Tried to renew - now too many certificates error


#1

hi,
I use a bitnami moodle stack with centOS apache, using lego for handling the certificates
when I installed the certificate it worked, now 3 months later it ran out and I tried to renew it,
I had to run lego a couple times because of misspelled parameters.

now the certificate is still not renewed and I get these error messages:

[root@localhost ~]# sudo /opt/bitnami/ctlscript.sh stop
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
[root@localhost ~]# lego --email=bert.feustel@me.com --domains=online-akademie.mind-systems.eu --domains=www.online-akademie.mind-systems.eu --path=/etc/lego renew
2018/12/13 20:10:35 [INFO] [online-akademie.mind-systems.eu] acme: Trying renewal with 2132 hours remaining
2018/12/13 20:10:35 [INFO] [online-akademie.mind-systems.eu, www.online-akademie.mind-systems.eu] acme: Obtaining bundled SAN certificate
2018/12/13 20:10:36 [INFO] [online-akademie.mind-systems.eu] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/50Aq9-FjD4v8LJG4dMHy3d-QVlTA4VGVVc3RMzGlpK4
2018/12/13 20:10:36 [INFO] [www.online-akademie.mind-systems.eu] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/qg3JBSTOS0QTOKlGV_tzqFD3rj6Y_Ze8iNDR-iIja8U
2018/12/13 20:10:36 [INFO] [online-akademie.mind-systems.eu] acme: Authorization already valid; skipping challenge
2018/12/13 20:10:36 [INFO] [www.online-akademie.mind-systems.eu] acme: Authorization already valid; skipping challenge
2018/12/13 20:10:36 [INFO] [online-akademie.mind-systems.eu, www.online-akademie.mind-systems.eu] acme: Validations succeeded; requesting certificates
2018/12/13 20:10:36 acme: Error -> One or more domains had a problem:
[www.online-akademie.mind-systems.eu] acme: Error 429 - urn:ietf:params:acme:error:rateLimited - Error finalizing order :: too many certificates already issued for exact set of domains: online-akademie.mind-systems.eu,www.online-akademie.mind-systems.eu: see https://letsencrypt.org/docs/rate-limits/
[online-akademie.mind-systems.eu] acme: Error 429 - urn:ietf:params:acme:error:rateLimited - Error finalizing order :: too many certificates already issued for exact set of domains: online-akademie.mind-systems.eu,www.online-akademie.mind-systems.eu: see https://letsencrypt.org/docs/rate-limits/

when I check my domain with chrome: online-akademie.mind-systems.eu
I still get the message : not secure - Expired: Sunday, 9. December 2018 .
please help - I don't know what to do .
thanks


#2

It is renewed, but you haven’t configured Apache to use the renewed certificate.

lego list

grep -Ri SSLCertificateFile /opt/bitnami/apache2

openssl x509 -in <path to certificate file> -noout -dates

#3

ok - I thought it would do it by itself after the renew.
ok here is what I did and what happened when I used those

[root@localhost ~]# grep -Ri SSLCertificateFile /opt/bitnami/apache2
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf: SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# the referenced file can be the same as SSLCertificateFile
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf: SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# the referenced file can be the same as SSLCertificateFile
/opt/bitnami/apache2/conf/bitnami/bitnami.conf: SSLCertificateFile /etc/letsencrypt/live/online-akademie.mind-systems.eu/fullchain.pem
Binary file /opt/bitnami/apache2/modules/mod_ssl.so matches
[root@localhost ~]# openssl x509 -in /opt/bitnami/apache2/conf -noout -dates
unable to load certificate
140588595840688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: TRUSTED CERTIFICATE
[root@localhost ~]#

from the bitnami tutorial on how to renew it just had these 3 commands:

renew lets encrypt cert:

sudo /opt/bitnami/ctlscript.sh stop
lego --email=bert.feustel@me.com --domains=online-akademie.mind-systems.eu --domains=www.online-akademie.mind-systems.eu --path=/etc/lego renew
sudo /opt/bitnami/ctlscript.sh start


#4

This command needs to run differently

openssl x509 -in /opt/bitnami/apache2/conf/server.crt -noout -dates -issuer

also, you seem to be using the certificate from Certbot rather than from Lego … which would probably explain your expiry problem:

openssl x509 -in /etc/letsencrypt/live/online-akademie.mind-systems.eu/fullchain.pem -noout -dates -issuer

and please include the output for:

lego list

#5

thanks for your patience,
this is what I got

[root@localhost ~]#
[root@localhost ~]# openssl x509 -in /opt/bitnami/apache2/conf/server.crt -noout -dates -issuer
notBefore=Dec 12 16:43:23 2018 GMT
notAfter=Mar 12 16:43:23 2019 GMT
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[root@localhost ~]# openssl x509 -in /etc/letsencrypt/live/online-akademie.mind-systems.eu/fullchain.pem -noout -dates -issuer
notBefore=Sep 10 20:21:00 2018 GMT
notAfter=Dec 9 20:21:00 2018 GMT
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[root@localhost ~]# lego list
No help topic for 'list'
[root@localhost ~]#

I tried to install and use certbot - but it seems to not work.


#6

Just change this file (/opt/bitnami/apache2/conf/bitnami/bitnami.conf) to say

SSLCertificateFile /opt/bitnami/apache2/conf/server.crt
SSLCertificateKeyFile /opt/bitnami/apache2/conf/server.key

You’re currently using your old Certbot certificate which is now expired, and it’s overriding your valid one.
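
Added example, not part of the reply above and not taken from any poster's system: a script that lists every uncommented SSLCertificateFile directive under an Apache config directory and classifies the file each one points to, which is the check that separates "renewal failed" from "Apache is serving a different file". The function names, the `*.conf` filter and the sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: list the certificate files Apache is actually configured to
# serve and report each one's state. Assumes absolute paths without spaces.
TAB=$(printf '\t')

# Emit "conf_file<TAB>cert_path" for every uncommented SSLCertificateFile
# directive in *.conf files under directory $1 (Apache directive names are
# case-insensitive, hence -i). SSLCertificateKeyFile lines do not match.
active_cert_paths() {
  find "$1" -type f -name '*.conf' -exec \
    grep -HiE '^[[:space:]]*SSLCertificateFile[[:space:]]' {} + |
  while IFS=: read -r conf directive; do
    path=$(printf '%s\n' "$directive" | awk '{print $2}' | tr -d '"')
    printf '%s\t%s\n' "$conf" "$path"
  done
}

# Classify one certificate file: MISSING, UNREADABLE, EXPIRED or OK.
cert_status() {
  [ -f "$1" ] || { echo MISSING; return 0; }
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo UNREADABLE; return 0; }
  if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
    echo OK
  else
    echo EXPIRED
  fi
}

# One line per active directive: status, certificate path, config file.
audit_apache_certs() {
  active_cert_paths "$1" | while IFS="$TAB" read -r conf path; do
    printf '%s\t%s\t%s\n' "$(cert_status "$path")" "$path" "$conf"
  done
}

# Constructed sample tree (not the poster's files) mirroring the thread's
# layout: one quoted path, one commented-out line, one override file.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/extra" "$d/bitnami"
  printf '%s\n' "SSLCertificateFile \"$d/server.crt\"" \
    "#SSLCertificateFile \"$d/server-dsa.crt\"" > "$d/extra/httpd-ssl.conf"
  printf '  SSLCertificateFile %s\n' "$d/live/fullchain.pem" > "$d/bitnami/bitnami.conf"
  echo 'not a certificate' > "$d/server.crt"
  audit_apache_certs "$d"
  rm -rf "$d"
}
demo
```

More than one line in the output means more than one active directive, so the status of the file Apache really loads has to be read per config file, as happened here with bitnami.conf and httpd-ssl.conf.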


#7

great !!

I did it - then I stopped and restarted the services - now the certificate is updated and valid.

so to renew it in march I run this :

sudo /opt/bitnami/ctlscript.sh stop
lego --email=bert.feustel@me.com --domains=online-akademie.mind-systems.eu --domains=www.online-akademie.mind-systems.eu --path=/etc/lego renew
sudo /opt/bitnami/ctlscript.sh start

also : chrome still says not secure - why is that ?


#8

Do you mean this?

That’s not a problem with the certificate, it just means you’re accessing the page over an insecure connection.

If you add an https:// to the front of the address, it should disappear.

You can add an HTTP-to-HTTPS redirect to always use HTTPS, but you’ll need to search how to do that in Bitnami yourself.


#9

on chrome : I have a red crossed out https:// in front of the url


#10

Have you tried closing and opening Chrome again? If you already had that tab open before you fixed the problem, it might not update. I can’t see a reason why it’d do that.


#11

:smiley:

yes - of course

funny - close and open again.

whenever I give others tech support on issues I am knowledgeable (unfortunately not linux servers , yet) -
that's what I say first :slight_smile:

thanks again .

last question - was it correct to use the 3 commands from the last post to renew next time ?


#12

Yes, I think so. The problem that was stopping you only needed to be fixed one time.

