Cannot renew one of my letsencrypt certificates

I was able to renew 3 of my certificates.
But one of them I could not renew.

I checked the files and subfolders in /etc/letsencrypt. I was not able to find something wrong.

My domain is:
t2792.greatnet.de

I ran this command:
/root/letsencrypt/certbot-auto renew

It produced this output:
2017-10-18 08:51:31,842:INFO:certbot.renewal:Cert not yet due for renewal (that is ok)
2017-10-18 08:51:31,846:INFO:certbot.renewal:Cert not yet due for renewal (that is ok)
2017-10-18 08:51:31,850:INFO:certbot.renewal:Cert not yet due for renewal (that is ok)
2017-10-18 08:51:31,850:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2017-10-18 08:51:31,850:ERROR:certbot.renewal: /etc/letsencrypt/live/t2792.greatnet.de/fullchain.pem (failure)
2017-10-18 08:51:31,851:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py”, line 861, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py”, line 797, in renew
renewal.handle_renewal_request(config)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/renewal.py”, line 443, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version):
apache 2.4.23-16.1

The operating system my web server runs on is (include version):
openSUSE Leap 42.3

My hosting provider, if applicable, is:
It is my own dedicated virtual server

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

What version of python do you have installed? python -V ?

I tried the command zypper info python:
Name : python
Version : 2.7.13-26.1
Arch : x86_64
Anbieter : openSUSE
Installiert : Ja (automatisch)
Status : aktuell
Quellpaket : python-2.7.13-26.1.src
Zusammenfassung : Python Interpreter

Does this help or should I really post the (very long) output of python -V ?

That version should be fine, I am running 2.7.12 on Ubuntu. Perhaps one of the other mods might be able to help you when they come online a bit later. Does look like a python code issue to me. Did you run certbot-auto as root or with sudo?

I usually log in as root on my server.

Additionally I would like to add the renewal configuration file:

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/t2792.greatnet.de
cert = /etc/letsencrypt/live/t2792.greatnet.de/cert.pem
privkey = /etc/letsencrypt/live/t2792.greatnet.de/privkey.pem
chain = /etc/letsencrypt/live/t2792.greatnet.de/chain.pem
fullchain = /etc/letsencrypt/live/t2792.greatnet.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xyxyxyxyxyxyxyxyxyxyxyxyxyx
authenticator = webroot
installer = None

[[webroot_map]]
t2792.greatnet.de = /srv/www/htdocs
www.t2792.greatnet.de = /srv/www/htdocs

On the first line, ther original content wasversion 0.16.0
I changed it manually to version 0.19.0 Hope this is right?

@fergru have you compared that particular renewal.conf file against the others to see if you can find a difference? Is your renewal urgent right now?

A very quick fix right now to get it renewed is to do the following, note this is only a quick fix solution.

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/t2792.greatnet.de
cert = /etc/letsencrypt/live/t2792.greatnet.de/cert.pem
privkey = /etc/letsencrypt/live/t2792.greatnet.de/privkey.pem
chain = /etc/letsencrypt/live/t2792.greatnet.de/chain.pem
fullchain = /etc/letsencrypt/live/t2792.greatnet.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xyxyxyxyxyxyxyxyxyxyxyxyxyx
authenticator = standalone
installer = None

#[[webroot_map]]
#t2792.greatnet.de = /srv/www/htdocs
#www.t2792.greatnet.de = /srv/www/htdocs

then manually stop your web server, and run certbot-auto and see if it renews for you and if so then just restart the web server afterwards.

I changed the content of /etc/letsencrypt/renewal/t2792.greatnet.de.conf as you suggested.
Then I stopped apache2
And after that I run /root/letsencrypt/certbot-auto renew
But it did not help:
This is the beginning of the output on the terminal:
Processing /etc/letsencrypt/renewal/sieglinde-roesch.at.conf
Cert not yet due for renewal (that is ok)

Processing /etc/letsencrypt/renewal/t2792.greatnet.de.conf
Attempting to renew cert (t2792.greatnet.de) from /etc/letsencrypt/renewal/t2792.greatnet.de.conf produced an unexpected error: max() arg is an empty sequence. Skipping.

Try this, this is from one of mine which uses standalone.

# renew_before_expiry = 30 days
version = 0.18.2
archive_dir = /etc/letsencrypt/archive/t2792.greatnet.de
cert = /etc/letsencrypt/live/t2792.greatnet.de/cert.pem
privkey = /etc/letsencrypt/live/t2792.greatnet.de/privkey.pem
chain = /etc/letsencrypt/live/t2792.greatnet.de/chain.pem
fullchain = /etc/letsencrypt/live/t2792.greatnet.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = xyxyxyxyxyxyxyxyxyxyxyxyxyx

Here’s one of mine that uses standalone authenticator looks.

# renew_before_expiry = 30 days
version = 0.18.2
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
rsa_key_size = 4096
account = xyxyxyxxyxyxyxyxyyxyxyxyx
post_hook = service nginx restart
pre_hook = service nginx stop

You can also try this:

mkdir /opt/certbot/
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
./cerbot-auto renew

I was able to solve the problem.
Reason was:
Some weeks ago I cleaned up the directories in /etc/letsencrypt.

Now I looked in my data backup and luckily I found the old files in
/etc/letsencrypt/archive/t2792.greatnet.de-0001
I copied these files into
/etc/letsencrypt/archive/t2792.greatnet.de
and then I removed the symlinks in the directory
/etc/letsencrypt/live/t2792.greatnet.de
and created new links, so they point to the latest files.

After these steps and restarting apache2 I was able to renew the certificate as usual.

Thank you for trying to help me.
I would like to apologize for my mistake.

Ferdinand

Glad you figured it out and got it working again

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.