Related

How do I apply SSL certificate generated by DigitalOcean to my domain? Question Question
SSL through their built in "Let's Encrypt" feature. Question Question

Question

Lets Encrypt SSL no renewals were attempted

Posted October 28, 2019 8.8k views
Let's EncryptUbuntu 18.04

I’m trying to renewal my SSL certificate on my sit, when I run:

certbot renew

I get “No renewals were attempted” and when I run certbot certificates, I get “no certs found”.

I can see files in the /etc/letsencrypt for the site.com and www.site.com/

Add a comment
graemeb401f102bf96424ef668
By:
graemeb401f102bf96424ef668
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
7 answers
bobbyiliev November 6, 2019

Hi all,

As this turned out to be a long discussion, I will summarize it so that it is easier for anyone else who comes across this to find the solution:

  • The problem affected the Ghose droplets created from the DigitalOcean Marketplace

  • The problem was an outdated acme.sh script. The error that we were getting was:

Could not get nonce, let's try again.
  • To fix the issue we had to update the script from the dev branch of the acme repo:
sudo /etc/letsencrypt/acme.sh  --upgrade -b dev
  • After that, we noticed that the updated script was stored at:
/root/.acme.sh/acme.sh
  • To renew the SSL certificate we had to run:
/root/.acme.sh/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com
  • We also had to adjust the cronjob so that the certificate could be renewed automatically, so we had to change the path from /etc/letsencrypt/acme.sh to /root/.acme.sh/acme.sh, to do that just run:
crontab -e

Find the acme.sh cronjob and change the path accordingly.

Hope that this helps anyone who comes across the same issue!
Regards,
Bobby

Reply Report
  • lostinthefilm December 3, 2019

    Thanks for this, I was hitting this on a Ghost droplet too and couldn’t figure out why my usual certbot renew-fu wasn’t working.

    If you’re lazy like me and don’t want to update your cronfile, you can just move the old acme.sh script aside and symlink the new one in place:

    chmod +x /root/.acme.sh/acme.sh
mv /etc/letsencrypt/acme.sh /etc/letsencrypt/acme.sh.bak
ln -s /root/.acme.sh/acme.sh /etc/letsencrypt/acme.sh
    Reply Report
bobbyiliev October 28, 2019

Hello,

I could suggest a couple of things here:

  • Check the /etc/letsencrypt/renewal log

  • Try running the command with -v for more information, and then check the log again

  • Try running certbot renew --dry-run and check the output

  • Share your Nginx/Apache Vhost here so that I could advise you further

Regards,
Bobby

Reply Report
  • graemeb401f102bf96424ef668 October 28, 2019

    Thanks Bobby, im using a ubuntu ghost droplet, sorry im not sure what you mean by share vhost.

    This is what appears in renewal log

    019-10-28 13:40:23,642:DEBUG:certbot.main:Arguments: [’-v’]
    2019-10-28 13:40:23,643:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-10-28 13:40:23,654:DEBUG:certbot.log:Root logging level set at 10
    2019-10-28 13:40:23,655:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-10-28 13:40:41,553:DEBUG:certbot.main:certbot version: 0.23.0
    2019-10-28 13:40:41,554:DEBUG:certbot.main:Arguments: [’–dry-run’]
    2019-10-28 13:40:41,554:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-10-28 13:40:41,566:DEBUG:certbot.log:Root logging level set at 20
    2019-10-28 13:40:41,566:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-10-28 13:40:41,568:DEBUG:certbot.renewal:no renewal failures

    Reply Report
    • bobbyiliev October 29, 2019

      Hello,

      You can find your Nginx server block at /etc/nginx/sites-enabled. To see the content run:

      cat /etc/nginx/sites-enabled/your-domain.conf

      Just change the your-domain part with your actual domain name.

      Regards,
      Bobby

      Reply Report
      • graemeb401f102bf96424ef668 October 29, 2019

        Bobby this is my your-domain.conf file, within the server {

        listen 80;
        listen [::]:80;

        server_name www.yourdomain.com;
root /var/www/ghost/system/nginx-root;

location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_pass http://127.0.0.1:2369;
    return 301 https://www.yourdomain.com$request_uri;
}

location ~ /.well-known {
    allow all;
}

client_max_body_size 50m;
        Reply Report
        • bobbyiliev November 1, 2019

          Hello,

          Thanks for sharing the config! It actually looks absolutely correct, this part here is exactly what I thought you were missing:

          location ~ /.well-known {
    allow all;
}

          When does your SSL certificate expire? Maybe you still have a few weeks to go so that the renewal is not kicking in.

          Regards,
          Bobby

          Reply Report
          • graemeb401f102bf96424ef668 November 1, 2019

            Hello Bobby, the SSL certificate expires on the 4th, so in a few days time

            Reply Report
          • bobbyiliev November 1, 2019

            Hello,

            Are there any other config file sin your /etc/nginx/sites-enabled/ directory?

            If so can you share the content here again?

            If no, I would recommend trying to issue a new SSL for the domain name with:

            sudo certbot --nginx -d example.com -d www.example.com

            Let me know how it goes!
            Regards,
            Bobby

            Reply Report
graemeb401f102bf96424ef668 November 1, 2019

Hello Bobby, in total i have 5 configs in that folder.

ip.config
www.yourdomain.com.conf
www.yourdomain.com-ssl.conf
yourdomain.com.conf
yourdomain.com-ssl.conf

www.yourdomain.conf and yourdomain.com.conf are the same

but yourdomain-ssl.conf and yourdomain.com-sll.conf differ with the top added

 listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name yourdomain.com;
    root /var/www/ghost/system/nginx-root;

    ssl_certificate /etc/letsencrypt/yourdomain.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/yourdomain.com/yourdomain.com.key;
    include /etc/nginx/snippets/ssl-params.conf;

sudo certbot --nginx -d example.com -d www.example.com

When I run the above command, i get the following message:
The requested nginx plugin does not appear to be installed

Reply Report
  • paulkeller November 4, 2019

    i am having the exact same problem (replicated all the steps above) and by now my certificate has expired. any help would be much appreciated. /Paul

    Reply Report
    • graemeb401f102bf96424ef668 November 5, 2019

      Yeah my cert has now expired, not sure what to do. @bobbyiliev Should I manually remove all the certs that I have and try to install again that way?

      Just to add, I setup the certs via ghost. By ghost setup nginx ssl, and I can see them on # /etc/letsencrypt/acme.sh –home “/etc/letsencrypt” –list

      Reply Report
      • bobbyiliev November 5, 2019

        Hi @graemeb401f102bf96424ef668 and @paulkeller

        Can you try renewing the certificate with the following command:

        sudo /etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com

        Let me know how it goes!
        Regards,
        Bobby

        Reply Report
      • bobbyiliev November 5, 2019

        Also make sure that you have the following cron job:

        Edit your crontab:

        crontab -e

        Add the following if it does not exist:

        51 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null
        Reply Report
paulkeller November 5, 2019

i have that cron job (although it starts with a 52 not 51). When i run the other command i get the following: 

root@reframe-digital:~# sudo /etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain shared-digital.eu --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail paul.keller@gmail.com
[Tue Nov  5 13:09:49 UTC 2019] Renew: 'shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Single domain='shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Getting domain auth token for each domain
[Tue Nov  5 13:09:50 UTC 2019] Getting webroot for domain='shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Getting new-authz for domain='shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Could not get nonce, let's try again.
[Tue Nov  5 13:09:54 UTC 2019] Could not get nonce, let's try again.

this continues until i terminate the process

Reply Report
paulkeller November 5, 2019

no luck. i get this in response: 

root@reframe-digital:~# sudo /etc/letsencrypt/acme.sh  --upgrade -b dev
[Tue Nov  5 19:42:32 UTC 2019] Installing from online archive.
[Tue Nov  5 19:42:32 UTC 2019] Downloading https://github.com/Neilpang/acme.sh/archive/dev.tar.gz
[Tue Nov  5 19:42:33 UTC 2019] Extracting dev.tar.gz
[Tue Nov  5 19:42:33 UTC 2019] It is recommended to install socat first.
[Tue Nov  5 19:42:33 UTC 2019] We use socat for standalone server if you use standalone mode.
[Tue Nov  5 19:42:33 UTC 2019] If you don't use standalone mode, just ignore this warning.
[Tue Nov  5 19:42:33 UTC 2019] Installing to /root/.acme.sh
[Tue Nov  5 19:42:33 UTC 2019] Installed to /root/.acme.sh/acme.sh
[Tue Nov  5 19:42:33 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Nov  5 19:42:34 UTC 2019] OK
[Tue Nov  5 19:42:34 UTC 2019] Install success!
[Tue Nov  5 19:42:34 UTC 2019] Upgrade success!

but the “Could not get nonce, let’s try again.” remains

Reply Report
  • bobbyiliev November 5, 2019

    Hi @paulkeller

    Seems like it got installed at /root/.acme.sh/acme.sh. Can you try with the following command:

    /root/.acme.sh/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com

    Let me know if that works!
    Regards,
    Bobby

    Reply Report
paulkeller November 5, 2019

yes that solved it! whoever you are, you are a hero, thanks for helping with this! Do you have any idea if the cert will now auto renew going forward?

Reply Report
graemeb401f102bf96424ef668 November 5, 2019

Thank you @bobbyiliev, you deserve a good Christmas bonus this year!

I needed to make sure I had renewed by www cert and then it showed. Fingers crossed it will auto renew aswell

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help