How to update Let's Encrypt certificate?

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
I received an email notice from Let's Encrypt to the effect that my cert will shortly expire, advising renewal (and suggesting setting up auto-renewal).

I installed Nextcloud and the cert using @danb35's script, AFAIK without problem. I recall some interaction with the cert issue process, and I have the impression that auto-renewal setup was in place...

I have searched for info on the renewal process and so far haven't found a pointer to the starting place or the process. In one thread with a different context @danb35 advised running certbot certificates to get information on existing certs. My result is "no certs found".

So, I'm not sure where to go next and would much appreciate some help.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Is your question about the cert for Nextcloud? If so, how long ago did you set it up? And are you sure the expiration warning isn't for the staging environment?
 

Redcoat

> Is your question about the cert for Nextcloud? If so, how long ago did you set it up?

Thanks, Dan. I "believe" I am asking about the cert for Nextcloud as I don't know that I have (or ever had?) any other.

> And are you sure the expiration warning isn't for the staging environment?

No, I'm not sure about that - I don't even know what "the staging environment" is (but I will research it now...).
 

danb35

> No, I'm not sure about that

If you can post the text of that email (redact the domain if you like), it'll be easy to tell.
 

Redcoat

OK, I looked up "staging environment" and yes, I do know what it is - I used it to install, then removed it, as I'm pretty sure there was an obvious acknowledgement of some sort.

Here's the email text:

Hello,
Your certificate (or certificates) for the names listed below will expire in 19 days (on 16 May 21 01:08 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

<domain snipped>

For any questions or support, please visit: https://community.letsencrypt.org/ Unfortunately, we can't provide support by email.
For details about when we send these emails, please visit: https://letsencrypt.org/docs/expiration-emails/ In particular, note that this reminder email is still sent if you've obtained a slightly different certificate by adding or removing names. If you've replaced this certificate with a newer one that covers more or fewer names than the list above, you may be able to ignore this message.

If you are receiving this email in error, unsubscribe at:

<snip>

Please note that this would also unsubscribe you from other Let's Encrypt service notices, including expiration reminders for any other certificates.

Regards,


EDIT - I'm now thinking that I reinstalled Nextcloud with your script "not so long ago" - maybe 3 months. Perhaps I did not finish that correctly...
 

danb35

No, that doesn't look like it's from the staging environment. For context, by default, my script configures Caddy to obtain certs from the Let's Encrypt staging environment, in order to avoid exceeding the rate limits--but those certs wouldn't be trusted by your browser. Once your environment is stable and everything's otherwise working, I have a small script to change you to using the production environment. From the README:


But when you do that, the staging cert will expire, and you'll get a few warning emails about that. So that was my first guess--but I'm pretty sure the text would indicate that.

So, to continue--how long have you been running Nextcloud using my script?
 

Redcoat

> So, to continue--how long have you been running Nextcloud using my script?

Sorry, failed to include that: first install - probably 2 years, with a re-install maybe 3-4 months ago.

Edit: Last December for "recent" reinstall.
 

danb35

> with a re-install maybe 3-4 months ago.

If you'd installed it that long ago, it should have managed to renew the cert at least once. Hmmm.

Inside the jail, what's the content of /var/log/caddy.log?
 

Redcoat

Hmmm... no such file in /var/log in the pms jail
 

Redcoat

Oh, shoot!!! Sorry - we are. My face is RED!

It's a 3039 line file. I'm ssh'd in but unsure how to copy the content...
 

danb35

> "error":"Timeout during connect (likely firewall problem)"

OK, there's your problem--your server isn't accessible from the Internet. You have certs issued in February, last December, last November, last September, and before that, so this indicates something has changed. I'd say check your dynamic DNS to make sure it's updating properly, and your firewall to make sure it's forwarding ports 80 and 443 to your jail.
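
The log triage described in the post above, as an added example that is not part of the thread or of danb35's script: it scans a JSON log for the last successful issuance and groups ACME errors by what to check. The sample lines are constructed, and every field name other than "error" (plus the hint table) is an assumption about the log layout.

```python
import json
from collections import Counter

# Constructed sample lines (not from the thread). Field names other than
# "error" are assumptions; only the "error" text is quoted on the page.
SAMPLE_LOG = """\
{"level":"info","ts":1612300000.0,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"cloud.example.org"}
{"level":"error","ts":1618900000.0,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"cloud.example.org","challenge_type":"http-01","error":"Timeout during connect (likely firewall problem)"}
{"level":"error","ts":1618903600.0,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"cloud.example.org","challenge_type":"tls-alpn-01","error":"Timeout during connect (likely firewall problem)"}
2021/04/20 07:00:00 a non-JSON line that must be skipped
"""

# Substring of the ACME error -> what to check (hint wording is illustrative).
HINTS = {
    "timeout during connect": "server unreachable from the Internet: check dynamic DNS and port forwarding for 80/443",
    "connection refused": "port reachable but nothing listening: check that the web server is running",
    "nxdomain": "name does not resolve: check the DNS record",
}

def summarize(log_text):
    """Return (last_success_ts, Counter of hints) for ACME events in a JSON log."""
    last_success, hints = None, Counter()
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # plain-text or truncated line
        if not isinstance(entry, dict):
            continue
        msg = str(entry.get("msg", "")).lower()
        err = str(entry.get("error", "")).lower()
        if entry.get("level") == "info" and "certificate obtained" in msg:
            last_success = max(last_success or 0, entry.get("ts", 0))
        elif err:
            hint = next((h for k, h in HINTS.items() if k in err),
                        "unclassified: read the full entry")
            hints[hint] += 1
    return last_success, hints

if __name__ == "__main__":
    ok_ts, found = summarize(SAMPLE_LOG)
    print("last successful issuance (epoch):", ok_ts)
    for hint, n in found.most_common():
        print(f"{n:4d}  {hint}")
```
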
 

Redcoat

> I'd say check your dynamic DNS to make sure it's updating properly,

It wasn't! It is now. I'm now going to have to understand why it wasn't and/or why I didn't know it wasn't. I suspect that a W10 update nuked the updater app.

Thanks for your help as always!
 

danb35

Yep, it's up now. The cert isn't renewed now, but now that DNS is updated properly, Caddy should renew the cert next time it gets around to that.
 