Let's Encrypt not renewing automatically? Try this

Hello,

If you’re facing the issue of your Let’s Encrypt certificates not renewing automatically, here’s what you can do.

(Tested on Google Cloud Compute instance running Ubuntu 16.04 LTS)

  1. Ensure you’re not using TLS-SNI-01 challenges for renewal. These are now disabled for most new certificate issuances.

    You can check this by viewing the contents of /etc/letsencrypt/renewal/<your domain here>.conf

    If it mentions the following, you’re using TLS-SNI-01 challenges:

     standalone_supported_challenges = "tls-sni-01"
    

    To fix this and use the newer Nginx plugin instead, run the following command and follow the prompts to force-update to a newer certificate for all your relevant domains:

     sudo /opt/certbot-auto --nginx
    

    (Note: If you’re using a different executable than certbot-auto, use that instead)

    You can use the following command to verify that this works:

      sudo /opt/certbot-auto renew --dry-run
    

    Additionally, you can verify that the relevant .conf files have been updated to use nginx as authenticator.

  2. The following cron job works for me on Ubuntu 16.04 (Use sudo crontab -e to set this):

     PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
     @monthly /opt/certbot-auto renew && systemctl restart nginx # Renew lets-encrypt every month
    

    It is essential to set PATH in the crontab, because the nginx executable needs to be discovered by certbot for it to function.

  3. (Optional) Ensure that your server uses an appropriate timezone, so that the cron job doesn’t end up running at a crucial time:
    https://www.wikihow.com/Change-the-Timezone-in-Linux

Hope this helps.

11 Likes
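An added example, not part of the original post: a shell helper that performs the step 1 check across every renewal config at once, reporting each certificate's authenticator and whether it still references TLS-SNI-01. The function names `conf_value` and `audit_renewal_confs` are hypothetical, and the script assumes the configs use the `key = value` lines shown above.

```bash
#!/usr/bin/env bash
# Audit certbot renewal configs for the retired TLS-SNI-01 challenge.
# Usage: audit_renewal_confs [dir]   (dir defaults to /etc/letsencrypt/renewal)
# Function names are illustrative; they are not part of certbot.

# Print the value of a "key = value" line from a renewal config, or nothing.
# $1 = key, $2 = file. Surrounding whitespace and double quotes are stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | head -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Print one line per config: "<name> authenticator=<x> status=<OK|TLS-SNI-01>".
# Returns 0 if all configs are clean, 1 if any still references tls-sni-01,
# and 2 if the directory holds no renewal configs at all.
audit_renewal_confs() {
    local dir="${1:-/etc/letsencrypt/renewal}"
    local bad=0 seen=0 conf auth status
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue      # unmatched glob stays literal
        seen=1
        auth="$(conf_value authenticator "$conf")"
        status=OK
        # Any non-comment line naming tls-sni-01 marks the config as stale.
        if grep -v '^[[:space:]]*#' "$conf" | grep -qi 'tls-sni-01'; then
            status=TLS-SNI-01
            bad=1
        fi
        printf '%s authenticator=%s status=%s\n' \
            "$(basename "$conf" .conf)" "${auth:-unset}" "$status"
    done
    [ "$seen" -eq 1 ] || { echo "no renewal configs in $dir" >&2; return 2; }
    return "$bad"
}
```

Source the file and run `sudo bash -c '. ./audit.sh; audit_renewal_confs'` (the file name is an assumption) before and after re-issuing with the nginx plugin; a non-zero exit status means at least one config still needs attention.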

Many thanks for posting this :grinning:

1 Like

Thanks. I will test it out. It will save us the headache of every three months renewal.

1 Like

To add to this post, there’s a way mentioned in the below link in the last section of the wiki article.

https://github.com/frappe/erpnext/wiki/Setting-up-TLS-SSL-certificates-Let’s-Encrypt-for-ERPNext-sites

1 Like

This is the latest link https://github.com/frappe/bench/wiki/Setup-Wildcard-SSL-certificate

FYI, the above command is required for auto renewal irrespective of the TLS-SNI-01 challenge issue mentioned above.

Hi,

I’m getting an error when trying to renew SSL. Any idea where things went wrong?


    Running setup.py install for zope.component: started
    Running setup.py install for zope.component: finished with status 'done'
    Exception:
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/pip/_internal/cli/base_command.py", line 176, in main
        status = self.run(options, args)
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/pip/_internal/commands/install.py", line 393, in run
        use_user_site=options.use_user_site,
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/pip/_internal/req/__init__.py", line 57, in install_given_reqs
        **kwargs
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/pip/_internal/req/req_install.py", line 919, in install
        use_user_site=use_user_site, pycompile=pycompile,
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/pip/_internal/req/req_install.py", line 445, in move_wheel_files
        warn_script_location=warn_script_location,
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/pip/_internal/wheel.py", line 583, in move_wheel_files
        outrows = get_csv_rows_for_installed(reader)
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/pip/_internal/wheel.py", line 565, in get_csv_rows_for_installed
        for fpath, digest, length in old_csv_rows:
    ValueError: too many values to unpack

    Certbot has problem setting up the virtual environment.

    We were not be able to guess the right solution from your pip
    output.

    Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
    for possible solutions.
    You may also find some support resources at https://certbot.eff.org/support/ .


Any assistance is highly appreciated.

kind regards
Hemant

1 Like

Apparently Let’s Encrypt is working on the problem. To find out more, check e.g. here: https://community.letsencrypt.org/t/certbot-auto-failed-to-complete-had-a-problem-while-installing-python-packages/83697/9

1 Like

Just got the same error a moment ago.

Looks like the bug has been fixed, re-ran ‘sudo bench renew-lets-encrypt’ and all is updated with no errors.

kind regards
Hemant

1 Like