey.pem
  Certificate Name: www.tipvote.com-0002
    Domains: www.tipvote.com
    Expiry Date: 2021-01-05 15:44:25+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.tipvote.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.tipvote.com-0002/privkey.pem
My other VM
The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/tipvote.com-0001.conf
  /etc/letsencrypt/renewal/tipvote.com.conf
  /etc/letsencrypt/renewal/www.tipvote.com-0001.conf
  /etc/letsencrypt/renewal/www.tipvote.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 Like

Those are my 2 troubled VMs. I believe I did fix it and the symlinks don't matter? Also thank you guys for the moral support. Invalid certificates are a scary thing!

1 Like

Thanks for that. :slightly_smiling_face:

To start, your complete certificate history can always be found here:

You've been busy... :hushed:

1 Like

I am a bit new to SSL certs. I am embarrassed and humbled lol

1 Like

No worries my friend. Not too long ago I was new too. We all are at some point. :blush: We'll get you straightened out.

It looks like you may have changed which certificate you are utilizing since Osiris's last comment.

03:32:60:66:79:77:e3:d6:af:c0:c7:a4:d0:52:19:17:8e:f6

1 Like

When I switched the tag from --manual to --nginx it seemed to work easily with my nginx config. I did one last update 10 mins ago as I wasn't sure it was right.

That makes sense. I'm not seeing the new certificate being served. Let me reset my cache. Back in a second.

1 Like

Please keep in mind I have 3 VMs on a load balancer.

1 Like

Are you certifying from the VMs or the load balancer?

1 Like

From the individual VM through DNS

You're using http-01 validation if you're using --nginx. :wink:

Try this for me if you would:

sudo certbot run --cert-name tipvote --nginx -d "tipvote.com,www.tipvote.com" --dry-run

1 Like

sudo certbot run --cert-name tipvote --nginx -d "tipvote.com,www.tipvote.com" --dry-run
[sudo] password for :
--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')