Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
I was first trying to renew my certificate after getting notice from the Let's Encrypt expiry bot but when I tried 'certbot renew' it didn't renew (sorry I don't have the response message). After the certificate expired I tried getting a new certificate following my own (previously successful) notes at https://github.com/ontologyportal/sigmakee/blob/master/Security.txt . I can see files for my keystore, request.csr and pem files as follows:
I think that's because of the use of --csr. This command is rather "unique" and unfortunately the behaviour isn't (very well) documented. I wouldn't be surprised if certbot doesn't even generate a renewal configuration file when a certificate is issued with --csr. It would be very helpful if the behaviour of --csr would be documented properly.
One of the ways to "renew" certificates issued with the --csr command is to "re-issue" the certificate the same way as you issued it in the first place. I don't think certbot renew will be useful at all, as there isn't a configuration file in /etc/letsencrypt/renewal/ for those --csr certificates.
Many thanks for the quick response but I actually tried doing the whole sequence again ( https://github.com/ontologyportal/sigmakee/blob/master/Security.txt ) for a new certificate and I get the same problem - my site no longer works and I get 'no certs found' when running 'certbot certificates'. Could you advise further?
That's not possible. You said certbot certificates resulted in "No certificates", but the guide you mention doesn't use that command. The guide says to use certbot certonly --csr request.csr.
Please elaborate about the exact problem you're having and which error messages you're getting. Did you run certbot certonly --csr request.csr again? What output did it give? Why wasn't that the response you expected? Where are you running into trouble during the guide?
The fact certbot certificates doesn't give you an output I already explained above. I'm not sure why you expect certbot to tell you anything different after the explanation. Perhaps I should mention that certbot certificates gets its information from those renewal configuration files which aren't generated with --csr.
To be blunt: if you use --csr, certbot has NO idea about the certificate it just generated. It's a sort of "fire and forget" kinda idea. You get the certificate, but that's it. Don't expect anything else from certbot, unless you tell it exactly to do something like running the certonly --csr command a second time.
Like I said, this behaviour isn't officially documented in any way unfortunately.
The same advice as I've given earlier. But perhaps more clear: don't use certbot renew or certbot certificates, it won't help you, because certbot doesn't have any "memory" of the certificate it generated earlier with --csr. Just run certbot certonly --csr request.csr for a second time and follow the guide from that point on again to import the newly generated certificate.
Sorry for my confusion. I understand that using the --csr option means that 'certbot certificates' will not work. But, I don't know how to modify my command sequence to get a new certificate or how to diagnose what is going wrong. The process that I've referenced worked twice, once in October 2017 when I originally set up the site, and then in January 2018 when I needed to renew the certificate. However, when I try it now, my site gives me the browser error -
If I re-run the sequence I've referenced, the step with the --csr option functions as expected. Here's the output:
sudo certbot certonly --csr request.csr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
Performing the following challenges:
http-01 challenge for nlp.ontologyportal.org
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for nlp.ontologyportal.org: (Enter 'c' to cancel): /var/www/html
Waiting for verification...
Cleaning up challenges
Server issued certificate; certificate written to /home/apease/0000_cert.pem
Cert chain written to
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/home/apease/0001_chain.pem
Your cert will expire on 2018-07-06. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
If you like Certbot, please consider supporting our work by:
Do you recommend running a different command? Could you help me correct my command with --csr to something more likely to succeed? Is there another tool or process I could use to help diagnose what might be wrong? I'd be grateful for any further help.
Sorry I may not be explaining well. I have continued and followed the guide from that point on. But my site no longer works. At the command line all steps in the sequence https://github.com/ontologyportal/sigmakee/blob/master/Security.txt give me the expected result. But after restarting my Tomcat web server my site times out. Can you suggest what I might try to diagnose the issue? I'm a bit at a loss.
so that it no longer uses the --csr option, and therefore I could at least use 'certbot certificates' to verify that it's generated a valid certificate?
The guide seems to use a CSR generated with keytool, specifically for/from Tomcat. I don't know if it's fully mandatory to use this CSR. certbot generates its own CSRs when used in "normal" mode (without --csr), but I have no Tomcat experience and no experience with keytool to know if Tomcat will accept any ordinary certificate chain within its keychain.
I'm not sure that we have any indication that there's a certificate-related problem here (because your certificate was created properly). Does Tomcat create any logs that you could look at? Do you know of a Tomcat-specific forum where you could ask for help with diagnosing Tomcat problems?
It's possible that I might be missing something, but my Tomcat configuration hasn't changed and the whole setup was working before the certificate expired, so my best assessment is that it's not a Tomcat issue. Tomcat does create a logs/catalina.out file but there are no error messages about security or certificates that might indicate it's a Tomcat issue, which also leads me to believe it's an issue with the certificate. Given that I created the certificate with the --csr option, is there another option than 'certbot certificates' to show the active certificates and their attributes?
Are there any further thoughts on what I might try to debug the problem? Is there another way to verify that the certificates are in the keystore even when created with the --csr option? I'd be grateful for further help.
I think you're stepping away from the territory most people here would have experience with, and more towards Tomcat-specific issues. You did successfully obtain a new certificate (in fact, you got two new certificates: https://crt.sh/?id=381406991 and https://crt.sh/?id=381386828) but for some reason your Tomcat isn't using them properly. I don't know of anyone on the LE forums who has much Tomcat experience to guide you with, unfortunately.
Hi Jared,
Many thanks for the reply. Independently of Tomcat, is there a way to validate that those certificates are in my keystore, given that they were created with the --csr option?
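The thread closes on the question of how to check a certificate that certbot, after `certonly --csr`, keeps no record of. The script below is an added example (not from the thread, the linked guide or certbot itself) that inspects the PEM files `--csr` writes, compares them against a private key, and checks whether the running server actually presents that certificate. The file paths and hostname are taken from the certbot output quoted above; port 443 and the keytool-to-PKCS12 export step are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot. With `certonly --csr`
# certbot writes 0000_cert.pem / 0001_chain.pem and keeps no renewal config, so
# `certbot certificates` has nothing to list; inspect the PEM and the live server.

# 0 if a certbot renewal config mentions this cert (never the case for --csr).
has_renewal_config() {            # $1 = renewal dir, $2 = cert path
  [ -d "$1" ] && grep -qs -- "$2" "$1"/*.conf
}
# Subject, issuer, validity window and SANs straight from the PEM. Uses -text
# rather than -ext so it also works with the OpenSSL 1.0.2 of Ubuntu 16.04.
describe_cert() {                 # $1 = cert PEM
  openssl x509 -in "$1" -noout -text |
    grep -E 'Subject:|Issuer:|Not (Before|After)|DNS:'
}
# 0 if the cert is still valid for at least $2 more seconds.
cert_valid_for() {                # $1 = cert PEM, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
# 0 if $2 is listed as a DNS name in the cert's subjectAltName.
cert_has_san() {                  # $1 = cert PEM, $2 = hostname
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | grep -qx "DNS:$2"
}
# 0 if the private key is the one the cert was issued for (same public key).
# A key taken out of the Java keystore (keytool -importkeystore to PKCS12, then
# openssl pkcs12) can be checked the same way; this is an assumed workflow.
key_matches_cert() {              # $1 = key PEM, $2 = cert PEM
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
# 0 if the cert the running server presents is byte-identical to $1. A time-out
# here while the PEM checks pass points at the server config, not the cert.
server_serves_cert() {            # $1 = cert PEM, $2 = host:port, $3 = SNI name
  served=$(printf '' | openssl s_client -connect "$2" -servername "$3" 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  [ -n "$served" ] && [ "$served" = "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" ]
}

main() {                          # paths/host from the thread; port 443 assumed
  cert=/home/apease/0000_cert.pem
  has_renewal_config /etc/letsencrypt/renewal "$cert" || echo "no renewal config (expected with --csr)"
  describe_cert "$cert"
  cert_valid_for "$cert" $((30 * 86400)) || echo "certificate expires within 30 days"
  cert_has_san "$cert" nlp.ontologyportal.org || echo "SAN does not cover nlp.ontologyportal.org"
  server_serves_cert "$cert" nlp.ontologyportal.org:443 nlp.ontologyportal.org || echo "server does not present this cert"
}
case "${1:-}" in check) main ;; esac   # run as: sh checkcert.sh check
```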