Letsencrypt script creates another certificate instead of renewal

there is a strange behavior of letsencrypt script. I guess this is no bug, but maybe some config issue:

Using a working installation of ODroid-NAS/NCP V1.13.1/NC letsencrypt certificate.
Have to use dual stack (IPv4/IPv6) for other usecases.
In this config the letsencrypt script fails with timeout (maybe IPv6 problem).

So I switch to IPv4 ONLY in my router and do manual certificate renewal with script from web interface.
Then script say “success”, but certificate has still old expiration date.
(Dual stack is then switched on again.)

Looking into the content of “/etc/letsencrypt/live/” shows:
/etc/letsencrypt/live/domain.myfritz.net (contains almost expired certificate)
/etc/letsencrypt/live/domain.myfritz.net-0001 (contains new certificate)

Replacing the old and almost expired certificate with the new ones from “-0001”-folder. After restart, the new certificate is used.
Before the new certificate is outdated, I repeat this procedure, of course.

So next time content of “/etc/letsencrypt/live/” increases again:
(…and so on and on)

Question: Do someone know the root cause or how to fix this?

Hint: This is the log from successful certificate renewal. Is the outdated cerbot the problem?

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Attempting to parse the version 0.33.1 renewal configuration file found at /etc/letsencrypt/renewal/domain.myfritz.net-0001.conf with version 0.28.0 of Certbot. This might not work.
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.myfritz.net
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp

  • Congratulations! Your certificate and chain have been saved at:
    Your key file has been saved at:
    Your cert will expire on 2019-09-02. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
  • If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

System config value trusted_domains => 4 set to string domain.myfritz.net
System config value overwrite.cli.url set to string https://domain.myfritz.net/

Similar has been reported before, and was resolved by renaming /etc/letsencrypt:

/live to /live_old
/archive to /archive_old
/renewal to /renewal_old

and running letsencrypt again.

1 Like

Thank you - this works - even when dual stack is activated.

1 Like

Hey guys, one more conlusion/solution to this topic:

For weeks now it was reproducible that the dual stack is root cause.
How to do it right:

  1. Disable IPv4/6 dual stack
  2. WAIT until modem/router has reconnected… :slight_smile:
  3. login to NCP admin
  4. start letsencrypt script and wait until finished.
  5. reactivate dual stack.

If you did this without disabling IPv6, then use OliverV’s solution and next time my way.