# HTTPS Certificate: Letsencrypt not working

## ebnerjoh

Hi,

I have been running my own OwnCloud instance for a couple of years and I was using StartSSL for my HTTPS connection. Because Chrome and Firefox are not trusting StartSSL anymore, I was searching for an alternative solution and found the following how-to:

https://wiki.gentoo.org/wiki/Let%27s_Encrypt

I followed the howto, but when I try to create the Certificate with acme-tiny I am getting the following error:

```
/usr/bin/acme-tiny --account-key account.key --csr domain.csr --acme-dir /var/www/localhost/acme-challenge/ > signed.crt
Parsing account key...
Parsing CSR...
Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.4/acme-tiny", line 11, in <module>
    load_entry_point('acme-tiny==0.1.dev79+ndaba51d.d20170212', 'console_scripts', 'acme-tiny')()
  File "/usr/lib64/python3.4/site-packages/acme_tiny.py", line 198, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, args.account_email, log=LOGGER, CA=args.ca)
  File "/usr/lib64/python3.4/site-packages/acme_tiny.py", line 70, in get_crt
    raise IOError("Error loading {0}: {1}".format(csr, err))
OSError: Error loading domain.csr: b"domain.csr: No such file or directory\n139640932869784:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('domain.csr','r')\n139640932869784:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:\n"
```

What could I do wrong?

Other question: Is there another alternative for getting SSL Certificate? 10 Euro per year would be ok for my private usage...

Br,

Johannes

----------

## ebnerjoh

Ok, 

I was checking the "Discussion" Site and found there the solution. It is working now.

Br,

Johannes

----------

## skunk

 *ebnerjoh wrote:*   

> ```
> OSError: Error loading domain.csr: b"domain.csr: No such file or directory\n139640932869784:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('domain.csr','r')\n139640932869784:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:\n"
> ```
> ...

as the error message says it fails to open domain.csr, does it exist?

on the wiki page it states:

 *Quote:*   

> Create an account key, domain key and a CSR (replace www.example.co.uk with your host name):

but then there is no command for creating the csr which should look like this:

```
openssl req -new -sha256 -key domain.key -out domain.csr
```

i've never used app-crypt/acme-tiny, i use the official let's encrypt client app-crypt/certbot which is easy and fast for both new certificates and renewals:

```
certbot certonly --webroot -w /path/to/document/root -d domain.tld
certbot renew
```

----------

## ebnerjoh

Thanks,

Certbot is working fine.

I will add it into crontab for renewal (daily). I guess I have to restart apache after renewal?

Br,

Johannes

----------

## skunk

monthly would be enough and yes, you've to reload apache...

----------

## Elleni

Because of renewal by cron (certbot renew) I would like to know, how I can configure that apache, dovecot and postfix are restarted automatically after the certificate update.

----------

## Fitzcarraldo

 *Elleni wrote:*   

> Because of renewal by cron (certbot renew) I would like to know, how I can configure that apache, dovecot and postfix are restarted automatically after the certificate update.

 

certbot includes hooks to run scripts, so you could do something similar to the following:

```
certbot renew --renew-hook /path/to/renew-hook-script
```

That should only run the script renew-hook-script once each time the SSL certificate is actually renewed. In the script you could include commands such as the following to restart Apache:

```
apachectl graceful
```

----------

## toralf

 *skunk wrote:*   

> monthly would be enough

 Weekly would be better - if -for some reason- 2 updates do fail in a row, then the next call might be too late.

----------

## Fitzcarraldo

 *toralf wrote:*   

> *skunk wrote:*
>
> > monthly would be enough
>
> Weekly would be better - if -for some reason- 2 updates do fail in a row, then the next call might be too late.

The 'certbot renew' command only renews certificates that are near expiry, so it can be run as frequently as you want - since it will usually take no action. My crontab job runs it twice daily and redirects the stdout output to a logfile (optional), which contains e.g. the following if there is no need to renew the certificate:

```
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem (skipped)
No renewals were attempted.
```

----------

## Elleni

Hello all, 

thanks for replies, that's elegant, so I setup a small script with:

```
/etc/init.d/apache2 restart && /etc/init.d/dovecot restart && /etc/init.d/postfix restart
```

and add a cronjob of certbot renew --renew-hook /path/to/renew-hook-script

Perfect :)

----------

## chiefbag

 *Quote:*   

> ```
> /etc/init.d/apache2 restart && /etc/init.d/dovecot restart && /etc/init.d/postfix restart
> ```
> ...

You should break them out into separate scripts/commands or add error handling to the above command if you're worried about stuff failing.

----------

## Elleni

How would I do that?

----------

## chiefbag

 *Quote:*   

> ```
> /etc/init.d/apache2 restart && /etc/init.d/dovecot restart && /etc/init.d/postfix restart
> ```
> ...

The following would be an improvement on your above "/path/to/renew-hook-script" script, for if a command preceding "&&" fails the commands following will not be executed in your current script.

This could be further improved on by adding checking of the return code for each command and either notifying and/or retrying upon error.

```
#!/bin/bash
echo "Command 1"
/etc/init.d/apache2 restart
echo "Command 2"
/etc/init.d/dovecot restart
echo "Command 3"
/etc/init.d/postfix restart
```

----------
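The return-code checking and retrying suggested in the post above, as an added example that is not part of the original thread: each service is restarted independently, failed restarts are retried, and the script exits non-zero naming the services that stayed down. `SERVICES`, `RETRIES`, `RETRY_DELAY` and the function names are hypothetical; the script assumes the `/etc/init.d` scripts used in the thread and relies on certbot exporting `RENEWED_LINEAGE` to renew hooks.

```shell
#!/bin/bash
# Added example (not from the thread): restart each service independently,
# retry on failure, and report which ones stayed down.
# SERVICES, RETRIES, RETRY_DELAY and the function names are hypothetical.
SERVICES="${SERVICES:-apache2 dovecot postfix}"
RETRIES="${RETRIES:-2}"
RETRY_DELAY="${RETRY_DELAY:-5}"

# One restart attempt, using the init scripts from the thread.
restart_cmd() { "/etc/init.d/$1" restart; }

# Try one service up to RETRIES times; 0 on success, 1 if every attempt failed.
restart_with_retry() {
    local svc attempt
    svc=$1
    attempt=1
    while [ "$attempt" -le "$RETRIES" ]; do
        if restart_cmd "$svc"; then
            echo "OK: $svc restarted (attempt $attempt)"
            return 0
        fi
        echo "WARN: $svc restart failed (attempt $attempt/$RETRIES)" >&2
        if [ "$attempt" -lt "$RETRIES" ]; then sleep "$RETRY_DELAY"; fi
        attempt=$((attempt + 1))
    done
    return 1
}

# Attempt every service even if an earlier one failed.
# Returns the number of failures and lists them in FAILED_SERVICES.
restart_all() {
    local svc failed
    failed=0
    FAILED_SERVICES=""
    for svc in $SERVICES; do
        if ! restart_with_retry "$svc"; then
            FAILED_SERVICES="$FAILED_SERVICES $svc"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# certbot exports RENEWED_LINEAGE to renew hooks; do nothing when run by hand.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if ! restart_all; then
        echo "ERROR: $RENEWED_LINEAGE renewed, but failed to restart:$FAILED_SERVICES" >&2
        exit 1   # let the caller (cron, certbot) see the failure
    fi
fi
```

A mail server left running with the old certificate after a failed restart is the case this catches: the non-zero exit and the error line name the service that still needs attention.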

## Syl20

At worst, replace "&&" with ";". "command 1 && command 2" means command 2 is executed only if command 1 ends without error (return code = 0).

----------

## Elleni

oh, I see! Thanks for suggestions :)

----------

