Error Renewing SSL

[rsthomas]

The following message appears when trying to run the Let's Encrypt SSL certificate renewal script -- /opt/letsencrypt/letsencrypt-auto renew

------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/rsthost.com.conf
------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for rsthost.com
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/rsthost.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping.
-------------------

This is what is in the above /etc/letsencrypt/renewal/rsthost.com.conf file:
--------------------
# renew_before_expiry = 30 days
version = 0.14.0
archive_dir = /etc/letsencrypt/archive/rsthost.com
cert = /etc/letsencrypt/live/rsthost.com/cert.pem
privkey = /etc/letsencrypt/live/rsthost.com/privkey.pem
chain = /etc/letsencrypt/live/rsthost.com/chain.pem
fullchain = /etc/letsencrypt/live/rsthost.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = c46d1c485ad1c9a8ccbb0aaddb1384f8
--------------------

This is what is currently in the Sentora Vhost configuration file for the domain in question:
-------------------
# DOMAIN: rsthost.com
<virtualhost *:443>
ServerName rsthost.com
ServerAlias www.rsthost.com
ServerAdmin sales@rstmarine.com
DocumentRoot "/var/sentora/hostdata/rsthost/public_html/"
php_admin_value open_basedir "/var/sentora/hostdata/rsthost/public_html/:/var/sentora/temp/"
php_admin_value suhosin.executor.func.blacklist "passthru, show_source, shell_exec, system, pcntl_exec, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, exec"
ErrorLog "/var/sentora/logs/domains/rsthost/rsthost.com-error.log"
CustomLog "/var/sentora/logs/domains/rsthost/rsthost.com-access.log" combined
CustomLog "/var/sentora/logs/domains/rsthost/rsthost.com-bandwidth.log" common
<Directory "/var/sentora/hostdata/rsthost/public_html/">
Options +FollowSymLinks -Indexes
AllowOverride All
Require all granted
</Directory>
AddType application/x-httpd-php .php3 .php
ErrorDocument 500 /_errorpages/500.html
ErrorDocument 510 /_errorpages/510.html
ErrorDocument 404 /_errorpages/404.html
ErrorDocument 403 /_errorpages/403.html
DirectoryIndex index.html index.htm index.php index.asp index.aspx index.jsp index.jspa index.shtml index.shtm
# Custom Global Settings (if any exist)

# Custom VH settings (if any exist)
SSLEngine on^M
SSLProtocol ALL -SSLv2 -SSLv3^M
SSLHonorCipherOrder On^M
SSLCipherSuite ECDH+AESGCMH+AESGCM:ECDH+AES256H+AES256:ECDH+AES128H+AES:ECDH+3DESH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS^M
SSLCertificateFile /etc/letsencrypt/live/rsthost.com/cert.pem^M
SSLCertificateKeyFile /etc/letsencrypt/live/rsthost.com/privkey.pem^M
SSLCertificateChainFile /etc/letsencrypt/live/rsthost.com/chain.pem^M
# Keeping bellow for future upgrades.^M
# Requires Apache >= 2.4^M
SSLCompression off
</virtualhost>
# END DOMAIN: rsthost.com
##################################################

# DOMAIN: rsthost.com
# PORT FORWARD FROM 80 TO: 443
<virtualhost *:80>
ServerName rsthost.com
ServerAlias www.rsthost.com
ServerAdmin sales@rstmarine.com
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</virtualhost>
# END DOMAIN: rsthost.com
-------------------

Three different questions:

1.) Have I done something wrong with the above, or have I missed something?

2.) Why do I get a "site not secure" message when using the https://www.rsthost.com/ URL? I have an DNS A Record for www. https://rsthost.com/ works fine.

3.) How do I remove an SSL certificate from a domain?

[TGates]

Using that method, you need to stop apache first, then do the renewal and then restart apache. (Uses same port for checking the certificates as Apache uses.)

About the insecure warning, apparently you did not read it
There are some images or parts of your site that you link to that are not using SSL.
Basically, you need to make sure everything on your site is located within your https domain.

[rsthomas]

Hi Tom,

1.) Thank you so much for the tip about stopping apache in order to automatically renew ssl certificates! I added the stop and restart commands to my script, and it worked great.

2.) Sorry, but I don't follow the comment about getting the insecure warning when trying to access the domain via https://www.rsthost.com/. FireFox seems to offer a more descriptive message than MS Edge:
----------------------
www.rsthost.com uses an invalid security certificate.

The certificate is only valid for rsthost.com
----------------------

From the Vhost configuration file (see above), I have:
----------------------
ServerName rsthost.com
ServerAlias http://www.rsthost.com
----------------------

Does the ServerAlias need to be changed to https? If so, is the only way to change it by manually editing the httpd-vhosts.conf file? In case it matters, I am using the external DNS Manager from DreamHost.

Also, this is not the main Sentora login domain, but one configured for domains using http://docs.sentora.org/?node=103.

3.) Again, How do I remove a no longer needed SSL certificate from a domain?


By the way, I think Sentora is GREAT; I'm glad I discovered it, and highly recommend it!! I just made a $10.00 donation to you, hope it helps.

[americanninja]

Using that method, you need to stop apache first, then do the renewal and then restart apache. (Uses same port for checking the certificates as Apache uses.)

About the insecure warning, apparently you did not read it
There are some images or parts of your site that you link to that are not using SSL.
Basically, you need to make sure everything on your site is located within your https domain.

Thanks TGates for your reply on this thread! I came across the same problem when my let's encrypt cert expired for the first time. All that was needed was to add the stop and start commands for apache. However, I have a question, is there another way to do this without stopping and restarting the Apache server? I run this check every week for all the certs on my site and I would prefer to not have my apache server go down, even if for only a few seconds each week, if there is an alternative solution. Could you please advise if there is another solution?

My script prior to seeing this thread (which resulted in the error message of (Attempting to renew cert (websitename.com) from /etc/letsencrypt/renewal/websitename.com.conf produced an unexpected error: Problem binding to port 443: Could not bind to IPv4 or IPv6.. Skipping):

#!/bin/bash
# run letsencrypt certificate renew function
letsencrypt-auto renew

My updated script:

#!/bin/bash
# run letsencrypt certificate renew function
/etc/init.d/apache2 stop
letsencrypt-auto renew
/etc/init.d/apache2 start

[TGates]

Yes, there is a new way to renew certificates and it is much easier. I'm on my phone so I do not have the proper information for you. But it involves switching from standalone to webroot auth. Believe it or not, this is easier than it sounds. I have done it on my server and on another sentora members server I help maintain . It's a basic file edit and a change of the cron. I no longer worry about auto renew anymore.

About removing them, you need to check their docs. You first need to revoke the certificate. I will eventually write a tutorial on how to switch to webroot and how to revoke/remove certificates.

I was building a certificate module, but that worked for a month or so until they changed servers and how certificates got authorized. Back to the drawing board on that module.

---

Also, about the www thing. The new way is much easier to register both www.domain.com and domain.com as one certificate. More ro come on this subject.

[americanninja]

Yes, there is a new way to renew certificates and it is much easier. I'm on my phone so I do not have the proper information for you. But it involves switching from standalone to webroot auth. Believe it or not, this is easier than it sounds. I have done it on my server and on another sentora members server I help maintain . It's a basic file edit and a change of the cron. I no longer worry about auto renew anymore.

About removing them, you need to check their docs. You first need to revoke the certificate. I will eventually write a tutorial on how to switch to webroot and how to revoke/remove certificates.

I was building a certificate module, but that worked for a month or so until they changed servers and how certificates got authorized. Back to the drawing board on that module.

---

Also, about the www thing. The new way is much easier to register both www.domain.com and domain.com as one certificate. More ro come on this subject.

Thanks Tgates! I look forward to this "I will eventually write a tutorial on how to switch to webroot and how to revoke/remove certificates. " I will wait for this or wait until I have enough time to research it a bit myself and do this. For now, I will use the script which shutdowns the server and brings it back up. Thanks again!

[TGates]

This isn't the tutorial yet, but the commands to use the webroot version of Let's Encrypt:

Create certificates:

Code:

sudo certbot certonly --webroot -w /var/sentora/hostdata/[client]/public_html/domain_com -d domain.com -d www.domain.com

Test certificates FIRST to check for any errors:

Code:

sudo certbot renew --dry-run

Update certificates after running the above with no errors:

Code:

sudo certbot renew

Revoke a certificate:

Code:

sudo certbot revoke --cert-path /etc/letsencrypt/archive/domain.com/cert1.pem

(It will ask if you want to delete the related certificates, select Y and hit enter.)