LetsEncrypt certificate renewal failure

Question

I tried to renew the certificate of my server. The current one has expired 1 month ago, but I didn't took care of it until now.

I tried to use the letsencrypt-auto renew command but got a failure:

Note: I changed the domain/user/server names.

user@vps:~/letsencrypt# ./letsencrypt-auto renew
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: sudo /home/user/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/www.example.com.conf
2016-04-02 07:07:00,862:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/www.example.com.conf produced an unexpected error: You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: www.example.com, example.com). We will not do that unless you use the --break-my-certs flag!. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.example.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

I stupidly tried the command with the --break-my-certs flag:

user@vps:~/letsencrypt# ./letsencrypt-auto renew --break-my-certs
Updating letsencrypt and virtual environment dependencies...You are using pip version 7.1.2, however version 8.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
....
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt renew --break-my-certs
Processing /etc/letsencrypt/renewal/www.example.com.conf
new certificate deployed with reload of apache server; fullchain is /etc/letsencrypt/live/www.example.com/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.example.com/fullchain.pem (success)

I thought it was it, but when I tried to connect to my website, I got an error telling me that the certificate was issued by an untrusted party. (However, the validity dates are OK.)

So I tried the first command again:

user@vps:~/letsencrypt# ./letsencrypt-auto renew
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/www.example.com.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.example.com/fullchain.pem (skipped)
No renewals were attempted.

But as you can see, it doesn't work.

Well, you _did_ request a certificate for an example domain! — Michael Hampton, Apr 02 '16 at 15:57

score 8 · Answer 1 · edited Apr 11 '16 at 18:04

Keep in mind that renewal procedure using letsencrypt-auto will only work fine if your previous certificate was issued using letsencrypt-auto 0.4.0 or above. If your certificate was issued with older letsencrypt-auto version then you need to issue again the certificate in the same way and with the same options and params as you did it the first time and after that, letsencrypt-auto renew will work as expected.

Anyway, the first message you received when tried to renew your domain was:

You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: www.example.com, example.com). We will not do that unless you use the --break-my-certs flag!. Skipping.

And that means that you had a valid certificate for your domain but the renew command detected that you were trying to renew the certificate with staging server instead of production server (note: staging server is part of letsencrypt infrastructure and allows to test the process to issue certificates for your domain but issued by a fake CA, if you check your cert you could see that the issuer is Fake LE Intermediate X1).

So, as you repeated the renew process but using the flag --break-my-certs you now have a certificate issued by a fake CA that none of the clients that will connect to your site will trust.

I suppose you were playing with some conf in /etc/letsencrypt/cli.{conf,ini}, /etc/letsencrypt/renewal/yourdomain.conf or whatever config file you used to issue the first certificate and in some conf you specified the flag staging so letsencrypt-auto is trying to renew your cert using it instead of production.

Execute this command against your renewal conf file:

grep -E 'server\ =|config_file\ =' /etc/letsencrypt/renewal/yourdomain.conf

Note: if you issued several certificates for your domain and you added or removed domains from the subset of FQDNs included in the certificate, instead of yourdomain.conf you could have yourdomain-0001.conf, yourdomain-0002.conf and so on.

config_file will show if you are using a config file for your domain, if you don't use any config file you will see the word None.

server will show if you are issuing your certificates against staging or production server.

If it's staging you will see this:

server = https://acme-staging.api.letsencrypt.org/directory

if it's production you will see:

server = https://acme-v01.api.letsencrypt.org/directory

If you see that server is pointing to staging, edit the renewal config file for your domain and change it to production https://acme-v01.api.letsencrypt.org/directory

Also, if you have a config_file, you should check that config file to be sure that server option is pointing to production and there is no option like staging, staging = True, test-cert or test-cert = True

Once you have removed the staging options and changed the server to production one in config_file and renewal config file you could try to renew again your cert.

./letsencrypt-auto renew --force-renewal

If you finally get the certificate for your domain, pay attention to congratulations message, that message will tell you the dir where your certs are saved, keep that in mind to configure your web server, mail server, whatever with the right paths to your certs.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/yourdomain/fullchain.pem. Your cert
   will expire on xxxx-xx-xx. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.

score 1 · Answer 2 · answered Nov 22 '16 at 21:09

I hade the same problem as OP using the latest certbot. Turns out, it wasn't certbot's fault at all - it works perfectly - you just need to remember to restart/reload your webserver so it pulls the updated cert! So, just how LetsEncrypt suggests to put certbot renew --quiet in your cron, remember to add a webserver reload few minutes after, in case of nginx /etc/init.d/nginx reload

score 0 · Answer 3 · edited Jun 21 '17 at 10:09

0

I had the same issue, you have to restart your web server ( Apache or nginx ).
I used certbot renew --quiet to renew.

edited Jun 21 '17 at 10:09

Thomas

4,155
5
21
28

answered Jun 20 '17 at 17:38

user2271660

1

LetsEncrypt certificate renewal failure

3 Answers3