My monthly certificate renewal crontab ran into an issue with Augeas (see topic title). Last time it renewed the certificates just fine.
My domain is:
fallback.blazingedge.org
pixelfabrik.org
I ran this command:
/usr/bin/certbot -vvv --rsa-key-size 4096 --apache
It produced this output:
Root logging level set at 0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator apache and installer apache
Apache version is 2.4.46
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f49320f6a30>
Prep: True
Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f49320f6a30> and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f49320f6a30>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/123134286', new_authzr_uri=None, terms_of_service=None), 0d0f39e2a463f4c9037074a827ffdf26, Meta(creation_dt=datetime.datetime(2021, 5, 11, 18, 27, 21, tzinfo=<UTC>), creation_host='apollo.pixelfabrik.org', register_to_eff=None))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Date: Sun, 01 Aug 2021 13:35:45 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"QqkrjNBtNbY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: fallback.blazingedge.org
2: pixelfabrik.org
3: www.pixelfabrik.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requested authenticator apache and installer apache
Starting new HTTP connection (1): r3.o.lencr.org:80
http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
OCSP response for certificate /etc/letsencrypt/archive/fallback.blazingedge.org/cert1.pem is signed by the certificate's issuer.
OCSP certificate status for /etc/letsencrypt/archive/fallback.blazingedge.org/cert1.pem is: OCSPCertStatus.GOOD
Should renew, less than 30 days before certificate expiry 2021-08-09 17:28:37 UTC.
Certificate is due for renewal, auto-renewing...
Notifying user: Renewing an existing certificate for fallback.blazingedge.org
Renewing an existing certificate for fallback.blazingedge.org
Generating RSA key (4096 bits): /etc/letsencrypt/keys/0210_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0210_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Sun, 01 Aug 2021 13:35:55 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01027IHLg1RQM2azbJKXkZpQA-bxgEpLLOrvqMjIKMqAxp4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Storing nonce: 01027IHLg1RQM2azbJKXkZpQA-bxgEpLLOrvqMjIKMqAxp4
JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "fallback.blazingedge.org"\n }\n ]\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTM0Mjg2IiwgIm5vbmNlIjogIjAxMDI3SUhMZzFSUU0yYXpiSktYa1pwUUEtYnhnRXBMTE9ydnFNaklLTXFBeHA0IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "QILGz55NxFxaydhB_-SRIZbpNbpJ0iPktJ-qvrfx2ba1CAJ1A-sg1jo2HavRgvGwLYzDyDtwkQu8ST_0iV6YP1semiIwWQx-KfZRoRhWJJXZmepFdydG0XCjomLHiAlkB0bdjkO_GcL4seliLLtjLZVo232j83CsW9vgS8_8-IDo8Z9DCHI_yPNt96QpeDL-sqBJfHBZW8fAiqAz33ujOQQz9PbKHNfAEEr1rOhqWa2OjWIrf5MrecMlnB-yH9CibwJy0MpGhEc3Mcm5tMI0SBDLepba4C2IVjyYIcf1O1rs277rMKz1eIdne-2CEmBR9LS_-ALypXpEIbNAUonyHQ",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImZhbGxiYWNrLmJsYXppbmdlZGdlLm9yZyIKICAgIH0KICBdCn0"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 347
Received response:
HTTP 201
Server: nginx
Date: Sun, 01 Aug 2021 13:35:55 GMT
Content-Type: application/json
Content-Length: 347
Connection: keep-alive
Boulder-Requester: 123134286
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/123134286/12124266521
Replay-Nonce: 0102Duo0xp16UHW7EUbdjfTaq41nNnd14zjlmbLvIploDhY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"status": "pending",
"expires": "2021-08-01T16:01:15Z",
"identifiers": [
{
"type": "dns",
"value": "fallback.blazingedge.org"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/16088096641"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/123134286/12124266521"
}
Storing nonce: 0102Duo0xp16UHW7EUbdjfTaq41nNnd14zjlmbLvIploDhY
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/16088096641:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTIzMTM0Mjg2IiwgIm5vbmNlIjogIjAxMDJEdW8weHAxNlVIVzdFVWJkamZUYXE0MW5ObmQxNHpqbG1iTHZJcGxvRGhZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xNjA4ODA5NjY0MSJ9",
"signature": "bqI4O4AjnnxXTCp97ZObrfpLdu-lEhJc9Ocu10LtGw1ilR6DiQBT0xb2lOMsJCDRKN6WL6Se9CUHjAP1j_Oz1zah9340l_hmlHeX7jzZ6Sd_tc8G0XoZ_-J27Fnz8dLwifrNEAft3eAVekepFbYG0lL_iUV8-FI5XjKFix0l6SdWXaelsWdobF5w5Kir7wmiafAwYPdpoQ00JZUlx9zrFkwJ5wLGe2Xm9TUCOZqrYb6V9eO0pe8FN5DcemlK3BZLtVFPlLH19F5ybLXWe6Tj8WNHbFFkl1g7QJOooX9cdA54cyXdzP_09-thlP7AuLpD6jTYtQ7z-HoSN0z632g1DQ",
"payload": ""
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/16088096641 HTTP/1.1" 200 805
Received response:
HTTP 200
Server: nginx
Date: Sun, 01 Aug 2021 13:35:56 GMT
Content-Type: application/json
Content-Length: 805
Connection: keep-alive
Boulder-Requester: 123134286
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102voHAibPyx0FsWYBemFlZSk2OfjWW9xiEXEeXOA_yhEg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "fallback.blazingedge.org"
},
"status": "pending",
"expires": "2021-08-01T16:01:15Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/16088096641/4X69pA",
"token": "UNT-gJb3zUxWgcq6Mz4RI8l9T9a96ViAAR3glXdFFyc"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/16088096641/mw8s0Q",
"token": "UNT-gJb3zUxWgcq6Mz4RI8l9T9a96ViAAR3glXdFFyc"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/16088096641/pOD3DQ",
"token": "UNT-gJb3zUxWgcq6Mz4RI8l9T9a96ViAAR3glXdFFyc"
}
]
}
Storing nonce: 0102voHAibPyx0FsWYBemFlZSk2OfjWW9xiEXEeXOA_yhEg
Performing the following challenges:
http-01 challenge for fallback.blazingedge.org
Adding a temporary challenge validation Include for name: fallback.blazingedge.org in: /etc/apache2/sites-enabled/blazingedge.org.conf
Adding a temporary challenge validation Include for name: fallback.blazingedge.org in: /etc/apache2/sites-enabled/blazingedge.org.conf
Adding a temporary challenge validation Include for name: None in: /etc/apache2/mods-enabled/status.conf
Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 73, in handle_authorizations
resps = self.auth.perform(achalls)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 2538, in perform
http_response = http_doer.perform()
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/http_01.py", line 76, in perform
self._mod_config()
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/http_01.py", line 120, in _mod_config
self._set_up_include_directives(vh)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/http_01.py", line 216, in _set_up_include_directives
self.configurator.parser.add_dir_beginning(
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/parser.py", line 443, in add_dir_beginning
self.aug.insert(first_dir, "directive", True)
File "/snap/certbot/1280/lib/python3.8/site-packages/augeas/__init__.py", line 485, in insert
self._raise_error(AugeasValueError, "Augeas.insert() failed")
File "/snap/certbot/1280/lib/python3.8/site-packages/augeas/__init__.py", line 154, in _raise_error
raise errorclass(ec, fullmessage, msg, minor, details)
augeas.AugeasValueError: Augeas.insert() failed: No match for path expression
Calling registered functions
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/1280/bin/certbot", line 8, in <module>
sys.exit(main())
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/main.py", line 1289, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/main.py", line 117, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 333, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/client.py", line 375, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/client.py", line 425, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 73, in handle_authorizations
resps = self.auth.perform(achalls)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 2538, in perform
http_response = http_doer.perform()
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/http_01.py", line 76, in perform
self._mod_config()
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/http_01.py", line 120, in _mod_config
self._set_up_include_directives(vh)
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/http_01.py", line 216, in _set_up_include_directives
self.configurator.parser.add_dir_beginning(
File "/snap/certbot/1280/lib/python3.8/site-packages/certbot_apache/_internal/parser.py", line 443, in add_dir_beginning
self.aug.insert(first_dir, "directive", True)
File "/snap/certbot/1280/lib/python3.8/site-packages/augeas/__init__.py", line 485, in insert
self._raise_error(AugeasValueError, "Augeas.insert() failed")
File "/snap/certbot/1280/lib/python3.8/site-packages/augeas/__init__.py", line 154, in _raise_error
raise errorclass(ec, fullmessage, msg, minor, details)
augeas.AugeasValueError: Augeas.insert() failed: No match for path expression
An unexpected error occurred:
augeas.AugeasValueError: Augeas.insert() failed: No match for path expression
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
Apache/2.4.46
The operating system my web server runs on is (include version):
Linux apollo 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 GNU/Linux
My hosting provider, if applicable, is:
Self hosted on Hetzner premises
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.17.0 (installed according to Certbot - Debianbuster Apache)
root@apollo ~ # apachectl -S
VirtualHost configuration:
*:80 is a NameVirtualHost
default server apollo.pixelfabrik.org (/etc/apache2/mods-enabled/status.conf:7)
port 80 namevhost apollo.pixelfabrik.org (/etc/apache2/mods-enabled/status.conf:7)
port 80 namevhost fallback.blazingedge.org (/etc/apache2/sites-enabled/blazingedge.org.conf:1)
port 80 namevhost pixelfabrik.org (/etc/apache2/sites-enabled/pixelfabrik.org.conf:1)
alias www.pixelfabrik.org
*:443 is a NameVirtualHost
default server fallback.blazingedge.org (/etc/apache2/sites-enabled/blazingedge.org.conf:15)
port 443 namevhost fallback.blazingedge.org (/etc/apache2/sites-enabled/blazingedge.org.conf:15)
port 443 namevhost pixelfabrik.org (/etc/apache2/sites-enabled/pixelfabrik.org.conf:13)
alias www.pixelfabrik.org
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex fcgid-pipe: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33