2 sites configured identically, one will autorenew, one won't

Hi there, I have 5 domains configured under Apache. All were “sslised” using certbot and the virtual host configs are identical (other than, obviously, the domain names). But when I run certbot renew --dry-run they all renew fine, except for one that fails with:

“Attempting to renew cert (angry-monk.com) from /etc/letsencrypt/renewal/angry-monk.com.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.”

I’ve set up Apache to redirect all port 80 requests to https. There are no virtual hosts configured on port 80, but that’s true for all the domains. I can’t figure out why this one domain fails with this response. Diffs of this and a working virtual host file only differ in paths to the certs, server name and alias, and log files. The domain works fine in my browser, https is functioning great. It just won’t auto-renew.

Any suggestions?

Hi @Kai, they might be using different authenticator plugins.

Could you try this?

grep -r authenticator /etc/letsencrypt/renewal

ooooooo There is a difference there… (other domains renamed for privacy)

/etc/letsencrypt/renewal/domain1.conf:authenticator = webroot
/etc/letsencrypt/renewal/domain2.conf:authenticator = webroot
/etc/letsencrypt/renewal/domain3.conf:authenticator = webroot
/etc/letsencrypt/renewal/angry-monk.com.conf:authenticator = apache
/etc/letsencrypt/renewal/domain4.conf:authenticator = webroot
/etc/letsencrypt/renewal/domain5.conf:authenticator = webroot

Do you think I should rename the apache one to webroot?

It’s possible to fix it in other ways, but that would be the easiest way! This discrepancy is most likely translating into the difference that you’re seeing in the renewal behavior.

If you do change it to webroot, you’ll also want to be sure that there’s a webroot_path setting or [[webroot_map]] section in the configuration file along the lines of the other files. The webroot_path would be a directory path where files can be placed in order to make them appear on that web site. (The existence of the redirection to HTTPS is OK as long as an HTTP URL is always redirected to the corresponding HTTPS URL.)

The reason that this only turned up now could be that the Apache plugin was changed in a recent Certbot release to use a different way of editing your Apache configuration files, in response to this issue on the server side:

So perhaps the renewal was previously working OK using the apache authenticator, and then the Certbot upgrade resulted in its no longer being compatible with your configuration.
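The two checks from this thread (which authenticator each renewal file uses, and whether a webroot file actually carries a webroot_path or [[webroot_map]] entry) can be combined into one audit. This is an added example, not code from any of the posters or from Certbot; the function names, the sample domains and the rule that the most common authenticator is the expected one are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit Certbot renewal configs for the mismatch found in this thread.

# Print the authenticator value set in one renewal config file.
get_authenticator() {
    sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeed if the file sets webroot_path or has an entry under [[webroot_map]].
has_webroot_setting() {
    awk '
        /^[ \t]*webroot_path[ \t]*=[ \t]*[^ \t,]/ { found = 1 }
        /^[ \t]*\[/ { in_map = ($0 ~ /\[\[webroot_map\]\]/); next }
        in_map && /=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print "file<TAB>authenticator<TAB>status" for every *.conf in the directory.
audit_renewal_dir() {
    dir=$1
    # Assumption: the authenticator used by most certificates is the expected one.
    majority=$(for f in "$dir"/*.conf; do [ -f "$f" ] && get_authenticator "$f"; done |
        sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }')
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        auth=$(get_authenticator "$f")
        status=ok
        [ "$auth" = "$majority" ] || status=differs-from-majority
        if [ "$auth" = webroot ] && ! has_webroot_setting "$f"; then
            status=webroot-without-path
        fi
        printf '%s\t%s\t%s\n' "$(basename "$f")" "${auth:-none}" "$status"
    done
}

# Constructed sample directory (hypothetical domains and paths), for offline runs.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '[renewalparams]\nauthenticator = webroot\nwebroot_path = /var/www/a,\n[[webroot_map]]\na.example = /var/www/a\n' > "$d/a.example.conf"
    printf '[renewalparams]\nauthenticator = webroot\n[[webroot_map]]\nb.example = /var/www/b\n' > "$d/b.example.conf"
    printf '[renewalparams]\nauthenticator = webroot\n' > "$d/c.example.conf"
    printf '[renewalparams]\nauthenticator = apache\ninstaller = apache\n' > "$d/d.example.conf"
    echo "$d"
}

# Run against a real directory when one is given, e.g. /etc/letsencrypt/renewal
if [ -n "${1:-}" ]; then audit_renewal_dir "$1"; fi
```

Any line not marked ok is a certificate to test with certbot renew --dry-run before its next scheduled renewal.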

Thanks! This fixed it immediately. I think webroot seems to be the way to go for me. I’ll leave the Apache module for the time being!
