Let's encrypt renew failed

#1 Mon, 09/23/2019 - 13:43
bobemoe

Some of my certs started to expire and were unable to renew.

I logged in and checked certbot certificates where I found certificates for several domains that had been deleted from the server. I manually deleted the certs.

I also noticed several certs with -0001 appended to them. After checking they were not in use I deleted them.

My list of certs is now concise and correct. I also did a certbot renew which renewed some expiring certs. All sites are working fine with valid certs.

Now virtualmin is mailing me with lots of fail mails:

"You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry."

Why is virtualmin attempting to renew non-expiring certs? certbot renew says none are due for renewal. Do I need to rescan or associate the certs with virtualmin somehow?

Thanks

Sun, 09/29/2019 - 02:09
bobemoe

So it was just 2 certs that were the remaining problem. I deleted them in certbot and recreated them in virtualmin admin. This seems to have fixed the issue. Not sure how it all got out of sync. I think it would be a good idea if someone checks the process and makes sure virtualmin cleans up after itself when a site/domain is deleted.

Sun, 09/29/2019 - 02:10
bobemoe

Just to note, everything was originally created and managed in virtualmin up until this point where I had to step in and start using certbot manually.

Fri, 10/04/2019 - 08:23
bobemoe

So now another domain/site has started doing this. I could delete and recreate this cert too, but I expect I'm going to keep having to do this each time virtualmin thinks one has expired. Where is it keeping track of this? How can I sync it back up with the real expiry dates?

Fri, 10/04/2019 - 08:29
bobemoe

Reported it as a bug here https://www.virtualmin.com/node/67383

Sat, 10/05/2019 - 10:10
Jfro

and maybe also this to take care of https://www.virtualmin.com/node/67390

Sat, 10/05/2019 - 10:46
Jfro

Also if using certbot with for example apache the reload...?

What do the configuration file(s) in /etc/letsencrypt/renewal/ contain?

Certbot can be configured to automatically gracefully reload Apache after renewing certificates. If you use certbot --apache without certonly when creating the certificate, Certbot will configure Apache to use it, and will also automatically reload Apache when renewing. You can also set up a deploy hook to do so, for example by using the --deploy-hook command line option when initially creating the certificate, or by putting a script in /etc/letsencrypt/renewal-hooks/deploy/.

You can check some more info about LE certs here on this site, also the advanced option is nice there.

https://crt.sh/
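
The deploy-hook approach described in the post above, sketched as an added example; it is not part of the original thread and is not Certbot's or Virtualmin's own code. The file name reload-apache.sh and the APACHECTL override are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot exports to deploy hooks.

```sh
#!/bin/sh
# Added example: save as an executable file in
# /etc/letsencrypt/renewal-hooks/deploy/ (the name reload-apache.sh is an
# assumption). Certbot runs deploy hooks once per successfully renewed
# certificate and exports RENEWED_LINEAGE and RENEWED_DOMAINS to them.

# Assumption: apachectl is on PATH; override for distros that ship apache2ctl.
APACHECTL="${APACHECTL:-apachectl}"

reload_apache() {
    lineage="${RENEWED_LINEAGE:-}"
    if [ -z "$lineage" ]; then
        echo "deploy hook: RENEWED_LINEAGE not set, not called by certbot" >&2
        return 2
    fi

    # Refuse to reload if the renewed lineage is missing its chain or key.
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "deploy hook: $lineage/$f missing or empty" >&2
            return 3
        fi
    done

    # Never reload a configuration that does not parse; the running
    # server keeps serving the previous certificate instead.
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        echo "deploy hook: apache configtest failed, reload skipped" >&2
        return 4
    fi

    echo "deploy hook: reloading apache for ${RENEWED_DOMAINS:-unknown domains}"
    "$APACHECTL" graceful
}

# Only act when certbot invoked us as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_apache
fi
```

The file must be executable for Certbot to run it from the renewal-hooks directory.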