Certificate is expired but not renewed

letsencrypt
ncp
#1

Hello, I have a problem with my NextcloudPi instance.
My letsencrypt certificate has expired (as shown by my web browser) and is not automatically renewed.
I tried to use ncp-config to manually get a new certificate, but the output is

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
System config value trusted_domains => 4 set to string MY_WEBADRESS_XXXXXX
System config value overwrite.cli.url set to string https://MY_WEBADRESS_XXXXXX

The output of /var/log/letsencrypt/letsencrypt.log is:

2019-03-21 20:23:54,678:DEBUG:certbot.main:certbot version: 0.32.0
2019-03-21 20:23:54,679:DEBUG:certbot.main:Arguments: ['-n', '--no-self-upgrade', '--webroot', '-w', '/var/www/nextcloud', '--hsts', '--agree-tos', '-m', 'MY_EMAIL_XXXXXXX', '-d', 'MY_WEBADRESS_XXXXXX']
2019-03-21 20:23:54,679:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-21 20:23:54,741:DEBUG:certbot.log:Root logging level set at 20
2019-03-21 20:23:54,743:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-03-21 20:23:54,744:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-03-21 20:23:54,760:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0xb5b5db30>
Prep: True
2019-03-21 20:23:54,762:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0xb5b5db30> and installer None
2019-03-21 20:23:54,762:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-03-21 20:23:54,772:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/52792675', new_authzr_uri=None, terms_of_service=None), fd6b2d2242fc0118cd16be53307c8686, Meta(creation_host=u'nextcloudpi', creation_dt=datetime.datetime(2019, 3, 6, 19, 59, 57, tzinfo=<UTC>)))>
2019-03-21 20:23:54,775:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-03-21 20:23:54,779:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2019-03-21 20:23:55,570:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2019-03-21 20:23:55,572:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 21 Mar 2019 20:23:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 21 Mar 2019 20:23:55 GMT
Connection: keep-alive

{
  "aM8P1gz_H18": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-03-21 20:23:55,577:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/WEBADDRESS_XXXXXXXXXXXX is broken. Skipping.
2019-03-21 20:23:55,578:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/cert_manager.py", line 383, in _search_lineages
    candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 444, in __init__
    "file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference

2019-03-21 20:23:55,592:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-21 20:23:55,592:INFO:certbot.main:Keeping the existing certificate

nc-info gives me

Running nc-info
Gathering information...
NextCloudPi version  v1.10.4
NextCloudPi image    NextCloudPi_09-29-18
distribution         Debian GNU/Linux 9 \n \l
automount            yes
USB devices          sda
datadir              /media/myCloudDrive/ncdata
data in SD           no
data filesystem      btrfs
data disk usage      195G/1.9T
rootfs usage         5.1G/29G
swapfile             /var/swap
dbdir                /var/lib/mysql
Nextcloud check      ok
Nextcloud version    15.0.5.3
HTTPD service        up
PHP service          up
MariaDB service      up
Redis service        up
Postfix service      up
internet check       ok
port check 80        open
port check 443       open
IP                   192.168.178.46
gateway              192.168.178.1
interface            XXXXXXXXXXX
certificates         MY_WEBADDRESS_XXXXX
NAT loopback         no
uptime               1day

Any ideas?

#2

Looks like a config issue with your config. File corrupted, or perhaps error in config or access issue.
Hard to know from a distance. Looks very specific to lets encrypt setup. Perhaps best to reach out on lets encrypt forums.

#3

Currently experiencing the same issue. My cert just expired not 40 minutes ago, but I can't seem to update it.

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

recurver

#4

I was digging around a little more. It looks like I have two certificates, but I think I should have only one.

ls /etc/letsencrypt/live gives me

WEB_ADDRESS  WEB_ADDRESS-0001  README

So there seem to be two certificates for my web_address, one of which ends with “-0001”, no idea what that means.

sudo ./certbot-auto certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/WEB_ADDRESS.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: WEB_ADDRESS.eu-0001
    Domains: WEB_ADDRESS
    Expiry Date: 2019-06-04 19:02:09+00:00 (VALID: 70 days)
    Certificate Path: /etc/letsencrypt/live/WEB_ADDRESS-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/WEB_ADDRESS-0001/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/WEB_ADDRESS.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Is it possible that one certificate is used by nextcloud which is expired (and which seems to be corrupt) and the other one is ok but is not used and not yet up for renewal?

#5

Also having this issue. I know there was a similar (though I’m guessing not the same) issue earlier last year. I’ll see if I can summon up Nacho to see if he’s heard of this yet.

For what it’s worth I’m getting the exact same text:

and am using the curl install script on debian off a random low power machine. Not using the docker, pre-made image, or new VM.

#6

@nachoparker This is exacerbated by HSTS being turned on, we cannot manually accept the certificate if we wanted to. Is this something that could perhaps be added to the ncp web panel? I understand it is a great security feature, but when we don’t have an option to manage certificates ourselves it can become an issue.

Alternatively if there was something to manage certificates, that would be neat. If you use cloudflare for DNS they’ll just hand you free SSL certificates, so if I could upload my own wildcard I’d really like that.

#7

Looks like we are on to something. Why is this invalid? Did you check the contents? Did you google this?

Let’s see if we can understand how this happened and fix it / detect it.

#8

Hola!
I had the same problem. My News app started complaining about the certificate and when I went to my website I got the following message:

# Your connection is not private

Attackers might be trying to steal your information from **mycoolsite.org** (for example,
passwords, messages, or credit cards). [Learn more](chrome-error://chromewebdata/#)

NET::ERR_CERT_DATE_INVALID


mycoolsite.org normally uses encryption to protect your information. When Chromium tried to 
connect to mycoolsite.org this time, the website sent back unusual and incorrect credentials. 
This may happen when an attacker is trying to pretend to be mycoolsite.org, or a Wi-Fi sign-in 
screen has interrupted the connection. Your information is still secure because Chromium 
stopped the connection before any data was exchanged.

You cannot visit mycoolsite.org right now because the website uses HSTS. Network errors and 
attacks are usually temporary, so this page will probably work later.

I remembered that the certificate automatically got updated (successfully) not that long ago (I think when I did an update of the whole NCP system).
But I thought I just try it again via ncp-config and got the following:

Running letsencrypt
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not yet due for renewal
Keeping the existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
mkdir: cannot create directory '/etc/letsencrypt/renewal-hooks/deploy/ncp': File exists
System config value trusted_domains => 4 set to string mycoolsite.org
System config value overwrite.cli.url set to string https://mycoolsite.org/
Done. Press any key...

Then, after reading this thread and a few other things on the net, I first made a copy of the /etc/letsencrypt folder and then tried a few things.
What finally got it working for me was to copy the .pem files from the mycoolsite.org-0001 folder to the mycoolsite.org one:

root@nextcloudpi:/etc/letsencrypt/archive/mycoolsite.org# mkdir old_pems
root@nextcloudpi:/etc/letsencrypt/archive/mycoolsite.org# mv *pem old_pems/
root@nextcloudpi:/etc/letsencrypt/archive/mycoolsite.org# cp ../mycoolsite.org-0001/* .

This is obviously just a quick-and-dirty hack and doesn’t fix whatever caused this issue.

#9

Probably removing (renaming) mycoolsite and then renaming/moving mycoolsite.001 to mycoolsite would have been better, to account for that mysterious broken config file.

#10

OK, I did that.
Do you know yet what caused this?
Is the site-0001 folder supposed to be there, or is that part of the problem?

#11

I am not sure because it didn’t happen to me, but it looks to me like there is a bad config file (see above in the thread) and letsencrypt reacts by starting over in a new folder ending in 001.

Why the bad config? I can’t guess without somebody sharing it.

#12

What config are we talking about? The one in the renewal folder?
Let me know what you need to see to figure this out and I am happy to post it here.

#13

@marcelicious see above

thanks!

#14

The config for the original site seems to be empty. Here’s the output of the 0001 config file:

root@nextcloudpi:/etc/letsencrypt/renewal# ll
total 4.0K
-rw-r--r-- 1 root root 635 Mar 26 18:10 mycoolsite.org-0001.conf
-rw-r--r-- 1 root root   0 Mar 26 18:10 mycoolsite.org.conf
root@nextcloudpi:/etc/letsencrypt/renewal# cat mycoolsite.org-0001.conf 
# renew_before_expiry = 30 days
version = 0.30.2
archive_dir = /etc/letsencrypt/archive/mycoolsite.org-0001
cert = /etc/letsencrypt/live/mycoolsite.org-0001/cert.pem
privkey = /etc/letsencrypt/live/mycoolsite.org-0001/privkey.pem
chain = /etc/letsencrypt/live/mycoolsite.org-0001/chain.pem
fullchain = /etc/letsencrypt/live/mycoolsite.org-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 9pSOMEHASH8y
webroot_path = /var/www/nextcloud,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
mycoolsite.org = /var/www/nextcloud
root@nextcloudpi:/etc/letsencrypt/renewal#

Is the problem that the config for the original site is empty?
Would it help if I copy the lines from the 0001 site config over (minus the -0001)?

Let me know if you need anything else.

#15

I have checked the *.conf files.
The file /etc/letsencrypt/renewal/WEB_ADDRESS.conf is completely empty.

The file /etc/letsencrypt/renewal/WEB_ADDRESS-0001.conf contains

# renew_before_expiry = 30 days
version = 0.30.2
archive_dir = /etc/letsencrypt/archive/WEB_ADDRESS-0001
cert = /etc/letsencrypt/live/WEB_ADDRESS-0001/cert.pem
privkey = /etc/letsencrypt/live/WEB_ADDRESS-0001/privkey.pem
chain = /etc/letsencrypt/live/WEB_ADDRESS-0001/chain.pem
fullchain = /etc/letsencrypt/live/WEB_ADDRESS-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = somethingSomethingSomething
webroot_path = /var/www/nextcloud,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
WEB_ADDRESS = /var/www/nextcloud
#16

This likely fixes the issue: NCP: problem obtaining letsencrypt certificate

Basically a reinstall. It won’t fix the root cause whatever that may be or have been.
Not a real solution, but may get you going for another while.

#17

Thank you @RdedR

1. Approach:

Unfortunately I could not delete /etc/letsencrypt/* (as suggested in the answer) because the certbot-auto program is also in there and no certbot is otherwise installed.

2. Approach:

I then tried to remove the certificates by removing the contents of letsencrypt/live and letsencrypt/renewal and renaming the letsencrypt/archive folder. Then I used ncp-config to get new certificates, which seemed to work. New certificates were installed in the letsencrypt/live and letsencrypt/renewal folders, but again two certificates: one named WEB_ADDRESS and one named WEB_ADDRESS-0001.
I also encountered various other problems after that, like the HTTPD service being down and my ports 80 and 443 being reported closed (even though they are open).

Needless to say I reversed all the actions and I’m back at the original problem from my first post.

#18

ok, so the issue is that there is an empty cfg file.

Does anybody have an idea of what could have caused this? Maybe there’s a clue in /var/log/letsencrypt.

Everybody here has something in common that happened to them and caused this; can anybody think of a reason or a clue?
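A check for the condition diagnosed above (a zero-byte or incomplete renewal conf next to a `-0001` restart of the same lineage), written as an added example for this thread; it is not NCP or certbot code. The parser is a minimal stand-in for certbot's configobj reader, and `truncated.example.conf` is a hypothetical sample added alongside the two confs posted in the thread.

```python
import re

# Keys certbot requires in a renewal conf; lacking any of them, it logs "missing a required file reference" and skips the lineage.
REQUIRED = ("archive_dir", "cert", "privkey", "chain", "fullchain")
# certbot names a second lineage for an already-taken name <name>-0001, -0002, ...
SUFFIX = re.compile(r"^(?P<base>.+)-\d{4}$")

def parse_renewal_conf(text):
    """Minimal stand-in for certbot's configobj reader: returns (top-level keys, webroot_map)."""
    top, webroot_map, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                  # [renewalparams] or [[webroot_map]]
            section = line.strip("[]")
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if section is None:
                top[key] = value
            elif section == "webroot_map":
                webroot_map[key] = value
    return top, webroot_map

def audit(confs):
    """confs: {conf filename: contents}. Returns [(subject, problem), ...]."""
    findings, by_base = [], {}
    for fname, text in sorted(confs.items()):
        name = fname[:-len(".conf")]
        m = SUFFIX.match(name)
        by_base.setdefault(m.group("base") if m else name, []).append(name)
        if not text.strip():                      # the zero-byte conf seen in this thread
            findings.append((fname, "empty renewal config; certbot skips this lineage"))
            continue
        top, _ = parse_renewal_conf(text)
        missing = [k for k in REQUIRED if k not in top]
        if missing:
            findings.append((fname, "missing required file reference(s): " + ", ".join(missing)))
    for base, names in by_base.items():
        if len(names) > 1:                        # the old lineage plus its -0001 restart
            findings.append((base, "duplicate lineages for one name: " + ", ".join(sorted(names))))
    return findings

# Constructed sample: the empty conf and the (abridged) -0001 conf posted in the thread,
# plus a hypothetical truncated conf that lost three of its file references.
SAMPLE_CONFS = {
    "mycoolsite.org.conf": "",
    "mycoolsite.org-0001.conf": """# renew_before_expiry = 30 days
archive_dir = /etc/letsencrypt/archive/mycoolsite.org-0001
cert = /etc/letsencrypt/live/mycoolsite.org-0001/cert.pem
privkey = /etc/letsencrypt/live/mycoolsite.org-0001/privkey.pem
chain = /etc/letsencrypt/live/mycoolsite.org-0001/chain.pem
fullchain = /etc/letsencrypt/live/mycoolsite.org-0001/fullchain.pem
[renewalparams]
[[webroot_map]]
mycoolsite.org = /var/www/nextcloud
""",
    "truncated.example.conf": "archive_dir = /etc/letsencrypt/archive/x\ncert = /etc/letsencrypt/live/x/cert.pem\n",
}
```

Pointing `audit()` at the real contents of /etc/letsencrypt/renewal reproduces the log's "broken, skipping" decision before the cron renewal silently leaves the served certificate to expire.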

#19

Hello!

Nothing really new in the /var/log/letsencrypt/letsencrypt.log file.

It simply says that the /etc/letsencrypt/renewal/nc.net.conf is broken and:

CertStorageError: renewal config file {} is missing a required file reference

Complete log content:

2019-03-27 21:14:27,044:DEBUG:certbot.main:certbot version: 0.32.0
2019-03-27 21:14:27,048:DEBUG:certbot.main:Arguments: ['-n', '--no-self-upgrade', '--webroot', '-w', '/var/www/nextcloud', '--hsts', '--agree-tos', '-m', 'me@mine.org', '-d', 'nc.ddns.net']
2019-03-27 21:14:27,048:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-27 21:14:27,153:DEBUG:certbot.log:Root logging level set at 20
2019-03-27 21:14:27,157:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-03-27 21:14:27,160:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-03-27 21:14:27,189:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x75c6eb10>
Prep: True
2019-03-27 21:14:27,193:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x75c6eb10> and installer None
2019-03-27 21:14:27,193:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-03-27 21:14:27,216:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v0$
2019-03-27 21:14:27,221:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-03-27 21:14:27,230:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2019-03-27 21:14:27,659:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2019-03-27 21:14:27,662:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 27 Mar 2019 20:14:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 27 Mar 2019 20:14:27 GMT
Connection: keep-alive

{
  "WK0mIkDPqcw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-03-27 21:14:27,677:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/nc.net.conf is broken. Skipping.
2019-03-27 21:14:27,684:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/cert_manager.py", line 383, in _search_lineages
    candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 444, in __init__
    "file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference

2019-03-27 21:14:27,711:INFO:certbot.renewal:Cert not yet due for renewal
2019-03-27 21:14:27,712:INFO:certbot.main:Keeping the existing certificate

Yours
SMichel

#20

Some months ago I installed a new NCP instance on a new SD card and then used the ncp restore function. I do not remember if I had to get a new certificate.

Does anyone else here have that history and got that problem afterwards?