After a few situations where I thought this happened, but wasn’t sure, I just found a perfect example.
Sometimes, we use Let’s Encrypt for a temporary SSL certificate. After a few hours/days, we replace it by installing a new (other) certificate. So far so good. The checkbox “Automatically renew certificate?” is being disabled by this, so I expect that Let’s Encrypt stops renewing/interfering with the SSL certificate.
Even so, I found out that Let’s Encrypt sometimes runs and replaces my manually installed certificate, even though I didn’t expect it.
I guess this is a bug.
I have an example live/running now: Virtualmin/Let’s Encrypt tries to install a new certificate every x hours. Because of a .htaccess file this won’t work, and because of this I found errors in my syslog.
This confirms my suspicion. How can I solve/fix this bug?
If an SSL cert is shared with another domain, Virtualmin will only let you set up cert renewal on the primary domain. This will renew for all the shared domains though.
Hi, thank you for your answers!
As far as I can think of (and find), there is no other domain that uses the same SSL certificate. Is there some way to be 100% sure? (there are 10 domains on this server, I’ve checked them all)
The Let’s Encrypt SSL certificate has been automatically replaced by the Virtualmin API. Is it possible that this doesn’t disable Let’s Encrypt 100%?
test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
I’ve never created/enabled this cronjob on purpose, so I guess it is a default setting of Virtualmin to enable this cronjob.
Based on the certbot manual, I guess that this command will renew all certificates it has once requested. How should certbot/Virtualmin interact so that the Virtualmin setting (no automatic renewal for this domain) is leading and certbot stops renewing this certificate?
Should Virtualmin remove this file automatically after installing your own certificate? Or is there some parameter/command I should do when installing the certificate by API? Because it seems to me like ‘normal’ to not prolong Let’s Encrypt when installing another certificate (and disabling the auto-renewal checkbox by doing this, because that seems to happen automatically).
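Added example, not part of any post in this thread and not Virtualmin or certbot code: a check for which certbot renewal lineages still cover a domain, since the `certbot -q renew` cron job quoted above acts on certbot's own records rather than on the Virtualmin checkbox. It assumes certbot's standard renewal directory `/etc/letsencrypt/renewal`; the function names and the sample domains are made up for illustration.

```shell
#!/bin/sh
# Assumption: certbot's standard layout, one <lineage>.conf per certificate in
# /etc/letsencrypt/renewal; "certbot renew" considers every file found there.

# lineages_for_domain DOMAIN [RENEWAL_DIR]  (hypothetical helper name)
# Prints each lineage whose name or [[webroot_map]] section covers DOMAIN.
lineages_for_domain() {
    domain=$1
    dir=${2:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        # By default a lineage is named after its first domain; duplicates get -0001 etc.
        case $name in
            "$domain"|"$domain"-[0-9][0-9][0-9][0-9]) echo "$name"; continue ;;
        esac
        # Webroot lineages also list every covered domain as a key here.
        if awk -v d="$domain" '
            /^\[\[webroot_map\]\]/ { in_map = 1; next }
            /^\[/                  { in_map = 0 }
            in_map && /=/ {
                key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
                if (key == d) found = 1
            }
            END { exit (found ? 0 : 1) }
        ' "$conf"; then
            echo "$name"
        fi
    done
}

# Constructed sample data (not from the thread) so the check runs offline.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'cert = /etc/letsencrypt/live/shop.example/cert.pem' \
        '[renewalparams]' 'authenticator = webroot' '[[webroot_map]]' \
        'shop.example = /home/shop/public_html' \
        'www.shop.example = /home/shop/public_html' > "$d/shop.example.conf"
    printf '%s\n' 'cert = /etc/letsencrypt/live/blog.example-0001/cert.pem' \
        '[renewalparams]' 'authenticator = standalone' > "$d/blog.example-0001.conf"
    echo "$d"
}

# Usage: sh this-script.sh example.com
if [ $# -gt 0 ]; then lineages_for_domain "$1"; fi
```

When certbot is installed, `certbot certificates` prints the same lineages together with their domains and expiry dates.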