Let's Encrypt SSL no renewals were attempted

October 28, 2019
Let's Encrypt Ubuntu 18.04

I’m trying to renew my SSL certificate on my site. When I run:

certbot renew

I get “No renewals were attempted” and when I run certbot certificates, I get “no certs found”.

I can see files in the /etc/letsencrypt for the site.com and www.site.com/

7 Answers

Hi all,

As this turned out to be a long discussion, I will summarize it so that it is easier for anyone else who comes across this to find the solution:

  • The problem affected the Ghost droplets created from the DigitalOcean Marketplace

  • The problem was an outdated acme.sh script. The error that we were getting was:

    Could not get nonce, let's try again.

  • To fix the issue we had to update the script from the dev branch of the acme repo:

    sudo /etc/letsencrypt/acme.sh --upgrade -b dev

  • After that, we noticed that the updated script was stored at:

    /root/.acme.sh/acme.sh

  • To renew the SSL certificate we had to run:

    /root/.acme.sh/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com

  • We also had to adjust the cronjob so that the certificate could be renewed automatically, so we had to change the path from /etc/letsencrypt/acme.sh to /root/.acme.sh/acme.sh. To do that, just run:

    crontab -e

    Find the acme.sh cronjob and change the path accordingly.

Hope that this helps anyone who comes across the same issue!
Regards,
Bobby
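
The cron-path change from the last step above, as an added example that is not part of the original answer: a shell filter that repoints the acme.sh entry at /root/.acme.sh/acme.sh while leaving --home untouched, including the quoted "/etc/letsencrypt"/acme.sh form that appears in the cron line elsewhere in this thread. The function names and the sample crontab are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): repoint the acme.sh cron job at the
# upgraded script. Both paths are the ones quoted in the thread.
OLD_DIR=/etc/letsencrypt
NEW_SCRIPT=/root/.acme.sh/acme.sh

# Five schedule fields, then the old script path, with or without quotes
# around the directory (the thread's cron line has "/etc/letsencrypt"/acme.sh).
STALE_RE="^(([^[:space:]]+[[:space:]]+){5})\"?${OLD_DIR}\"?/acme\\.sh"

# has_stale_acme_cron (hypothetical name): crontab text on stdin; exit 0 if
# an active (non-comment) entry still runs the old script.
has_stale_acme_cron() {
    grep -Ev '^[[:space:]]*#' | grep -Eq "$STALE_RE"
}

# fix_acme_cron (hypothetical name): crontab text on stdin, corrected text on
# stdout. Only the script path changes; --home stays as it is because the
# certificates and account data remain under /etc/letsencrypt.
fix_acme_cron() {
    sed -E "/^[[:space:]]*#/!s#${STALE_RE}#\\1${NEW_SCRIPT}#"
}

# Constructed sample crontab for a dry run.
SAMPLE='# acme.sh renewal
52 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null'

printf '%s\n' "$SAMPLE" | fix_acme_cron

# To apply for real, after reviewing the output above:
#   crontab -l > crontab.bak
#   crontab -l | fix_acme_cron | crontab -
```
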

Hello,

I could suggest a couple of things here:

  • Check the /etc/letsencrypt/renewal log

  • Try running the command with -v for more information, and then check the log again

  • Try running certbot renew --dry-run and check the output

  • Share your Nginx/Apache Vhost here so that I could advise you further

Regards,
Bobby

  • Thanks Bobby, I'm using an Ubuntu Ghost droplet, sorry I'm not sure what you mean by share vhost.

    This is what appears in renewal log

    019-10-28 13:40:23,642:DEBUG:certbot.main:Arguments: ['-v']
    2019-10-28 13:40:23,643:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-10-28 13:40:23,654:DEBUG:certbot.log:Root logging level set at 10
    2019-10-28 13:40:23,655:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-10-28 13:40:41,553:DEBUG:certbot.main:certbot version: 0.23.0
    2019-10-28 13:40:41,554:DEBUG:certbot.main:Arguments: ['--dry-run']
    2019-10-28 13:40:41,554:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-10-28 13:40:41,566:DEBUG:certbot.log:Root logging level set at 20
    2019-10-28 13:40:41,566:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-10-28 13:40:41,568:DEBUG:certbot.renewal:no renewal failures

    • Hello,

      You can find your Nginx server block at /etc/nginx/sites-enabled. To see the content run:

      cat /etc/nginx/sites-enabled/your-domain.conf
      

      Just change the your-domain part with your actual domain name.

      Regards,
      Bobby

      • Bobby this is my your-domain.conf file, within the server {

        listen 80;
        listen [::]:80;

        server_name www.yourdomain.com;
        root /var/www/ghost/system/nginx-root;
        
        location / {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass http://127.0.0.1:2369;
            return 301 https://www.yourdomain.com$request_uri;
        }
        
        location ~ /.well-known {
            allow all;
        }
        
        client_max_body_size 50m;
        
        • Hello,

          Thanks for sharing the config! It actually looks absolutely correct, this part here is exactly what I thought you were missing:

          location ~ /.well-known {
              allow all;
          }
          

          When does your SSL certificate expire? Maybe you still have a few weeks to go so that the renewal is not kicking in.

          Regards,
          Bobby

          • Hello Bobby, the SSL certificate expires on the 4th, so in a few days time

          • Hello,

            Are there any other config files in your /etc/nginx/sites-enabled/ directory?

            If so can you share the content here again?

            If no, I would recommend trying to issue a new SSL for the domain name with:

            sudo certbot --nginx -d example.com -d www.example.com
            

            Let me know how it goes!
            Regards,
            Bobby

Hello Bobby, in total I have 5 configs in that folder.

ip.config
www.yourdomain.com.conf
www.yourdomain.com-ssl.conf
yourdomain.com.conf
yourdomain.com-ssl.conf

www.yourdomain.conf and yourdomain.com.conf are the same

but yourdomain-ssl.conf and yourdomain.com-ssl.conf differ with the top added

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name yourdomain.com;
    root /var/www/ghost/system/nginx-root;

    ssl_certificate /etc/letsencrypt/yourdomain.com/fullchain.cer;
    ssl_certificate_key /etc/letsencrypt/yourdomain.com/yourdomain.com.key;
    include /etc/nginx/snippets/ssl-params.conf;

sudo certbot --nginx -d example.com -d www.example.com

When I run the above command, I get the following message:
The requested nginx plugin does not appear to be installed

  • I am having the exact same problem (replicated all the steps above) and by now my certificate has expired. Any help would be much appreciated. /Paul

    • Yeah my cert has now expired, not sure what to do. @bobbyiliev Should I manually remove all the certs that I have and try to install again that way?

      Just to add, I set up the certs via ghost. By ghost setup nginx ssl, and I can see them on # /etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --list

      • Hi @graemeb401f102bf96424ef668 and @paulkeller

        Can you try renewing the certificate with the following command:

        sudo /etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com
        

        Let me know how it goes!
        Regards,
        Bobby

      • Also make sure that you have the following cron job:

        Edit your crontab:

        crontab -e
        

        Add the following if it does not exist:

        51 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null
        

I have that cron job (although it starts with a 52 not 51). When I run the other command I get the following:

root@reframe-digital:~# sudo /etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain shared-digital.eu --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail paul.keller@gmail.com
[Tue Nov  5 13:09:49 UTC 2019] Renew: 'shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Single domain='shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Getting domain auth token for each domain
[Tue Nov  5 13:09:50 UTC 2019] Getting webroot for domain='shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Getting new-authz for domain='shared-digital.eu'
[Tue Nov  5 13:09:50 UTC 2019] Could not get nonce, let's try again.
[Tue Nov  5 13:09:54 UTC 2019] Could not get nonce, let's try again.

This continues until I terminate the process.

No luck. I get this in response:

root@reframe-digital:~# sudo /etc/letsencrypt/acme.sh  --upgrade -b dev
[Tue Nov  5 19:42:32 UTC 2019] Installing from online archive.
[Tue Nov  5 19:42:32 UTC 2019] Downloading https://github.com/Neilpang/acme.sh/archive/dev.tar.gz
[Tue Nov  5 19:42:33 UTC 2019] Extracting dev.tar.gz
[Tue Nov  5 19:42:33 UTC 2019] It is recommended to install socat first.
[Tue Nov  5 19:42:33 UTC 2019] We use socat for standalone server if you use standalone mode.
[Tue Nov  5 19:42:33 UTC 2019] If you don't use standalone mode, just ignore this warning.
[Tue Nov  5 19:42:33 UTC 2019] Installing to /root/.acme.sh
[Tue Nov  5 19:42:33 UTC 2019] Installed to /root/.acme.sh/acme.sh
[Tue Nov  5 19:42:33 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Nov  5 19:42:34 UTC 2019] OK
[Tue Nov  5 19:42:34 UTC 2019] Install success!
[Tue Nov  5 19:42:34 UTC 2019] Upgrade success!

But the “Could not get nonce, let’s try again.” remains.

  • Hi @paulkeller

    Seems like it got installed at /root/.acme.sh/acme.sh. Can you try with the following command:

    /root/.acme.sh/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com
    

    Let me know if that works!
    Regards,
    Bobby

Yes, that solved it! Whoever you are, you are a hero, thanks for helping with this! Do you have any idea if the cert will now auto renew going forward?

Thank you @bobbyiliev, you deserve a good Christmas bonus this year!

I needed to make sure I had renewed my www cert and then it showed. Fingers crossed it will auto renew as well.

  • Hi @graemeb401f102bf96424ef668 and @paulkeller

    Thanks for the kind words guys! I am happy to hear that it’s working now!

    Regarding the renewal, you might have to adjust your cronjob so that it uses the updated script at /root/.acme.sh/acme.sh and not the default one /etc/letsencrypt/acme.sh.

    Regards,
    Bobby
