Unable to Renew SSL Certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: survtapp.com

I ran this command:

It produced this output:

My web server is (include version): Ubuntu 20.04

The operating system my web server runs on is (include version): Apache

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi, I tried renewing the certificate with the following command:

sudo certbot certonly -manual

Next:

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)

2: Spin up a temporary webserver (standalone)

3: Place files in webroot directory (webroot)

Selected 1. Result:

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for survtapp.com
http-01 challenge for www.survtapp.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/survtapp.com-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/survtapp.com-0001/privkey.pem
    Your cert will expire on 2022-07-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation


Next I tried to run:

certbot renew

Result:

The following certs are not due for renewal yet:

/etc/letsencrypt/live/survtapp.com-0001/fullchain.pem expires on 2022-07-04 (skipped)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/survtapp.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

root@ip-172-31-4-161:/home/ubuntu# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


I tried running:

certbot certificates

Result:

Found the following certs:
Certificate Name: survtapp.com-0001
Domains: survtapp.com www.survtapp.com
Expiry Date: 2022-07-04 13:20:19+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/survtapp.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/survtapp.com-0001/privkey.pem
Certificate Name: survtapp.com
Domains: survtapp.com *.survtapp.com
Expiry Date: 2022-01-07 17:14:13+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/survtapp.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/survtapp.com/privkey.pem

Please advise how I can renew the certificate, and also how I can enable auto-renew.

Thank you.

2 Likes

At one time you used the DNS challenge to get a wildcard cert. That is the certificate name survtapp.com (note the *.survtapp.com domain name in it).

Since then you changed to using the HTTP challenge and getting a cert with only the names survtapp.com and www.survtapp.com. That is the valid cert that your server is sending out.

The renewal is failing for the wildcard cert. You can delete it since you no longer use it with:

sudo certbot delete --cert-name survtapp.com
4 Likes
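
The diagnosis above, as an added example that is not part of the original reply: a shell helper that reads `certbot certificates` output and reports which lineages are expired and which contain wildcard names (Let's Encrypt validates wildcard names only through the DNS challenge). The function names are hypothetical, and the sample input is constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example, not certbot's own tooling. Function names are hypothetical.
# Real use: sudo certbot certificates 2>/dev/null | expired_lineages

# Constructed sample: the `certbot certificates` output quoted in this thread.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: survtapp.com-0001
    Domains: survtapp.com www.survtapp.com
    Expiry Date: 2022-07-04 13:20:19+00:00 (VALID: 89 days)
  Certificate Name: survtapp.com
    Domains: survtapp.com *.survtapp.com
    Expiry Date: 2022-01-07 17:14:13+00:00 (INVALID: EXPIRED)'

# Reads `certbot certificates` output on stdin and prints one line per lineage:
#   <lineage name> <VALID|EXPIRED|OTHER> <comma-separated domains>
lineage_status() {
    awk '
        /Certificate Name:/ { name = $NF }
        /Domains:/ {
            sub(/^[ \t]*Domains:[ \t]*/, "")   # drop the label
            sub(/[ \t]+$/, "")                 # drop trailing whitespace
            gsub(/[ \t]+/, ",")                # join names with commas
            domains = $0
        }
        /Expiry Date:/ {
            # Check EXPIRED first: "(INVALID: ...)" is also used for other states.
            if ($0 ~ /EXPIRED/)      state = "EXPIRED"
            else if ($0 ~ /\(VALID/) state = "VALID"
            else                     state = "OTHER"
            print name, state, domains
        }
    '
}

# Lineages that `certbot renew` will keep retrying until they are renewed or deleted.
expired_lineages() {
    lineage_status | awk '$2 == "EXPIRED" { print $1 }'
}

# Lineages with a wildcard name; the HTTP challenge cannot renew these.
wildcard_lineages() {
    lineage_status | awk '$3 ~ /(^|,)\*\./ { print $1 }'
}

# Show the summary for the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | lineage_status
```

A lineage that appears in both lists while another valid lineage covers the names the server actually serves is the situation described in the reply above.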

Generally, certbot will automatically add a task to auto renew.
You can check to see if there is already one in place with these:

  • crontab -l
  • systemctl list-timers | grep certbot
2 Likes

It's resolved, thank you so much!

2 Likes

I tried:

crontab -l

Result:

usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: -l


Also tried:

systemctl list-timers | grep certbot

Result:

Wed 2022-04-06 09:26:10 UTC 9h left Tue 2022-04-05 22:22:50 UTC 1h 56min ago certbot.timer certbot.service

1 Like

Will the new setting work for both - survtapp.com as well as www.survtapp.com?

I wrote "crontab".
The error message shown is from "certbot".

Anywho, it looks like there is a systemd-timer to auto-renew your certbot certificates.

1 Like

It should. You can test it now with:

sudo certbot renew --dry-run
3 Likes
