Let's Encrypt: repair broken certificate with certbot

How can I run certbot to re-issue a specific (or all) certificate(s) if the configuration is broken, e.g. if the content of the folder letsencrypt/live was deleted accidentally?
Using renew I get an error and certbot skips. Is there an option like force-reinstall-if-broken?

Using certbot certonly with the actual configuration should work:
certbot certonly --config /path/to/config.conf
where config.conf is a Let's Encrypt config file like this:
domains = url.com, www.url.com
rsa-key-size = 4096
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory
email = user@email.com
text = True
# authenticate by placing a file in the webroot (under .well-known/acme-challenge/)
# and then letting LE fetch it
authenticator = webroot
webroot-path = /path/to/webroot
Note that I am using the webroot plugin to generate the cert, so I can avoid any downtime on my server.
When writing a script to create and automate my certs I had to reissue the certificates many times, and this command worked for me without having to delete anything extra.
If you are still in trouble, try creating symbolic links in renew to the latest .pem certificate archives of your server:
lrwxrwxrwx 1 root root 38 mar 11 01:02 cert.pem -> ../../archive/[SERVER]/cert8.pem
lrwxrwxrwx 1 root root 39 mar 11 01:02 chain.pem -> ../../archive/[SERVER]/chain8.pem
lrwxrwxrwx 1 root root 43 mar 11 01:02 fullchain.pem -> ../../archive/[SERVER]/fullchain8.pem
lrwxrwxrwx 1 root root 41 mar 11 01:02 privkey.pem -> ../../archive/[SERVER]/privkey8.pem
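The hand-relinking this answer describes, as an added shell helper (not certbot's own code, nor the answerer's): it rebuilds live/<name> from the highest-numbered files in archive/<name> and then checks the result. It assumes the standard certbot directory layout and GNU stat.

```sh
# Rebuild the symlinks in <confdir>/live/<name>/ so they point at the highest-
# numbered files in <confdir>/archive/<name>/ (the layout certbot uses).
# Hypothetical helper, not certbot's own code; assumes GNU stat.
relink_live() {
    confdir=$1; name=$2
    archive="$confdir/archive/$name"
    live="$confdir/live/$name"
    [ -d "$archive" ] || { echo "no archive for $name" >&2; return 1; }
    mkdir -p "$live"
    for f in cert chain fullchain privkey; do
        # newest version = highest numeric suffix among archive/<name>/<f>N.pem
        n=$(ls "$archive" | sed -n "s/^${f}\([0-9][0-9]*\)\.pem\$/\1/p" | sort -n | tail -n 1)
        [ -n "$n" ] || { echo "no $f*.pem in $archive" >&2; return 1; }
        # never clobber a regular file someone copied into live/ by hand
        if [ -e "$live/$f.pem" ] && [ ! -L "$live/$f.pem" ]; then
            echo "refusing to overwrite regular file $live/$f.pem" >&2; return 1
        fi
        # certbot keeps these links relative, so the config dir stays movable
        ln -sfn "../../archive/$name/$f$n.pem" "$live/$f.pem"
    done
}

# Verify a live/<name> directory: every link resolves, and the private key
# behind privkey.pem is mode 0600 (what certbot sets; anything wider is a finding).
check_live() {
    live="$1/live/$2"
    for f in cert chain fullchain privkey; do
        [ -f "$live/$f.pem" ] || { echo "dangling link: $live/$f.pem" >&2; return 1; }
    done
    mode=$(stat -L -c %a "$live/privkey.pem")
    [ "$mode" = 600 ] || { echo "privkey.pem mode $mode, expected 600" >&2; return 1; }
}
```

Run as `relink_live /etc/letsencrypt example.com && check_live /etc/letsencrypt example.com` only after confirming the archive directory itself is intact; it does nothing about a missing archive or renewal config.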

1 - List your certificates and find the path to the fullchain certificate you wish to reinstall:
certbot certificates
2 - Revoke it, using the path to the cert from above:
certbot revoke --cert-path /etc/letsencrypt/live/...
3 - Delete it:
certbot delete --cert-name yourdomain.com
4 - Remove the Apache conf you had it configured on (or whatever the name of that conf is):
rm -Rf /etc/apache2/sites-available/000-default-le-ssl.conf
rm -Rf 000-default-le-ssl.conf
5 - Restart Apache:
sudo apache2ctl restart
6 - Run certbot and follow the guide to set up the new certificate:
certbot

Related

certbot renew in the wrong folder

When I do
certbot certonly --force-renew -d mywebsite.com
it creates a new cert in the wrong folder, adding -0001, and it says:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mywebsite.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mywebsite.com-0001/privkey.pem
And of course the folder /etc/letsencrypt/live/mywebsite.com is not updated.
How can I force certbot to renew in the right folder?
Of course after service nginx reload, when I check the cert in Chrome on mywebsite.com there is no change.
In the Nginx conf, I have:
server {
server_name mywebsite.com;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/mywebsite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mywebsite.com/privkey.pem;
}
It seems that you are using certonly when you should be using renew, and it is installing a duplicate certificate, not renewing the existing one.
When you get the initial certificate you can get it using the above command. It is interactive to the user (or you can make it --non-interactive).
The renewal process is automatic. The certbot renew command will check all certificates that are about to expire in /etc/letsencrypt/ (or whatever directory you tell certbot to use) and it will renew those that are nearing expiry. You run the renew command from cron, and it's OK to run it daily or so; it will not really renew anything until certificates are about to expire.

Why can't I write certificate.crt with acme?

root@vultr:~# systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2021-07-28 02:16:44 UTC; 23min ago
Docs: man:nginx(8)
Main PID: 12999 (nginx)
Tasks: 2 (limit: 1148)
Memory: 8.2M
CGroup: /system.slice/nginx.service
├─12999 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
└─13000 nginx: worker process
Jul 28 02:16:44 vultr.guest systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul 28 02:16:44 vultr.guest systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argument
Jul 28 02:16:44 vultr.guest systemd[1]: Started A high performance web server and a reverse proxy server.
Nginx is in good status.
I want to create and write certificate.crt with acme:
sudo su -l -s /bin/bash acme
curl https://get.acme.sh | sh
export CF_Key="xxxx"
export CF_Email="yyyy@yahoo.com"
CF_Key is my global API key in Cloudflare; CF_Email is the registered email to log in to Cloudflare.
acme@vultr:~$ acme.sh --issue --dns dns_cf -d domain.com --debug 2
The output is so long that I can't post it here, so I uploaded it to termbin.com; the link is below:
https://termbin.com/taxl
Please open the web page, where you can get the whole output and check what results in the error. There are two main issues:
1. My nginx server is in good status, but acme.sh can't detect it.
2. How can I set the config file?
[Wed Jul 28 03:04:38 UTC 2021] config file is empty, can not read CA_EAB_KEY_ID
[Wed Jul 28 03:04:38 UTC 2021] config file is empty, can not read CA_EAB_HMAC_KEY
[Wed Jul 28 03:04:38 UTC 2021] config file is empty, can not read CA_EMAIL
To write the key into a specified directory:
acme.sh --install-cert -d domain.com \
--key-file /usr/local/etc/certfiles/private.key \
--fullchain-file /usr/local/etc/certfiles/certificate.crt
It encounters a problem:
[Tue Jul 27 01:12:15 UTC 2021] Installing key to:/usr/local/etc/certfiles/private.key
cat: /home/acme/.acme.sh/domain.com/domain.com.key: No such file or directory
To check the files in /usr/local/etc/certfiles/:
ls /usr/local/etc/certfiles/
private.key
There is no certificate.crt in /usr/local/etc/certfiles/.
How do I fix this?
From acme.sh v3.0.0, acme.sh is using ZeroSSL as the default CA; you must
register the account first (one-time) before you can issue new certs.
Here is how ZeroSSL compares with LetsEncrypt.
With ZeroSSL as CA
You must register at ZeroSSL before issuing a certificate. To register, run the command below (assuming yyyy@yahoo.com is the email with which you want to register):
acme.sh --register-account -m yyyy@yahoo.com
Now you can issue a new certificate (assuming you have set CF_Key & CF_Email or CF_Token & CF_Account_ID)
acme.sh --issue --dns dns_cf -d domain.com
Without ZeroSSL as CA
If you don't want to use ZeroSSL and, say, want to use Let's Encrypt instead, then you can pass the --server option when issuing a certificate:
acme.sh --issue --dns dns_cf -d domain.com --server letsencrypt
Here are more options for the CA server.

Single laravel install, multiple domains, SSL Encryption

I'm building an app in Laravel that has a single codebase that will serve multiple domain names. A new domain can be added in the CMS, and all that should have to be done for that new domain to work is to have its records pointed to the server. The CMS itself will then display the appropriate pages for that domain, based on the request()->getHost() function.
The app is being managed with Laravel Forge.
My question is regarding nginx and Let's Encrypt: I would like all new domains added in this way to be secured via SSL. Would every new domain need to be added to Forge manually, or is there some way to allow a wildcard TLD in the certificate? (And if so, is that a security risk?)
Will nginx require some specific configuration to work with wildcard TLDs?
My aim is to avoid additional configuration and have it automatic, with the domain name simply being added to the backend.
Thanks!
Please follow the Steps. Hope it will work for you.
1 - First clone Letsencrypt/Certbot repo from Github
cd /opt
git clone https://github.com/certbot/certbot.git
2 - Now enter new created directory and run certificate bot
cd certbot
./letsencrypt-auto certonly --manual --preferred-challenges=dns --email mymail@gmail.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.mywebsite.com
3 - Now Certbot will ask for a DNS record to check whether you really have rights to this domain.
------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.mywebsite.com with the following value:
5GFgEqWd7AQrvHteRtfT5V-XXXXXXXXXXXXXX
Before continuing, verify the record is deployed.
------------------------------------------------------------------
Press Enter to Continue
4 - After adding this DNS TXT record to your domain, wait a few seconds, then press Enter to continue.
5 - Your certificate is ready!
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mywebsite.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mywebsite.com/privkey.pem
Your cert will expire on 2018-08-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
6 - Now we will copy our fullchain.pem and privkey.pem to our Nginx folder and add this to our Nginx server configuration. For example:
server {
listen 443 ssl;
server_name test.mywebsite.com;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
...
}
Hope it will be helpful.

Host machine cannot access nginx virtual hosts on the guest machine

Question: how do I create a simple nginx config that will read the folder structure as domains (test.local, myblog.local) and show the page from these folders, including PHP?
Information:
Windows 10 x64 build
Vagrant 1.9.5
VirtualBox 5.0.22 (latest)
Guest OS: Ubuntu Xenial x64 latest
So, I want to create a simple nginx config that will recreate the folder structure. See
my config file on pastebin.
Also here is a Vagrantfile config, which uses SMB to mount a folder.
The structure of folders:
├───devhost.local
│ ├───log
│ └───public
│ index.html
│ index.php
│
└───test.local
├───log
└───public
index.html
The rights for files and folders for devhost:
ubuntu@ubuntu-xenial:~$ ls -la /var/www/html/devhost.local/
total 4
drwxr-xr-x 2 ubuntu www-data 0 Jun 7 11:17 .
drwxr-xr-x 2 ubuntu www-data 4096 Jun 7 12:44 ..
drwxr-xr-x 2 ubuntu www-data 0 Jun 7 11:17 log
drwxr-xr-x 2 ubuntu www-data 0 Jun 6 14:13 public
My hosts file in Windows:
192.168.33.10 devhost.local
So, when I have the default config in my sites-enabled folder I can open the guest machine through 192.168.33.10 and I see the nginx HTML page, but when I remove this default config and enable my wildcard config (see the link to my config file) I cannot access my domains. sudo nginx -t says that everything is OK; I also tried to restart my guest machine and reload/restart the nginx service. I also disabled the Windows 10 firewall (I don't know if it's fully disabled, but it says that it's disabled). Also, the log files are empty and not even created, both the access log and the error log.
Where is my mistake? If you need more information, please ask me and I will provide it.
Thanks a lot!
The following nginx setup should help.
server {
listen 80 default_server;
root /var/www/html/$host;
index index.html index.php;
location ~ \.php {
# ... fastcgi details
}
}
I found the solution.
First of all, when I keep only one file with the config, my nginx doesn't listen on port 80; I checked with sudo netstat -ntlp | grep LISTEN but there wasn't port 80. So I Googled, and found another question on Stack Overflow (see the link at the end).
Solution: recreate the symlink to my config file. After that, when I run sudo nginx -t I see a few errors. So it seems that before this the file was empty or something like that, but I didn't notice this because I edited the file directly in the sites-available folder.
Thanks to everybody!
This question helped me to solve the problem: nginx not listening to port 80

How to renew only one domain with certbot?

I have multiple domains with multiple certificates:
$ ll /etc/letsencrypt/live/
> domain1.com
> domain2.com
> domain3.com
> ...
I need to renew only domain1.com, but the command certbot renew renews certificates for all domains. How can I renew a certain certificate explicitly?
Renew a single certificate using renew with the --cert-name option.
(certonly creates a certificate for one or more domains, replacing it if it exists.)
Example
certbot renew --cert-name domain1.com --dry-run
Remove --dry-run to actually renew.
Cert-name != Domain name
Note that the value supplied to --cert-name option is a certificate name (not a domain name) found using
certbot certificates
Returning a list like
-------------------------------------------------------------------------------
Found the following certs:
Certificate Name: myfundomains.com
Domains: myfundomains.com
Expiry Date: 2018-05-04 04:28:05+00:00 (VALID: 67 days)
Certificate Path: /etc/letsencrypt/live/myfundomains.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/myfundomains.com/privkey.pem
Certificate Name: ask.myfundomain.com
Domains: ask.myfundomain.com
Expiry Date: 2018-03-13 18:59:40+00:00 (VALID: 16 days)
Certificate Path: /etc/letsencrypt/live/ask.myfundomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ask.myfundomain.com/privkey.pem
Certificate Name: forums.myfundomain.com
Domains: forums.myfundomain.com forum.myfundomain.com
Expiry Date: 2018-04-11 16:39:18+00:00 (VALID: 45 days)
Certificate Path: /etc/letsencrypt/live/forums.myfundomain.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/forums.myfundomain.com/privkey.pem
-------------------------------------------------------------------------------
Notice how the third certificate name (forums.myfundomain.com) contains multiple domains:
forums.myfundomain.com
forum.myfundomain.com
Restart Apache / nginx
-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/ask.myfundomain.com/fullchain.pem
-------------------------------------------------------------------------------
Remember to restart your webserver to make use of the new certificate.
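The cert-name versus domain-name distinction above, in code: an added shell helper (not certbot's own code, nor the answerer's) that parses `certbot certificates` output to find the value to pass to --cert-name for a given domain, and to list the lineages nearing expiry. SAMPLE is a constructed listing in the same layout as the one shown above.

```sh
# Map a domain to the certificate *name* certbot expects in --cert-name, by
# parsing `certbot certificates` output. Hypothetical helper, not part of certbot.
# Usage: certbot certificates 2>/dev/null | cert_name_for_domain forum.myfundomain.com
cert_name_for_domain() {
    awk -v want="$1" '
        /^ *Certificate Name:/ { name = $3 }
        /^ *Domains:/ {
            # the Domains line lists every SAN; the cert name may differ from all of them
            for (i = 2; i <= NF; i++) if ($i == want) { print name; found = 1 }
        }
        END { exit found ? 0 : 1 }
    '
}

# List certificate names whose "(VALID: N days)" is below a threshold, i.e. the
# lineages worth passing to `certbot renew --cert-name` now. Expired lineages
# print "(INVALID: EXPIRED)" and are not matched here.
expiring_within() {
    awk -v limit="$1" '
        /^ *Certificate Name:/ { name = $3 }
        /VALID: [0-9]+ days/ {
            match($0, /VALID: [0-9]+/)
            days = substr($0, RSTART + 7, RLENGTH - 7) + 0
            if (days < limit) print name
        }
    '
}

# Constructed sample in the layout `certbot certificates` prints.
SAMPLE='Found the following certs:
  Certificate Name: myfundomains.com
    Domains: myfundomains.com
    Expiry Date: 2018-05-04 04:28:05+00:00 (VALID: 67 days)
    Certificate Path: /etc/letsencrypt/live/myfundomains.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/myfundomains.com/privkey.pem
  Certificate Name: forums.myfundomain.com
    Domains: forums.myfundomain.com forum.myfundomain.com
    Expiry Date: 2018-04-11 16:39:18+00:00 (VALID: 45 days)
    Certificate Path: /etc/letsencrypt/live/forums.myfundomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/forums.myfundomain.com/privkey.pem'

# Demonstration wrappers that run the helpers over the sample.
lookup() { printf '%s\n' "$SAMPLE" | cert_name_for_domain "$1"; }
due()    { printf '%s\n' "$SAMPLE" | expiring_within "$1"; }
```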
You can use this command (for Apache server):
certbot --apache certonly -n -d domain1.com
--apache is for an Apache server; use the --nginx flag for an nginx server.
The -n option executes the command without a prompt.
-d domain1.com executes it only for domain1.com.
You can test with --dry-run, and you can use --pre-hook and --post-hook as with certbot renew.
Source: https://certbot.eff.org/docs/using.html#renewing-certificates
You can use this command on Nginx server
Stop Nginx server
sudo systemctl stop nginx
Renew certbot
sudo certbot certonly --force-renew -d domain1.com
Start Nginx server
sudo systemctl start nginx
Check current certs
sudo certbot certificates
Results:
Found the following certs:
Certificate Name: domain1.com
Serial Number: 4564f55f3fe993964f8bbc65249a7ed4c91
Key Type: RSA
Domains: domain1.com
Expiry Date: 2022-12-19 01:34:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/domain1.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/domain1.com/privkey.pem