[SOLVED] Lets Encrypt Nag!

Posted: Sun Mar 03, 2019 10:30 pm
by cpcnw

Been getting a few emails from Let's Encrypt nagging me about certificate renewal.

Decided to do a manual update instead of waiting for cron.

End result was

Code:

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ (success)
DietPi-LetsEncrypt | RPi 2 Model B (armv7l) | IP:

however just prior to that

Code:

[FAILED] Setting could not be added after desired line

The pattern $4 "mod_.+", could not be found in file $3 /etc/lighttpd/lighttpd.conf

Please retry with valid parameter $4 or apply the setting manually:

I just checked and this is the line in my lighty conf

Code:

server.modules  = ( "mod_access","mod_alias", "mod_rewrite", "mod_redirect", "mod_setenv" )

Should I be worried?

I also checked in cron.monthly and there is no ref to letsencrypt?

Re: Lets Encrypt Nag!

Posted: Sun Mar 03, 2019 10:46 pm
by cpcnw
just ran the following;

Code:

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name:
    Expiry Date: 2019-06-01 20:16:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/

And the site is up fine. If you get 90 days would there be any point in a cron.monthly anyway or is LetsEncrypt sensible enough not to bother if cert is already valid?

Re: Lets Encrypt Nag!

Posted: Sun Mar 03, 2019 11:09 pm
by cpcnw
OK so I just re-ran #dietpi-letsencrypt 1 and the second run outputted

Code:

Processing /etc/letsencrypt/renewal/
Cert not yet due for renewal
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/ (skipped)
No renewals were attempted.
Ignoring unknown module: dietpi-hsts

So that's answered the renewal question :)

I've pasted the following into /etc/cron.monthly/dietpit-letsencrypt

Code:

/DietPi/dietpi/dietpi-letsencrypt 1 &>> /var/log/letsencrypt/dietpi-letsencrypt.log

Hopefully that should sort it. Not sure what hsts is though?

Re: Lets Encrypt Nag!

Posted: Sun Mar 03, 2019 11:16 pm
by cpcnw
Crap - cron job halts waiting for input on the lighty error in first post!

Advice appreciated!

Re: Lets Encrypt Nag!

Posted: Tue Mar 05, 2019 10:26 am
by cpcnw
Seems like this is more urgent now?


Action may be required to prevent your Let's Encrypt certificate renewals from

If you already received a similar e-mail, this one contains updated information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 12 days. Below is a list of names and IP addresses
validated (max of one per account): (...) on 2019-03-03

TLS-SNI-01 validation is reaching end-of-life. It will stop working
permanently on March 13th, 2019. Any certificates issued before then will
continue to work for 90 days after their issuance date.

You need to update your ACME client to use an alternative validation method
(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals
will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like to
test whether your system will work after March 13, you can run against

If you're a Certbot user, you can find more information here: ... tbot/83210

Our forum has many threads on this topic. Please search to see if your question
has been answered, then open a new thread if it has not:

For more information about the TLS-SNI-01 end-of-life, please see our API
announcement: ... port/74209

Is there an update for the Diet-Pi?

Re: Lets Encrypt Nag!

Posted: Wed Mar 06, 2019 1:30 am
by MichaIng
The pattern $4 "mod_.+", could not be found in file $3 /etc/lighttpd/lighttpd.conf
server.modules = ( "mod_access","mod_alias", "mod_rewrite", "mod_redirect", "mod_setenv" )
This is indeed a one-liner in your lighttpd.conf? Hmm, this is neither Debian default nor DietPi default, where every module has its own line so the command above does not fail.
However you can safely ignore it since "mod_setenv" is already inside.

You are on Raspbian Stretch, right? There is a systemd unit installed with certbot that does the renewal attempt two times a day, check: systemctl status certbot

In case of Jessie (should be not the case with RPi), we place a weekly cron job: cat /etc/cron.weekly/dietpi-letsencrypt

So please remove your monthly cron job in every case, it is obsolete and not really made for non-interactive execution. As of the already present systemd or cron job, certbot renew instead is the way to go.

About the TLS-SNI-01 error:
Please run G_AGI certbot to update the package which should install certbot v0.28 which resolves the issue.
Then run certbot renew to check if everything is going right as expected.
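
An added example, not part of the reply above or of DietPi's own tooling: a small shell audit for the TLS-SNI-01 end-of-life that checks the certbot version against the v0.28 named in the reply and lists renewal configs that still prefer tls-sni-01. It assumes renewal configs may carry a `pref_challs` line; the sample configs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a certbot host for the TLS-SNI-01 end-of-life.

# version_ok "certbot 0.28.0" -> exit 0 when the version is at least 0.28,
# the release the reply above says resolves the issue.
version_ok() {
    ver=${1##* }        # strip the leading "certbot "
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 0 ] || [ "$minor" -ge 28 ]
}

# tls_sni_configs DIR -> print every renewal config in DIR whose
# pref_challs line (assumed key) still lists tls-sni-01.
tls_sni_configs() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*pref_challs[[:space:]]*=.*tls-sni-01' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample configs (not taken from the thread) so the check
# runs offline; on a real host pass /etc/letsencrypt/renewal instead.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '[renewalparams]' 'authenticator = standalone' \
        'pref_challs = tls-sni-01,' > "$d/old.example.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        'pref_challs = http-01,' > "$d/new.example.conf"
    printf '%s\n' "$d"
}

samples=$(make_samples)
echo "Renewal configs still preferring tls-sni-01:"
tls_sni_configs "$samples"
if version_ok "certbot 0.28.0"; then
    echo "certbot version is at least 0.28"
fi
rm -rf "$samples"
```

On a live system, feed `version_ok` the output of `certbot --version` and follow up with `certbot renew --dry-run`, which runs against the staging environment where TLS-SNI-01 is already disabled.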

Re: Lets Encrypt Nag!

Posted: Sun Mar 10, 2019 10:23 am
by cpcnw

Code:

root@raspi:~# systemctl status certbot
● certbot.service - Certbot
   Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
  Drop-In: /etc/systemd/system/certbot.service.d
   Active: inactive (dead) since Sun 2019-03-10 00:57:44 GMT; 8h ago
     Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
  Process: 30465 ExecStartPost=/bin/bash -c /bin/cat /etc/letsencrypt/live/
key.pem /etc/letsencrypt/live/ > /etc/letsencrypt/live/
combined.pem (code=exited, status=0/SUCCESS)
  Process: 30460 ExecStart=/usr/bin/certbot -q renew (code=exited, status=0/SUCCESS)
 Main PID: 30460 (code=exited, status=0/SUCCES
Mar 10 00:57:38 raspi systemd[1]: Starting Certbot...
Mar 10 00:57:44 raspi systemd[1]: Started Certbot.

Will remove cronjob now thanks!

Code:

root@raspi:~# G_AGI certbot
[  OK  ] Root access verified.
[  OK  ] APT installation for: certbot, please wait...
Extracting templates from packages: 100%
Selecting previously unselected package libpython3.5-minimal:armhf.
| Removed multiple lines - no error messages :)
Processing triggers for libc-bin (2.24-11+deb9u4) ...
[  OK  ] G_AGI: certbot

root@raspi:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - -
Processing /etc/letsencrypt/renewal/
- - - - - - - - - - - - - - - - - - - - - - -  - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - -  - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/ expires on 2019-06-01 (skipped)
No renewals were attempted.

root@raspi:~# certbot --version
certbot 0.28.0

Amazing - thanks so much for help - will mark solved etc - will make donation :)