All renewal attempts failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: "paritsu.kenyoh.com"

I ran this command: " ... ,287:INFO:certbot.renewal:Cert is due for renewal, auto-renewing..."

It produced this output: "... ,410:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:"

My web server is (include version): "apache 2.4.38"

The operating system my web server runs on is (include version): "Raspberry Pi OS
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 5.10.17-v8+
Architecture: arm64"

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): "yes"

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): "no"

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): "certbot 0.31.0"

I was pretty sure I had screwed up something when getting and installing the certificate, but I don't know what. Now the cert is due for renewal, but it fails.
I'm not experienced with this. Some help would be great.
thx

As I remember, when getting the cert, I needed to declare the name of the domain using the certificate, such as ".". As I'm using ".." I probably declared this. Maybe the problem relates to this?
thx

Hi @pikset

Please share a complete log, not only such a small part.

1 Like

Sorry, I'm not familiar with using the board's functions or HTML.

Some of the used characters affected the output.

As I remember, when getting the cert, I was asked to declare the name of the domain using the certificate, such as <sld>.<tld>. As I'm using <sub>.<sld>.<tld> I probably declared this. Maybe the problem relates to this?

letsencrypt.log:
I don't know if it's needed, but I replaced some output with "***************".
2021-04-30 08:21:22,847:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at ***********> and installer <certbot.cli._Default object at 0x7fb11f62b0>
2021-04-30 08:21:22,868:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2021-05-28 20:30:42 UTC.
2021-04-30 08:21:22,869:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2021-04-30 08:21:22,869:INFO:certbot.renewal:Non-interactive renewal: random delay of 389 seconds
2021-04-30 08:27:51,885:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-04-30 08:27:51,887:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at *****************>
Prep: True
2021-04-30 08:27:51,890:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at **************> and installer None
2021-04-30 08:27:51,891:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-04-30 08:27:51,906:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/114006195', new_authzr_uri=None, terms_of_service=None), ******************, Meta(creation_dt=datetime.datetime(2021, 2, 26, 15, 38, 14, tzinfo=<UTC>), creation_host='localhost.localadmin'))>
2021-04-30 08:27:51,911:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-04-30 08:27:51,921:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-04-30 08:27:52,557:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-04-30 08:27:52,560:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 30 Apr 2021 06:27:52 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"UeMlDg4785A": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-04-30 08:27:52,562:INFO:certbot.main:Renewing an existing certificate
2021-04-30 08:27:52,701:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0005_key-certbot.pem
2021-04-30 08:27:52,711:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0005_csr-certbot.pem
2021-04-30 08:27:52,712:DEBUG:acme.client:Requesting fresh nonce
2021-04-30 08:27:52,713:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-04-30 08:27:52,857:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-04-30 08:27:52,859:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 30 Apr 2021 06:27:52 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: **********************
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2021-04-30 08:27:52,859:DEBUG:acme.client:Storing nonce: **********************
2021-04-30 08:27:52,860:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "kenyoh.com"\n },\n {\n "type": "dns",\n "value": "paritsu.kenyoh.com"\n }\n ]\n}'
2021-04-30 08:27:52,868:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "",
"signature": "
",
"payload": "
**************"
}
2021-04-30 08:27:53,048:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 472
2021-04-30 08:27:53,050:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 30 Apr 2021 06:27:52 GMT
Content-Type: application/json
Content-Length: 472
Connection: keep-alive
Boulder-Requester: ****************
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/114006195/9363204501
Replay-Nonce: **************************
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2021-05-06T04:49:13Z",
"identifiers": [
{
"type": "dns",
"value": "kenyoh.com"
},
{
"type": "dns",
"value": "paritsu.kenyoh.com"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/12704797733",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/12704797734"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/114006195/9363204501"
}
2021-04-30 08:27:53,050:DEBUG:acme.client:Storing nonce: ***************
2021-04-30 08:27:53,051:DEBUG:acme.client:JWS payload:
b''
2021-04-30 08:27:53,058:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/12704797733:
{
"protected": "**************",
"signature": "
",
"payload": ""
}
2021-04-30 08:27:53,230:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12704797733 HTTP/1.1" 200 791
2021-04-30 08:27:53,231:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 30 Apr 2021 06:27:53 GMT
Content-Type: application/json
Content-Length: 791
Connection: keep-alive
Boulder-Requester: ***************
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: **********************************
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "kenyoh.com"
},
"status": "pending",
"expires": "2021-05-06T04:49:13Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12704797733/qBpl7Q",
"token": ""
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12704797733/3tO5AA",
"token": ""
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12704797733/bPz6AA",
"token": "
************"
}
]
}
2021-04-30 08:27:53,232:DEBUG:acme.client:Storing nonce: ****************************
2021-04-30 08:27:53,233:DEBUG:acme.client:JWS payload:
b''
2021-04-30 08:27:53,240:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/12704797734:
{
"protected": "
",
"signature": "
*************",
"payload": ""
}
2021-04-30 08:27:53,423:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/12704797734 HTTP/1.1" 200 799
2021-04-30 08:27:53,424:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 30 Apr 2021 06:27:53 GMT
Content-Type: application/json
Content-Length: 799
Connection: keep-alive
Boulder-Requester: 114006195
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: ******************************
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "paritsu.kenyoh.com"
},
"status": "pending",
"expires": "2021-05-06T04:49:13Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12704797734/RoZX4g",
"token": ""
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12704797734/HXSTFw",
"token": "
"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/12704797734/XXkFaw",
"token": "*******************************"
}
]
}
2021-04-30 08:27:53,425:DEBUG:acme.client:Storing nonce: *********************
2021-04-30 08:27:53,426:INFO:certbot.auth_handler:Performing the following challenges:
2021-04-30 08:27:53,426:INFO:certbot.auth_handler:http-01 challenge for kenyoh.com
2021-04-30 08:27:53,427:INFO:certbot.auth_handler:http-01 challenge for paritsu.kenyoh.com
2021-04-30 08:27:53,429:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 81, in perform
self._set_webroots(achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 99, in _set_webroots
known_webroots)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 115, in _prompt_for_webroot
webroot = self._prompt_with_webroot_list(domain, known_webroots)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 132, in _prompt_with_webroot_list
cli_flag=path_flag, force_interactive=True)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 507, in menu
self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Select the webroot for paritsu.kenyoh.com:
Choices: ['Enter a new webroot', '/var/lib/letsencrypt']

(You can set this with the --webroot-path flag)

2021-04-30 08:27:53,429:DEBUG:certbot.error_handler:Calling registered functions
2021-04-30 08:27:53,430:INFO:certbot.auth_handler:Cleaning up challenges
2021-04-30 08:27:53,430:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2021-04-30 08:27:53,430:WARNING:certbot.renewal:Attempting to renew cert (kenyoh.com) from /etc/letsencrypt/renewal/kenyoh.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for paritsu.kenyoh.com:
Choices: ['Enter a new webroot', '/var/lib/letsencrypt']

(You can set this with the --webroot-path flag). Skipping.
2021-04-30 08:27:53,435:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 465, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 323, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 81, in perform
self._set_webroots(achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 99, in _set_webroots
known_webroots)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 115, in _prompt_for_webroot
webroot = self._prompt_with_webroot_list(domain, known_webroots)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 132, in _prompt_with_webroot_list
cli_flag=path_flag, force_interactive=True)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 507, in menu
self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Select the webroot for paritsu.kenyoh.com:
Choices: ['Enter a new webroot', '/var/lib/letsencrypt']

(You can set this with the --webroot-path flag)

2021-04-30 08:27:53,435:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2021-04-30 08:27:53,435:ERROR:certbot.renewal: /etc/letsencrypt/live/kenyoh.com/fullchain.pem (failure)
2021-04-30 08:27:53,436:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 490, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

Thanks for spending time to help me. I appreciate it.

1 Like

You use webroot, but then a command line argument or a user input is required.

Certbot has asked 3 times.

And the 0.31 version has a bug: sometimes the webroot isn't saved.

1 Like
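The failure in the log above can be checked for before the renewal timer runs. The following is an added example, not part of the original thread and not Certbot's own code: it reads a renewal configuration in the layout Certbot writes (a `[renewalparams]` section with a nested `[[webroot_map]]`) and reports which certificate names would trigger the "Select the webroot for ..." prompt that aborts a non-interactive renewal. The function names are hypothetical and the sample file content is constructed, using the two names and the known webroot shown in the log.

```python
def parse_renewal_conf(text):
    """Parse a ConfigObj-style renewal file into {section: {key: value}}."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            # "[renewalparams]" and the nested "[[webroot_map]]" both land here
            current = line.strip("[]").strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def domains_needing_webroot(conf_text, cert_domains):
    """Return the names a webroot renewal would have to prompt for."""
    conf = parse_renewal_conf(conf_text)
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []  # e.g. after renewing with --apache, no webroot is needed
    # webroot_path is stored as a comma-separated list; any entry acts as
    # the fallback for names that have no webroot_map line.
    if any(p.strip() for p in params.get("webroot_path", "").split(",")):
        return []
    mapped = conf.get("webroot_map", {})
    return [d for d in cert_domains if d not in mapped]


# Constructed sample: only one of the two names has a saved webroot.
SAMPLE_BROKEN = """\
version = 0.31.0
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
kenyoh.com = /var/lib/letsencrypt
"""
SAMPLE_MAPPED = SAMPLE_BROKEN + "paritsu.kenyoh.com = /var/lib/letsencrypt\n"
SAMPLE_APACHE = SAMPLE_BROKEN.replace("authenticator = webroot",
                                      "authenticator = apache")
DOMAINS = ["kenyoh.com", "paritsu.kenyoh.com"]

if __name__ == "__main__":
    for name, conf in [("broken", SAMPLE_BROKEN), ("mapped", SAMPLE_MAPPED),
                       ("apache", SAMPLE_APACHE)]:
        print(name, domains_needing_webroot(conf, DOMAINS))
```

On a real host the input would be the text of the file named in the log's warning line, and the domain list would be the names on the certificate.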

thx

Can you help me resolve the issue?

As suggested by 9Peppe, I finally ran 'sudo certbot renew --cert-name "kenyoh.com" --apache' and got "Congratulations, all renewals succeeded" :slight_smile:

reboot ok.
ssh ok.
site-access ok.

I'm curious now what will happen next time.