Let's Encrypt Certbot did NOT Renew Cert as Expected - HELP!

Tessando (IT Administrator) asked (Last Modified: 2020-05-13):
I am running AWS Linux and have Let's Encrypt installed. The Certificate for my site expired overnight and I am unable to figure out how to renew it.

When I checked the CronTab, it shows the renewal, but I don't see Certbot running as an active service. Should I be seeing that? When I check services (e.g. "service certbot status") I get "certbot: unrecognized service".

What the heck is going on here?

Also, I went to attempt to check out the log files at "/var/log" and they seem to be locked down as tight as the Pentagon, as even a SUDO command in the line gives me "command not found".

Please help me get this up and running. It's important I get this handled today.

David Favor (Fractional CTO, Certified Expert) commented:
Note: You must be logged in as root to do any of this. Try this to start a root shell...

sudo bash


If your cert expired, then you'll have to generate a new one, so renew won't work.

Try something like this...

certbot certonly --dry-run -m $email --agree-tos --rsa-key-size 4096 --webroot -w /your-site-docroot -d $site.com,www.$site


Once you get this working, then just remove the --dry-run option.

Big Note: Always, always, always, use --dry-run first.

If you run a command repeatedly getting failures, you'll eventually exceed your hourly command limit, then LetsEncrypt will rate limit (block) commands for an hour.

Use --dry-run till you have a successful run, then remove --dry-run

Tip: If you have some permission problem, disable your site + run against /var/www/html or whatever your Webserver default directory might be for your install. This works around some oddball problem (I've never figured out) where an incorrect permission problem is reported from certbot sometimes.
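The dry-run-first rule above, as an added example that is not part of David Favor's post or of the certbot project: a small wrapper that refuses to issue for real until a `--dry-run` of the same command has passed. `--dry-run` talks to the Let's Encrypt staging environment, so repeated failures there do not count against the production rate limits; the gate works identically for `certonly` and for `renew`, which also accepts `--dry-run`. `$CERTBOT`, the e-mail address, domains and docroot in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread or the certbot project.
# Assumption: CERTBOT points at whatever certbot you actually have, e.g.
#   CERTBOT=./certbot-auto   (run from the directory it was downloaded to)
#   CERTBOT=/usr/bin/certbot (distribution package)
CERTBOT=${CERTBOT:-certbot}

# certbot_gated ARGS...
# Runs "$CERTBOT ARGS --dry-run" first. --dry-run uses the Let's Encrypt
# staging environment, so a failing dry run does not consume production rate
# limits. Only if the dry run passes is the same command run for real.
# Returns 2 (without touching production) if the dry run fails, otherwise the
# exit status of the real run.
certbot_gated() {
    echo "dry run: $CERTBOT $* --dry-run" >&2
    if ! "$CERTBOT" "$@" --dry-run; then
        echo "dry run failed: fix the reported error before retrying" >&2
        return 2
    fi
    echo "dry run passed, running for real: $CERTBOT $*" >&2
    "$CERTBOT" "$@"
}

# cert_expires_within PEM DAYS
# Returns 0 if the certificate in PEM expires within DAYS (or cannot be read,
# which is treated as "needs attention"), 1 if it is good for longer than that.
# Useful as a pre-check in cron so the API is only contacted when needed.
cert_expires_within() {
    ! openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))"
}

# Stand-alone usage (e-mail, docroot and domains are placeholders):
#   sh certbot_gated.sh certonly -m admin@example.com --agree-tos \
#       --rsa-key-size 4096 --webroot -w /var/www/html \
#       -d example.com,www.example.com
if [ $# -gt 0 ]; then
    certbot_gated "$@"
fi
```

Pair it with the expiry check in cron, e.g. run the gated `renew` only when `cert_expires_within /etc/letsencrypt/live/site.com/fullchain.pem 30` succeeds, and the job stays quiet for the other eighty-odd days of a certificate's life.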
Tessando (IT Administrator, Author) commented:
Thank you, David. When I run the command you mentioned as root I get " bash: certbot: command not found".

I get the same result when I replace "Certbot" with "LetsEncrypt".

(From now on out, I'm running on the Server as Root. Thank you for that reminder).

I then wanted to see if Certbot was even running and when I run "service certbot status" it says " certbot: unrecognized service".

I did no changes to this site but have sent along a screenshot from Firefox showing that it was literally overnight that this expired.

It's important to note too that the Cron Job is present:

[root@ip-10-0-0-10 letsencrypt]# crontab -l
39      1,13    *       *       *       root    certbot renew --no-self-upgrade

When I look at the logfiles located at "/var/log/letsencrypt" I see only until 2020-02-10, which may have been the last time I did something with Let's Encrypt.

At the bottom of the log file these instructions are present:

/etc/letsencrypt/live/site.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/site.com/privkey.pem
Your cert will expire on 2020-05-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew".

When I run "cerbot-auto renew" I get the same as before "command not found".

Hopefully this will provide a clue as how to fix this. Thanks again for your help!

~~~~~~~~~~~~~~~

Tessando (IT Administrator, Author) commented:
BTW - "certbot-auto" is showing in the root directory at the top of the hierarchy. This must have been where I installed it. Is there a way to start this service again? I tried all the typical commands and I'm still getting "certbot not recognized". This is pretty strange.

Kenfcamp (Certified Expert) commented:
Thank you, David. When I run the command you mentioned as root I get " bash: certbot: command not found".

Try using the full file path for certbot  
/usr/bin/certbot


If certbot isn't located in "/usr/bin/" you can try running whereis certbot or locate certbot to find where it is
Tessando (IT Administrator, Author) commented:
Thank you, Kenfcamp - I'm getting the same results when I replace the full path:

bash: /usr/bin/certbot: No such file or directory
Tessando (IT Administrator, Author) commented:
I found that there are two installations of Certbot. One at the Root (as shown in the screenshot above) and one located at:

/home/ec2-user

I did drudge up these directions [1] which are pretty much exactly what I did, with the exception of downloading v2 as opposed to v1 (per this URL: https://acme-v02.api.letsencrypt.org/directory)

Could having two installations be damaging? I'm leery to change any config files because this worked flawlessly until this first renewal cycle. Does it make sense for me to install again, since all configs are setup and running?

[1] https://medium.com/@mohan08p/install-and-renew-lets-encrypt-ssl-on-amazon-ami-6d3e0a61693
noci (Software Engineer, Certified Expert) commented:
The crontab entry probably never worked correctly. You may need to look into that as well (the "root" probably should not be there...).
What is this certbot-auto:
ls -l certbot-auto
file certbot-auto

From that directory try ./certbot-auto renew, if it is the original script.
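What noci's point about the crontab entry looks like in practice, as an added example that is not noci's code: a per-user crontab (what `crontab -l` prints) has five time fields followed directly by the command, while `/etc/crontab` and `/etc/cron.d/*` carry a user field in between. For the line posted above, cron therefore takes `root` as the command and `certbot renew --no-self-upgrade` as its arguments. The lint also flags a command that is not an absolute path, because cron runs with a minimal PATH (typically `/usr/bin:/bin`), so a `certbot-auto` sitting in `/root` or `/home/ec2-user` is never found that way. The `id`-based user-name check is a heuristic of mine, and `/root/certbot-auto` in the corrected sample is an assumed location.

```shell
#!/bin/sh
# Added example, not from noci's post: show what cron would actually execute
# for a crontab line, and flag the two classic mistakes.
#   per-user crontab (crontab -e / crontab -l):  m h dom mon dow COMMAND
#   /etc/crontab and /etc/cron.d/*:             m h dom mon dow USER COMMAND
# A "root" field in a per-user crontab is therefore the command, and cron
# tries to run a program named root every time the job fires.

# cron_command_of LINE KIND   (KIND = user | system)
# Prints the command cron would run for LINE. Returns 2 if unparseable.
cron_command_of() {
    _kind=$2
    set -f                 # keep "*" in the time fields from glob-expanding
    set -- $1
    set +f
    case $_kind in
        user)   _skip=5 ;;
        system) _skip=6 ;;
        *)      echo "unknown crontab kind: $_kind" >&2; return 2 ;;
    esac
    if [ $# -le "$_skip" ]; then
        echo "line has no command after $_skip fields" >&2
        return 2
    fi
    shift "$_skip"
    printf '%s\n' "$*"
}

# cron_lint LINE KIND
# 0: looks sane.
# 1: per-user crontab whose command word is a user name (the line was written
#    in /etc/cron.d format; drop the user field or move it to /etc/cron.d).
# 3: the command is not an absolute path; cron's PATH is normally just
#    /usr/bin:/bin, so "certbot" or "./certbot-auto" is not found.
# 2: could not parse.
cron_lint() {
    _cmd=$(cron_command_of "$1" "$2") || return 2
    _word=${_cmd%% *}
    # Heuristic (assumption): a command word that "id" recognises as an
    # account is almost certainly a misplaced USER field.
    if [ "$2" = user ] && id "$_word" >/dev/null 2>&1; then
        echo "'$_word' is a user name: cron will execute '$_word', not '${_cmd#* }'" >&2
        return 1
    fi
    case $_word in
        /*) return 0 ;;
        *)  echo "'$_word' is not an absolute path; cron's PATH is minimal" >&2; return 3 ;;
    esac
}

# Constructed sample: the entry from the question as "crontab -l" printed it,
# and the same job written for a per-user crontab. /root/certbot-auto is an
# assumed location; use wherever your certbot-auto actually lives.
SAMPLE='39      1,13    *       *       *       root    certbot renew --no-self-upgrade'
FIXED='39 1,13 * * * /root/certbot-auto renew --no-self-upgrade'

for _k in user system; do
    printf '%s crontab would run: %s\n' "$_k" "$(cron_command_of "$SAMPLE" "$_k")"
done
cron_lint "$SAMPLE" user || echo "SAMPLE rejected as a per-user entry, status $?"
cron_lint "$FIXED" user && echo "FIXED accepted"
```

Run it as-is to see both readings of the posted line, or source it and feed `cron_lint` each line of `crontab -l` with kind `user` and each line of `/etc/cron.d/*` with kind `system`. With the certificate's own log showing the last run in February and a job that has silently failed twice a day since, this is the first check worth making before reinstalling anything.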
Tessando (IT Administrator, Author) commented:
I am consistently getting the following error and after doing some Google-Fu it appears to be related to AWS Linux specifically (although I will say that all CentOS commands are working as expected).

Does this give any clues or ring any bells for anyone:

Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt: 
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 11, in <module>
    import zope.component
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 23, in <module>
    from zope.component.interfaces import IComponentArchitecture
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/interfaces.py", line 21, in <module>
    import zope.deferredimport
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/deferredimport/__init__.py", line 1, in <module>
    from zope.deferredimport.deferredmodule import initialize
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/deferredimport/deferredmodule.py", line 18, in <module>
    import zope.proxy
ImportError: No module named proxy
I have tried like all heck today to upgrade Python to a different version, specifically Python-3.7.4 - which is on this system but can't seem to "upgrade". I just don't know enough about Python to upgrade properly and the links I'm finding are all failing me.
Tessando (IT Administrator, Author) commented:
Thank you all for your participation and contribution. I found many articles stating that AWS and LE don't play nicely together... and even after a botched upgrade to Python (which was only installed for LE) I went ahead and cried "uncle", going out to purchase an SSL. Thanks for your help. Perhaps when they get more configurable together I will revisit using LE.

David Favor (Fractional CTO, Certified Expert) commented:
Tip: Best way to get certbot to work, is to install the latest version yourself.
Tessando (IT Administrator, Author) commented:
Thanks for your fast and clear responses, guys! I appreciate your expertise and will keep coming back.
David Favor (Fractional CTO, Certified Expert) commented:
You're welcome!