Auto-renewal fails unexpectedly

My domain is:
ddmsence.urizone.net

My web server is (include version):
Apache/2.4.65 (Amazon Linux) installed at /etc/httpd

The operating system my web server runs on is (include version):
Amazon Linux 2023.9.20251027

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot-2.6.0 (python3-certbot 2.6.0-4.amzn2023.0.1)

Issue and Troubleshooting Steps So Far

  • I set up Certbot with Amazon Linux and Apache in January 2024. Manual cert creation and automated renewals have worked fine up to now.
  • After normal (monthly) dnf updates, Certbot is no longer renewing. Initial error was "Cannot find Apache executable apache2ctl". This server uses apachectl / httpd, and the absence of apache2ctl was never a problem before. Last successful renewal seems to be July 2025.
  • I validated the Apache configuration with "apachectl configtest" and got "Syntax OK". I restarted Apache.
  • I tried "certbot-3 renew -v --apache-ctl /usr/sbin/apachectl --apache-server-root /etc/httpd" and got a different error: "The apache plugin is not working; there may be problems with your existing configuration." (complete stack trace is pasted below)
  • I see no obvious errors in any Apache config files (and I have not manually edited them since 2024).
  • I did a dnf remove of python3-certbot and reinstalled it, no change.

Are there other avenues I can try to continue troubleshooting?

Thank you!

Stack Trace:

2025-10-28 20:38:24,695:DEBUG:certbot._internal.main:certbot version: 2.6.0
2025-10-28 20:38:24,695:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot-3
2025-10-28 20:38:24,695:DEBUG:certbot._internal.main:Arguments: ['--apache-ctl', '/usr/sbin/apachectl', '--apache-server-root', '/etc/httpd']
2025-10-28 20:38:24,695:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-10-28 20:38:24,707:DEBUG:certbot._internal.log:Root logging level set at 30
2025-10-28 20:38:24,708:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/ddmsence.urizone.net.conf
2025-10-28 20:38:24,719:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7efd11dfd280> and installer <certbot._internal.cli.cli_utils._Default object at 0x7efd11dfd280>
2025-10-28 20:38:24,729:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2025-10-28 19:14:45 UTC.
2025-10-28 20:38:24,730:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2025-10-28 20:38:24,730:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2025-10-28 20:38:24,808:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.65
2025-10-28 20:38:24,832:WARNING:certbot_apache._internal.apache_util:Error in checking parameter list:
2025-10-28 20:38:24,833:DEBUG:certbot._internal.plugins.disco:Misconfigured PluginEntryPoint#apache: Apache is unable to check whether or not the module is loaded because Apache is misconfigured.
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/disco.py", line 111, in prepare
self._initialized.prepare()
File "/usr/lib/python3.9/site-packages/certbot_apache/_internal/configurator.py", line 376, in prepare
self.parser = self.get_parser()
File "/usr/lib/python3.9/site-packages/certbot_apache/_internal/configurator.py", line 482, in get_parser
return parser.ApacheParser(
File "/usr/lib/python3.9/site-packages/certbot_apache/_internal/parser.py", line 78, in __init__
self.update_runtime_variables()
File "/usr/lib/python3.9/site-packages/certbot_apache/_internal/parser.py", line 293, in update_runtime_variables
self.update_defines()
File "/usr/lib/python3.9/site-packages/certbot_apache/_internal/parser.py", line 299, in update_defines
self.variables = apache_util.parse_defines(self.configurator.options.get_defines_cmd)
File "/usr/lib/python3.9/site-packages/certbot_apache/_internal/apache_util.py", line 151, in parse_defines
matches = parse_from_subprocess(define_cmd, r"Define: ([^ \n]*)")
File "/usr/lib/python3.9/site-packages/certbot_apache/_internal/apache_util.py", line 204, in parse_from_subprocess
stdout = _get_runtime_cfg(command)
File "/usr/lib/python3.9/site-packages/certbot_apache/_internal/apache_util.py", line 237, in _get_runtime_cfg
raise errors.MisconfigurationError(
certbot.errors.MisconfigurationError: Apache is unable to check whether or not the module is loaded because Apache is misconfigured.
2025-10-28 20:38:24,834:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.configurator.ApacheConfigurator object at 0x7efd11e9dfd0>
Prep: Apache is unable to check whether or not the module is loaded because Apache is misconfigured.
2025-10-28 20:38:24,835:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.configurator.ApacheConfigurator object at 0x7efd11e9dfd0>
Prep: Apache is unable to check whether or not the module is loaded because Apache is misconfigured.
2025-10-28 20:38:24,835:ERROR:certbot._internal.renewal:Failed to renew certificate ddmsence.urizone.net with error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Apache is unable to check whether or not the module is loaded because Apache is misconfigured.')
2025-10-28 20:38:24,836:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 533, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1544, in renew_cert
installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/selection.py", line 256, in choose_configurator_plugins
diagnose_configurator_problem("authenticator", req_auth, plugins)
File "/usr/lib/python3.9/site-packages/certbot/_internal/plugins/selection.py", line 374, in diagnose_configurator_problem
raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Apache is unable to check whether or not the module is loaded because Apache is misconfigured.')

I don't have the answer but the first suggestion would be to use a current version of Certbot. Can you snap install the latest certbot instead? Your version is from a few years ago.

2 Likes

I don't think Amazon Linux 2023 supports snap directly. I know earlier versions of Amazon Linux did not and it was very painful to add it (from personal experience). For AL2023 I found this thread at snapcraft describing adding it but I haven't tried it myself: Snap error on Amazon Linux 2023 - #14 by mborzecki1 - snapd - snapcraft.io

You may be better off switching to the --webroot method rather than using the --apache option as you have been. Webroot will have Certbot place a challenge token file in the --webroot-path. Let's Encrypt will then get that token directly from Apache. In this case Certbot does not have to know anything about your Apache setup. You just give it a directory.

With --apache Certbot not only parses your Apache config but it also needs to reload it. Certbot makes temp changes to your Apache config, reloads Apache, waits for the cert request to complete, removes the temp changes and reloads Apache again. The --apache plugin code is what looks to be failing.

4 Likes

Apologies for the anticlimactic ending to this thread, but auto-renewal is working for me again.

While reviewing my VirtualHosts in Apache, I found an extra RewriteEngine code block in the most recently edited subdomain entry. It was placed AFTER a permanent redirect of all traffic and thus, never executed. apachectl configtest did not flag it as bad, but removing it allowed python3-certbot to work again. Lesson Learned: Store VirtualHosts in git so stray testing changes are easier to spot.

Thanks for your kind and fast suggestions!

4 Likes
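An added diagnostic sketch, not code from this thread or from Certbot: it runs `configtest` next to the runtime dumps that the traceback's `parse_defines` / `_get_runtime_cfg` path depends on, so a config that passes "Syntax OK" but fails the plugin's check shows up with its exit status and stderr. Assumptions: the plugin invokes the control script with `-t -D DUMP_RUN_CFG` (plus `DUMP_MODULES` and `DUMP_INCLUDES`) and treats any non-zero exit as a failure; `run_check` and `diagnose` are hypothetical names, while the regex and the `apachectl` path are taken from the post.

```python
import re
import subprocess
import sys

# Regex copied from the traceback on this page (apache_util.parse_defines).
DEFINE_RE = re.compile(r"Define: ([^ \n]*)")

# Assumption: the plugin asks the control script for these three dumps.
DUMPS = ("DUMP_RUN_CFG", "DUMP_MODULES", "DUMP_INCLUDES")


def run_check(command):
    """Run one command; a non-zero exit counts as failure (assumed plugin
    behaviour), whatever was written to stdout."""
    try:
        proc = subprocess.run(command, stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE,
                              universal_newlines=True, check=False)
    except (OSError, ValueError) as exc:
        # Control script missing or not executable.
        return {"command": command, "ok": False, "returncode": None,
                "stderr": str(exc), "defines": []}
    return {
        "command": command,
        "ok": proc.returncode == 0,
        "returncode": proc.returncode,
        "stderr": proc.stderr.strip(),
        "defines": DEFINE_RE.findall(proc.stdout),
    }


def diagnose(ctl="/usr/sbin/apachectl"):
    """Compare `configtest` with the -t -D dumps for one control script."""
    commands = [[ctl, "configtest"]] + [[ctl, "-t", "-D", d] for d in DUMPS]
    return [run_check(c) for c in commands]


if __name__ == "__main__":
    ctl = sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin/apachectl"
    for result in diagnose(ctl):
        status = "ok" if result["ok"] else "FAILED (rc=%s)" % result["returncode"]
        print("%-45s %s" % (" ".join(result["command"]), status))
        if not result["ok"]:
            print("    stderr: %r" % result["stderr"])
```

Run it as root before and after each VirtualHost edit; a row that fails while `configtest` passes points at the kind of mismatch described in this thread.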
