Help renewing LetsEncrypt certificate.

Status
Not open for further replies.

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Looks good. Run it manually and check your access log to see if it worked.
 
Joined
Jan 7, 2015
Messages
1,155
NICE..!!!!!!!!!!! I AM SO HAPPYY..!!! THANKS guys..!

@Jailer
After adding that section, changing the websites, and some more edits, I got the certbot certonly CONGRATULATIONS screen..! :)

@John Digital
THANKS MAN..! I really appreciate all the help you provided, between you and Jailer, you did it..! I LOVE YOU BOTH.!

Now, one last question, how can I make it so that once a month the certificate is renewed? Thanks..
You are welcome, but the thanks is owed to @Jailer, he got you there. For one of my next projects I'm going to spin up an nginx server so I can learn a little more about it. Cheers bud, glad it worked out for you.
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
@John Digital
Believe me, you helped out a ton as well, and showed a bunch of things I didn't know about webroot and nginx, THANKS..! AGAIN..! I am still really new to all this!
You should set up [Nextcloud (nginx) + https (letsencrypt) + fail2ban] and let us know about it (make a guide maybe :) )

@Jailer
ok will do..! THANKS
 

elie

Cadet
Joined
Jan 7, 2017
Messages
5
With certbot certonly choose option 2. But before doing that stop apache or nginx, then run the command.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
@Jailer
OK, this is how I did it, is it correct? If I understand it right, it should run the command at 9:00am and 8:00pm....

[Image: d4HxLpU.png]
Ok this didn't work after all but a script file does. You can create it in the root of your jail and call it from cron.

To create the script from the shell (preferably not the one in the GUI), log into your jail and run the following:

ee /renew.sh

Paste the following and save and exit.
Code:
#!/bin/sh
/usr/local/bin/certbot renew --quiet

Then change your cron entry to the following.

jexec nameofyourjail csh /renew.sh

Sorry for the dubious information I posted earlier. :(
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
@Jailer

Done and Done..! Thanks. It's fine dude, don't worry about it..! Thank god you tested and found a fix lol
THANKS..!
 
Joined
Dec 2, 2015
Messages
730
For other users, there is another option. I managed to install the certificates using nginx, but something had changed by the time I tried to renew. I gave up fighting with nginx, and renewed the certs using certbot's built-in web server. The renew command looks like:

certbot renew -a standalone --server https://acme-v01.api.letsencrypt.org/directory --pre-hook "service nginx stop" --post-hook "service nginx start"

This command first stops nginx, then renews using certbot's own web server, then restarts nginx. It is only a workable option if it is acceptable for the web service that uses nginx to be unavailable for a few seconds during the renewal process.
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
@Jailer
After doing the cron job the other way you told me, I get this email:

[Subject:] Cron <root@freenas> PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/root/bin" jexec ownCloud csh /renew.sh > /dev/null

[Inside the email:] /renew.sh: No such file or directory.

What is wrong? It's like it can't find the file....
 
Joined
Jan 7, 2015
Messages
1,155
I suspect it may be because the file is not executable. Also be sure the script file is in the root of the jail. From the owncloud jail's root: chmod +x renew.sh
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
[Inside the email:] /renew.sh: No such file or directory.
Did you create the file in the root of the jail like I described in my previous post?
 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
Did you create the file in the root of the jail like I described in my previous post?
I followed EXACTLY what you posted. When you say root of the jail, what does that mean? Because when I jexec into it, I see this:

[root@freenas] ~# jexec 14 csh
root@ownCloud:/ # ll
total 172
-rw-r--r-- 2 root wheel 966 Mar 24 2016 .cshrc
-rw-r--r-- 2 root wheel 254 Mar 24 2016 .profile
-r--r--r-- 1 root wheel 6197 Mar 24 2016 COPYRIGHT
drwxr-xr-x 2 root wheel 47 Mar 24 2016 bin/
drwxr-xr-x 8 root wheel 50 Mar 24 2016 boot/
dr-xr-xr-x 28 root wheel 512 Jan 5 14:12 dev/
drwxr-xr-x 23 root wheel 109 Jan 5 14:12 etc/
drwxr-xr-x 3 root wheel 52 Mar 24 2016 lib/
drwxr-xr-x 3 root wheel 5 Mar 30 2016 libexec/
drwxrwxrwx 6 1002 wheel 6 Jan 3 11:51 media/
drwxr-xr-x 3 root wheel 3 May 10 2016 mnt/
dr-xr-xr-x 1 root wheel 0 Jan 9 11:38 proc/
-rw-r--r-- 1 root wheel 56 Jan 9 08:57 renew.sh
drwxr-xr-x 2 root wheel 146 Mar 24 2016 rescue/
drwxr-xr-x 2 root wheel 9 May 10 2016 root/
drwxr-xr-x 2 root wheel 132 Mar 24 2016 sbin/
lrwxr-xr-x 1 root wheel 11 Mar 24 2016 sys@ -> usr/src/sys
drwxrwxrwt 6 root wheel 99 Jan 9 10:23 tmp/
drwxr-xr-x 16 root wheel 16 May 18 2016 usr/
drwxr-xr-x 26 root wheel 26 Jan 5 14:12 var/
root@ownCloud:/ #

I am assuming that IS the root of the jail....
 
Joined
Jan 7, 2015
Messages
1,155
I suspect it may be because the file is not executable. Also be sure the script file is in the root of the jail. From the owncloud jail's root: chmod +x renew.sh

File not executable. I have almost identical setup and it works. Only difference is my script is named differently.
 
Joined
Jan 7, 2015
Messages
1,155
Code:
#!/bin/sh
/usr/local/bin/certbot renew --post-hook "apachectl -k graceful" --quiet


For any Apache users out there.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
File not executable. I have almost identical setup and it works. Only difference is my script is named differently.
Odd, I have the same permissions and mine works. I also have a script in another jail for an rsync task with the same permissions and it runs just fine too.
 
Joined
Jan 7, 2015
Messages
1,155
Hmm, I'll test this a bit further. Maybe it doesn't need to be +x. I do it out of habit I guess.
 
Joined
Jan 7, 2015
Messages
1,155
Ok. Some results. If it isn't +x it returns permission denied.
Code:
root@apache:/ # mv cert_renewal.sh renew.sh
root@apache:/ # chmod -x renew.sh
root@apache:/ # /renew.sh
/renew.sh: Permission denied.
root@apache:/ # chmod +x renew.sh
root@apache:/ # nano renew.sh 


Here I remove the "--quiet" from the script.

Code:
root@apache:/ # /renew.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/owncloud.xxxx.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/xxxx.xxxx.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/xxxx.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/xxxx.club.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/xxxx.xxxx.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /usr/local/etc/letsencrypt/renewal/xxxx.net.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /usr/local/etc/letsencrypt/live/owncloud.xxxx.org/fullchain.pem (skipped)
  /usr/local/etc/letsencrypt/live/xxxx.xxxx.org/fullchain.pem (skipped)
  /usr/local/etc/letsencrypt/live/xxxx.org/fullchain.pem (skipped)
  /usr/local/etc/letsencrypt/live/xxxx.club/fullchain.pem (skipped)
  /usr/local/etc/letsencrypt/live/xxxx.xxxx.org/fullchain.pem (skipped)
  /usr/local/etc/letsencrypt/live/xxxx.net/fullchain.pem (skipped)
No renewals were attempted.
No renewals attempted, so not running post-hook
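
Added example, not part of any post in this thread: the results above show that running /renew.sh directly needs the execute bit, while the cron entry `jexec nameofyourjail csh /renew.sh` hands the file to csh, which only has to read it. The sketch below audits a root-run cron script for that and for unsafe write permissions; the function name `audit_cron_script` and the expectation that root owns the script are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): audit a script that root's cron runs,
# such as the /renew.sh created above. Usage: audit_cron_script PATH [OWNER]
# Prints one finding per line; returns 0 if nothing unsafe was found, else 1.
audit_cron_script() {
    script=$1
    want_owner=${2:-root}      # assumption: the script should belong to root
    problems=0
    if [ ! -f "$script" ]; then
        echo "MISSING: $script is not a regular file"
        return 1
    fi
    # "ls -ld" prints e.g. "-rw-r--r-- 1 root wheel ..." on FreeBSD and Linux.
    mode=$(ls -ld "$script" | awk '{print $1}')
    owner=$(ls -ld "$script" | awk '{print $3}')
    [ "$owner" = "$want_owner" ] || {
        echo "UNSAFE: owned by $owner, expected $want_owner"; problems=1
    }
    # Character 6 of the mode string is group-write, character 9 is other-write.
    # Anyone who can write the file controls what root's cron job executes.
    case $mode in ?????w*)    echo "UNSAFE: group-writable ($mode)"; problems=1 ;; esac
    case $mode in ????????w*) echo "UNSAFE: world-writable ($mode)"; problems=1 ;; esac
    # Character 4 is the owner's execute bit (x, or s when setuid is also set).
    case $mode in
        ???[xs]*) echo "INFO: owner can run $script as a command" ;;
        *) echo "INFO: no execute bit; 'csh $script' works, '$script' alone gives Permission denied" ;;
    esac
    return $problems
}

# Run against a path when one is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_cron_script "$@"
fi
```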

 

rodofrn

Contributor
Joined
Apr 13, 2016
Messages
180
WORKING NOW, never mind....

THANKS AGAIN GUYS, I think it is done,.....will keep you guys posted..!

How can I check if the renewal process is working??????????

When I ran /renew.sh, I didn't get an error, just a little wait time....and then I could input commands again (don't know how to call that wait time where the little square thingy just hangs there)
 
Joined
Jan 7, 2015
Messages
1,155
Code:
root@apache:/ # tail /var/log/letsencrypt/letsencrypt.log
2017-01-09 20:22:33,823:DEBUG:certbot.main:Arguments: ['--post-hook', 'apachectl -k graceful']
2017-01-09 20:22:33,824:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-01-09 20:22:33,842:INFO:certbot.renewal:Cert not yet due for renewal
2017-01-09 20:22:33,848:INFO:certbot.renewal:Cert not yet due for renewal
2017-01-09 20:22:33,853:INFO:certbot.renewal:Cert not yet due for renewal
2017-01-09 20:22:33,859:INFO:certbot.renewal:Cert not yet due for renewal
2017-01-09 20:22:33,864:INFO:certbot.renewal:Cert not yet due for renewal
2017-01-09 20:22:33,870:INFO:certbot.renewal:Cert not yet due for renewal
2017-01-09 20:22:33,870:DEBUG:certbot.renewal:no renewal failures
2017-01-09 20:22:33,870:INFO:certbot.hooks:No renewals attempted, so not running post-hook
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
How can I check if the renewal process is working??????????
If the cert isn't up for renewal it will just run and exit without doing anything. For testing purposes change the command in the script to certbot renew --dry-run and it will output the results in the terminal window.
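
Added example, not part of the thread: a way to check a finished run from the log rather than the terminal, using only the message texts visible in the letsencrypt.log excerpt posted above. The function names, the sample lines and the placeholder ERROR message are constructed, and treating a missing "no renewal failures" line as unhealthy is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread): summarise certbot log lines read on stdin.
# Line format, as in the tail output above: "DATE TIME,ms:LEVEL:logger:message".
summarize_renewal_log() {
    awk -F: '
        BEGIN { hook = "unknown" }
        # The timestamp itself holds two colons, so the level is field 4.
        $4 == "ERROR" || $4 == "CRITICAL"                { errors++ }
        $4 == "WARNING"                                  { warnings++ }
        /:certbot\.renewal:Cert not yet due for renewal/ { skipped++ }
        /:certbot\.renewal:no renewal failures/          { clean = 1 }
        /:certbot\.hooks:No renewals attempted/          { hook = "not-run" }
        END {
            printf "skipped=%d warnings=%d errors=%d clean=%s post_hook=%s\n",
                   skipped, warnings, errors, (clean ? "yes" : "no"), hook
            # Healthy only if certbot logged "no renewal failures" and no errors.
            exit ((clean && errors == 0) ? 0 : 1)
        }'
}

# Constructed sample in the same format as the log lines posted above.
sample_ok() {
    cat <<'EOF'
2017-01-09 20:22:33,823:DEBUG:certbot.main:Arguments: ['--post-hook', 'apachectl -k graceful']
2017-01-09 20:22:33,842:INFO:certbot.renewal:Cert not yet due for renewal
2017-01-09 20:22:33,848:INFO:certbot.renewal:Cert not yet due for renewal
2017-01-09 20:22:33,870:DEBUG:certbot.renewal:no renewal failures
2017-01-09 20:22:33,870:INFO:certbot.hooks:No renewals attempted, so not running post-hook
EOF
}

# Constructed failing run: the ERROR text is a placeholder, not real certbot output.
sample_bad() {
    cat <<'EOF'
2017-01-09 20:22:33,842:INFO:certbot.renewal:Cert not yet due for renewal
2017-01-09 20:22:34,101:ERROR:certbot.renewal:<constructed failure message>
EOF
}

# With a file argument summarise that log, otherwise the constructed sample.
if [ "$#" -gt 0 ]; then
    summarize_renewal_log < "$1"
else
    sample_ok | summarize_renewal_log
fi
```

Inside the jail, pass /var/log/letsencrypt/letsencrypt.log as the argument; a non-zero exit status can then drive a cron mail or other alert even though the renew script itself runs with --quiet.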
 