Unable to renew - no certs found


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nlp.ontologyportal.org

I ran this command: certbot certificates

It produced this output: no certs found

My web server is (include version): tomcat 8.5.23

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I was first trying to renew my certificate after getting notice from the Let’s Encrypt expiry bot but when I tried “certbot renew” it didn’t renew (sorry I don’t have the response message). After the certificate expired I tried getting a new certificate following my own (previously successful) notes at https://github.com/ontologyportal/sigmakee/blob/master/Security.txt . I can see files for my keystore, request.csr and pem files as follows:

-rwxrwxrwx 1 root root 2175 Apr 7 04:31 0000_cert.pem
-rwxrwxrwx 1 root root 1647 Apr 7 04:31 0000_chain.pem
-rwxrwxrwx 1 root root 3822 Apr 7 04:31 0001_chain.pem
-rwxrwxrwx 1 root root 4959 Apr 7 04:32 .keystore
-rwxrwxrwx 1 root root 1121 Apr 7 04:30 request.csr

but “certbot certificates” responds “no certs found” and my site isn’t working. What do you recommend?

all the best,
Adam


#2

I think that’s because of the use of --csr. This command is rather “unique” and unfortunately the behaviour isn’t (very well) documented. I wouldn’t be surprised if certbot doesn’t even generate a renewal configuration file when a certificate is issued with --csr. It would be very helpful if the behaviour of --csr would be documented properly.

One of the ways to “renew” certificates issued with the --csr command is to “re-issue” the certificate the same way as you issued it in the first place. I don’t think certbot renew will be useful at all, as there isn’t a configuration file in /etc/letsencrypt/renewal/ for those --csr certificates.


#3

Many thanks for the quick response but I actually tried doing the whole sequence again ( https://github.com/ontologyportal/sigmakee/blob/master/Security.txt ) for a new certificate and I get the same problem - my site no longer works and I get “no certs found” when running “certbot certificates”. Could you advise further?


#4

That’s not possible. You said certbot certificates resulted in “No certificates”, but the guide you mention doesn’t use that command. The guide says to use certbot certonly --csr request.csr.

Please elaborate about the exact problem you’re having and which error messages you’re getting. Did you run certbot certonly --csr request.csr again? What output did it give? Why wasn’t that the response you expected? Where are you running into trouble during the guide?

The fact certbot certificates doesn’t give you an output I already explained above. I’m not sure why you expect certbot to tell you anything different after the explanation. Perhaps I should mention that certbot certificates gets it’s information from those renewal configuration files which aren’t generated with --csr.

To be blunt: if you use --csr, certbot has NO idea about the certificate it just generated. It’s a sort of “fire and forget” kinda idea. You get the certificate, but that’s it. Don’t expect anything else from certbot, unless you tell it exactly to do something like running the certonly --csr command a second time.

Like I said, this behaviour isn’t officially documented in any way unfortunately.

The same advise as I’ve given earlier. But perhaps more clear: don’t use certbot renew or certbot certificates, it won’t help you, because certbot doesn’t have any “memory” of the certificate it generated earlier with --csr. Just run certbot certonly --csr request.csr for a second time and follow the guide from that point on again to import the newly generated certificate.


#5

sorry for my confusion. I understand that using the --csr option means that “certbot certificates” will not work. But, I don’t know how to modify my command sequence to get a new certificate or how to diagnose what is going wrong. The process that I’ve reference worked twice, once in October 2017 when I originally set up the site, and then in January 2018 when I needed to renew the certificate. However, when I try it now, my site gives me the browser error -

" This site can’t be reached nlp.ontologyportal.org took too long to respond."

If I re-run the sequence I’ve referenced. The step with the --csr option functions as expected. Here’s the ouput

sudo certbot certonly --csr request.csr
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 3
Performing the following challenges:
http-01 challenge for nlp.ontologyportal.org

Select the webroot for nlp.ontologyportal.org:

1: Enter a new webroot

Press 1 [enter] to confirm the selection (press ‘c’ to cancel): 1
Input the webroot for nlp.ontologyportal.org: (Enter ‘c’ to cancel): /var/www/html
Waiting for verification…
Cleaning up challenges
Server issued certificate; certificate written to /home/apease/0000_cert.pem
Cert chain written to
Cert chain written to

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /home/apease/0001_chain.pem
    Your cert will expire on 2018-07-06. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Do you recommend running a different command? Could you help me correct my command with --csr to something more likely to succeed? Is there another tool or process I could use to help diagnose what might be wrong? I’d be grateful for any further help.


#6

Seems to work, right? You got the certificate!

Why would you change a winning team? You got the certificate from certbot. Now you should follow the guide from that point on.


#7

Sorry I may not be explaining well. I have continued and followed the guide from that point on. But my site no longer works. At the command line all steps in the sequence https://github.com/ontologyportal/sigmakee/blob/master/Security.txt give me the expected result. But after restarting my Tomcat web server my site times out. Can you suggest what I might try to diagnose the issue? I’m a bit at a loss.


#8

Seems to me that’s more a Tomcat issue then. I have absolutely 0.0 experience with Tomcat, so I’m no use there, sorry.


#9

Could you recommend how to modify the command

sudo certbot certonly --csr request.csr

so that it no longer uses the --csr option, and therefore I could at least use “certbot certificates” to verify that it’s generated a valid certificate?


#10

The guide seems to use a CSR generated with keytool, specifically for/from Tomcat. I don’t know if it’s fully mandatory to use this CSR. certbot generates its own CSRs when used in “normal” mode (without --csr), but I have no Tomcat experience and no experience with keytool to know if Tomcat will accept any ordinary certificate chain within its keychain.


#11

ok, thanks @Osiris

Can anyone else advise to help me resolve this?


#12

I’m not sure that we have any indication that there’s a certificate-related problem here (because your certificate was created properly). Does Tomcat create any logs that you could look at? Do you know of a Tomcat-specific problem where you could ask for help with diagnosing Tomcat problems?


#13

It’s possible that I might be missing something, but my tomcat configuration hasn’t changed and the whole setup was working before the certificate expired, so my best assessment is that it’s not a Tomcat issue. Tomcat does create a logs/catalina.out file but there are no error messages about security or certificates that might indicate it’s a tomcat issue, which also leads me to believe it’s an issue with the certificate. Given that I created the certificate with the --csr option, is there another option than “certbot certificates” to show the active certificates and their attributes?


#14

correction, there is an error in the Tomcat log

Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect

but I have matched the tomcat password with the keystore password so I’m still stuck


#15

So, you entirely recreated the keystore with a matching set of files after your certificate renewal?


#16

I wasn’t able to renew the certificate. I get the message “No renewals were attempted.” and the log says

2018-04-07 23:15:59,144:DEBUG:certbot.main:certbot version: 0.22.2
2018-04-07 23:15:59,145:DEBUG:certbot.main:Arguments: []
2018-04-07 23:15:59,145:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-04-07 23:15:59,153:DEBUG:certbot.log:Root logging level set at 20
2018-04-07 23:15:59,153:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-04-07 23:15:59,154:DEBUG:certbot.renewal:no renewal failures

So, I tried the process of creating a certificate from scratch with the process described at https://github.com/ontologyportal/sigmakee/blob/master/Security.txt

which means running the following commands after deleting all .pem files and the keystore

sudo keytool -genkey -alias tomcat -keyalg RSA -keystore ~/.keystore -keysize 2048
sudo keytool -certreq -alias tomcat -file request.csr -keystore ~/.keystore
sudo certbot certonly --csr request.csr
sudo keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore ~/.keystore


#17

Are there any further thoughts on what I might try to debug the problem? Is there another way to verify that the certificates are in the keystore even when created with the --csr option? I’d be grateful for further help.


#18

I think you’re stepping away from the territory most people here would have experience with, and more towards Tomcat-specific issues. You did successfully obtain a new certificate (in fact, you got two new certificates: https://crt.sh/?id=381406991 and https://crt.sh/?id=381386828) but for some reason your Tomcat isn’t using them properly. I don’t know of anyone on the LE forums who has much Tomcat experience to guide you with, unfortunately.


#19

Hi Jared,
Many thanks for the reply. Independently of Tomcat, is there a way
to validate that those certificates are in my keystore, given that they
were created with the --csr option?

all the best,
Adam


#20

keytool -list -v -keystore /path/to/keystore