Let's Encrypt: Certificate expired

Thank you sir! :slight_smile:

I still have the problem.
One of my certificates expires tomorrow mar/02, but my site already have the privacy error.
I try every single solution posted in here, but still no results.

Certificate file /etc/nginx/ssl/letsencrypt/xxxxx.cert already exists
Generating certificate for xxxxx.xxxx
Error while generating certificate for  xxxxx.xxxx
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying orei.org...
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/local/letsencrypt/acme_tiny.py", line 123, in get_crt
    wellknown_path, wellknown_url))
ValueError: Wrote file to /srv/www/letsencrypt/LIAgjwgNlBXLrmnfNys_a8i1sFIsNLj_ac2rHZ374BM, but couldn't download http:// xxxxx.xxxx/.well-known/acme-challenge/LIAgjwgNlBXLrmnfNys_a8i1sFIsNLj_ac2rHZ374BM

Any clue?

How recent is your Trellis version?

It might be fastest to back up your database and uploads and try reprovisioning your server with a fresh copy of Trellis (and all your configs, of course).

Hereā€™s a quick overview of how I update Trellis. There are better ways but this is fast:

Copy the following out of your Trellis directory:

.vault_pass
ansible.cfg
/group_vars
/deploy-hooks
/hosts
/nginx-includes

Delete everything in your Trellis directory
Clone Trellis from source into your Trellis directory
Copy back in and overwrite the following:

.vault_pass
ansible.cfg
/group_vars/development
/group_vars/staging
/group_vars/production
/group_vars/all/mail.yml
/group_vars/all/vault.yml
/deploy-hooks
/hosts

Then back up your database and uploads again!!! and rebuild and reprovision your server.

5 Likes

It was not me that make the installation and i never used trellis beforeā€¦
One off my problems is that the ansible-playbook server.yml -e env=production -K --tags letsencrypt not run cause do not find the server.yml. Where i run this command?

About the version, how i get this information?

And thereā€™s no way to install a fresh copy of trellis right now

Thaks!

Hello everyone, I got an issue.
My SSL renewal crashed yesterday.
I was able to do it manually today with this command which works perfectly ansible-playbook server.yml -e env=production -K --tags letsencrypt
However, Iā€™m still interested in the automatic renewal!
I found out in the log that the process might have failed because of this -> ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
When I tried to access the folder (as root and web users) /var/lib/letsencrypt, the response was ā€˜Permission deniedā€™.
Can someone help me with this? Please ask me if you need more details.
Thanks a lot,

@MWDelaney is this still a valid option to update trellis?
i saw that it is an old post (2017) but if it is still a valid option, i will try this way because it sounds straightforward to me.
thanks

1 Like

I am also wondering if this is still valid. I have some rather projects from the last 6 months to a year where the LE SSL is not being auto-renewed.

I would also like to know if the way @MWDelaney guides on trellis updating is still valid. Iā€™d be happy to simply replace my current trellis files with a new one, just want to confirm which files are too be kept and restored.

1 Like

If you havenā€™t customized any other files within Trellis (which ideally you shouldnā€™t) then yes that process is basically correct and the easiest way.

Thanks @swalkinshaw for confirming this.
Iā€™ll be attempting this over the weekend on a project.

I stumbled upon this issue today. A client notified me that the certificate was about to expire, so I went to investigate.

Seems like Iā€™ve already applied the fix, but that it failed to run the cron job:

cat /etc/cron.d/letsencrypt-certificate-renewal
#Ansible: letsencrypt certificate renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload

Running it manually (as root), I had no issues:
cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload
Certificate file /etc/nginx/ssl/letsencrypt/domain.tld-933ed6e-bundled.cert already exists
Generating certificate for domain.tld
Created certificate for domain.tld

Is it possible that the cron job simply is not running? How can I debug?

Make sure youā€™ve reprovisioned the server since updating Trellis. That should fix the cron job, too.