Cannot renew one of my letsencrypt certificates

I was able to renew 3 of my certificates.
But one of them I could not renew.

I checked the files and subfolders in /etc/letsencrypt. I was not able to find anything wrong.

My domain is:
t2792.greatnet.de

I ran this command:
/root/letsencrypt/certbot-auto renew

It produced this output:
2017-10-18 08:51:31,842:INFO:certbot.renewal:Cert not yet due for renewal (that is ok)
2017-10-18 08:51:31,846:INFO:certbot.renewal:Cert not yet due for renewal (that is ok)
2017-10-18 08:51:31,850:INFO:certbot.renewal:Cert not yet due for renewal (that is ok)
2017-10-18 08:51:31,850:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2017-10-18 08:51:31,850:ERROR:certbot.renewal: /etc/letsencrypt/live/t2792.greatnet.de/fullchain.pem (failure)
2017-10-18 08:51:31,851:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 797, in renew
    renewal.handle_renewal_request(config)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/renewal.py", line 443, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version):
apache 2.4.23-16.1

The operating system my web server runs on is (include version):
openSUSE Leap 42.3

My hosting provider, if applicable, is:
It is my own dedicated virtual server

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

What version of python do you have installed? python -V ?

I tried the command zypper info python:
Name : python
Version : 2.7.13-26.1
Arch : x86_64
Anbieter : openSUSE
Installiert : Ja (automatisch)
Status : aktuell
Quellpaket : python-2.7.13-26.1.src
Zusammenfassung : Python Interpreter

Does this help or should I really post the (very long) output of python -V ?

That version should be fine, I am running 2.7.12 on Ubuntu. Perhaps one of the other mods might be able to help you when they come online a bit later. Does look like a python code issue to me. Did you run certbot-auto as root or with sudo?

I usually log in as root on my server.

Additionally I would like to add the renewal configuration file:

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/t2792.greatnet.de
cert = /etc/letsencrypt/live/t2792.greatnet.de/cert.pem
privkey = /etc/letsencrypt/live/t2792.greatnet.de/privkey.pem
chain = /etc/letsencrypt/live/t2792.greatnet.de/chain.pem
fullchain = /etc/letsencrypt/live/t2792.greatnet.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xyxyxyxyxyxyxyxyxyxyxyxyxyx
authenticator = webroot
installer = None

[[webroot_map]]
t2792.greatnet.de = /srv/www/htdocs
www.t2792.greatnet.de = /srv/www/htdocs

On the first line, the original content was version 0.16.0.
I changed it manually to version 0.19.0. Hope this is right?

@fergru have you compared that particular renewal.conf file against the others to see if you can find a difference? Is your renewal urgent right now?

A very quick fix right now to get it renewed is to do the following, note this is only a quick fix solution.

# renew_before_expiry = 30 days
version = 0.19.0
archive_dir = /etc/letsencrypt/archive/t2792.greatnet.de
cert = /etc/letsencrypt/live/t2792.greatnet.de/cert.pem
privkey = /etc/letsencrypt/live/t2792.greatnet.de/privkey.pem
chain = /etc/letsencrypt/live/t2792.greatnet.de/chain.pem
fullchain = /etc/letsencrypt/live/t2792.greatnet.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xyxyxyxyxyxyxyxyxyxyxyxyxyx
authenticator = standalone
installer = None

#[[webroot_map]]
#t2792.greatnet.de = /srv/www/htdocs
#www.t2792.greatnet.de = /srv/www/htdocs

Then manually stop your web server, run certbot-auto and see if it renews for you; if so, just restart the web server afterwards.

I changed the content of /etc/letsencrypt/renewal/t2792.greatnet.de.conf as you suggested.
Then I stopped apache2.
After that I ran /root/letsencrypt/certbot-auto renew
But it did not help.
This is the beginning of the output on the terminal:
Processing /etc/letsencrypt/renewal/sieglinde-roesch.at.conf
Cert not yet due for renewal (that is ok)

Processing /etc/letsencrypt/renewal/t2792.greatnet.de.conf
Attempting to renew cert (t2792.greatnet.de) from /etc/letsencrypt/renewal/t2792.greatnet.de.conf produced an unexpected error: max() arg is an empty sequence. Skipping.

Try this, this is from one of mine which uses standalone.

# renew_before_expiry = 30 days
version = 0.18.2
archive_dir = /etc/letsencrypt/archive/t2792.greatnet.de
cert = /etc/letsencrypt/live/t2792.greatnet.de/cert.pem
privkey = /etc/letsencrypt/live/t2792.greatnet.de/privkey.pem
chain = /etc/letsencrypt/live/t2792.greatnet.de/chain.pem
fullchain = /etc/letsencrypt/live/t2792.greatnet.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = xyxyxyxyxyxyxyxyxyxyxyxyxyx

Here’s how one of mine that uses the standalone authenticator looks.

# renew_before_expiry = 30 days
version = 0.18.2
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
rsa_key_size = 4096
account = xyxyxyxxyxyxyxyxyyxyxyxyx
post_hook = service nginx restart
pre_hook = service nginx stop

You can also try this:

mkdir /opt/certbot/
cd /opt/certbot
wget https://dl.eff.org/certbot-auto
chmod +x certbot-auto
./certbot-auto renew

I was able to solve the problem.
Reason was:
Some weeks ago I cleaned up the directories in /etc/letsencrypt.

Now I looked in my data backup and luckily I found the old files in
/etc/letsencrypt/archive/t2792.greatnet.de-0001
I copied these files into
/etc/letsencrypt/archive/t2792.greatnet.de
and then I removed the symlinks in the directory
/etc/letsencrypt/live/t2792.greatnet.de
and created new links, so they point to the latest files.

After these steps and restarting apache2 I was able to renew the certificate as usual.

Thank you for trying to help me.
I would like to apologize for my mistake.

Ferdinand
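
A consistency check for the situation described in the post above, added here as an example and not part of the original thread or of certbot itself: it verifies that each symlink under live/<name> resolves to a numbered file in archive/<name> and that all four links agree on the version number. The function names, the placeholder domain example.test and the temporary directory tree are constructed for illustration.

```python
import os
import re
import shutil
import tempfile

KINDS = ("cert", "privkey", "chain", "fullchain")

def check_lineage(config_dir, name):
    """Return a list of problems with live/<name> symlinks and archive/<name> files."""
    archive = os.path.realpath(os.path.join(config_dir, "archive", name))
    problems, versions = [], {}
    for kind in KINDS:
        link = os.path.join(config_dir, "live", name, kind + ".pem")
        target = os.path.realpath(link)
        m = re.fullmatch(rf"{kind}(\d+)\.pem", os.path.basename(target))
        if not os.path.islink(link):
            problems.append(f"{link}: not a symlink")
        elif os.path.dirname(target) != archive or not m:
            problems.append(f"{link}: resolves outside {archive}: {target}")
        elif not os.path.isfile(target):
            problems.append(f"{link}: target missing: {target}")
        else:
            versions[kind] = int(m.group(1))
    if len(set(versions.values())) > 1:
        problems.append(f"symlinks disagree on version number: {versions}")
    return problems

def demo(name="example.test"):
    """Constructed lineage whose files sit in archive/<name>-0001, as in the thread."""
    with tempfile.TemporaryDirectory() as root:
        live = os.path.join(root, "live", name)
        good = os.path.join(root, "archive", name)
        old = good + "-0001"
        for d in (live, good, old):
            os.makedirs(d)
        for kind in KINDS:
            open(os.path.join(old, f"{kind}1.pem"), "w").close()
            os.symlink(f"../../archive/{name}-0001/{kind}1.pem", os.path.join(live, f"{kind}.pem"))
        before = check_lineage(root, name)
        # Repair as in the post: copy files to the expected directory, re-create links.
        for kind in KINDS:
            shutil.copy(os.path.join(old, f"{kind}1.pem"), good)
            link = os.path.join(live, f"{kind}.pem")
            os.remove(link)
            os.symlink(f"../../archive/{name}/{kind}1.pem", link)
        return before, check_lineage(root, name)

if __name__ == "__main__":
    print(demo())
```

On a real host, `check_lineage("/etc/letsencrypt", "<certificate name>")` run as root before `renew` reports which link or archive file is out of place.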

Glad you figured it out and got it working again :+1:
