Question

Lets Encrypt SSL no renewals were attempted

Posted October 28, 2019 4.5k views
Let's EncryptUbuntu 18.04

I’m trying to renewal my SSL certificate on my sit, when I run:

certbot renew

I get “No renewals were attempted” and when I run certbot certificates, I get “no certs found”.

I can see files in the /etc/letsencrypt for the site.com and www.site.com/

Add a comment
graemeb401f102bf96424ef668
By:
graemeb401f102bf96424ef668
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
7 answers
bobbyiliev November 6, 2019

Hi all,

As this turned out to be a long discussion, I will summarize it so that it is easier for anyone else who comes across this to find the solution:

  • The problem affected the Ghose droplets created from the DigitalOcean Marketplace

  • The problem was an outdated acme.sh script. The error that we were getting was:

Could not get nonce, let's try again.
  • To fix the issue we had to update the script from the dev branch of the acme repo:
sudo /etc/letsencrypt/acme.sh  --upgrade -b dev
  • After that, we noticed that the updated script was stored at:
/root/.acme.sh/acme.sh
  • To renew the SSL certificate we had to run:
/root/.acme.sh/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com
  • We also had to adjust the cronjob so that the certificate could be renewed automatically, so we had to change the path from /etc/letsencrypt/acme.sh to /root/.acme.sh/acme.sh, to do that just run:
crontab -e

Find the acme.sh cronjob and change the path accordingly.

Hope that this helps anyone who comes across the same issue!
Regards,
Bobby

Reply Report
  • lostinthefilm December 3, 2019

    Thanks for this, I was hitting this on a Ghost droplet too and couldn’t figure out why my usual certbot renew-fu wasn’t working.

    If you’re lazy like me and don’t want to update your cronfile, you can just move the old acme.sh script aside and symlink the new one in place:

    chmod +x /root/.acme.sh/acme.sh
mv /etc/letsencrypt/acme.sh /etc/letsencrypt/acme.sh.bak
ln -s /root/.acme.sh/acme.sh /etc/letsencrypt/acme.sh
    Reply Report
bobbyiliev October 28, 2019

Hello,

I could suggest a couple of things here:

  • Check the /etc/letsencrypt/renewal log

  • Try running the command with -v for more information, and then check the log again

  • Try running certbot renew --dry-run and check the output

  • Share your Nginx/Apache Vhost here so that I could advise you further

Regards,
Bobby

Reply Report
  • graemeb401f102bf96424ef668 October 28, 2019

    Thanks Bobby, im using a ubuntu ghost droplet, sorry im not sure what you mean by share vhost.

    This is what appears in renewal log

    019-10-28 13:40:23,642:DEBUG:certbot.main:Arguments: [’-v’]
    2019-10-28 13:40:23,643:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-10-28 13:40:23,654:DEBUG:certbot.log:Root logging level set at 10
    2019-10-28 13:40:23,655:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-10-28 13:40:41,553:DEBUG:certbot.main:certbot version: 0.23.0
    2019-10-28 13:40:41,554:DEBUG:certbot.main:Arguments: [’–dry-run’]
    2019-10-28 13:40:41,554:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-10-28 13:40:41,566:DEBUG:certbot.log:Root logging level set at 20
    2019-10-28 13:40:41,566:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-10-28 13:40:41,568:DEBUG:certbot.renewal:no renewal failures

    Reply Report
    • bobbyiliev October 29, 2019

      Hello,

      You can find your Nginx server block at /etc/nginx/sites-enabled. To see the content run:

      cat /etc/nginx/sites-enabled/your-domain.conf

      Just change the your-domain part with your actual domain name.

      Regards,
      Bobby

      Reply Report
      • graemeb401f102bf96424ef668 October 29, 2019

        Bobby this is my your-domain.conf file, within the server {

        listen 80;
        listen [::]:80;

        server_name www.yourdomain.com;
root /var/www/ghost/system/nginx-root;

location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_pass http://127.0.0.1:2369;
    return 301 https://www.yourdomain.com$request_uri;
}

location ~ /.well-known {
    allow all;
}

client_max_body_size 50m;
        Reply Report
        • bobbyiliev November 1, 2019

          Hello,

          Thanks for sharing the config! It actually looks absolutely correct, this part here is exactly what I thought you were missing:

          location ~ /.well-known {
    allow all;
}

          When does your SSL certificate expire? Maybe you still have a few weeks to go so that the renewal is not kicking in.

          Regards,
          Bobby

          Reply Report
          • graemeb401f102bf96424ef668 November 1, 2019

            Hello Bobby, the SSL certificate expires on the 4th, so in a few days time

            Reply Report
          • bobbyiliev November 1, 2019

            Hello,

            Are there any other config file sin your /etc/nginx/sites-enabled/ directory?

            If so can you share the content here again?

            If no, I would recommend trying to issue a new SSL for the domain name with:

            sudo certbot --nginx -d example.com -d www.example.com

            Let me know how it goes!
            Regards,
            Bobby

            Reply Report
graemeb401f102bf96424ef668 November 1, 2019

Hello Bobby, in total i have 5 configs in that folder.

ip.config
www.yourdomain.com.conf
www.yourdomain.com-ssl.conf
yourdomain.com.conf
yourdomain.com-ssl.conf

www.yourdomain.conf and yourdomain.com.conf are the same

but yourdomain-ssl.conf and yourdomain.com-sll.conf differ with the top added

 listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name yourdomain.com;
    root /var/www/ghost/system/nginx-root;

    ssl_certificate /etc/letsencrypt/yourdomain.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/yourdomain.com/yourdomain.com.key;
    include /etc/nginx/snippets/ssl-params.conf;

sudo certbot --nginx -d example.com -d www.example.com

When I run the above command, i get the following message:
The requested nginx plugin does not appear to be installed

Reply Report
  • paulkeller November 4, 2019

    i am having the exact same problem (replicated all the steps above) and by now my certificate has expired. any help would be much appreciated. /Paul

    Reply Report
    • graemeb401f102bf96424ef668 November 5, 2019

      Yeah my cert has now expired, not sure what to do. @bobbyiliev Should I manually remove all the certs that I have and try to install again that way?

      Just to add, I setup the certs via ghost. By ghost setup nginx ssl, and I can see them on # /etc/letsencrypt/acme.sh –home “/etc/letsencrypt” –list

      Reply Report
      • bobbyiliev November 5, 2019

        Hi @graemeb401f102bf96424ef668 and @paulkeller

        Can you try renewing the certificate with the following command:

        sudo /etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com

        Let me know how it goes!
        Regards,
        Bobby

        Reply Report
      • bobbyiliev November 5, 2019

        Also make sure that you have the following cron job:

        Edit your crontab:

        crontab -e

        Add the following if it does not exist:

        51 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null
        Reply Report
paulkeller November 5, 2019

i have that cron job (although it starts with a 52 not 51). When i run the other command i get the following: 

root@reframe-digital:~# sudo /etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain shared-digital.eu --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail paul.keller@gmail.com
[Tue Nov  5 13:09:49 UTC 2019] Renew: 'shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Single domain='shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Getting domain auth token for each domain
[Tue Nov  5 13:09:50 UTC 2019] Getting webroot for domain='shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Getting new-authz for domain='shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Could not get nonce, let's try again.
[Tue Nov  5 13:09:54 UTC 2019] Could not get nonce, let's try again.

this continues until i terminate the process

Reply Report
paulkeller November 5, 2019

no luck. i get this in response: 

root@reframe-digital:~# sudo /etc/letsencrypt/acme.sh  --upgrade -b dev
[Tue Nov  5 19:42:32 UTC 2019] Installing from online archive.
[Tue Nov  5 19:42:32 UTC 2019] Downloading https://github.com/Neilpang/acme.sh/archive/dev.tar.gz
[Tue Nov  5 19:42:33 UTC 2019] Extracting dev.tar.gz
[Tue Nov  5 19:42:33 UTC 2019] It is recommended to install socat first.
[Tue Nov  5 19:42:33 UTC 2019] We use socat for standalone server if you use standalone mode.
[Tue Nov  5 19:42:33 UTC 2019] If you don't use standalone mode, just ignore this warning.
[Tue Nov  5 19:42:33 UTC 2019] Installing to /root/.acme.sh
[Tue Nov  5 19:42:33 UTC 2019] Installed to /root/.acme.sh/acme.sh
[Tue Nov  5 19:42:33 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Nov  5 19:42:34 UTC 2019] OK
[Tue Nov  5 19:42:34 UTC 2019] Install success!
[Tue Nov  5 19:42:34 UTC 2019] Upgrade success!

but the “Could not get nonce, let’s try again.” remains

Reply Report
  • bobbyiliev November 5, 2019

    Hi @paulkeller

    Seems like it got installed at /root/.acme.sh/acme.sh. Can you try with the following command:

    /root/.acme.sh/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com

    Let me know if that works!
    Regards,
    Bobby

    Reply Report
paulkeller November 5, 2019

yes that solved it! whoever you are, you are a hero, thanks for helping with this! Do you have any idea if the cert will now auto renew going forward?

Reply Report
graemeb401f102bf96424ef668 November 5, 2019

Thank you @bobbyiliev, you deserve a good Christmas bonus this year!

I needed to make sure I had renewed by www cert and then it showed. Fingers crossed it will auto renew aswell

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help