certbot renewal

Subject:

https://community.letsencrypt.org/t/create-new-certificate-error/51300/16 

As described in the other thread, Let’s Encrypt has discontinued support for TLS-SNI-01 authentication (which was an authentication method that used port 443 to prove your control of a domain name). There is an ongoing process to update Certbot and other software to better support the other authentication methods.

In this case I think you’re encountering a weird case which a few other people have encountered, which is that the means by which Let’s Encrypt implemented the change has made --dry-run much less realistic than before. This is because the main server still exceptionally allowed people to use the TLS-SNI-01 method for renewals only, but the staging (test) server used by --dry-run typically does not allow it at all. Therefore, --dry-run tests can show failures related to TLS-SNI-01 that do not necessarily correspond to failures when performing the actual renewal. It may be valid to run the ordinary certbot renew, because an exception has been made that can allow TLS-SNI-01 in this case.

Seeing this error also commonly means that your Certbot hasn’t yet been updated to a version that will refrain from trying to use the TLS-SNI-01 method. Such a version was released last week, hence my question to @joohoi about whether it’s available in the PPA yet.

gstlouis
2018-02-05 16:47:15

Using certbot certificates will show you the certificates and their expiry date.

gstlouis
vote
2018-05-14 07:15:30

On my centos7 I have used certbot renew.

gstlouis
vote
2018-05-14 07:55:03

I did a cleanup of the certbot certificates on centos7. This link from someone over there was very helpful.

Yes, you can issue a new cert covering all your domains:

1.- As root, make a backup of /etc/letsencrypt/ dir:

cd && tar zcvf backup_etc_letsencrypt-2018_04_11.tar.gz /etc/letsencrypt/

2.- Issue a new certificate for all your domains, in this case we will specify the parameter --cert-name to let certbot know which is the certificate we want to expand and also we will add all the certificates needed (including the ones that the current cert has):

certbot --apache --expand --cert-name smbservices.ca -d smbservices.ca,www.smbservices.ca,anotherone.ca,www.anotherone.ca,yet-anotherone.ca,www.yet-anotherone.ca

  • reboot apache

That should create a certificate for all your domains. Then you should check that the apache conf files (SSL directives) for your domains are pointing to the right path /etc/letsencrypt/live/smbservices.ca/

  • This means you go into /etc/httpd/conf/http.conf or /etc/httpd/conf/http-le-ssl.conf and verify that the directives in the example below are all pointing to the right folder path.

    SSLCertificateFile /etc/letsencrypt/live/smbservices.ca/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/smbservices.ca/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/smbservices.ca/chain.pem

You can now delete the old certificates using certbot delete, which will ask you which one you want to delete (just make sure you don't delete the one you just created or updated/overwrote).

gstlouis
vote
2018-05-22 14:07:06

The first thing you need to do is check the name of the certificate you want to expand:

certbot certificates

and you will see the list of your certificates; then you need to check the cert name of the certificate that contains the right list of domains.

Let’s say the cert name is smbservices.ca and this is the list of current domains covered by that cert:

adaginc.ca,brilox.ca,cal.smbservices.ca,converterlookup.ca,forum.smbservices.ca,mysandbox.ca,ridesonthego.ca,smbservices.ca,trackmystat.ca,www.adaginc.ca,www.smbservices.ca,www.trackmystat.ca

Now, if you want to add virtual.smbservices.ca you need to add it to the list.

certbot --apache --expand --cert-name smbservices.ca -d adaginc.ca,brilox.ca,cal.smbservices.ca,converterlookup.ca,forum.smbservices.ca,mysandbox.ca,ridesonthego.ca,smbservices.ca,trackmystat.ca,www.adaginc.ca,www.smbservices.ca,www.trackmystat.ca,virtual.smbservices.ca

gstlouis
vote
2018-05-28 12:18:56

I ran into a problem with re-directing and certbot.

When running certbot as in the above examples, it will ask you if you want to auto re-direct. If you choose yes, it will look into the httpd.conf file for the domain's <VirtualHost ip:80> directive to add rewrite rules that redirect it to its <VirtualHost ip:443> counterpart. If the <VirtualHost ip:80> is not found this can cause a problem, and certbot will tell you when executing certbot to add https to domains, saying:

Failed redirect for smbservices.ca
Unable to set enhancement redirect for smbservices.ca
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

You need to go into the httpd.conf file and add the <VirtualHost ip:80> container, based on a similar <VirtualHost ip:80> container from a working domain. You have to ensure it has the re-write rules that will re-direct the <VirtualHost ip:80> to its counterpart. This can even be in the same file httpd.conf, but certbot differentiates these files as httpd.conf for port 80 and httpd-le-ssl.conf for port 443.

gstlouis
vote
2018-05-28 15:05:49
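As an added example (not code from the thread or from certbot), this shell check covers the two things the posts above say to verify before running certbot --apache --expand: that every :443 VirtualHost has a :80 counterpart for certbot's redirect enhancement, and that the SSLCertificate*File directives point into /etc/letsencrypt/live/<cert-name>/. It assumes a plain httpd.conf-style file; the sample configs it writes are constructed, and old-name is a placeholder for a stale certificate directory.

```shell
# Added example (not from the thread). Before "certbot --apache --expand", check that
# every :443 VirtualHost has a :80 twin (else certbot's redirect enhancement fails)
# and that SSLCertificate*File directives point into /etc/letsencrypt/live/<cert-name>/.
# Usage: check_vhosts /etc/httpd/conf/httpd.conf smbservices.ca

# Print "port servername" for each ServerName inside a VirtualHost block.
vhost_names() {
    awk '/^[[:space:]]*<VirtualHost/ { p = $0; sub(/.*:/, "", p); sub(/>.*/, "", p) }
         /^[[:space:]]*ServerName/  { print p, $2 }' "$1"
}

check_vhosts() {
    conf="$1"; live="/etc/letsencrypt/live/$2/"; rc=0
    for name in $(vhost_names "$conf" | awk '$1 == "443" { print $2 }'); do
        if ! vhost_names "$conf" | grep -qxF "80 $name"; then
            echo "MISSING: no <VirtualHost *:80> for $name (certbot redirect will fail)"
            rc=1
        fi
    done
    for path in $(awk '/^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)/ { print $2 }' "$conf"); do
        case "$path" in
            "$live"*) ;;
            *) echo "WRONG PATH: $path is not under $live"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs (not real server files): $1 is correct, $2 shows both faults.
write_samples() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName smbservices.ca
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName smbservices.ca
    SSLCertificateFile /etc/letsencrypt/live/smbservices.ca/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/smbservices.ca/privkey.pem
</VirtualHost>
EOF
    cat > "$2" <<'EOF'
<VirtualHost *:443>
    ServerName virtual.smbservices.ca
    SSLCertificateFile /etc/letsencrypt/live/old-name/cert.pem
</VirtualHost>
EOF
}
```

Run check_vhosts against your real httpd.conf and httpd-le-ssl.conf (one file at a time) after the --expand step; a non-zero exit lists the vhosts and paths that need fixing.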