Excellent. Now we'll fix your system so the scheduled renewal works right. First, delete these two config files that are not used and not working right sudo rm /etc/letsencrypt/renewal/mobps.de-0001.conf sudo rm /etc/letsencrypt/renewal/mobps.de.conf Also try deleting the one below. Please show result of command. It might not work as it is partly damaged. We will do a different way if this fails sudo certbot delete --cert-name MoBPSCert

Thank you so very much for all your time and your patience

changed in /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default as well restarted nginx also. it's secured until September 10

Good. Let's change your nginx config to use that new certificate Change these two lines ssl_certificate /etc/letsencrypt/live/MoBPSCert/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/MoBPSCert/privkey.pem; To this and restart nginx after ssl_certificate /etc/letsencrypt/live/mobps.de-0002/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/mobps.de-0002/privkey.pem; Once we confirm nginx is using the new cert we will remove all the damaged config files and directories

Yes, Congratulations, all simulated renewals succeeded: /etc/letsencrypt/live/mobps.de-0002/fullchain.pem (success)

Amu: > Simulating renewal of an existing certificate for mobps.de and www.mobps.de What did it say after that? Did it say the simulation was successful?

No, I didn't.

Amu: > sorry, i deleted this. Why did you delete that post? Did you also delete all those directories?

MikeMcQ: > `sudo certbot renew --dry-run --cert-name mobps.de-0002` $ sudo certbot renew --dry-run --cert-name mobps.de-0002 Saving debug log to /var/log/letsencrypt/letsencrypt.log * * * Processing /etc/letsencrypt/renewal/mobps.de-0002.conf * * * failed to fetch renewal_info URL (https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo/nytfzzwhT50Et-0rLMTGcIvS1w0.Bcd3ubKg-l6agfECrRg9O3qW): urn:ietf:params:acme:error:malformed :: The request message was malformed :: While parsing ARI CertID an error occurred :: path contained an Authority Key Identifier that did not match a known issuer Simulating renewal of an existing certificate for mobps.de and www.mobps.de

Okay, let's make sure this cert can be renewed. We still need to change your nginx config and fix all these damaged configs and directories but let's do this first Please show output of this sudo certbot renew --dry-run --cert-name mobps.de-0002

here are the output of the commands : $ sudo rm /etc/letsencrypt/renewal/mobps.de.conf $ sudo certbot certonly --cert-name mobps.de --nginx -d mobps.de -d www.mobps.de Saving debug log to /var/log/letsencrypt/letsencrypt.log Requesting a certificate for mobps.de and www.mobps.de archive directory exists for mobps.de Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.$: command not found $ sudo rm /etc/letsencrypt/renewal/mobps.de-0001.conf $: command not found $ sudo certbot certonly --cert-name mobps.de --nginx -d mobps.de -d www.mobps.de $: command not found $ Saving debug log to /var/log/letsencrypt/letsencrypt.log Saving: command not found $ Requesting a certificate for mobps.de and www.mobps.de Requesting: command not found $ archive directory exists for mobps.de Command 'archive' not found, did you mean: command 'parchive' from deb parchive command 'garchive' from deb geda-utils Try: sudo apt install $ Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details. Command 'Ask' not found, did you mean: command 'ask' from deb ask Try: sudo apt install $ sudo certbot certonly --cert-name mobps.de --nginx -d mobps.de -d www.mobps.de [sudo] password for nha: Saving debug log to /var/log/letsencrypt/letsencrypt.log Requesting a certificate for mobps.de and www.mobps.de archive directory exists for mobps.de-0001 Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Amu: > archive directory exists for mobps.de Oh, sorry, that was not expected. You earlier showed no .../live/.. directory for that cert name. I should have asked to see the .../archive/... too. Please delete that directory and contents sudo rm /etc/letsencrypt/archive/mobps.de/* sudo rmdir /etc/letsencrypt/archive/mobps.de Then, re-run the `certbot certonly` command from my last post and show result. Thanks

Yes, nginx was running while I used the below commands.. $ sudo rm /etc/letsencrypt/renewal/mobps.de.conf $ sudo rm /etc/letsencrypt/renewal/mobps.de-0001.conf $ sudo certbot certonly --cert-name mobps.de --nginx -d mobps.de -d www.mobps.de Saving debug log to /var/log/letsencrypt/letsencrypt.log Requesting a certificate for mobps.de and www.mobps.de archive directory exists for mobps.de Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Adding to the above: Initial IP was deprecated separately and is unrelated. It was not part of the ACME spec, and did not receive an API announcement.

Amu: > certbot by myself. Will try your suggestions at this point. Okay. Let's setup a fresh Certbot config for a Let's Encrypt cert. We will go step by step to make sure all is working as expected The first steps are these. Make sure nginx is running before doing the Certbot command sudo rm /etc/letsencrypt/renewal/mobps.de.conf sudo rm /etc/letsencrypt/renewal/mobps.de-0001.conf sudo certbot certonly --cert-name mobps.de --nginx -d mobps.de -d www.mobps.de

certbot_ssl.txt (10.5 KB) Above link is the nginx -T code. **Do you use that cert anywhere else other than nginx?** - I don;t use it anywhere. Only in nginx. "I need some time to think about how best to proceed. You have badly damaged your Certbot directories. Please do not make manual changes to those directories or their contents. Only use Certbot commands and it will manage those directories properly." - Sure.. I am not changing anything. I just received an email from my university support team saying "Sectigo has not been the GÉANT TCS PKI service provider for University since January 2025". Now I have an option to create a new ssl certificate for a year at HARICA by myself or certbot by myself. Will try your suggestions at this point. Thank you so much for looking at my code and giving suggestions..

$sudo nginx -T nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful configuration file /etc/nginx/nginx.conf: user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { worker_connections 1024; # multi_accept on; } http { ## # Basic Settings ## #client_max_body_size 1024M; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 650000s; types_hash_max_size 2048; client_body_timeout 12; client_header_timeout 12; client_body_buffer_size 10k; client_header_buffer_size 1k; client_max_body_size 8m; large_client_header_buffers 4 8k; #optimize session tickets #ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; #Enable session tickets ssl_session_tickets on; add_header X-Cache-Status $upstream_cache_Status; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL Settings ## #ssl on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MDS:!PSK:!RC4; ssl_prefer_server_ciphers on; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } #mail { # See sample authentication script at:# GitHub - nginxinc/nginx-wiki: ARCHIVED -- Source for the now archived NGINX Wiki section of https://www.nginx.com# auth_http localhost/auth.php;# pop3_capabilities "TOP" "USER";# imap_capabilities "IMAP4rev1" "UIDPLUS";server {listen localhost:110;protocol pop3;proxy on;}server {listen localhost:143;protocol imap;proxy on;} #} configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf: load_module modules/ngx_http_geoip_module.so; configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf: load_module modules/ngx_http_image_filter_module.so; configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf: load_module modules/ngx_http_xslt_filter_module.so; configuration file /etc/nginx/modules-enabled/50-mod-mail.conf: load_module modules/ngx_mail_module.so; configuration file /etc/nginx/modules-enabled/50-mod-stream.conf: load_module modules/ngx_stream_module.so; configuration file /etc/nginx/mime.types: types { text/html html htm shtml; text/css css; text/xml xml; image/gif gif; image/jpeg jpeg jpg; application/javascript js; application/atom+xml atom; application/rss+xml rss; text/mathml mml; text/plain txt; text/vnd.sun.j2me.app-descriptor jad; text/vnd.wap.wml wml; text/x-component htc; image/png png; image/tiff tif tiff; image/vnd.wap.wbmp wbmp; image/x-icon ico; image/x-jng jng; image/x-ms-bmp bmp; image/svg+xml svg svgz; image/webp webp; application/font-woff woff; application/java-archive jar war ear; application/json json; application/mac-binhex40 hqx; application/msword doc; application/pdf pdf; application/postscript ps eps ai; application/rtf rtf; application/vnd.apple.mpegurl m3u8; application/vnd.ms-excel xls; application/vnd.ms-fontobject eot; application/vnd.ms-powerpoint ppt; application/vnd.wap.wmlc wmlc; application/vnd.google-earth.kml+xml kml; application/vnd.google-earth.kmz kmz; application/x-7z-compressed 7z; application/x-cocoa cco; application/x-java-archive-diff jardiff; application/x-java-jnlp-file jnlp; application/x-makeself run; application/x-perl pl pm; application/x-pilot prc pdb; application/x-rar-compressed rar; application/x-redhat-package-manager rpm; application/x-sea sea; application/x-shockwave-flash swf; application/x-stuffit sit; application/x-tcl tcl tk; application/x-x509-ca-cert der pem crt; application/x-xpinstall xpi; application/xhtml+xml xhtml; application/xspf+xml xspf; application/zip zip; application/octet-stream bin exe dll; application/octet-stream deb; application/octet-stream dmg; application/octet-stream iso img; application/octet-stream msi msp msm; application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; audio/midi mid midi kar; audio/mpeg mp3; audio/ogg ogg; audio/x-m4a m4a; audio/x-realaudio ra; video/3gpp 3gpp 3gp; video/mp2t ts; video/mp4 mp4; video/mpeg mpeg mpg; video/quicktime mov; video/webm webm; video/x-flv flv; video/x-m4v m4v; video/x-mng mng; video/x-ms-asf asx asf; video/x-ms-wmv wmv; video/x-msvideo avi; } configuration file /etc/nginx/sites-enabled/default:You should look at the following URL's in order to grasp a solid understandingof Nginx configuration files in order to fully unleash the power of Nginx.NGINX DocumentationNGINX DocumentationNginx/DirectoryStructure - Debian WikiIn most cases, administrators will remove this file from sites-enabled/ andleave it as reference inside of sites-available where it will continue to beupdated by the nginx packaging team.This file will automatically load configuration files provided by otherapplications, such as Drupal or Wordpress. These applications will be madeavailable underneath a path with that package name, such as /drupal8.Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.Default server configuration #server { listen 443 ssl;ssl on;ssl_certificate /etc/nginx/ssl/mobps.de.chained.crt;ssl_certificate_key /etc/nginx/ssl/perm_with_key.pem;root /var/www/html;server_name mobps.de www.mobps.de;location / {try_files $uri $uri/ = 404;} #} #Redirect HTTP to HTTPS server { listen 80 default_server; server_name _; return 301 https://$host$request_uri; } upstream mobps.de { server 127.0.0.1:8080; } server { listen 443 ssl; server_name mobps.de; #ssl_certificate /etc/nginx/ssl/mobps.de.chained.crt; #ssl_certificate_key /etc/nginx/ssl/pem_with_key.key; #ssl_certificate /etc/letsencrypt/live/mobps.de/fullchain.pem; #ssl_certificate_key /etc/letsencrypt/live/mobps.de/privkey.pem; ssl_certificate /etc/letsencrypt/live/MoBPSCert/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/MoBPSCert/privkey.pem; root /var/www/html; index index.html index.htm index.nginx-debian.html; server_name _; location / { # First attempt to serve request as file, then # as directory, then fall back to displaying a 404. #try_files $uri $uri/ =404; proxy_pass http://localhost:8080; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; proxy_connect_timeout 3600; proxy_send_timeout 3600; proxy_read_timeout 3600; send_timeout 36000s; # proxy_redirect http://locahost:8080 https://mobps.de; #proxy_hide_header X-Frame-Options; #add_header X-XSS-Protection "1; mode=block"; #add_header X-Content-Type-Options nosniff; #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; } }

There are many things wrong with your configuration. But, do not delete it all and start over. Your running nginx system uses the cert you have and nginx will fail to restart if you delete that cert. Amu: > failed to fetch renewal_info URL You can ignore this message during --dry-run. That is a bug already reported to the Certbot team on their github. It does not affect the result of the --dry-run which in your case succeeded. A --dry-run test uses the Let's Encrypt Staging system to test. Not your Sectigo system. There are other ways to test Sectigo but this is not the first thing to fix. I need some time to think about how best to proceed. You have badly damaged your Certbot directories. Please do not make manual changes to those directories or their contents. Only use Certbot commands and it will manage those directories properly. **Do you use that cert anywhere else other than nginx?** This is important to know as we make a plan to fix your system. Also, please show output of this. It will be very long. An upper case T is essential sudo nginx -T Is best if you can upload to this forum the file output from this sudo nginx -T >/someTempDirectory/config.txt

I just tried to run with this below code.. When I ran this code I got the port is being used etc.. So I stopped the port 80 and ran this command again. And got the below error message. $ sudo certbot renew --dry-run --cert-name MoBPSCert Saving debug log to /var/log/letsencrypt/letsencrypt.log * * * Processing /etc/letsencrypt/renewal/MoBPSCert.conf * * * failed to fetch renewal_info URL (https://acme-staging-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo/kydGmAOpUWiOmNbEQkjbI79YlNI.BfRT3ZlSd1TIo0XTjkQOLUrP): urn:ietf:params:acme:error:malformed :: The request message was malformed :: While parsing ARI CertID an error occurred :: path contained an Authority Key Identifier that did not match a known issuer Simulating renewal of an existing certificate for mobps.de * * * Congratulations, all simulated renewals succeeded: /etc/letsencrypt/live/MoBPSCert/fullchain.pem (success) looks like renewals from acme sectigo is not possible at this point from the ssl provider "GWDG". I need to use letsencrypt.

Last time when i used "certbot renewal" I was getting error. Then I used "force renewal" it worked!!. I thought it work again this time. But as you said it would have created more problem or I messed up with the files!

Thank you so much for your reply. here it is: $ sudo ls -lR /etc/letsencrypt/live /etc/letsencrypt/live: total 8 drwxr-xr-x 2 root root 4096 Mar 31 07:55 MoBPSCert -rwxr-xr-x 1 root root 740 Apr 4 2022 README /etc/letsencrypt/live/MoBPSCert: total 4 lrwxrwxrwx 1 root root 37 Mar 31 07:55 cert.pem -> ../../archive/mobps.de-0001/cert2.pem lrwxrwxrwx 1 root root 38 Mar 31 07:55 chain.pem -> ../../archive/mobps.de-0001/chain2.pem lrwxrwxrwx 1 root root 42 Mar 31 07:55 fullchain.pem -> ../../archive/mobps.de-0001/fullchain2.pem lrwxrwxrwx 1 root root 40 Mar 31 07:55 privkey.pem -> ../../archive/mobps.de-0001/privkey2.pem -rw-r--r-- 1 root root 692 Mar 31 07:37 README $ sudo cat /etc/letsencrypt/renewal/mobps.de.conf version = 2.4.0 archive_dir = /etc/letsencrypt/archive/mobps.de cert = /etc/letsencrypt/live/mobps.de/cert.pem privkey = /etc/letsencrypt/live/mobps.de/privkey.pem chain = /etc/letsencrypt/live/mobps.de/chain.pem fullchain = /etc/letsencrypt/live/mobps.de/fullchain.pem [renewalparams] account = a25393f7495667ad9079ad11e71e8529 authenticator = nginx installer = nginx server = https://acme-v02.api.letsencrypt.org/directory key_type = rsa $ sudo ls -l /etc/letsencrypt/renewal total 12 -rw-r--r-- 1 root root 487 Mar 26 2024 MoBPSCert.conf -rw-r--r-- 1 root root 538 Mar 31 07:55 mobps.de-0001.conf -rw-r--r-- 1 root root 511 Apr 1 2023 mobps.de.conf $ sudo cat /etc/letsencrypt/renewal/MoBPSCert.conf version = 2.9.0 archive_dir = /etc/letsencrypt/archive/MoBPSCert cert = /etc/letsencrypt/live/MoBPSCert/cert.pem privkey = /etc/letsencrypt/live/MoBPSCert/privkey.pem chain = /etc/letsencrypt/live/MoBPSCert/chain.pem fullchain = /etc/letsencrypt/live/MoBPSCert/fullchain.pem [renewalparams] account = 31cd19eff97a270e257e6159e4cf541b server = https://acme.sectigo.com/v2/OV authenticator = standalone key_type = rsa shall i re-install the certbot?

In addition to this you should also consider migrating to simple-acme or another ACME tool as win-acme is no longer being maintained by the core developer and they have moved their efforts to the simple-acme project instead.

Thank you MikeMcQ!

Welcome @Kiet8 Yes, Let's Encrypt no longer connects an email address to an ACME Account. See: Ending Support for Expiration Notification Emails - Let's Encrypt The email is not returned in the order object which is why you are not seeing it.

Details: A former employee previously managed our IIS web server and Let's Encrypt integration via win-acme (WACS). I’ve now taken over management responsibilities. While attempting to update the ACME account contact information, I ran the following steps: 1. Launched wacs.exe 2. Navigated to: More options > ACME account details 3. At the prompt: 4. Enter email(s) for notifications about problems and abuse (comma-separated): I entered: (my email address) Although the --verbose logs indicate the request was successfully sent: DBUG] Send POST request to [https://acme-v02.api.letsencrypt.org/acme/acct/(account number) [VERB] Request completed with status OK DBUG] Send POST request to [https://acme-v02.api.letsencrypt.org/acme/new-acct [VERB] Request completed with status OK [DBUG] Saving account to C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\Registration_v2 > The ACME account status still returns: > Contact(s): (none) > Initial IP: (missing or blank) <-- should show my email address Troubleshooting performed: • Outbound HTTPS access to https://acme-v02.api.letsencrypt.org/ is working (verified using curl) • Attempted re-entry of email multiple times • Confirmed there are no errors in local WACS logs • No proxy or deep packet inspection tools are interfering based on network checks * * * Request for Assistance: • Can someone please confirm whether the contact update request is being fully accepted by Let’s Encrypt’s ACME API? • Are there known issues with email address changes not persisting under existing accounts? • Is there any further diagnostic trace or action I can provide from win-acme to assist with resolution? Thank you for your support. Kiet