Tessando
Let's Encrypt Certbot did NOT Renew Cert as Expected - HELP!
I am running AWS Linux and have Let's Encrypt installed. The Certificate for my site expired overnight and I am unable to figure out how to renew it.
When I checked the CronTab, it shows the renewal, but I don't see Certbot running as an active service. Should I be seeing that? When I check services (e.g. "service certbot status") I get "certbot: unrecognized service".
What the heck is going on here?
Also, I went to attempt to check out the log files at "/var/log" and they seem to be locked down as tight as the Pentagon, as even a SUDO command in the line gives me "command not found".
Please help me get this up and running. It's important I get this handled today.
ASKER
Thank you, David. When I run the command you mentioned as root I get "bash: certbot: command not found".
I get the same result when I replace "Certbot" with "LetsEncrypt".
(From now on out, I'm running on the Server as Root. Thank you for that reminder).
I then wanted to see if Certbot was even running and when I run "service certbot status" it says "certbot: unrecognized service".
I did no changes to this site but have sent along a screenshot from Firefox showing that it was literally overnight that this expired.
It's important to note too that the Cron Job is present:
[root@ip-10-0-0-10 letsencrypt]# crontab -l
39 1,13 * * * root certbot renew --no-self-upgrade
When I look at the logfiles located at "/var/log/letsencrypt" I see only until 2020-02-10, which may have been the last time I did something with Let's Encrypt.
At the bottom of the log file these instructions are present:
/etc/letsencrypt/live/site.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/site.com/privkey.pem
Your cert will expire on 2020-05-10. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew".
When I run "cerbot-auto renew" I get the same as before "command not found".
Hopefully this will provide a clue as to how to fix this. Thanks again for your help!
~~~~~~~~~~~~~~~
Try using the full file path for certbot
/usr/bin/certbot
If certbot isn't located in "/usr/bin/" you can try running "whereis certbot" or "locate certbot" to find where it is.
ASKER
Thank you, Kenfcamp - I'm getting the same results when I replace the full path:
bash: /usr/bin/certbot: No such file or directory
ASKER
I found that there are two installations of Certbot. One at the Root (as shown in the screenshot above) and one located at:
/home/ec2-user
I did dredge up these directions [1] which are pretty much exactly what I did, with the exception of downloading v2 as opposed to v1 (per this URL: https://acme-v02.api.letsencrypt.org/directory)
Could having two installations be damaging? I'm leery to change any config files because this worked flawlessly until this first renewal cycle. Does it make sense for me to install again, since all configs are set up and running?
[1] https://medium.com/@mohan08p/install-and-renew-lets-encrypt-ssl-on-amazon-ami-6d3e0a61693
The crontab entry probably never worked correctly. You may need to look into that as well (the "root" probably should not be there...).
What is this certbot-auto:
ls -l certbot-auto
file certbot-auto
From that directory, try "./certbot-auto renew" if it is the original script.
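The crontab point raised in the answer above, as an added example that is not part of the original thread: in the per-user format printed by "crontab -l", the sixth field is already the command, so a leading "root" is run as the program name and the job fails on every run. The function names, the CRON_PATH default of /usr/bin:/bin and the sample input are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: lint lines from a per-user crontab (what `crontab -l` prints).
#   per-user format: min hour dom mon dow command...
#   system format:   min hour dom mon dow USER command...  (/etc/crontab, /etc/cron.d/*)
# Assumption: cron searches /usr/bin:/bin unless the crontab sets PATH itself.
CRON_PATH=${CRON_PATH:-/usr/bin:/bin}

# resolve_in CMD PATHLIST: succeed if CMD is an executable file cron could start.
resolve_in() {
    case $1 in */*) [ -f "$1" ] && [ -x "$1" ]; return ;; esac
    _ifs=$IFS; IFS=:
    for _dir in $2; do
        if [ -f "$_dir/$1" ] && [ -x "$_dir/$1" ]; then IFS=$_ifs; return 0; fi
    done
    IFS=$_ifs; return 1
}

# check_cron_line LINE: 0 = fine or not a job, 1 = command does not resolve,
# 2 = first command word is an account name (system syntax in a user crontab).
check_cron_line() {
    case $1 in ''|'#'*|[A-Za-z_]*=*) return 0 ;; esac  # blank, comment, VAR=value
    set -f; set -- $1; set +f        # split fields without globbing the '*'s
    case $1 in
        @*) [ $# -ge 2 ] || { echo "no command"; return 1; }; cmd=$2 ;;
        *)  [ $# -ge 6 ] || { echo "fewer than 6 fields"; return 1; }; cmd=$6 ;;
    esac
    resolve_in "$cmd" "$CRON_PATH" && return 0
    if [ "$cmd" = root ] || id -u "$cmd" >/dev/null 2>&1; then
        echo "'$cmd' is an account name, so cron runs it as the command"
        return 2
    fi
    echo "'$cmd' does not resolve to an executable (cron PATH: $CRON_PATH)"
    return 1
}

# lint_crontab: read crontab text on stdin, print findings, return 1 if any.
lint_crontab() {
    bad=0
    while IFS= read -r line; do
        msg=$(check_cron_line "$line") || { bad=1; printf '%s\n  -> %s\n' "$line" "$msg"; }
    done
    return "$bad"
}

# Constructed input: the entry quoted in the thread, then the same job
# without the user field and with the full path suggested in the thread.
lint_crontab <<'EOF' || true
39 1,13 * * * root certbot renew --no-self-upgrade
39 1,13 * * * /usr/bin/certbot renew --no-self-upgrade
EOF
```

On a live host, feed it the real table with "crontab -l | lint_crontab"; a finding on the renewal line means the job has not been renewing anything, whatever the crontab appears to say.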
ASKER
I am consistently getting the following error and after doing some Google-Fu it appears to be related to AWS Linux specifically (although I will say that all CentOS commands are working as expected).
Does this give any clues or ring any bells for anyone:
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 2, in <module>
from certbot._internal import main as internal_main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/_internal/main.py", line 11, in <module>
import zope.component
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/__init__.py", line 23, in <module>
from zope.component.interfaces import IComponentArchitecture
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/component/interfaces.py", line 21, in <module>
import zope.deferredimport
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/deferredimport/__init__.py", line 1, in <module>
from zope.deferredimport.deferredmodule import initialize
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/zope/deferredimport/deferredmodule.py", line 18, in <module>
import zope.proxy
ImportError: No module named proxy
I have tried like all heck today to upgrade Python to a different version, specifically Python-3.7.4 - which is on this system but can't seem to "upgrade". I just don't know enough about Python to upgrade properly and the links I'm finding are all failing me.
ASKER CERTIFIED SOLUTION
Tip: Best way to get certbot to work, is to install the latest version yourself.
ASKER
Thanks for your fast and clear responses, guys! I appreciate your expertise and will keep coming back.
You're welcome!
If your cert expired, then you'll have to generate a new one, so renew won't work. Try something like this...
Once you get this working, then just remove the --dry-run option.
Big Note: Always, always, always, use --dry-run first.
If you run a command repeatedly getting failures, you'll eventually exceed your hourly command limit, then LetsEncrypt will rate limit (block) commands for an hour.
Use --dry-run till you have a successful run, then remove --dry-run
Tip: If you have some permission problem, disable your site + run against /var/www/html or whatever your Webserver default directory might be for your install. This works around some oddball problem (I've never figured out) where an incorrect permission problem is reported from certbot sometimes.