Unable to renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
reports.togetherall.com

I ran this command:
sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No renewals were attempted.


My web server is (include version):
Sisense Server Version: L8.2.6.400

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
AWS

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Note: I'm running the renew command from the folder that contains the cert files.

1 Like

This might mean it's not yet time to renew. Or there are no certificates at all. Please show the output of:

certbot certificates

The location from where you run certbot should not matter in this case.

1 Like

Thanks for your reply Osiris.

It's time to renew alright, it's 10 days left (out of 90). It feels like the cert is somehow invisible to certbot.

The output from the command above is:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certs found.


But the cert is there and is actively used...

2 Likes

How did you get the certificate in the first place? Which command did you run? With --csr perhaps?

1 Like

Something like this:
certbot certonly --manual --preferred-challenges=dns --email xxxxxxxxxxx@togetherall.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos --config-dir certs --work-dir certs --logs-dir certs -d reports.togetherall.com

1 Like

Is there a reason why you've used --config-dir, --work-dir and --logs-dir? Those are usually not set for normal operation.

Also, I notice you've used the manual plugin. As the manual plugin without an authentication script (which would have been used with aid of --manual-auth-hook) requires manual intervention and as certbot renew assumes no manual intervention at all, this won't work anyway. Is there also a reason why you're using the dns challenge? Isn't it possible to use the http-01 challenge? You're not requesting a wildcard certificate which mandates the dns-01 challenge. Perhaps due to the use of Sisense Server?

You might successfully renew when you use those directory options in combination with the renew subcommand, but that won't work due to the use of the manual plugin without an authentication script.

Perhaps you can use the webroot plugin in combination with Sisense Server?

1 Like
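Why `certbot renew` and `certbot certificates` report nothing here: certbot only looks at `<config-dir>/renewal/*.conf`, and its default config dir is `/etc/letsencrypt`, whereas the original `certonly` run wrote everything under the relative `certs` directory. The renewal conf also records `authenticator = manual`, so even `certbot renew --config-dir certs --work-dir certs --logs-dir certs` would stop for lack of a `manual_auth_hook`. The script below is an added example (not code from the thread or from certbot itself) that audits a config dir the way certbot's lookup works; the renewal conf it writes is constructed to mirror the poster's command, and the key names (`authenticator`, `pref_challs`, `manual_auth_hook`) are the ones certbot stores in its renewal files.

```shell
#!/bin/sh
# Added example: find out why "certbot renew" has nothing to renew.
# certbot reads <config-dir>/renewal/*.conf; default config dir is
# /etc/letsencrypt, so a cert created with "--config-dir certs" is
# invisible unless renew is given the same --config-dir.

# Print the value of key $2 from renewal conf $1 (empty if absent).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Classify a renewal conf for unattended renewal:
#   needs-hook  - manual authenticator without manual_auth_hook
#   automatable - anything else (webroot, a DNS plugin, manual + hook)
classify_conf() {
    auth=$(conf_value "$1" authenticator)
    hook=$(conf_value "$1" manual_auth_hook)
    if [ "$auth" = "manual" ] && [ -z "$hook" ]; then
        echo "needs-hook"
    else
        echo "automatable"
    fi
}

# How many renewal confs certbot would consider under config dir $1.
count_renewal_confs() {
    set -- "$1"/renewal/*.conf
    [ -e "$1" ] && echo $# || echo 0
}

# Constructed renewal conf mirroring the thread's certonly command
# (manual authenticator, dns-01, no auth hook), written under config dir $1.
write_sample_conf() {
    mkdir -p "$1/renewal"
    cat > "$1/renewal/reports.togetherall.com.conf" <<'EOF'
version = 0.31.0
archive_dir = certs/archive/reports.togetherall.com
cert = certs/live/reports.togetherall.com/cert.pem
privkey = certs/live/reports.togetherall.com/privkey.pem
chain = certs/live/reports.togetherall.com/chain.pem
fullchain = certs/live/reports.togetherall.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# Report every renewal conf under config dir $1, or complain if none exist.
audit_config_dir() {
    for conf in "$1"/renewal/*.conf; do
        if [ ! -e "$conf" ]; then
            echo "no renewal configs under $1 (wrong --config-dir?)"
            return 1
        fi
        printf '%s: authenticator=%s challenge=%s -> %s\n' \
            "$(basename "$conf" .conf)" \
            "$(conf_value "$conf" authenticator)" \
            "$(conf_value "$conf" pref_challs | sed 's/,$//')" \
            "$(classify_conf "$conf")"
    done
}

# Demo: the default-style location vs. the relative "certs" dir.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/certs"
audit_config_dir "$demo_dir" || true   # mirrors "No renewals were attempted"
audit_config_dir "$demo_dir/certs"     # finds the cert, flags manual+no hook
rm -rf "$demo_dir"
```

Run it against a real installation by replacing the demo section with `audit_config_dir /etc/letsencrypt` (or the custom `certs` directory); the `needs-hook` verdict is exactly the case Osiris describes, where renewal will never run unattended.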

Hi Osiris,

Thanks a lot.
I possess a very basic knowledge of certbot and its plugins. I'm not the author of the certbot command above.
I don't know why manual is used. I believe we can do without it after reading its description.
dns challenge is used because of Sisense Server, but I assume it's not a stopper for renewal?
I think the best thing to do now is to create a new cert, preferably with options/plugins that don't prevent renewal.
I'll check webroot plugin out.

Best,
Nenad

2 Likes

If the Sisense Server isn't able to serve a random file (i.e., a token file generated by certbot) from a certain directory on your website, you'll need the dns challenge indeed.

If you can't automate the adding and removing of the TXT records through a script or a DNS plugin and you're limited by the dns challenge due to your webserver, you won't be able to fully automate renewal. You're stuck with running certbot manually every time you need to renew.

Depending on the possibilities of your Sisense server you might not be able to use webroot, but it's best to check it out indeed.

If you don't have the possibility to automate the adding and removing of the TXT records to your DNS zone, you might want to have a look at acme-dns which is, among others, built for such situations.

2 Likes
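What "automating the adding and removing of the TXT records through a script" looks like in practice is a `--manual-auth-hook` / `--manual-cleanup-hook` pair. certbot runs the auth hook with `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` in the environment, then asks Let's Encrypt to query `_acme-challenge.<domain>` for a TXT record with that value. The script below is an added example, not code from the thread, certbot or acme-dns: the publish and remove steps write to a local file that stands in for a DNS provider's API (an assumption for the demo; replace them with the real API call or an acme-dns update), and `lookup_txt` is the spot where a production hook would query a public resolver so the hook waits for propagation before certbot tells Let's Encrypt to validate.

```shell
#!/bin/sh
# Added example: dns-01 auth/cleanup hook skeleton for certbot --manual.
# Usage (both hooks point at this script):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/path/hook.sh auth" \
#     --manual-cleanup-hook "/path/hook.sh cleanup" -d example.com
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION before each call.

# Stand-in for the DNS zone (demo assumption): one "name TXT value" per line.
ZONE_FILE="${ZONE_FILE:-/tmp/fake-zone.txt}"

# Record name Let's Encrypt queries for domain $1.
acme_txt_name() { echo "_acme-challenge.$1"; }

# Publish TXT record $1 with value $2 (replace with your provider's API).
publish_txt() { printf '%s TXT %s\n' "$1" "$2" >> "$ZONE_FILE"; }

# Remove every TXT record for name $1 so stale tokens don't accumulate.
remove_txt() {
    [ -f "$ZONE_FILE" ] || return 0
    grep -v "^$1 TXT " "$ZONE_FILE" > "$ZONE_FILE.tmp" || true
    mv "$ZONE_FILE.tmp" "$ZONE_FILE"
}

# Print the TXT values currently visible for name $1. In production use
# something like:  dig +short TXT "$1" @1.1.1.1 | tr -d '"'
lookup_txt() {
    [ -f "$ZONE_FILE" ] || return 0
    awk -v n="$1" '$1 == n && $2 == "TXT" { print $3 }' "$ZONE_FILE"
}

# Poll until value $2 is visible at name $1, at most $3 attempts (1s apart).
# Returning non-zero makes certbot abort instead of failing the challenge.
wait_for_txt() {
    i=0
    while [ "$i" -lt "$3" ]; do
        if lookup_txt "$1" | grep -qxF "$2"; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "TXT record for $1 not visible after $3 attempts" >&2
    return 1
}

# --manual-auth-hook entry point.
auth_hook() {
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION" 30
}

# --manual-cleanup-hook entry point.
cleanup_hook() { remove_txt "$(acme_txt_name "$CERTBOT_DOMAIN")"; }

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Because certbot stores the hook paths in the renewal conf, a certificate issued this way renews unattended with a plain `certbot renew` (using the same `--config-dir` it was created with). The propagation wait matters: providers often take seconds to minutes to publish a new record, and validating before it is visible is the most common cause of a failed dns-01 challenge.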
