Certificate is expiring soon

box.test.com	Certificate has a problem: The certificate is expiring soon: The certificate expires in 4 days on 2021-12-04.	Install Certificate
mta-sts.box.test.com	Certificate has a problem: The certificate is expiring soon: The certificate expires in 4 days on 2021-12-04.	Install Certificate
test.com	Certificate has a problem: The certificate is expiring soon: The certificate expires in 3 days on 2021-12-03.	Install Certificate
autoconfig.test.com	Certificate has a problem: The certificate is expiring soon: The certificate expires in 3 days on 2021-12-03.	Install Certificate
autodiscover.test.com	Certificate has a problem: The certificate is expiring soon: The certificate expires in 3 days on 2021-12-03.	Install Certificate
mta-sts.test.com	Certificate has a problem: The certificate is expiring soon: The certificate expires in 3 days on 2021-12-03.	Install Certificate
www.test.com	Certificate has a problem: The certificate is expiring soon: The certificate expires in 3 days on 2021-12-03.

We are running Mail-In-A-Box version v55 on Ubuntu 18.04.6 LTS.
Everything works perfectly, but we are not able to renew the SSL certificates.

I think there is usually something in the status checks emails with more details about why the certificate is not being renewed.

System Status Checks

System
✓ All system services are running.
✖ The SSH server on this machine permits password-based login. A more secure way to log in is using a public key. Add your SSH public key to $HOME/.ssh/authorized_keys, check that you can log in without a password, set the option 'PasswordAuthentication no' in /etc/ssh/sshd_config, and then restart the openssh via 'sudo service ssh restart'.
✓ System software is up to date.
✓ Mail-in-a-Box is up to date. You are running version v55.
✓ System administrator address exists as a mail alias. [administrator@box.test.com.com ↦ staff@test.com.com]
✓ The disk has 12.45 GB space remaining.
✓ System memory is 74% free.

Network
✓ Firewall is active.
✓ Outbound mail (SMTP port 25) is not blocked.
✓ IP address is not blacklisted by zen.spamhaus.org.

box.test.com.com
✓ DNSSEC 'DS' record is set correctly at registrar.
✓ Nameserver glue records are correct at registrar. [ns1/ns2.box.test.com.com ↦ 93.145.24.47]
✓ Domain resolves to box's IP address. [box.test.com.com ↦ 93.145.24.47 / 1b12:1a4:a137:89ad::1]
✖ Your box's reverse DNS is currently box.test.com.com (IPv4) and [Not Set] (IPv6), but it should be box.test.com.com. Your ISP or cloud provider will have instructions on setting up reverse DNS for your box.
✓ The DANE TLSA record for incoming mail is correct (_25._tcp.box.test.com.com).
✓ Hostmaster contact address exists as a mail alias. [hostmaster@box.test.com.com ↦ staff@test.com.com]
✓ Domain's email is directed to this domain. [box.test.com.com ↦ 10 box.test.com.com]
✖ MTA-STS policy is missing: STSFetchResult.NONE
✓ Postmaster contact address exists as a mail alias. [postmaster@box.test.com.com ↦ staff@test.com.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✖ The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 4 days on 2021-12-04.

test.com.com
✓ DNSSEC 'DS' record is set correctly at registrar.
✓ Nameservers are set correctly at registrar. [ns1.box.test.com.com; ns2.box.test.com.com]
✓ Domain's email is directed to this domain. [test.com.com ↦ 10 box.test.com.com]
✖ MTA-STS policy is missing: STSFetchResult.NONE
✓ Postmaster contact address exists as a mail alias. [postmaster@test.com.com ↦ staff@test.com.com]
✓ Domain is not blacklisted by dbl.spamhaus.org.
✓ Domain resolves to this box's IP address. [test.com.com ↦ 93.145.24.47; 1b12:1a4:a137:89ad::1]
✖ The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 3 days on 2021-12-03.
✓ www.test.com.com: Domain resolves to this box's IP address. [www.test.com.com ↦ 93.145.24.47; 1b12:1a4:a137:89ad::1]
✖ www.test.com.com: The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 3 days on 2021-12-03.
✓ autoconfig.test.com.com: Domain resolves to this box's IP address. [autoconfig.test.com.com ↦ 93.145.24.47; 1b12:1a4:a137:89ad::1]
✖ autoconfig.test.com.com: The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 3 days on 2021-12-03.
✓ autodiscover.test.com.com: Domain resolves to this box's IP address. [autodiscover.test.com.com ↦ 93.145.24.47; 1b12:1a4:a137:89ad::1]
✖ autodiscover.test.com.com: The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 3 days on 2021-12-03.

/var/log/letsencrypt/letsencrypt.log

2021-11-29 07:59:42,390:DEBUG:certbot.main:certbot version: 0.31.0
2021-11-29 07:59:42,391:DEBUG:certbot.main:Arguments: ['--register-unsafely-without-email', '--agree-tos', '--config-dir', '/home/user-data/ssl/lets_encrypt']
2021-11-29 07:59:42,391:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-29 07:59:42,398:DEBUG:certbot.log:Root logging level set at 20
2021-11-29 07:59:42,399:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-29 07:59:42,400:INFO:certbot.client:Registering without email!
2021-11-29 07:59:42,625:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-11-29 07:59:42,629:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-11-29 07:59:45,103:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-11-29 07:59:45,105:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 29 Nov 2021 12:59:45 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "GlxnFiVohXQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-11-29 07:59:45,106:DEBUG:acme.client:Requesting fresh nonce
2021-11-29 07:59:45,106:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-11-29 07:59:45,265:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-11-29 07:59:45,267:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 29 Nov 2021 12:59:45 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00020HWVWUz4LBIlexWynlpLoQr8NA6Rgs_QC4LlmYc9n0c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2021-11-29 07:59:45,267:DEBUG:acme.client:Storing nonce: 00020HWVWUz4LBIlexWynlpLoQr8NA6Rgs_QC4LlmYc9n0c
2021-11-29 07:59:45,269:DEBUG:acme.client:JWS payload:
b'{\n  "termsOfServiceAgreed": true,\n  "resource": "new-reg"\n}'
2021-11-29 07:59:45,277:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-acct:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAiandrIjogeyJuIjogInMyWjZkWUxURzgxRHBhc0NFVEVQZzR6elkzMGprODZ0ekdyTHMyYURQOGg5elNkRDFXMW9EM1BHcWg1S1VnLTJLOUJ3UHZfT1V4SmJPUzBWRC1rbXEwbWJyVGRfN1ZwX1JRcTVPYVlEQWFiZEZwM2RfY29NTUhjNkQyVDFjSVNEdzdOd3NqdWNCN083YlljS1dUbjR0b3VNSHlIeVR3Z0MyVWtvb3lUa3o2dWd0Tm44SVE4blBjMUxnRjFQRDk4enZUb25TYW1ST2w0VUxmemxaSThaRktJbVdjd0pEZTNRUjNqeGhocE13Yi10a01XYnM1eTlhYTZWcXEySlVYbzVPcGtadGFDMkcxNWgzcmxsQ2dpbGh1bEVsbXhFemVyZmRyNFZfcDBPWktKZ3lVRm5HbWNHRDFBYnlORHB5cDctY21VT2FzQktOS1BFTXkzZllwcFJYUSIsICJlIjogIkFRQUIiLCAia3R5IjogIlJTQSJ9LCAibm9uY2UiOiAiMDAwMjBIV1ZXVXo0TEJJbGV4V3lubHBMb1FyOE5BNlJnc19RQzRMbG1ZYzluMGMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1hY2N0In0",
  "signature": "X6nRNW-rNOx1w6F8oTmtAG7iY4b38BWpVh0iFO0k0aeIhwg1F9onp8mgGjFvIVxQHu80l0L85MXnFE2amJd3lR3fdoYbi1rRx79djXeeuhvgYImo2GCHv26OqAvjCLoqFD0Nrbg4KK1wbk7rKsyBtBm1AR6v26YTwrJZgLiSmMsYrOqaAkjSmW0eKQ7FHCAb1XDkednvU8kr6E4C6rTlHZKMeVqVHcvWskaER5ErSNZNTvXcaz98_3ZST1rBmPMiTxzKTSN6glofgOTwgJSipLy9SgiEAmwX5C51eGduuAIeFccbPGh00qe5h0RSylogduNStxOPtuUzTCx5ZwNHMg",
  "payload": "ewogICJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWUsCiAgInJlc291cmNlIjogIm5ldy1yZWciCn0"
}
2021-11-29 07:59:45,902:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-acct HTTP/1.1" 201 517
2021-11-29 07:59:45,903:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 29 Nov 2021 12:59:45 GMT
Content-Type: application/json
Content-Length: 517
Connection: keep-alive
Boulder-Requester: 300182020
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
Location: https://acme-v02.api.letsencrypt.org/acme/acct/300182020
Replay-Nonce: 0001gPg1FDGa1su5IRQLBFdp2lbnSfgsURpBLuZYR8Zd0wU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "key": {
    "kty": "RSA",
    "n": "s2Z6dYLTG81DpasCETEPg4zzY30jk86tzGrLs2aDP8h9zSdD1W1oD3PGqh5KUg-2K9BwPv_OUxJbOS0VD-kmq0mbrTd_7Vp_RQq5OaYDAabdFp3d_coMMHc6D2T1cISDw7NwsjucB7O7bYcKWTn4touMHyHyTwgC2UkooyTkz6ugtNn8IQ8nPc1LgF1PD98zvTonSamROl4ULfzlZI8ZFKImWcwJDe3QR3jxhhpMwb-tkMWbs5y9aa6Vqq2JUXo5OpkZtaC2G15h3rllCgilhulElmxEzerfdr4V_p0OZKJgyUFnGmcGD1AbyNDpyp7-cmUOasBKNKPEMy3fYppRXQ",
    "e": "AQAB"
  },
  "initialIp": "2a01:4f9:c011:43ce::1",
  "createdAt": "2021-11-29T12:59:45.815440295Z",
  "status": "valid"
}
2021-11-29 07:59:45,903:DEBUG:acme.client:Storing nonce: 0001gPg1FDGa1su5IRQLBFdp2lbnSfgsURpBLuZYR8Zd0wU
2021-11-29 07:59:46,039:DEBUG:certbot.reporter:Reporting to user: Your account credentials have been saved in your Certbot configuration directory at /home/user-data/ssl/lets_encrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
2021-11-29 08:10:16,191:DEBUG:certbot.main:certbot version: 0.31.0
2021-11-29 08:10:16,193:DEBUG:certbot.main:Arguments: ['--non-interactive', '-d', 'test.com,autoconfig.test.com,autodiscover.test.com,mta-sts.test.com,www.test.com', '--csr', '/tmp/tmpbjpdzyd1', '--cert-path', '/tmp/tmpwd4uc1sj/cert', '--chain-path', '/tmp/tmpwd4uc1sj/chain', '--fullchain-path', '/tmp/tmpwd4uc1sj/cert_and_chain.pem', '--webroot', '--webroot-path', '/home/user-data/ssl/lets_encrypt/webroot', '--config-dir', '/home/user-data/ssl/lets_encrypt']
2021-11-29 08:10:16,193:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-29 08:10:16,206:DEBUG:certbot.log:Root logging level set at 20
2021-11-29 08:10:16,207:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-29 08:10:16,208:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-11-29 08:10:16,208:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fbb1ebef4a8>
Prep: True
2021-11-29 08:10:16,209:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fbb1ebef4a8> and installer None
2021-11-29 08:10:16,209:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-11-29 08:10:16,274:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1234, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 605, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 513, in _determine_account
    acc = display_ops.choose_account(accounts)
  File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 86, in choose_account
    "Please choose an account", labels, force_interactive=True)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 507, in menu
    self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['box.test.com@2021-09-16T04:09:37Z (73a6)', 'box.test.com@2019-12-15T10:55:18Z (f43e)', 'box.test.com@2021-09-16T05:27:03Z (3c61)']

Is that what gets sent in the emails?

Not in the email.

When I click on the Provision button I get:

A TLS certificate can be automatically provisioned from Let’s Encrypt, a free TLS certificate provider, for:
box.test.com, mta-sts.box.test.com, test.com, autoconfig.test.com, autodiscover.test.com, mta-sts.test.com, www.test.com

test.com, autoconfig.test.com, autodiscover.test.com, mta-sts.test.com, www.test.com

Log:
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Missing command line flag or config entry for this setting: Please choose an account Choices: ['box.test.com@2021-09-16T04:09:37Z (73a6)', 'box.test.com@2019-12-15T10:55:18Z (f43e)', 'box.test.com@2021-09-16T05:27:03Z (3c61)']

Do you receive and read the status checks emails?

The last email:

box.test.com -- Previously:
==========================
✖  The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 7 days on 2021-12-04.

box.test.com -- Currently:
=========================
✖  The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 6 days on 2021-12-04.

test.com -- Previously:
======================
✖  The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 6 days on 2021-12-03.

test.com -- Currently:
=====================
✖  The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 5 days on 2021-12-03.

test.com -- Previously:
======================
✖  www.test.com: The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 6 days on 2021-12-03.

test.com -- Currently:
=====================
✖  www.test.com: The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 5 days on 2021-12-03.

test.com -- Previously:
======================
✖  autoconfig.test.com: The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 6 days on 2021-12-03.

test.com -- Currently:
=====================
✖  autoconfig.test.com: The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 5 days on 2021-12-03.

test.com -- Previously:
======================
✖  autodiscover.test.com: The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 6 days on 2021-12-03.

test.com -- Currently:
=====================
✖  autodiscover.test.com: The TLS (SSL) certificate has a problem: The certificate is expiring soon: The certificate expires in 5 days on 2021-12-03.

Email 2:

provisioning TLS certificates for test.com, autoconfig.test.com, autodiscover.test.com, mta-sts.test.com, www.test.com.
error: test.com, autoconfig.test.com, autodiscover.test.com, mta-sts.test.com, www.test.com:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['box.test.com@2019-12-15T10:55:18Z (f43e)', 'box.test.com@2021-09-16T05:27:03Z (3c61)', 'box.test.com@2021-09-16T04:09:37Z (73a6)']

Okay, I’m confusing the messages.

There is an email from MiaB with Subject: TLS Certificate Provisioning Result that will include the results of provisioning, whether successful or failed.

Yes, this one:

TLS Certificate Provisioning Result

Provisioning TLS certificates for test.com, autoconfig.test.com, autodiscover.test.com, mta-sts.test.com, www.test.com.
error: test.com, autoconfig.test.com, autodiscover.test.com, mta-sts.test.com, www.test.com:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['box.test.com@2019-12-15T10:55:18Z (f43e)', 'box.test.com@2021-09-16T05:27:03Z (3c61)', 'box.test.com@2021-09-16T04:09:37Z (73a6)']

How did you originally provision these certificates?

We just installed mailinabox and, if I remember correctly, they were automatically provisioned.

It’s been a while since I had these sorts of issues in MiaB - is there an option in the dashboard to renew the certs?

I was just able to make it work thanks to DaveinCR!!!

Here is a link to the answer:

DaveinCR
Nov '20
Hi, this is just a note for anyone else that encounters this issue. I recently moved my box to a new host/server. When the certificates came up for renewal (after the reinstall on the new server) I started to get these errors: MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Please choose an account

Basically, it looks like the restore moved the original certificate information and the reinstall created a new one. So, when the renewal attempted to happen it was confused about which one to use to renew. To fix, I went to /home/user-data/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/directory and chose the oldest directory there (there should be 3 files in it) and moved the entire directory to a temp directory just in case it didn’t fix it. I then ran the “provision” request from inside the MIAB GUI and it ran successfully and updated the pending certificates. In case anyone else encounters this, I hope this helps.
3 Likes
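The fix described above, as an added example that is not part of DaveinCR's post or of Mail-in-a-Box: it lists the ACME accounts in a certbot account store using the same labels certbot prints under "Choices", then moves all but the newest into a backup directory restricted to its owner. It generalizes the post's single-directory move, because certbot asks for a choice whenever more than one account is present and the log in this thread lists three; keeping the newest account, the function names, the backup location and the padded account IDs in the sample are assumptions.

```python
import json
import os
import shutil
import tempfile
from pathlib import Path

# Real location, as quoted in the post:
# /home/user-data/ssl/lets_encrypt/accounts/acme-v02.api.letsencrypt.org/directory
# Constructed sample: creation times come from the "Choices" list in the
# thread; the account IDs are padded placeholders, not real ones.
SAMPLE = {"f43e" + "0" * 28: "2019-12-15T10:55:18Z",
          "73a6" + "0" * 28: "2021-09-16T04:09:37Z",
          "3c61" + "0" * 28: "2021-09-16T05:27:03Z"}


def make_sample(root):
    """Build a constructed account store under root and return its path."""
    store = Path(root) / "directory"
    for acc_id, created in SAMPLE.items():
        (store / acc_id).mkdir(parents=True)
        meta = {"creation_dt": created, "creation_host": "box.test.com"}
        (store / acc_id / "meta.json").write_text(json.dumps(meta))
    return store


def list_accounts(store):
    """Return (creation_dt, account_id, label) tuples, oldest first."""
    accounts = []
    for entry in Path(store).iterdir():
        meta = entry / "meta.json"
        if entry.is_dir() and meta.is_file():
            info = json.loads(meta.read_text())
            created = info.get("creation_dt", "")
            label = f"{info.get('creation_host', '?')}@{created} ({entry.name[:4]})"
            accounts.append((created, entry.name, label))
    return sorted(accounts)  # ISO 8601 UTC strings sort chronologically


def set_aside_extra_accounts(store, backup_dir, dry_run=True):
    """Move every account except the newest into backup_dir; return moved IDs."""
    extra = [acc_id for _, acc_id, _ in list_accounts(store)[:-1]]
    if dry_run or not extra:
        return extra
    backup = Path(backup_dir)
    backup.mkdir(parents=True, exist_ok=True)
    os.chmod(backup, 0o700)  # account directories hold private_key.json
    for acc_id in extra:
        shutil.move(str(Path(store) / acc_id), str(backup / acc_id))
    return extra


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        store = make_sample(tmp)
        for _, _, label in list_accounts(store):
            print(label)
        moved = set_aside_extra_accounts(store, Path(tmp) / "backup", dry_run=False)
        print("moved:", moved, "remaining:", [a[1] for a in list_accounts(store)])
```

On a real box, call `set_aside_extra_accounts` with the path from the post and the default `dry_run=True` first, and keep the backup directory until provisioning has succeeded.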
