Help renewing LetsEncrypt certificate.


Jailer (Not strong, but bad) · Joined Sep 12, 2014 · Messages 4,977
Joined Dec 2, 2015 · Messages 730
How do you test to check it works?

What user did you run the cron task as in the FreeNAS GUI? I just put www.
Add the --dry-run switch to your command and check your letsencrypt log for errors.

The cron task should be run as root.
I took a slightly different tack. My script logs the output of certbot to a log file:

Code:
#!/bin/sh
# Timestamp each run, then append certbot's output (errors included) to the same log.
date >> /root/renew_certs.log
/usr/local/bin/certbot renew >> /root/renew_certs.log 2>&1


I review the log to determine if everything is working OK. You can also check the expiry date of the SSL certificates using a web browser if you are using them for a web site.
 

Jailer (Not strong, but bad) · Joined Sep 12, 2014 · Messages 4,977
Joined Dec 2, 2015 · Messages 730
Certbot does that by default.
True, but I find the logs in /var/log/letsencrypt don't give me the level of detail I would prefer. For example, if no certificates are renewed because none were due, the normal logs don't contain the list of certificates that were not renewed. So it isn't possible to confirm that the expected certificates were checked.

Perhaps there is some setting change that would give me the detail I want, but I'm happy with the way my setup is working now, so I'm not going to dig through the docs looking for it.
 
Joined Jan 7, 2015 · Messages 1,155
To revisit this post for anyone in the future who comes here for help. So my certs came up for renewal and a couple of my domains were erroring out for unknown reasons, most likely due to my fancy virtual hosting, password protection, reverse proxying, etc. But I can report that doing it as standalone works like a dream. Make sure to stop your web server before doing it this way. From the jail all I did was run service apache24 stop and then simply certbot renew and selected option 2 "standalone". Then after it renewed them all I simply started apache again. Worked wonderfully. I'm sure this can be scripted up to run this way from cron. I'll write it up and post it if anyone else is having these similar issues.
 
Joined Jan 7, 2015 · Messages 1,155
Ok so it is this easy. Only having to care every 3 months and I'm out of practice.
/usr/local/bin/certbot renew --standalone --pre-hook "service apache24 stop" --post-hook "service apache24 start"
 

danb35 (Hall of Famer) · Joined Aug 16, 2011 · Messages 15,504
Ok so it is this easy.
Indeed it is, but it depends on the renewal working perfectly the one and only chance it will have to run before your cert expires.

Edit: If you used standalone when you originally obtained the cert, you shouldn't need to specify it with the renew command; renew will use whatever options were originally used to obtain the cert it's renewing.

Edit 2: You may want to investigate using the DNS-01 challenge for validation--that would allow you to run the renew job more frequently, and without stopping your apache server.
 
Joined Dec 2, 2015 · Messages 730
Indeed it is, but it depends on the renewal working perfectly the one and only chance it will have to run before your cert expires.
Not necessarily. I've set up a cron job that runs every 5 days to attempt to renew the certs. They will renew if they expire within 30 days, so there should be at least 5 chances to renew. I get the renewal logs via email, so I have 5 chances to catch the problem before the certs expire. Mind you, I haven't yet hit the 30 day window with the cron job since I first set it up, so the logs are only showing that no renewal was attempted because no certs were due.
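An added example, not from any poster in this thread: a cron wrapper that combines the standalone renewal one-liner above with the "run it every few days and read the logs" approach, and then checks how many days each live certificate has left, so a renewal that keeps failing is noticed before the 30-day window runs out. It assumes certbot at /usr/local/bin/certbot, apache24 as the web server, and the renewed certs under /usr/local/etc/letsencrypt/live/<name>/cert.pem (the thread only shows the sibling renewal directory); the WARN_DAYS threshold and the script name renew_certs.sh are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): cron wrapper for "certbot renew --standalone"
# with pre/post hooks, plus an expiry check on the renewed certificates.
# Assumptions: certbot at /usr/local/bin/certbot, web server apache24, and certs
# under ${LE_DIR}/live/<name>/cert.pem. WARN_DAYS and the script name are my choices.

LE_DIR="${LE_DIR:-/usr/local/etc/letsencrypt}"
LOG="${LOG:-/root/renew_certs.log}"
WARN_DAYS="${WARN_DAYS:-20}"     # complain if a cert has fewer days left than this

# cert_days_ok CERT DAYS: exit 0 if CERT is still valid DAYS days from now, 1 if it
# expires sooner or cannot be read. openssl's -checkend takes seconds.
cert_days_ok() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# check_live_certs DIR DAYS: prints one status line per DIR/<name>/cert.pem and
# returns the number of certs that expire within DAYS (0 means all are fine).
check_live_certs() {
    dir=$1; days=$2; bad=0
    for pem in "$dir"/*/cert.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$(dirname "$pem")")
        if cert_days_ok "$pem" "$days"; then
            printf 'OK       %s: valid for at least %s more days\n' "$name" "$days"
        else
            printf 'EXPIRING %s: %s\n' "$name" "$(openssl x509 -noout -enddate -in "$pem" 2>&1)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# run_renewal [extra certbot args]: apache is stopped only for the duration of the
# standalone challenge. Pass --dry-run to exercise the job against the staging server.
run_renewal() {
    /usr/local/bin/certbot renew --standalone \
        --pre-hook "service apache24 stop" \
        --post-hook "service apache24 start" "$@"
}

# main: log each run with a timestamp; print a summary to stderr only when something
# is wrong, because cron mails a job's output (if MAILTO is set), not its exit status.
main() {
    {
        date
        run_renewal "$@" || printf 'certbot renew exited with status %s\n' "$?"
    } >> "$LOG" 2>&1
    check_live_certs "$LE_DIR/live" "$WARN_DAYS" >> "$LOG"; bad=$?
    if [ "$bad" -gt 0 ]; then
        printf '%s cert(s) expire within %s days; see %s\n' "$bad" "$WARN_DAYS" "$LOG" >&2
    fi
    return "$bad"
}

# Only act when invoked as "renew_certs.sh renew [--dry-run]", so the functions
# above can also be sourced and exercised on their own.
if [ "${1:-}" = "renew" ]; then
    shift
    main "$@"
fi
```

Run it once by hand as `sh /root/renew_certs.sh renew --dry-run` and read the log before trusting it to cron; a cron line such as `0 3 */5 * * /root/renew_certs.sh renew` with MAILTO set then stays silent while everything is fine and mails a one-line summary (pointing at the log) as soon as a certificate gets within WARN_DAYS of expiry, which is the symptom of renewals failing repeatedly.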
 

danb35 (Hall of Famer) · Joined Aug 16, 2011 · Messages 15,504
Not necessarily. I've set up a cron job that runs every 5 days to attempt to renew the certs.
My remark was specific to the scenario @John Digital gave--running a cron job once every three months that stops apache, runs certbot renew, and then restarts apache. Since his environment appears (at least to him) to require stopping apache and letting certbot operate in standalone mode, this may be the best way to go, but there is a potential drawback.

Certainly, the renewal job can be run much more frequently (mine runs daily), but that wasn't the scenario I was responding to.
 

danb35 (Hall of Famer) · Joined Aug 16, 2011 · Messages 15,504
What is this renew window out of curiosity?
When you run certbot renew, it will check your existing certificate(s), and will only run the actual renewal if they have less than (by default) 30 days left. You can adjust that window in your config file, but 30 days is the default.
 
Joined Jan 7, 2015 · Messages 1,155
I do have this set to run once per month and started getting an email that said it was failing so I went in and did it manually. So there is more room for error.

Doing it in standalone is preferable to me now because so many of my directories are locked down with passwords and reverse proxying, it was causing the acme challenge to fail. For high traffic or heavily used sites you can gracefully stop and restart apache. My websites are only used by a handful of people, so this is the easiest one-line command to fire and forget the update process.
 

adrianwi (Guru) · Joined Oct 15, 2013 · Messages 1,231
I'm still on 9.3 and have a problem with this now as the certbot renew command results in the following:

Code:
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Running manual mode non-interactively is not supported',)
Attempting to renew cert from /usr/local/etc/letsencrypt/renewal/www.domain.co.uk.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Running manual mode non-interactively is not supported',). Skipping.


Tried updating certbot, but it doesn't want to work either from ports or packages. Even tried creating a new jail just to run the letsencrypt stuff in, but can't install certbot in that either. Looks like this could be the thing forcing me to 9.10 :-(

Any ideas which is the last version of 9.10 where virtualbox still works?
 
Joined Dec 2, 2015 · Messages 730
I'm still on 9.3 and have a problem with this now as the certbot renew command results in the following:

Code:
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Running manual mode non-interactively is not supported',)
Attempting to renew cert from /usr/local/etc/letsencrypt/renewal/www.domain.co.uk.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Running manual mode non-interactively is not supported',). Skipping.


Tried updating certbot, but it doesn't want to work either from ports or packages. Even tried creating a new jail just to run the letsencrypt stuff in, but can't install certbot in that either. Looks like this could be the thing forcing me to 9.10 :-(

Any ideas which is the last version of 9.10 where virtualbox still works?
Did you try a manual installation, using certbot-auto? I'd be surprised if that wouldn't get it working on 9.3.
 

adrianwi (Guru) · Joined Oct 15, 2013 · Messages 1,231
To be honest, I've started encountering issues in other jails due to FreeBSD 9 no longer being supported, so I need to get around to upgrading.

That said, I don't want to lose the virtualbox functionality until I've got my head around the alternatives.

A quick google search suggests that 9.10.2 was the version that broke virtualbox, so I'm hoping updating to 9.10.1-U4 should be ok? Given the Corral fiasco, I'm kind of glad I'd stopped updating FreeNAS on a regular basis, although now the path appears to be a continuation of 9.10 > 11 updating to 9.10.n probably makes sense. That and the fact I'm between contracts so have a little time on my hand to fix anything that breaks :smile:
 
Joined Jan 7, 2015 · Messages 1,155
Are you missing security/py-acme?
 
Joined Jan 7, 2015 · Messages 1,155
To be honest, I've started encountering issues in other jails due to FreeBSD 9 no longer being supported, so I need to get around to upgrading.

That said, I don't want to lose the virtualbox functionality until I've got my head around the alternatives.

A quick google search suggests that 9.10.2 was the version that broke virtualbox, so I'm hoping updating to 9.10.1-U4 should be ok? Given the Corral fiasco, I'm kind of glad I'd stopped updating FreeNAS on a regular basis, although now the path appears to be a continuation of 9.10 > 11 updating to 9.10.n probably makes sense. That and the fact I'm between contracts so have a little time on my hand to fix anything that breaks :)

I remember when that update broke VB. HERE is the thread Kam wrote to get it working again. Mine is still working to this day. I never bothered with Corral as I have everything running jailed I could ever need. I am on the latest version of FN 9.10. It should also be noted that I am only running a single Ubuntu (Musicbrainz) VM, so your mileage may vary. But I can absolutely vouch that if you want Virtualbox to work, it can be made to work.

One last note. I have never done any updates on that jail. So the versions that were available in that quarter are what I'm running to this day with no issues on 9.10.2-U3.
 