Autorenew missing webroot dry-run - no-data.org

:construction: :construction: :construction: :construction: :construction:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: no-data.org

I ran this command: sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/no-data.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for no-data.org
Cleaning up challenges
Attempting to renew cert (no-data.org) from /etc/letsencrypt/renewal/no-data.org.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for no-data.org:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/no-data.org/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/no-data.org/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Apache/2.4.34 (Ubuntu)

The operating system my web server runs on is (include version):
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.10

My hosting provider, if applicable, is:
digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know):
:brain:@:computer:::herb:# #yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Additional info:

  • Showing ssl-params.conf:


    ServerAdmin admin@no-data.org
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    #SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateFile /etc/letsencrypt/live/no-data.org/fullchain.pem
    #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    SSLCertificateKeyFile /etc/letsencrypt/live/no-data.org/privkey.pem
    <FilesMatch ".(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

  • Showing letsencrypt.log traceback:
    Input the webroot for no-data.org:

2019-06-26 09:48:36,513:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-06-26 09:48:36,514:ERROR:certbot.renewal: /etc/letsencrypt/live/no-data.org/fullchain.pem (failure)
2019-06-26 09:48:36,515:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

  • Showing no-data.org.conf:

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/no-data.org
cert = /etc/letsencrypt/live/no-data.org/cert.pem
privkey = /etc/letsencrypt/live/no-data.org/privkey.pem
chain = /etc/letsencrypt/live/no-data.org/chain.pem
fullchain = /etc/letsencrypt/live/no-data.org/fullchain.pem
#webroot = /var/www # this produces same result

# Options used in the renewal process

[renewalparams]
account = 16d0bceda76c2f368158b13ebdca2f6b
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory

:construction: :construction: :construction: :construction: :construction:

I think you got burned by this (fixed) bug: https://github.com/certbot/certbot/issues/7048

You can try potentially:

certbot renew --cert-name no-data.org -w /var/www/html

and if that doesn’t work, perhaps try the Apache authenticator:

certbot renew --cert-name no-data.org -a apache
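A check for the condition behind the error in the question, added here as an example and not taken from the thread or from Certbot's own code: it parses a renewal file and reports when `authenticator = webroot` has no saved `webroot_path` or `[[webroot_map]]`, and when a `webroot` key sits outside `[renewalparams]` (the variant the question says produced the same result). The sample files and function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the question's file: webroot, no saved path.
BROKEN = """\
version = 0.31.0
webroot = /var/www
[renewalparams]
authenticator = webroot
"""

# Constructed sample of a file that records the directory for renewals.
HEALTHY = """\
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
example.org = /var/www/html
"""

def parse_renewal_conf(text):
    """Parse a ConfigObj-style renewal file into {section: {key: value}}."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()   # drop inline comments
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+\s*([^\[\]]+?)\s*\]+", line)
        if header:                              # [section] or [[subsection]]
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def webroot_findings(text):
    """List reasons a webroot renewal has no challenge directory to use."""
    conf = parse_renewal_conf(text)
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []
    findings = []
    paths = [p for p in params.get("webroot_path", "").split(",") if p.strip()]
    if not paths and not conf.get("webroot_map"):
        findings.append("no webroot_path or webroot_map saved")
    for key in conf[""]:                        # keys above the first section
        if key.startswith("webroot"):
            findings.append("%s is set outside [renewalparams]" % key)
    return findings
```

Passing it the contents of each file under /etc/letsencrypt/renewal/ flags a certificate that will prompt for a webroot before the scheduled renewal runs.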

:herb:@:computer::/etc/letsencrypt/live/no-data.org# certbot renew --cert-name no-data.org -w /var/www/html --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/no-data.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for no-data.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/no-data.org/fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/no-data.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


:construction:
:herb:@:computer::/etc/letsencrypt/live/no-data.org# certbot renew --cert-name no-data.org -w /var/www/html
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/no-data.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for no-data.org
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/no-data.org/fullchain.pem



Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/no-data.org/fullchain.pem (success)


:construction: :construction: :construction:

Looks good, this works! Thanks @_az !!
