I’m trying to renewal my SSL certificate on my sit, when I run:
certbot renew
I get “No renewals were attempted” and when I run certbot certificates, I get “no certs found”.
I can see files in the /etc/letsencrypt for the site.com and www.site.com/
Hi all,
As this turned out to be a long discussion, I will summarize it so that it is easier for anyone else who comes across this to find the solution:
The problem affected the Ghose droplets created from the DigitalOcean Marketplace
The problem was an outdated acme.sh script. The error that we were getting was:
Could not get nonce, let's try again.
sudo /etc/letsencrypt/acme.sh --upgrade -b dev
/root/.acme.sh/acme.sh
/root/.acme.sh/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com
/etc/letsencrypt/acme.sh to /root/.acme.sh/acme.sh, to do that just run:crontab -e
Find the acme.sh cronjob and change the path accordingly.
Hope that this helps anyone who comes across the same issue!
Regards,
Bobby
Thanks for this, I was hitting this on a Ghost droplet too and couldn’t figure out why my usual certbot renew-fu wasn’t working.
If you’re lazy like me and don’t want to update your cronfile, you can just move the old acme.sh script aside and symlink the new one in place:
chmod +x /root/.acme.sh/acme.sh
mv /etc/letsencrypt/acme.sh /etc/letsencrypt/acme.sh.bak
ln -s /root/.acme.sh/acme.sh /etc/letsencrypt/acme.sh
That is a good point! Thank you for sharing this with the community.
Regards,
Bobby
Hello,
I could suggest a couple of things here:
Check the /etc/letsencrypt/renewal log
Try running the command with -v for more information, and then check the log again
Try running certbot renew --dry-run and check the output
Share your Nginx/Apache Vhost here so that I could advise you further
Regards,
Bobby
Thanks Bobby, im using a ubuntu ghost droplet, sorry im not sure what you mean by share vhost.
This is what appears in renewal log
019-10-28 13:40:23,642:DEBUG:certbot.main:Arguments: [’-v’]
2019-10-28 13:40:23,643:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-10-28 13:40:23,654:DEBUG:certbot.log:Root logging level set at 10
2019-10-28 13:40:23,655:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-10-28 13:40:41,553:DEBUG:certbot.main:certbot version: 0.23.0
2019-10-28 13:40:41,554:DEBUG:certbot.main:Arguments: [’–dry-run’]
2019-10-28 13:40:41,554:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-10-28 13:40:41,566:DEBUG:certbot.log:Root logging level set at 20
2019-10-28 13:40:41,566:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-10-28 13:40:41,568:DEBUG:certbot.renewal:no renewal failures
Hello,
You can find your Nginx server block at /etc/nginx/sites-enabled. To see the content run:
cat /etc/nginx/sites-enabled/your-domain.conf
Just change the your-domain part with your actual domain name.
Regards,
Bobby
Bobby this is my your-domain.conf file, within the server {
listen 80;
listen [::]:80;
server_name www.yourdomain.com;
root /var/www/ghost/system/nginx-root;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass http://127.0.0.1:2369;
return 301 https://www.yourdomain.com$request_uri;
}
location ~ /.well-known {
allow all;
}
client_max_body_size 50m;
Hello,
Thanks for sharing the config! It actually looks absolutely correct, this part here is exactly what I thought you were missing:
location ~ /.well-known {
allow all;
}
When does your SSL certificate expire? Maybe you still have a few weeks to go so that the renewal is not kicking in.
Regards,
Bobby
Hello Bobby, the SSL certificate expires on the 4th, so in a few days time
Hello,
Are there any other config file sin your /etc/nginx/sites-enabled/ directory?
If so can you share the content here again?
If no, I would recommend trying to issue a new SSL for the domain name with:
sudo certbot --nginx -d example.com -d www.example.com
Let me know how it goes!
Regards,
Bobby
Hello Bobby, in total i have 5 configs in that folder.
ip.config
www.yourdomain.com.conf
www.yourdomain.com-ssl.conf
yourdomain.com.conf
yourdomain.com-ssl.conf
www.yourdomain.conf and yourdomain.com.conf are the same
but yourdomain-ssl.conf and yourdomain.com-sll.conf differ with the top added
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name yourdomain.com;
root /var/www/ghost/system/nginx-root;
ssl_certificate /etc/letsencrypt/yourdomain.com/fullchain.cer;
ssl_certificate_key /etc/letsencrypt/yourdomain.com/yourdomain.com.key;
include /etc/nginx/snippets/ssl-params.conf;
sudo certbot --nginx -d example.com -d www.example.com
When I run the above command, i get the following message:
The requested nginx plugin does not appear to be installed
i am having the exact same problem (replicated all the steps above) and by now my certificate has expired. any help would be much appreciated. /Paul
Yeah my cert has now expired, not sure what to do. @bobbyiliev Should I manually remove all the certs that I have and try to install again that way?
Just to add, I setup the certs via ghost. By ghost setup nginx ssl, and I can see them on # /etc/letsencrypt/acme.sh –home “/etc/letsencrypt” –list
Hi @graemeb401f102bf96424ef668 and @paulkeller
Can you try renewing the certificate with the following command:
sudo /etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com
Let me know how it goes!
Regards,
Bobby
Also make sure that you have the following cron job:
Edit your crontab:
crontab -e
Add the following if it does not exist:
51 0 * * * "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt" > /dev/null
i have that cron job (although it starts with a 52 not 51). When i run the other command i get the following:
root@reframe-digital:~# sudo /etc/letsencrypt/acme.sh --force --renew --home /etc/letsencrypt --domain shared-digital.eu --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail paul.keller@gmail.com
[Tue Nov 5 13:09:49 UTC 2019] Renew: 'shared-digital.eu'
[Tue Nov 5 13:09:50 UTC 2019] Single domain='shared-digital.eu'
[Tue Nov 5 13:09:50 UTC 2019] Getting domain auth token for each domain
[Tue Nov 5 13:09:50 UTC 2019] Getting webroot for domain='shared-digital.eu'
[Tue Nov 5 13:09:50 UTC 2019] Getting new-authz for domain='shared-digital.eu'
[Tue Nov 5 13:09:50 UTC 2019] Could not get nonce, let's try again.
[Tue Nov 5 13:09:54 UTC 2019] Could not get nonce, let's try again.
this continues until i terminate the process
@bobbyiliev I get the same “Could not get nonce, let’s try again” error, I have that cron job on 27, but i updated it to use 51.
Hi @graemeb401f102bf96424ef668 and @paulkeller,
Thanks for sharing the error. After some research I think that you just have to update the ‘acme.sh’ script and it should fix this error.
To do so run:
sudo /etc/letsencrypt/acme.sh --upgrade
And then try the renewal command from my previous comment again.
Let me know how it goes!
Regards,
Bobby
@bobbyiliev @paulkeller Hey Im still getting the same error, even though I updated the acme.sh
Hi @paulkeller and @graemeb401f102bf96424ef668,
Could you try the updating from the dev branch:
sudo /etc/letsencrypt/acme.sh --upgrade -b dev
It is reported here that it fixed the issue for a few people.
Let me know how it goes!
Regards,
Bobby
no luck. i get this in response:
root@reframe-digital:~# sudo /etc/letsencrypt/acme.sh --upgrade -b dev
[Tue Nov 5 19:42:32 UTC 2019] Installing from online archive.
[Tue Nov 5 19:42:32 UTC 2019] Downloading https://github.com/Neilpang/acme.sh/archive/dev.tar.gz
[Tue Nov 5 19:42:33 UTC 2019] Extracting dev.tar.gz
[Tue Nov 5 19:42:33 UTC 2019] It is recommended to install socat first.
[Tue Nov 5 19:42:33 UTC 2019] We use socat for standalone server if you use standalone mode.
[Tue Nov 5 19:42:33 UTC 2019] If you don't use standalone mode, just ignore this warning.
[Tue Nov 5 19:42:33 UTC 2019] Installing to /root/.acme.sh
[Tue Nov 5 19:42:33 UTC 2019] Installed to /root/.acme.sh/acme.sh
[Tue Nov 5 19:42:33 UTC 2019] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Nov 5 19:42:34 UTC 2019] OK
[Tue Nov 5 19:42:34 UTC 2019] Install success!
[Tue Nov 5 19:42:34 UTC 2019] Upgrade success!
but the “Could not get nonce, let’s try again.” remains
Hi @paulkeller
Seems like it got installed at /root/.acme.sh/acme.sh. Can you try with the following command:
/root/.acme.sh/acme.sh --force --renew --home /etc/letsencrypt --domain yourdomain.com --webroot /var/www/ghost/system/nginx-root --reloadcmd "nginx -s reload" --accountemail yourmail@yourdomain.com
Let me know if that works!
Regards,
Bobby
yes that solved it! whoever you are, you are a hero, thanks for helping with this! Do you have any idea if the cert will now auto renew going forward?
Thank you @bobbyiliev, you deserve a good Christmas bonus this year!
I needed to make sure I had renewed by www cert and then it showed. Fingers crossed it will auto renew aswell
Hi @graemeb401f102bf96424ef668 and @paulkeller
Thanks for the kind words guys! I am happy to hear that it’s working now!
Regarding the renewal, you might have to adjust your cronjob so that it uses the updated script at /root/.acme.sh/acme.sh and not the default one /etc/letsencrypt/acme.sh.
Regards,
Bobby