Unable to renew certificate

Keywords: General - AWS - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: a01707c2-29f4-5f84-793b-9a5376ca3c54
Description:
Hey community,
I was trying to renew my certificate following this document (https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/). I started from the fifth step but I realized that I didn’t have “lego” installed, so I started again from step 1 to step 4. From my understanding, I have generated a new certificate for my domain after finishing steps 1 to 4. I tried to run the renewal command line shown below and it did not fail, because of the remaining 89 days until expiry. Then I went to the browser to check the certificate; it showed there are only 19 days until expiry, which means I didn’t successfully renew the certificate. So now I’m confused about this: the server is not allowing me to renew it but the browser says it’s about to expire. Could anyone please help me with this issue? Thank you!

More info here:
I checked the files in the /opt/bitnami/apache2/conf directory and it seems like there are two certificates:

bitnami
easycookasia.de.crt
extra
magic
modsecurity.conf
pagespeed.conf
php-fpm-apache.conf
server.crt
server.csr.old
server.key.old
deflate.conf
easycookasia.de.key
httpd.conf
mime.types
original
pagespeed_libraries.conf
privkey.pem
server.crt.old
server.key
ssi.conf

Hi @cherngen_yang,

I just checked that you are currently using the easycookasia.de.crt and easycookasia.de.key certificates. That means that you used the generate-certificate.sh script to generate them. More information here:

https://www.youtube.com/watch?v=Ru0t9P-aP0I&list=PLGgVZHi3XQNm-dQwUU0K83kMKIdCILGy7

This script should have configured a crontab job to regenerate the certificates every month. Could you please check if this is the case?

sudo crontab -l
sudo crontab -l -u bitnami

Thanks

Hey jota,
Thanks for helping me out!
Here’s the output:

$ sudo crontab -l
no crontab for root

$ sudo crontab -l -u bitnami
0 0 1 * * sudo /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --email="hello@easycookasia.de" --domains=easycookasia.de --domains=www.easycookasia.de renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful

I forgot what I’ve set up but it seems the certificate is not automatically generated.
Thanks!

@cherngen_yang,

Can you run this command and share the output of it with us?

sudo /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --email="hello@easycookasia.de" --domains=easycookasia.de --domains=www.easycookasia.de renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful

@jota
$ sudo /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --email="hello@easycookasia.de" --domains=easycookasia.de --domains=www.easycookasia.de renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful

2019/04/09 10:30:43 [INFO] [easycookasia.de] acme: Trying renewal with 455 hours remaining
2019/04/09 10:30:43 [INFO] [easycookasia.de, www.easycookasia.de] acme: Obtaining bundled SAN certificate
2019/04/09 10:30:44 [INFO] [easycookasia.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/KbW5Kiz0j6MR75WFjm5e150qJ-G_5RBwcBd5c0K-hCQ
2019/04/09 10:30:44 [INFO] [www.easycookasia.de] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/pLarj6FGoSjYzdPAEVQAqlrI_celQKSJ1KAUhLzcxVo
2019/04/09 10:30:44 [INFO] [easycookasia.de] acme: Trying to solve TLS-ALPN-01
2019/04/09 10:30:44 [INFO] [www.easycookasia.de] acme: Trying to solve HTTP-01
2019/04/09 10:30:44 acme: Error -> One or more domains had a problem:
[easycookasia.de] [easycookasia.de] error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: address already in use
[www.easycookasia.de] [www.easycookasia.de] error presenting token: could not start HTTP server for challenge -> listen tcp :80: bind: address already in use

Thanks!

Hi @cherngen_yang,

It seems that version 1.x of the lego tool needs to use ports 80 and 443 when renewing the certificate. Can you follow these steps to fix the issue for future renewals?

  • Create a new file (/etc/lego/renew-certificate.sh) with the following content:
#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --email="hello@easycookasia.de" --domains=easycookasia.de --domains=www.easycookasia.de renew
sudo /opt/bitnami/ctlscript.sh start apache
  • Make the script executable:
chmod +x /etc/lego/renew-certificate.sh
  • Verify that the script works properly
sudo /etc/lego/renew-certificate.sh

Note: Let us know if it updates the certificate properly

  • Modify the crontab job
sudo crontab -u bitnami -e

and substitute this line

0 0 1 * * sudo /opt/bitnami/letsencrypt/lego --path="/opt/bitnami/letsencrypt" --email="hello@easycookasia.de" --domains=easycookasia.de --domains=www.easycookasia.de renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful

with this one

0 0 1 * * sudo /etc/lego/renew-certificate.sh 2> /dev/null

Happy to help!


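The script in the reply above stops Apache, runs lego and starts Apache again, and trusts lego's own "days remaining" message. As an added example, not code from the thread or from Bitnami, the following variant keeps the same paths and domains but restores Apache on any exit, refuses to run while ports 80/443 are still bound, and compares the certificate lego wrote with the one Apache actually loads, which is the mismatch behind "lego says 89 days, browser says 19 days". The lego output path (LEGO_CERT) is an assumption.

```shell
#!/bin/bash
# Added example (not from the thread or from Bitnami): a hardened take on the
# /etc/lego/renew-certificate.sh script above. Paths and domains are those quoted
# in the thread; LEGO_CERT is an assumption about where lego keeps its own copy.
set -u
LEGO_PATH="/opt/bitnami/letsencrypt"
CTL="/opt/bitnami/ctlscript.sh"
LEGO_CERT="${LEGO_PATH}/certificates/easycookasia.de.crt"   # assumed lego output
APACHE_CERT="/opt/bitnami/apache2/conf/easycookasia.de.crt"  # file Apache loads

# Whole days until the certificate in $1 expires (negative once it has expired).
days_until_expiry() {
    local end end_epoch now_epoch
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 1
    end_epoch=$(date -u -d "$end" +%s) || return 1
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# SHA-256 fingerprint of the certificate in $1: two files with different
# fingerprints are different certificates, whatever their names suggest.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True when something still listens on TCP port $1. lego 1.x needs 80 and 443
# free, otherwise it fails with "address already in use" as in the log above.
port_in_use() {
    ss -Hltn 2>/dev/null | awk '{print $4}' | grep -qE "[:.]$1\$"
}

renew_certificate() {
    trap '"$CTL" start apache' EXIT   # bring Apache back even if lego fails
    "$CTL" stop apache
    if port_in_use 80 || port_in_use 443; then
        echo "ports 80/443 still in use after stopping Apache" >&2
        return 1
    fi
    "${LEGO_PATH}/lego" --path="$LEGO_PATH" --email="hello@easycookasia.de" \
        --domains=easycookasia.de --domains=www.easycookasia.de renew || return 1
    # The browser shows whatever Apache loaded, so compare the two copies.
    if [ "$(cert_fingerprint "$LEGO_CERT")" != "$(cert_fingerprint "$APACHE_CERT")" ]; then
        echo "Apache certificate ($(days_until_expiry "$APACHE_CERT") days left) differs" \
             "from lego's ($(days_until_expiry "$LEGO_CERT") days left): old file still loaded" >&2
        return 2
    fi
}
# Run the renewal only on the Bitnami host itself (where ctlscript.sh exists).
[ -x "$CTL" ] && renew_certificate
```

Running it by hand prints the two expiry dates whenever they diverge, which is the check that would have answered the original question before any cron job was touched.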

Hey @jota
Thank you very much for the help!
The script works perfectly and the certificate has been renewed.

I have another question:
In the future, if I want to renew the certificate, is it correct that I only have to use this command line?
sudo /etc/lego/renew-certificate.sh

Thank you again!

Hi @cherngen_yang,

Yes, you can run the script to renew the certificates from now on but that won’t be necessary if you configured the cron job as I mentioned earlier.
