LetsEncrypt Renewal Failure (+ possible insights...)

I know there’s been a bunch of renewal problems on here, so I’m hoping this one might give some greater insight as to what the root cause is…

[1] I got an email from LetsEncrypt saying the certificate would expire in 19 days' time (first notification from them, nothing from ee). This is the first renewal for this domain. So I tried manually: sudo ee site update mydomain.com --letsencrypt=renew

I tried a number of times but all failed. tail /var/log/ee/ee.log:

2017-07-20 01:28:21,162 (DEBUG) ee : Running command: date -d "openssl x509 -in /etc/letsencrypt/live/mydomain.com/cert.pem -text -noout|grep "Not After"|cut -c 25-" +%s
2017-07-20 01:28:21,171 (DEBUG) ee : Command Output: 1502237940, Command Error:
2017-07-20 01:28:21,172 (ERROR) ee : Your current cert will expire within 19 days.

[2] So I moved on to trying certbot directly with: /opt/letsencrypt/certbot-auto certonly --webroot --webroot-path=/var/www/mydomain.com/htdocs -d mydomain.com

This gave screens of:

rm: cannot remove '/home/myuser/.local/share/letsencrypt/pip-selfcheck.json': Permission denied
rm: cannot remove '/home/myuser/.local/share/letsencrypt/lib/python2.7/os.pyc': Permission denied
etc.

And sure enough everything in /home/myuser/.local/share/letsencrypt/ and below is owned by root.

[3] So I tried running as sudo: sudo /opt/letsencrypt/certbot-auto certonly --webroot --webroot-path=/var/www/mydomain.com/htdocs -d mydomain.com

This gave directory ownership errors:

The directory '/home/myuser/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/myuser/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.

[4] For the heck of it, I decided to try sudo with the -H flag (sets home as target user): sudo -H /opt/letsencrypt/certbot-auto certonly --webroot --webroot-path=/var/www/mydomain.com/htdocs -d mydomain.com

This renewed successfully:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/mydomain.com-0001/fullchain.pem.

However, this updated certificate was not showing in the web browser (i.e. the expiry date had not changed).

[5] Checking /var/www/mydomain.com/conf/nginx/ssl.conf showed:

ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

So certbot has created a new directory for the renewal! I manually updated these paths to point to /mydomain.com-0001/ (as reported by certbot) instead of /mydomain.com/ and restarted nginx… now the browser does see the new certificate just fine. (I guess I could copy the new certificates over the old ones…?)

Note

I’m not recommending anyone do this however. Firstly, ee doesn’t know about the new expiry (ee site info still shows the old one). Secondly, amending ssl.conf is probably a bad idea generally.

Question Is…

What’s the proper fix for this? It seems to me that certificates are being created with the wrong file permissions, which makes renewals fail?
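An added check for the two things that went wrong in the post above (this is example code, not from the thread's author, EasyEngine or certbot): it parses an nginx ssl.conf, compares the lineage directory it references with the newest certbot lineage under live/ (mydomain.com versus mydomain.com-0001), and lists entries under a directory that are not owned by the invoking user, which is what the rm: Permission denied errors in step [2] came from. The live/ layout, the sample ssl.conf and all paths are constructed for the demo; nothing under /etc is read.

```python
"""Added check for the failure modes in the post above: an nginx ssl.conf that
still points at /etc/letsencrypt/live/<domain>/ after certbot wrote a new
<domain>-0001 lineage, and a ~/.local/share/letsencrypt tree owned by root.
Example code, not part of EasyEngine or the thread; all paths are constructed."""
import os
import re
import tempfile
from pathlib import Path

# nginx directives of the form: ssl_certificate /path/fullchain.pem;
DIRECTIVE_RE = re.compile(r"^\s*(ssl_certificate(?:_key)?)\s+(\S+?)\s*;", re.M)
# certbot lineage names: mydomain.com, mydomain.com-0001, mydomain.com-0002, ...
LINEAGE_RE = re.compile(r"^(.*?)(?:-(\d{4}))?$")


def parse_ssl_conf(text):
    """Map directive name -> path for the two TLS directives nginx needs."""
    return {m.group(1): m.group(2) for m in DIRECTIVE_RE.finditer(text)}


def render_ssl_conf(lineage, live_root):
    """The two directives for one lineage, in the layout ee writes to ssl.conf."""
    base = Path(live_root) / lineage
    return (f"ssl_certificate {base / 'fullchain.pem'};\n"
            f"ssl_certificate_key {base / 'privkey.pem'};\n")


def lineages_for(domain, live_root):
    """Lineage directories for one domain, oldest first (the suffix-less name is the original)."""
    live_root = Path(live_root)
    found = []
    if not live_root.is_dir():
        return found
    for entry in os.listdir(live_root):
        m = LINEAGE_RE.match(entry)
        if m and m.group(1) == domain and (live_root / entry).is_dir():
            found.append((int(m.group(2) or 0), entry))
    return [name for _, name in sorted(found)]


def lineage_of(path, live_root):
    """Which lineage directory a configured path lives in, or None if outside live_root."""
    try:
        return Path(path).relative_to(Path(live_root)).parts[0]
    except ValueError:
        return None


def check_nginx_lineage(conf_text, domain, live_root):
    """Findings (empty list == fine) when ssl.conf references a stale lineage or missing files."""
    findings = []
    directives = parse_ssl_conf(conf_text)
    lineages = lineages_for(domain, live_root)
    newest = lineages[-1] if lineages else None
    for name in ("ssl_certificate", "ssl_certificate_key"):
        path = directives.get(name)
        if path is None:
            findings.append(f"{name}: directive missing from ssl.conf")
            continue
        used = lineage_of(path, live_root)
        if used is None:
            findings.append(f"{name}: {path} is outside {live_root}")
        elif newest is not None and used != newest:
            findings.append(f"{name}: nginx serves lineage {used} but certbot's newest is {newest}")
        if not Path(path).is_file():
            findings.append(f"{name}: {path} does not exist")
    return findings


def files_not_owned_by(root, uid):
    """Entries below root whose owner is not uid; non-empty for a tree that certbot-auto wrote as root."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_uid != uid:
                bad.append(full)
    return sorted(bad)


def current_uid():
    return os.getuid()


def build_demo_live_root(base=None):
    """Constructed stand-in for /etc/letsencrypt/live after a renewal that created -0001."""
    base = Path(base or tempfile.mkdtemp(prefix="le-demo-"))
    live = base / "live"
    for lineage in ("mydomain.com", "mydomain.com-0001"):
        (live / lineage).mkdir(parents=True, exist_ok=True)
        for fname in ("fullchain.pem", "privkey.pem"):
            (live / lineage / fname).write_text(f"placeholder {lineage}/{fname}\n")  # not real PEM
    return live


if __name__ == "__main__":
    live = build_demo_live_root()
    stale_conf = render_ssl_conf("mydomain.com", live)  # what ee left in ssl.conf after step [4]
    for finding in check_nginx_lineage(stale_conf, "mydomain.com", live):
        print("FINDING:", finding)
    # The tree from step [2]; only inspected if it exists on this machine.
    le_user_dir = Path.home() / ".local" / "share" / "letsencrypt"
    if le_user_dir.is_dir():
        for entry in files_not_owned_by(le_user_dir, current_uid()):
            print("not owned by me:", entry)
```

Run it as the user who owns the site, pointing check_nginx_lineage at the real /etc/letsencrypt/live and the contents of /var/www/mydomain.com/conf/nginx/ssl.conf; two findings naming mydomain.com-0001 reproduce the situation in step [5], and an empty list means nginx already serves the newest lineage.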

Hello @marty, there are currently several issues with renewal of letsencrypt with EE due to all the previous modifications in the renewal process and letsencrypt client.

1) First, all commands used with letsencrypt should be run as root.

2) If you don't use the same client as EE to renew your certificates, you may get a different certificate name than the previous one.

3) There is no issue with editing the ssl.conf file. I'm working on a tutorial explaining how to replace the EE letsencrypt client and how to renew your certificates automatically.

Currently the first part of my guide is available here: https://kb.virtubox.net/knowledgebase/install-ssl-certificate-lets-encrypt-manually/

So further to everything I wrote above, and virtubox's help... if your auto renewal hasn't worked and you need to run it manually, just do this:

sudo bash
ee site update mysite.com --letsencrypt=renew [note: no 'sudo' on this as you're running it as root]

Just did this today for the above site and confirm it works. I had to point my ssl.conf back to the original directory, but only because I changed it as detailed above.