Hi, my certbot renewal has stopped working for my Ubuntu + Apache setup. I see there are some instructions here [Certbot - Ubuntuxenial Apache], but not sure if those take into consideration that I have an older version of certbot already running. Also since the site is live, I'm not sure if it will interrupt traffic while going through the steps.
I ran this command:
sudo certbot renew --dry-run
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/foo.com.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Attempting to renew cert (foo.com) from /etc/letsencrypt/renewal/foo.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/foo.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/foo.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
My web server is (include version):
Apache/2.4.18 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 16.04
I'm afraid that's not true. For your suggestion to work, the --dry-run needs to succeed too. But it fails.
@Test9372 Your Ubuntu 16.04 probably doesn't recognise the ISRG Root X1 certificate as a trusted root certificate because it's too old. Which version of ca-certificates is installed? And can you upgrade it to something recent?
Package: ca-certificates
Version: 20210119~16.04.1
Priority: standard
Section: misc
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Michael Shuler <michael@pbandjelly.org>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 389 kB
Depends: openssl (>= 1.0.0), debconf (>= 0.5) | debconf-2.0
Breaks: ca-certificates-java (<< 20121112+nmu1)
Enhances: openssl
Task: standard, ubuntu-core, ubuntu-core, mythbuntu-frontend, mythbuntu-backend-slave, mythbuntu-backend-master, ubuntu-touch-core, ubuntu-touch, ubuntu-sdk-libs-tools, ubuntu-sdk
Supported: 5y
Download-Size: 148 kB
APT-Manual-Installed: yes
APT-Sources: http://mirrors.digitalocean.com/ubuntu xenial-updates/main amd64 Packages
Description: Common CA certificates
This package includes PEM files of CA certificates to allow SSL-based
applications to check for the authenticity of SSL connections.
.
It includes, among others, certificate authorities used by the Debian
infrastructure and those shipped with Mozilla's browsers.
.
Please note that Debian can neither confirm nor deny whether the
certificate authorities whose certificates are included in this package
have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system
administrator.
N: There is 1 additional record. Please use the '-a' switch to see it
When I try to run the renewal command again, sudo certbot renew --dry-run, now I get a different error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/foo.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (foo.com) from /etc/letsencrypt/renewal/foo.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/foo.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/foo.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
but the post here says that it's a bug with certbot dry-run when version < 0.32:
Running it for real works now and my certificate was updated.
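The two failures seen in this thread are worth catching automatically when `certbot renew` runs from cron, so a renewal that silently stops working shows up in monitoring rather than as an expired certificate. The following parser is an added example, not code from the thread or from certbot itself; it reads the renew output and maps each failure line to the diagnosis the thread arrived at. The sample output is constructed from the lines quoted above, and the category names and hint strings are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample built from the failure lines quoted in the thread
# (second cert name invented) so the parser runs offline without certbot.
SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/foo.com.conf
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Attempting to renew cert (foo.com) from /etc/letsencrypt/renewal/foo.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.
Processing /etc/letsencrypt/renewal/bar.example.conf
Attempting to renew cert (bar.example) from /etc/letsencrypt/renewal/bar.example.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
2 renew failure(s), 0 parse failure(s)
"""

FAIL_RE = re.compile(r"Attempting to renew cert \((?P<name>[^)]+)\) from (?P<conf>\S+) "
                     r"produced an unexpected error: (?P<error>.*?)\. Skipping\.$")
ENDPOINT_RE = re.compile(r"Starting new HTTPS connection \(\d+\): (?P<host>\S+)")
SUMMARY_RE = re.compile(r"(?P<renew>\d+) renew failure\(s\), (?P<parse>\d+) parse failure\(s\)")

# Error signature -> (category, hint); both taken from the diagnosis in the thread.
SIGNATURES = [
    ("CERTIFICATE_VERIFY_FAILED", "trust-store",
     "client could not validate the ACME server's chain; check the ca-certificates version"),
    ("Method not allowed", "client-too-old",
     "--dry-run bug in certbot < 0.32 against the v2 staging endpoint; a real renew may work"),
]

@dataclass
class RenewFailure:
    name: str
    conf: str
    error: str
    category: str
    hint: str

@dataclass
class RenewReport:
    endpoint: Optional[str] = None
    failures: List[RenewFailure] = field(default_factory=list)
    summary_renew_failures: Optional[int] = None

def classify(error: str):
    """Return (category, hint) for an error string; 'unknown' if no signature matches."""
    for needle, category, hint in SIGNATURES:
        if needle in error:
            return category, hint
    return "unknown", "no known signature; read /var/log/letsencrypt/letsencrypt.log"

def parse_certbot_output(text: str) -> RenewReport:
    """Walk certbot renew output line by line and collect endpoint, failures and summary."""
    report = RenewReport()
    for line in text.splitlines():
        line = line.strip()
        m = ENDPOINT_RE.search(line)
        if m:
            report.endpoint = m.group("host")
            continue
        m = FAIL_RE.search(line)
        if m:
            category, hint = classify(m.group("error"))
            report.failures.append(RenewFailure(m.group("name"), m.group("conf"),
                                                m.group("error"), category, hint))
            continue
        m = SUMMARY_RE.search(line)
        if m:
            report.summary_renew_failures = int(m.group("renew"))
    return report
```

Feeding the real `certbot renew` output through `parse_certbot_output` and alerting on any non-empty `failures` list gives an early warning; the `endpoint` field also confirms whether a run hit staging or production.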