My WordPress Install was broken for over a week :s

I received a notification a couple of days ago about an upcoming expiration of my site certificates. Due to me being busy, I didn’t have a chance to review the issues until now.

So, here is the summary, just in case someone else goes through this. My site is running on Oracle Cloud within a VM (always free) on CentOS 7. For the site SSL I use the Let’s Encrypt utilities that I have documented across my blog multiple times.

This time, after an update, the Certbot auto-renewal process failed:

[root@madaravm certbot]# ./certbot-auto renew --dry-run
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/donhk.dev.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 1.24.0 renewal configuration file found at /etc/letsencrypt/renewal/donhk.dev.conf with version 1.10.1 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
/etc/letsencrypt/options-ssl-nginx.conf has been manually modified; updated file saved to /opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot_nginx/_internal/tls_configs/options-ssl-nginx-tls13-session-tix-on.conf. We recommend updating /etc/letsencrypt/options-ssl-nginx.conf for security purposes.
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for donhk.dev and 5 more domains
Performing the following challenges:
http-01 challenge for donhk.dev
http-01 challenge for shame.donhk.dev
http-01 challenge for tdfw.donhk.dev
http-01 challenge for www.donhk.dev
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (donhk.dev) from /etc/letsencrypt/renewal/donhk.dev.conf produced an unexpected error: Some challenges have failed.. Skipping.

Long story short, the new config file conflicted with the old one and it was causing the certificates to fail to be renewed.

After a couple of minutes of trying to find information about the error (and hopefully a fix), I found multiple people complaining about the problem without having a clear solution.

Since the issue happened while renewing a certificate, due to incompatibility between the versions, I figured that it would be easier just to remove and recreate the certificates (in the end, it is free).

First, I listed the existing certificates (to also do some housekeeping):

[root@madaravm certbot]# ./certbot-auto certificates
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.24.0 renewal configuration file found at /etc/letsencrypt/renewal/donhk.dev.conf with version 1.10.1 of Certbot. This might not work.
Attempting to parse the version 1.25.0 renewal configuration file found at /etc/letsencrypt/renewal/institutumscientia.page.conf with version 1.10.1 of Certbot. This might not work.
Attempting to parse the version 1.27.0 renewal configuration file found at /etc/letsencrypt/renewal/shame.donhk.dev.conf with version 1.10.1 of Certbot. This might not work.
Attempting to parse the version 1.27.0 renewal configuration file found at /etc/letsencrypt/renewal/tdfw.donhk.dev.conf with version 1.10.1 of Certbot. This might not work.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: donhk.dev
    Serial Number: 341df4275d11a1f9fed702529222914b447
    Key Type: RSA
    Domains: donhk.dev shame.donhk.dev tdfw.donhk.dev www.donhk.dev
    Expiry Date: 2022-06-13 17:18:07+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/donhk.dev/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/donhk.dev/privkey.pem
  Certificate Name: shame.donhk.dev
    Serial Number: 4b775bf5afe002862be5ff44e12274f2c43
    Key Type: RSA
    Domains: shame.donhk.dev
    Expiry Date: 2022-08-12 22:41:33+00:00 (VALID: 54 days)
    Certificate Path: /etc/letsencrypt/live/shame.donhk.dev/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shame.donhk.dev/privkey.pem
  Certificate Name: tdfw.donhk.dev
    Serial Number: 471d00401ec88b8758a730d23060aa4b405
    Key Type: RSA
    Domains: tdfw.donhk.dev
    Expiry Date: 2022-08-12 22:41:36+00:00 (VALID: 54 days)
    Certificate Path: /etc/letsencrypt/live/tdfw.donhk.dev/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/tdfw.donhk.dev/privkey.pem

Then I removed the certificates (in my case it was all of them):

 ./certbot-auto delete --cert-name donhk.dev

Finally, recreate the certificates:

./certbot-auto certonly --dry-run

But like everything in our lives, it failed miserably, because we like the hard way, don’t we?

Long story short, I had to update the Nginx .config files that were pointing to the old (now removed) certificates.

After that, I just restarted Nginx and retried:

[root@madaravm certbot]# ./certbot-auto run
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: donhk.dev
2: shame.donhk.dev
3: tdfw.donhk.dev
4: www.donhk.dev
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Requesting a certificate for donhk.dev and 3 more domains
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/donhk.dev.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/shame.donhk.dev.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/tdfw.donhk.dev.conf
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/donhk.dev.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/donhk.dev.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/shame.donhk.dev.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/tdfw.donhk.dev.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/donhk.dev.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://donhk.dev,
https://shame.donhk.dev, https://tdfw.donhk.dev, and https://www.donhk.dev
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
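
The step that broke the recreate attempt above was Nginx config still pointing at certificate files that `certbot-auto delete` had removed. As an added example (not part of the original post), this shell function lists every such stale reference under a config directory; the function name `find_stale_cert_paths` and the `*.conf` file filter are assumptions chosen to match the file names shown in the output above.

```shell
#!/bin/sh
# Added example: report ssl_certificate* directives whose target file is gone.
# Usage (assumed layout): find_stale_cert_paths /etc/nginx
# Prints one line per stale reference: file:line: directive -> path (missing)

find_stale_cert_paths() {
    conf_dir="$1"
    tab="$(printf '\t')"

    # -L follows symlinks, since sites-enabled entries are often links.
    find -L "$conf_dir" -type f -name '*.conf' -exec awk '
        { sub(/#.*/, "") }                      # drop trailing comments
        NF >= 2 && $1 ~ /^ssl_(certificate|certificate_key|trusted_certificate)$/ {
            path = $2
            sub(/;$/, "", path)                 # drop the directive terminator
            gsub(/["\047]/, "", path)           # drop optional quoting
            printf "%s\t%d\t%s\t%s\n", FILENAME, FNR, $1, path
        }' {} + |
    while IFS="$tab" read -r file line directive path; do
        case "$path" in
            *'$'*|[!/]*) continue ;;            # skip nginx variables and relative paths
        esac
        [ -e "$path" ] ||
            printf '%s:%s: %s -> %s (missing)\n' "$file" "$line" "$directive" "$path"
    done
}
```

Running it right after deleting a certificate and before restarting Nginx shows all the files and line numbers that need editing in one pass.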