Tried to renew - now too many certificates error

hi,
I use a bitnami moodle stack with centOS apache, using lego for handling the certificates
when I installed the certificate it worked, now 3 months later it ran out and I tried to renew it,
I had to run lego a couple times because of misspelled parameters.

now the certificate is still not renewed and I get these error messages:

[root@localhost ~]# sudo /opt/bitnami/ctlscript.sh stop
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
[root@localhost ~]# lego --email=bert.feustel@me.com --domains=online-akademie.mind-systems.eu --domains=www.online-akademie.mind-systems.eu --path=/etc/lego renew
2018/12/13 20:10:35 [INFO] [online-akademie.mind-systems.eu] acme: Trying renewal with 2132 hours remaining
2018/12/13 20:10:35 [INFO] [online-akademie.mind-systems.eu, www.online-akademie.mind-systems.eu] acme: Obtaining bundled SAN certificate
2018/12/13 20:10:36 [INFO] [online-akademie.mind-systems.eu] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/50Aq9-FjD4v8LJG4dMHy3d-QVlTA4VGVVc3RMzGlpK4
2018/12/13 20:10:36 [INFO] [www.online-akademie.mind-systems.eu] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/qg3JBSTOS0QTOKlGV_tzqFD3rj6Y_Ze8iNDR-iIja8U
2018/12/13 20:10:36 [INFO] [online-akademie.mind-systems.eu] acme: Authorization already valid; skipping challenge
2018/12/13 20:10:36 [INFO] [www.online-akademie.mind-systems.eu] acme: Authorization already valid; skipping challenge
2018/12/13 20:10:36 [INFO] [online-akademie.mind-systems.eu, www.online-akademie.mind-systems.eu] acme: Validations succeeded; requesting certificates
2018/12/13 20:10:36 acme: Error -> One or more domains had a problem:
[www.online-akademie.mind-systems.eu] acme: Error 429 - urn:ietf:params:acme:error:rateLimited - Error finalizing order :: too many certificates already issued for exact set of domains: online-akademie.mind-systems.eu,www.online-akademie.mind-systems.eu: see https://letsencrypt.org/docs/rate-limits/
[online-akademie.mind-systems.eu] acme: Error 429 - urn:ietf:params:acme:error:rateLimited - Error finalizing order :: too many certificates already issued for exact set of domains: online-akademie.mind-systems.eu,www.online-akademie.mind-systems.eu: see https://letsencrypt.org/docs/rate-limits/

when I check my domain with chrome: online-akademie.mind-systems.eu
I still get the message : not secure - Expired: Sunday, 9. December 2018 .
please help - I don't know what to do .
thanks

It is renewed, but you haven't configured Apache to use the renewed certificate.

lego list

grep -Ri SSLCertificateFile /opt/bitnami/apache2

openssl x509 -in <path to certificate file> -noout -dates

ok - I thought it would do it by itself after the renew.
ok here is what I did and what happened when I used those

[root@localhost ~]# grep -Ri SSLCertificateFile /opt/bitnami/apache2
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf: SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/extra/httpd-ssl.conf:# the referenced file can be the same as SSLCertificateFile
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf: SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# SSLCertificateFile "/opt/bitnami/apache2/conf/server-dsa.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# SSLCertificateFile "/opt/bitnami/apache2/conf/server-ecc.crt"
/opt/bitnami/apache2/conf/original/extra/httpd-ssl.conf:# the referenced file can be the same as SSLCertificateFile
/opt/bitnami/apache2/conf/bitnami/bitnami.conf: SSLCertificateFile /etc/letsencrypt/live/online-akademie.mind-systems.eu/fullchain.pem
Binary file /opt/bitnami/apache2/modules/mod_ssl.so matches
[root@localhost ~]# openssl x509 -in /opt/bitnami/apache2/conf -noout -dates
unable to load certificate
140588595840688:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:708:Expecting: TRUSTED CERTIFICATE
[root@localhost ~]#

from the bitnami tutorial on how to renew it just had these 3 commands:

renew lets encrypt cert:

sudo /opt/bitnami/ctlscript.sh stop
lego --email=bert.feustel@me.com --domains=online-akademie.mind-systems.eu --domains=www.online-akademie.mind-systems.eu --path=/etc/lego renew
sudo /opt/bitnami/ctlscript.sh start

This command needs to run differently

openssl x509 -in /opt/bitnami/apache2/conf/server.crt -noout -dates -issuer

also, you seem to be using the certificate from Certbot rather than from Lego … which would probably explain your expiry problem:

openssl x509 -in /etc/letsencrypt/live/online-akademie.mind-systems.eu/fullchain.pem -noout -dates -issuer

and please include the output for:

lego list

thanks for your patience,
this is what I got

[root@localhost ~]#
[root@localhost ~]# openssl x509 -in /opt/bitnami/apache2/conf/server.crt -noout -dates -issuer
notBefore=Dec 12 16:43:23 2018 GMT
notAfter=Mar 12 16:43:23 2019 GMT
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[root@localhost ~]# openssl x509 -in /etc/letsencrypt/live/online-akademie.mind-systems.eu/fullchain.pem -noout -dates -issuer
notBefore=Sep 10 20:21:00 2018 GMT
notAfter=Dec 9 20:21:00 2018 GMT
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[root@localhost ~]# lego list
No help topic for 'list'
[root@localhost ~]#

I tried to install and use certbot - but it seems to not work.

Just change this file (/opt/bitnami/apache2/conf/bitnami/bitnami.conf) to say

SSLCertificateFile /opt/bitnami/apache2/conf/server.crt
SSLCertificateKeyFile /opt/bitnami/apache2/conf/server.key

You're currently using your old Certbot certificate which is now expired, and it's overriding your valid one.

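The mismatch diagnosed in the reply above (Apache still pointing at an expired file while the renewed certificate sits elsewhere) can be checked in one pass over the configuration. This is an added example, not part of the original thread; the function names and the script name are made up for illustration, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): show which certificate files Apache is
# configured to serve and whether each one is still within its validity period.

# Print "conf-file:cert-path" for every active (uncommented) SSLCertificateFile
# directive in *.conf files below directory $1. Directive names are
# case-insensitive in Apache, and the path may or may not be quoted.
active_cert_files() {
    find "$1" -type f -name '*.conf' -exec awk '
        tolower($1) == "sslcertificatefile" {
            path = $2
            gsub(/"/, "", path)
            print FILENAME ":" path
        }' {} + | sort
}

# Classify one certificate file. "-checkend 0" exits non-zero when the
# certificate has already expired, and also when the file is not a certificate.
cert_status() {
    if [ ! -r "$1" ]; then
        echo "unreadable"
    elif openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo "valid"
    else
        echo "expired-or-invalid"
    fi
}

# Report every configured certificate with its status and notAfter date.
audit_apache_certs() {
    active_cert_files "$1" | while IFS=: read -r conf cert; do
        printf '%s\n    %s [%s] %s\n' "$conf" "$cert" "$(cert_status "$cert")" \
            "$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null)"
    done
}

# Usage: sh audit-certs.sh /opt/bitnami/apache2/conf
if [ "$#" -gt 0 ]; then
    audit_apache_certs "$1"
fi
```

Every `*.conf` file under the directory is listed, including ones the running server never includes, so read the output against the files Apache actually loads.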

great !!

I did it - then I stopped and restarted the services - now the certificate is updated and valid.

so to renew it in march I run this :

sudo /opt/bitnami/ctlscript.sh stop
lego --email=bert.feustel@me.com --domains=online-akademie.mind-systems.eu --domains=www.online-akademie.mind-systems.eu --path=/etc/lego renew
sudo /opt/bitnami/ctlscript.sh start

also : chrome still says not secure - why is that ?

Do you mean this?

That's not a problem with the certificate, it just means you're accessing the page over an insecure connection.

If you add an https:// to the front of the address, it should disappear.

You can add an HTTP-to-HTTPS redirect to always use HTTPS, but you'll need to search how to do that in Bitnami yourself.

on chrome : I have a red crossed out https:// in front of the url

Have you tried closing and opening Chrome again? If you already had that tab open before you fixed the problem, it might not update. I can’t see a reason why it’d do that.

:smiley:

yes - of course

funny - close and open again.

whenever I give others tech support on issues I am knowledgeable (unfortunately not linux servers , yet) -
that’s what I say first :slight_smile:

thanks again .

last question - was it correct to use the 3 commands from the last post to renew next time ?


Yes, I think so. The problem that was stopping you only needed to be fixed one time.
