@Drew,
As a new poster, your first couple of posts are moderated so don't appear immediately. I am deleting your second post.

Thanks for your post. It is an interesting method and I did not know about the cli.ini. I would have just dropped a file into /var/clearos/events/lets_encrypt, making sure it appeared alphabetically first. This is what the programmed deploy-hook executes. Note you only need to delete /etc/letsencrypt/live/README. The others are OK.

I have submitted a patch to Wikisuite, as it is their program and am just waiting for it to be accepted. If you wanted to patch manually, you need to edit the get_certificates() function in /usr/clearos/apps/lets_encrypt/libraries/Lets_Encrypt.php and change:

        foreach ($certificate_list as $certificate)



                $certs[$certificate] = $ssl->get_certificate_attributes(self::PATH_CERTIFICATES . '/' . $certificate . '/' . self::FILE_CERT);

to:

        foreach ($certificate_list as $certificate) {

            $filename = self::PATH_CERTIFICATES . '/' . $certificate . '/' . self::FILE_CERT;

            $file = new File($filename, TRUE);

            if ($file->exists())

                $certs[$certificate] = $ssl->get_certificate_attributes($filename);

        }

It is essentially what my patch does. My patch also fixes calling certbot with max-log-backups where it was implemented in just one of the three lines where the certbot command was invoked. From your post I could probably have fixed it using the cli.ini.

[edit]
Reading your patch again, I am not sure it is a good idea to overwrite renew_hook in the renewal*.conf file. Normally this does things like restart apache to make it use the new certificate. Do you know how this file interacts with the certbot renewal command line where the renew_hook is expressly specified rather than read from this file?
[/edit]

Due to TLS-SNI-01 vaidation method reaching end-of-life and getting the same message from LE, I updated to 0.31.0-2.el7 from clearos-epel repo, and had the same issue of the above error in webconfig after requesting a new certificate. I removed certbot and installed version 0.30.2-1.el7, which also had this issue. The TSL-SNI-01 method was removed in versions 0.28 and later and the most recent version of certbot in the clearos-epel repo prior to 0.30.2-1 was 0.27.1-1, so I updated back to 0.31.0-2 and added two files to fix the issue:

I created a global configuration file that will execute a deploy-hook script on all invocations of certbot by using the --deploy-hook parameter.

Then I made a script that:
1. removes the README file from the /etc/lencrypt/live directory
2. removes the README file from /etc/letsencrypt/live/certprimarydomainname.tld directory
3. removes the renew-hook entry in the certificate's renewal .conf file, which is autmatically added whenever certbot is run with a --deploy-hook parameter specified

I created a certbot global configuration file in the /etc/letsencrypt directory:

nano /etc/letsencrypt/cli.ini

I added the following line and saved the file:

deploy-hook = /etc/letsencrypt/remove_readme_files.sh

Then I created the script remove_readme_files.sh in the same directory, this script will be added as the "--deploy-hook" parameter to all invocations of certbot:

nano /etc/letsencrypt/remove_readme_files.sh

I added the following lines and saved the file:

#!/bin/bash#!/bin/bash

find /etc/letsencrypt/live/ -type f -name "README" -exec rm -f {} \;

base=$(basename "$RENEWED_LINEAGE")

sed -i '/renew_hook/d' /etc/letsencrypt/renewal/${base}.conf

I set the script to be executable:

chmod +x /etc/letsencrypt/remove_readme_files.sh

Hope this helps.

Nick Howitt wrote:

I have investigated further and it appears to be an issue with certbot-0.31 only and only when creating new certificates. If you do that, the README file appears. I tried a manual renewal and that worked OK but uses different commands from an automatic renewal, so it does not categorically prove that an automatic renewal will be OK. I have filed a bug report on the issue.

Nick, you just saved my day !

Thanks,
Bernard

Thanks again.

I have investigated further and it appears to be an issue with certbot-0.31 only and only when creating new certificates. If you do that, the README file appears. I tried a manual renewal and that worked OK but uses different commands from an automatic renewal, so it does not categorically prove that an automatic renewal will be OK. I have filed a bug report on the issue.

I'll have to load in 0.31 to check it out. It has not been released to business yet.

It looks like certbot-0.31.0-2.el7.noarch

It gets created with the letencrypt folder.

I wonder where the README came from. What version of certbot are you running? "rpm -q certbot"

I just deleted the README file and it seems to be working now.

Thank you so much for your help. I really appreciate it.

Greg

I think we are getting closer. Here is an excerpt from the log:

Mar 8 18:03:16 UTC 2019: 0.3345: profile: debug: clearos\apps\lets_encrypt\Lets_Encrypt::get_certificates (288): 

Mar 8 18:03:16 UTC 2019: 0.3345: profile: debug: clearos\apps\base\Folder::__construct (145): 

Mar 8 18:03:16 UTC 2019: 0.3346: profile: debug: clearos\apps\base\Folder::exists (340): 

Mar 8 18:03:16 UTC 2019: 0.3346: profile: debug: clearos\apps\base\Shell::__construct (105): 

Mar 8 18:03:16 UTC 2019: 0.3347: profile: debug: clearos\apps\base\Shell::execute (132): /bin/ls '/etc/letsencrypt/live'

Mar 8 18:03:16 UTC 2019: 0.3462: profile: debug: clearos\apps\base\Folder::get_listing (375): 

Mar 8 18:03:16 UTC 2019: 0.3463: profile: debug: clearos\apps\base\Folder::exists (340): 

Mar 8 18:03:16 UTC 2019: 0.3463: profile: debug: clearos\apps\base\Shell::__construct (105): 

Mar 8 18:03:16 UTC 2019: 0.3464: profile: debug: clearos\apps\base\Shell::execute (132): /bin/ls '/etc/letsencrypt/live'

Mar 8 18:03:16 UTC 2019: 0.3574: profile: debug: clearos\apps\base\Shell::__construct (105): 

Mar 8 18:03:16 UTC 2019: 0.3575: profile: debug: clearos\apps\base\Shell::execute (132): /bin/ls /etc/letsencrypt/live

Mar 8 18:03:16 UTC 2019: 0.3685: profile: debug: clearos\apps\certificate_manager\SSL::__construct (256): 

Mar 8 18:03:16 UTC 2019: 0.3687: profile: debug: clearos\apps\certificate_manager\SSL::get_certificate_attributes (941): 

Mar 8 18:03:16 UTC 2019: 0.3687: profile: debug: clearos\apps\base\File::__construct (176): 

Mar 8 18:03:16 UTC 2019: 0.3688: profile: debug: clearos\apps\base\File::exists (392): 

Mar 8 18:03:16 UTC 2019: 0.3689: profile: debug: clearos\apps\base\Shell::__construct (105): 

Mar 8 18:03:16 UTC 2019: 0.3690: profile: debug: clearos\apps\base\Shell::execute (132): /bin/ls '/etc/letsencrypt/live/README/cert.pem'

Mar 8 18:03:16 UTC 2019: 0.3803: exception: info: /usr/clearos/apps/certificate_manager/libraries/SSL.php (952): Certificate not found.

Mar 8 18:03:16 UTC 2019: 0.3804: exception: info: /usr/clearos/apps/certificate_manager/libraries/SSL.php (952): Certificate not found.

For some reason it is looking for the cert here -> /etc/letsencrypt/live/README/cert.pem

So you have not deployed the certificates anywhere, it seems.

The symlinks are the magic of certbot. When it renews your certificate next, the certificates will be whatever2.pem, but certbot will change the symlinks to point to the new certificates. That way if you want to use a certificate, your always point to the live certificate and certbot makes sure that is symlinked to the latest one.

I guess the thing to do now is to turn on webconfig debugging, but I struggle with the output. Can you do:

touch /etc/clearos/webconfig.debug

Then trigger the error. Then remove the webconfig.debug file or rename it and go and look at the log in /var/log/webconfig/debug.log.

The strange part is that deleting the letsencrypt folder removes the missing certificate errors and lets me start over. I have the original backed up. When I try to get a new cert, it seems to work, a bunch of info is displayed and the folder is recreated and certs are added. I restored the backup and no have the "Ooooops: Certificate not found." error on the Lets Encrypt page as well as the missing certificates error on the cert manager page. I ran the grep commands and this is what I get.

[root@home etc]# grep letsencrypt\/live /etc/* -r

/etc/letsencrypt/renewal/home.millernet.ca.conf:cert = /etc/letsencrypt/live/home.millernet.ca/cert.pem

/etc/letsencrypt/renewal/home.millernet.ca.confrivkey = /etc/letsencrypt/live/home.millernet.ca/privkey.pem

/etc/letsencrypt/renewal/home.millernet.ca.conf:chain = /etc/letsencrypt/live/home.millernet.ca/chain.pem

/etc/letsencrypt/renewal/home.millernet.ca.conf:fullchain = /etc/letsencrypt/live/home.millernet.ca/fullchain.pem

[root@home etc]# grep letsencrypt\/live /usr/clearos/* -r

/usr/clearos/apps/lets_encrypt/libraries/Lets_Encrypt.php:    const PATH_CERTIFICATES = '/etc/letsencrypt/live';

[root@home etc]# 

Here are the files:

[root@home etc]# ls -l /etc/letsencrypt/live/

total 4

drwxr-xr-x 2 root root  88 Mar  7 15:23 home.millernet.ca

-rw-r--r-- 1 root root 740 Mar  7 15:23 README

[root@home etc]# ls -l /etc/letsencrypt/live/home.millernet.ca

total 4

lrwxrwxrwx 1 root root  41 Mar  7 15:23 cert.pem -> ../../archive/home.millernet.ca/cert1.pem

lrwxrwxrwx 1 root root  42 Mar  7 15:23 chain.pem -> ../../archive/home.millernet.ca/chain1.pem

lrwxrwxrwx 1 root root  46 Mar  7 15:23 fullchain.pem -> ../../archive/home.millernet.ca/fullchain1.pem

lrwxrwxrwx 1 root root  44 Mar  7 15:23 privkey.pem -> ../../archive/home.millernet.ca/privkey1.pem

-rw-r--r-- 1 root root 692 Mar  7 15:23 README

I noticed that the certs have a 1 in the name but the symbolic links do not. Not sure if that could be the issue. I guess it depends on if the apps access the certs via link or directly. Now I have requested certs too many times and have reached the certbot limit. The /etc/pki/CA/sys-0-cert.pem cert is still in place as well.

If you have deleted the Let's Encrypt folder, then you'll probably have to find every app which used the Let's Encrypt certificate through its webconfig, and reset those apps to use the default certificate. Apps which I know can use Let's Encrypt are the Web Server, Webconfig, ClearGLASS (although that should not matter as it takes a local copy before using it) and, I think, OpenFire. There may be others. I don't know about ProxyPass, and it was released at about the same time as ProxyPass so I don't know how aware they are of each other. You could try grepping for the files using the certificates. Something like:

grep letsencrypt\/live /etc/* -r

grep letsencrypt\/live /usr/clearos/* -r

Alternatively, if you know the name, can you create a new certificate of the same name? You may have to use the underlying certbot app to do that directly.

Have you also checked that your default certificate (/etc/pki/CA/sys-0-cert.pem) is still there?