[SOLVED] Lets Encrypt Nag! Topic is solved

Have some feedback, questions, suggestions, or just fancy a chat? Pop it in here.
Post Reply
cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

[SOLVED] Lets Encrypt Nag!

Post by cpcnw »

Hi,

Been getting a few emails from Lets Encrypt nagging me about certificate renewal.

Decided to do manual update instead of waiting for cron

End result was

Code: Select all

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/www.domain.co.uk/fullchain.pem (success)
DietPi-LetsEncrypt | RPi 2 Model B (armv7l) | IP:
however just prior to that

Code: Select all

DietPi-LetsEncrypt 
[FAILED] Setting could not be added after desired line

The pattern $4 "mod_.+", could not be found in file $3 /etc/lighttpd/lighttpd.conf

Please retry with valid parameter $4 or apply the setting manually:
"mod_setenv",
I just checked and this is the line in my lighty conf

Code: Select all

server.modules  = ( "mod_access","mod_alias", "mod_rewrite", "mod_redirect", "mod_setenv" )
Should I be worried?

I also checked in cron.monthly and there is no ref to letsencrypt?
Last edited by cpcnw on Sun Mar 10, 2019 10:28 am, edited 2 times in total.
cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

Re: Lets Encrypt Nag!

Post by cpcnw »

just ran the following;

Code: Select all

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: www.domain.co.uk
    Domains: www.domain.co.uk
    Expiry Date: 2019-06-01 20:16:51+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.domain.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.domain.co.uk/privkey.pem
And the site is up fine. If you get 90 days would there be any point in a cron.monthly anyway or is LetsEncrypt sensible enough not to bother if cert is already valid?
cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

Re: Lets Encrypt Nag!

Post by cpcnw »

OK so I just re-ran #dietpi-letsencrypt 1 and the second run outputted

Code: Select all

Processing /etc/letsencrypt/renewal/www.domain.co.uk.conf
Cert not yet due for renewal
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.domain.co.uk/fullchain.pem (skipped)
No renewals were attempted.
Ignoring unknown module: dietpi-hsts
So that's answered the renewal question :)

Ive pasted the following into /etc/cron.monthly/dietpit-letsencrypt

Code: Select all

#!/bin/bash
{
/DietPi/dietpi/dietpi-letsencrypt 1 &>> /var/log/letsencrypt/dietpi-letsencrypt.log
exit
}
Hopefully that should sort it. Not sure what hsts is though?
cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

Re: Lets Encrypt Nag!

Post by cpcnw »

Crap - cron job halts waiting for input on the lighty error in first post!

Advice appreciated!
cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

Re: Lets Encrypt Nag!

Post by cpcnw »

Seems like this is more urgent now?

---

Action may be required to prevent your Let's Encrypt certificate renewals from
breaking.

If you already received a similar e-mail, this one contains updated information.

Your Let's Encrypt client used ACME TLS-SNI-01 domain validation to issue a
certificate in the past 12 days. Below is a list of names and IP addresses
validated (max of one per account):

www.domain.co.uk (...) on 2019-03-03

TLS-SNI-01 validation is reaching end-of-life. It will stop working
permanently on March 13th, 2019. Any certificates issued before then will
continue to work for 90 days after their issuance date.

You need to update your ACME client to use an alternative validation method
(HTTP-01, DNS-01 or TLS-ALPN-01) before this date or your certificate renewals
will break and existing certificates will start to expire.

Our staging environment already has TLS-SNI-01 disabled, so if you'd like to
test whether your system will work after March 13, you can run against
staging: https://letsencrypt.org/docs/staging-environment/

If you're a Certbot user, you can find more information here:
https://community.letsencrypt.org/t/how ... tbot/83210

Our forum has many threads on this topic. Please search to see if your question
has been answered, then open a new thread if it has not:
https://community.letsencrypt.org/

For more information about the TLS-SNI-01 end-of-life, please see our API
announcement:
https://community.letsencrypt.org/t/feb ... port/74209
---

Is there an update for the Diet-Pi ?
User avatar
MichaIng
Site Admin
Posts: 2421
Joined: Sat Nov 18, 2017 6:21 pm

Re: Lets Encrypt Nag!

Post by MichaIng »

@cpcnw
The pattern $4 "mod_.+", could not be found in file $3 /etc/lighttpd/lighttpd.conf
...
server.modules = ( "mod_access","mod_alias", "mod_rewrite", "mod_redirect", "mod_setenv" )
This is indeed a one-liner in your lighttpd.conf? Hmm this is neither Debian default nor DietPi default, where every module has it's own line so the command above does not fail.
However you can safely ignore it since "mod_setenv" is already inside.

You are on Raspbian Stretch, right? There is a systemd unit installed with certbot that does the renewal attempt two times a day, check: systemctl status certbot

In case of Jessie (should be not the case with RPi), we place a weekly cron job: cat /etc/cron.weekly/dietpi-letsencrypt

So please remove your monthly cron job in every case, it is obsolete and not really made for non-interactive execution. As of the already present systemd or cron job, certbot renew instead is the way to go.

About the TLS-SNI-01 error:
Please run G_AGI certbot to update the package which should install cerbot v0.28 which resolves the issue.
Then run certbot renew to check if everything is going right as expected.
cpcnw
Posts: 17
Joined: Wed Jun 29, 2016 8:31 am

Re: Lets Encrypt Nag!

Post by cpcnw »

Code: Select all

root@raspi:~# systemctl status certbot
? certbot.service - Certbot
   Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
  Drop-In: /etc/systemd/system/certbot.service.d
           +-dietpi-lighttpd.conf
   Active: inactive (dead) since Sun 2019-03-10 00:57:44 GMT; 8h ago
     Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
           https://letsencrypt.readthedocs.io/en/latest/
  Process: 30465 ExecStartPost=/bin/bash -c /bin/cat /etc/letsencrypt/live/www.domain.co.uk/priv
key.pem /etc/letsencrypt/live/www.domain.co.uk/cert.pem > /etc/letsencrypt/live/www.domain.co.uk/
combined.pem (code=exited, status=0/SUCCESS)
  Process: 30460 ExecStart=/usr/bin/certbot -q renew (code=exited, status=0/SUCCESS)
 Main PID: 30460 (code=exited, status=0/SUCCES
Mar 10 00:57:38 raspi systemd[1]: Starting Certbot...
Mar 10 00:57:44 raspi systemd[1]: Started Certbot.
Will remove cronjob now thanks!

Code: Select all

root@raspi:~# G_AGI certbot
[  OK  ] Root access verified.
[  OK  ] APT installation for: certbot, please wait...
Extracting templates from packages: 100%
Selecting previously unselected package libpython3.5-minimal:armhf.
|
| Removed multiple lines - no error messages :)
|
Processing triggers for libc-bin (2.24-11+deb9u4) ...
[  OK  ] G_AGI: certbot

root@raspi:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - -- - - - - - - - -
Processing /etc/letsencrypt/renewal/www.domain.co.uk.conf
- - - - - - - - - - - - - - - - - - - - - - -  - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - -  - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/www.domain.co.uk/fullchain.pem expires on 2019-06-01 (skipped)
No renewals were attempted.

root@raspi:~# certbot --version
certbot 0.28.0
Amazing - thanks so much for help - will marked solved etc - will make donation :)
Post Reply