Let's Encrypt renew failed

Some of my certs started to expire and were unable to renew.

I logged in and checked certbot certificates where I found certificates for several domains that had been deleted from the server. I manually deleted the certs.

I also noticed several certs with -0001 appended to them. After checking they were not in use I deleted them.

My list of certs is now concise and correct. I also did a certbot renew which renewed some expiring certs. All sites are working fine with valid certs.

Now virtualmin is mailing me with lots of fail mails:

“You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.”

Why is virtualmin attempting to renew non-expiring certs? certbot renew says none are due for renewal. Do I need to rescan or associate the certs with virtualmin somehow?


So it was just 2 certs that were the remaining problem. I deleted them in certbot and recreated them in virtualmin admin. This seems to have fixed the issue. Not sure how it all got out of sync. I think it would be a good idea if someone checks the process and makes sure virtualmin cleans up after itself when a site/domain is deleted.

Just to note, everything was originally created and managed in virtualmin up until this point where I had to step in and start using certbot manually.

So now another domain/site has started doing this. I could delete and recreate this cert too, but I expect I’m going to keep having to do this each time virtualmin thinks one has expired. Where is it keeping track of this? How can I sync it back up with the real expiry dates?

Reported it as a bug here https://www.virtualmin.com/node/67383

and maybe also this to take care of

Also if using certbot with for example apache the reload…?

What do the configuration file(s) in /etc/letsencrypt/renewal/ contain?

Certbot can be configured to automatically gracefully reload Apache after renewing certificates. If you use certbot --apache without certonly when creating the certificate, Certbot will configure Apache to use it, and will also automatically reload Apache when renewing. You can also set up a deploy hook to do so, for example by using the --deploy-hook command line option when initially creating the certificate, or by putting a script in /etc/letsencrypt/renewal-hooks/deploy/.

You can check some more info about LE certs here on this site, also the advanced option is nice there.
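
A deploy hook of the kind mentioned in the reply above, as an added example that is not part of the original thread. It assumes Apache is controlled with `apachectl` (overridable through the hypothetical `APACHECTL` variable) and relies on the `RENEWED_LINEAGE` and `RENEWED_DOMAINS` variables that Certbot sets for deploy hooks; it tests the configuration before reloading so a bad config never takes the sites down.

```shell
#!/bin/sh
# Added example: save as an executable file in
# /etc/letsencrypt/renewal-hooks/deploy/ (the file name is your choice).
# Certbot runs deploy hooks once per successfully renewed certificate and
# sets RENEWED_LINEAGE (the live/ directory of that certificate) and
# RENEWED_DOMAINS (space-separated names on it).

# Assumption: apachectl is the control command on this host. The APACHECTL
# override is a convenience of this example, not a Certbot setting.
APACHECTL="${APACHECTL:-apachectl}"

reload_apache_after_renewal() {
    # Refuse to act when not called by Certbot as a deploy hook.
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        echo "deploy hook: RENEWED_LINEAGE not set, nothing to do" >&2
        return 2
    fi

    # Check the configuration first; skip the reload if it is broken.
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        echo "deploy hook: configtest failed, Apache not reloaded" >&2
        return 1
    fi

    # Graceful reload: workers finish current requests, then pick up the
    # renewed certificate files.
    "$APACHECTL" graceful || return 1
    echo "deploy hook: reloaded Apache for ${RENEWED_DOMAINS:-unknown} (${RENEWED_LINEAGE})"
}

# Act only when Certbot invoked the script with a renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_apache_after_renewal
fi
```
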