My automatic renewal wasn’t working, but after many hours I figured out the problem. Here’s the fix in case someone else has the problem.
When trying to renew, this was the warning: “WARNING:letsencrypt.cli:Attempting to renew cert from … produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError((‘There has been an error in parsing the file (%s): %s’, u’/usr/share/modsecurity-crs/rules/REQUEST-910-IP-REPUTATION.conf’, u’Syntax error’),). Skipping.”
Turns out REQUEST-910-IP-REPUTATION.conf had this line commented:
"#SecRule TX:REAL_IP “@ipMatchFromFile ip_blacklist.data” " but the lines under were not commented out for this rule. Once I commented out the rest of the SecRule (16 lines), the renewal worked.
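A check for the pattern described in the post above (a SecRule whose first line is commented out while the lines under it are not), added here as an example and not code from this thread or from Certbot. It assumes the rule's lines are joined by trailing backslashes; the sample text, rule ids and function name are constructed for illustration.

```python
import re

# A commented-out ModSecurity directive, e.g. "#SecRule ..." or "# SecAction ..."
COMMENTED_DIRECTIVE = re.compile(r"^\s*#\s*(SecRule|SecAction)\b")

# Constructed sample, not the real CRS file: the first rule is half-commented,
# the second is commented out on every line.
SAMPLE = r'''# Constructed sample rules
#SecRule TX:REAL_IP "@ipMatchFromFile ip_blacklist.data" \
    "msg:'constructed sample',\
    id:1000001,\
    phase:2,\
    block"

#SecRule ARGS "@rx constructed" \
#    "id:1000002,\
#    phase:2,\
#    pass"
'''

def find_half_commented_rules(text):
    """Return [(first_line, [uncommented continuation lines])], 1-based."""
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        if not COMMENTED_DIRECTIVE.match(lines[i]):
            i += 1
            continue
        stray = []
        j = i
        # Follow the backslash continuation chain (assumed rule layout).
        while j < len(lines) and lines[j].rstrip().endswith("\\"):
            j += 1
            if j < len(lines) and lines[j].strip() \
                    and not lines[j].lstrip().startswith("#"):
                stray.append(j + 1)
        if stray:
            findings.append((i + 1, stray))
        i = j + 1
    return findings

if __name__ == "__main__":
    for first, stray in find_half_commented_rules(SAMPLE):
        print(f"line {first}: commented directive, uncommented lines {stray}")
```

Running it over each `.conf` file in the rules directory before a renewal lists the lines that still need a leading `#`.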
This was an error with Certbot’s Apache parser but it has been fixed in more recent versions. You can download a newer version of Certbot that includes this fix by following the instructions at https://certbot.eff.org/#ubuntuxenial-apache.
You might be experiencing a problem with how far operating system-provided packages are lagging behind our current releases. The letsencrypt client was renamed to certbot over a year ago, and the version you have is more than a year old. It’s possible that this issue has been fixed in the meantime.
Edit: looks like @bmw agrees that this is the issue. Thanks for checking, Brad.
Thank you! I updated as directed to version 0.12.0 (version 12?). Is it true that it has a built-in crontab for auto renewal, or do I need to enter one? Thanks again!!
If you got it with certbot-auto, it didn’t create a crontab file for you and you’ll have to do that yourself. However, if you still have the operating system package installed, it may have created one which may still exist (and may be running the older version of the renewer).