Let's encrypt autorenewal not updating certs

I noticed my certificates hadn’t renewed so I ran certbot manually and it said the certificates were “not yet due for renewal”. I checked the directories and could confirm that the certificates were up-to-date in /etc/letsencrypt/live/domain/* but not in /home/domainaccount/ssl*.

I copied the fullchain.pem over ssl.cert and privkey.pem over ssl.key, restarted apache and it started working, but I would like to understand why the autorenewal didn’t upgrade the files being used by apache. Maybe I have something broken in my configuration?

The issue seems similar to Letsencrypt ssl.cert/key in /etc/webmin not in /home/user but I am using Debian 9.

OS version: Debian GNU/Linux 9.13

So it seems that webmin is simply not updating the certificates. I can see in the admin page:

|Time since last renewal |3.03 months|
|Last successful renewal |12/29/2020 12:59:32 PM|

even though I have 2 month automatic renewals enabled.

How can I debug this?

Also, the “Only update renewal” button does nothing (nothing shows up in the logs either apart from the access log entry in /var/webmin/miniserv.log). The only thing that works is to Request a new certificate.

Webmin version 1.962
Usermin version 1.812
Virtualmin version 6.14

Might be related to Let's Encrypt certificates not renewing anymore - #35 by kbch even though it seems “Only update renewal” is working for most people there? That is not my case.

There are a number of posts regarding this, I believe it was fixed in Vmin 6.15 - you need to update.

“Only update renewal” button - this does not renew the cert but just applies a change made to the ‘Automatically renew certificate?’ section.

Ah I thought “Only update renewal” would force a renewal of the certificate with the current configuration and “Request a new certificate” would trigger a different type of request with Let’s Encrypt, with potentially a different configuration, instead of a normal renewal.

I will try upgrading vmin. Thanks for letting me know

@andresp it would be really helpful and useful if you would tell us what distro you are running, what distro version you are on and, on top of that, what versions of virtualmin and webmin you are running, as a recent update fixed all issues regarding your problem. Please try again.

Please upgrade to the latest Webmin 1.973 and Virtualmin 6.16, as the updates address the issues you’re having trouble with.

Hello. We have a similar problem…

  1. Webmin 1.973
  2. Virtualmin 6.16
  3. I just tried to set up a new cron to renew one of our server certificates. The cron went well. Based on the log the certificate was created and is visible in the log. See below.
  4. If I check the validity of the cert in virtualmin or some external service then it is not updated at all.
  5. Using the manual option to update it is working fine.

Do you have any ideas what’s wrong?

Thank you.

2021-04-07 11:25:07,400:DEBUG:acme.client:Storing nonce: drgdfsg

2021-04-07 11:25:07,402:DEBUG:certbot._internal.storage:Writing new private key to /etc/letsencrypt/archive/xxx.zzz.com/privkey11.pem.

2021-04-07 11:25:07,402:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/archive/xxx.zzz.com/cert11.pem.

2021-04-07 11:25:07,403:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/archive/xxx.zzz.com/chain11.pem.

2021-04-07 11:25:07,403:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/archive/xxx.zzz.com/fullchain11.pem.

2021-04-07 11:25:07,427:DEBUG:certbot._internal.cli:Var rsa_key_size=2048 (set by user).

2021-04-07 11:25:07,427:DEBUG:certbot._internal.cli:Var authenticator=webroot (set by user).

2021-04-07 11:25:07,427:DEBUG:certbot._internal.cli:Var webroot_path=/home/zzz-xxx/public_html (set by user).

2021-04-07 11:25:07,427:DEBUG:certbot._internal.cli:Var webroot_path=/home/zzz-xxx/public_html (set by user).

2021-04-07 11:25:07,427:DEBUG:certbot._internal.cli:Var webroot_map={‘webroot_path’} (set by user).

2021-04-07 11:25:07,427:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/xxx.zzz.com.conf.new.

2021-04-07 11:25:07,429:DEBUG:certbot._internal.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/xxx.zzz.com/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/xxx.zzz.com/privkey.pem

Your certificate will expire on 2021-07-06. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew all of your certificates, run “certbot renew”

2021-04-07 11:25:07,430:DEBUG:certbot._internal.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:

Hm, I am checking other domains on our server and I don’t get it.

  1. log info:
    2021-04-07 02:52:54,227:DEBUG:certbot.display.util:Notifying user: The following certificates are not due for renewal yet:
    etc/letsencrypt/live/maxikovakuchynka.cz/fullchain.pem expires on 2021-07-05 (skipped)

  2. info in virtualmin:
    SSL certificate file home/maxik/ssl.cert
    SSL private key file home/maxik/ssl.key
    Web server hostname maxikovakuchynka.cz
    Issuer name R3
    Issuer organization Let’s Encrypt
    Expiry date May 6 11:03:53 2021 GMT
    Certificate type Signed by CA
    Time until expiry 29 days until expiry

Is there some problem with the certification location or why it says in the log that everything is fine but in virtualmin it is not and then it’s pretty problematic if it expires?

Thank you.
Karel
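
The mismatch reported in this thread (a current certificate under /etc/letsencrypt/live/ while the ssl.cert in the home directory is still the old one) can be confirmed by comparing the leaf certificate in both files. The following is an added example, not part of any post here and not Webmin or Virtualmin code; the function names are hypothetical, and it assumes awk, base64 and sha256sum are available. Only the first certificate of each file is compared, because fullchain.pem also carries the intermediate.

```shell
#!/bin/sh
# Added example: does the certificate the web server uses match certbot's lineage?

# SHA-256 of the DER bytes of the first (leaf) certificate in a PEM file.
leaf_fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/ {inside = 1; next}
         /-----END CERTIFICATE-----/   {exit}
         inside                        {print}' "$1" |
        tr -d '\r' | base64 -d | sha256sum | cut -d' ' -f1
}

# check_deployed_cert LIVE_FULLCHAIN DEPLOYED_CERT
# Returns 0 when the same leaf is deployed, 1 on drift, 2 when a file is unusable.
check_deployed_cert() {
    live=$1
    deployed=$2
    for f in "$live" "$deployed"; do
        if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
            echo "ERROR: cannot read a PEM certificate from $f"
            return 2
        fi
    done
    if [ "$(leaf_fingerprint "$live")" = "$(leaf_fingerprint "$deployed")" ]; then
        echo "OK: $deployed holds the current certificate from $live"
        return 0
    fi
    echo "DRIFT: $deployed differs from $live"
    # Optional detail: print both expiry dates when openssl is installed.
    if command -v openssl >/dev/null 2>&1; then
        for f in "$live" "$deployed"; do
            printf '  %s: %s\n' "$f" "$(openssl x509 -noout -enddate -in "$f" 2>/dev/null)"
        done
    fi
    return 1
}

# Run as a script with two paths (DOMAIN and ACCOUNT are placeholders), e.g.
#   sh check.sh /etc/letsencrypt/live/DOMAIN/fullchain.pem /home/ACCOUNT/ssl.cert
if [ "$#" -eq 2 ]; then
    check_deployed_cert "$1" "$2"
fi
```

Run it as root, since the files under /etc/letsencrypt/live/ are normally not readable by other users; the non-zero exit status on drift makes it usable from a monitoring job.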

We do not recommend using custom Cron jobs to update Let’s Encrypt certificates as it is all set up and done automatically using Webmin/Virtualmin.

Simply choose an option to automatically renew certificates on virtual-server.com - Server Configuration ⇾ SSL Certificate / Let's Encrypt page:

I don’t mean a custom cron. We use clearly just webmin + virtualmin settings and it’s all set up just there and that’s not working as described above…

I meant scheduled function by the “cron”.

Perhaps something is out of sync? If you’re really running the latest Virtualmin 6.16 (and above), then go to Edit Virtual Server page and disable SSL website feature. Afterwards, go to SSL Certificate page and delete existing SSL certificates by clicking the button at the bottom of the page. Later, get back to Edit Virtual Server page and re-enable SSL website feature. All should be fine then.

Ehmmm. Ok, just did that.

If I disable SSL apache feature then going to the site is automatically redirecting to another domain on the server, no idea why.

Certs deleted, SSL restarted. And now I can see this in SSL certificate page:
|SSL certificate file|/home/maxik/ssl.cert|
|SSL private key file|/home/maxik/ssl.key|
|Web server hostname|*.maxikovakuchynka.cz|
|Expiry date|Apr 6 11:37:09 2026 GMT|
|Organization|maxikovakuchynka.cz|
|Issuer name|*.maxikovakuchynka.cz|
|Issuer organization|maxikovakuchynka.cz|
|Certificate type|Self-signed|

Is that even possible to have it for 5 years? I am not aware of having any self-signed certificates, even the hosting for the domain is just till 2022.

It’s all weird. I could try to install again let’s encrypt but should I? Or is this cert made somehow for 5 years by webmin??

Thanks for answering.

Edit:
Or, should I change the SSL cert path in webmin SSL options to make it the same as it is for let’s encrypt which is I think in the root directory of the server and not in the folder as visible above?

Karel

This is a self-signed certificate.

> It’s all weird.

It is expected.

> I could try to install again Let’s Encrypt but should I?

Yes, you must re-request a Let’s Encrypt certificate once again.

> Should I change the SSL cert path in webmin SSL options to make it the same as it is for let’s encrypt which is I think in the root directory of the server and not in the folder as visible above?

No!