Can't renew cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
server2.openspace.greenrobot.com

I ran this command:

sudo certbot renew --dry-run

I then ran:
sudo lsof -i :80

then
/etc/init.d/apache2 stop

then
sudo certbot renew --dry-run

I got the same result

It produced this output:

Simulating renewal of an existing certificate for server2.openspace.greenrobot.com

Failed to renew certificate server2.openspace.greenrobot.com with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.


Processing /etc/letsencrypt/renewal/wizardwriter.greenrobot.com.conf


Simulating renewal of an existing certificate for wizardwriter.greenrobot.com


Processing /etc/letsencrypt/renewal/yesorno.greenrobot.com.conf


Simulating renewal of an existing certificate for yesorno.greenrobot.com


The following simulated renewals succeeded:

/etc/letsencrypt/live/app.wordcraft3d.greenrobot.com/fullchain.pem (success)

/etc/letsencrypt/live/feather.greenrobot.com/fullchain.pem (success)

/etc/letsencrypt/live/million3dhomepage.com/fullchain.pem (success)

/etc/letsencrypt/live/sell.eureka.greenrobot.com/fullchain.pem (success)

/etc/letsencrypt/live/server.yesorno.greenrobot.com/fullchain.pem (success)

/etc/letsencrypt/live/wizardwriter.greenrobot.com/fullchain.pem (success)

/etc/letsencrypt/live/yesorno.greenrobot.com/fullchain.pem (success)

The following simulated renewals failed:

/etc/letsencrypt/live/server2.openspace.greenrobot.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Apache/2.4.52

The operating system my web server runs on is (include version):

Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy

My hosting provider, if applicable, is:

Linode

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Hello @andytriboletti
Welcome back to the forum...
Here is what I see at first glance (with my new eyes)

Subject: CN = app.wordcraft3d.greenrobot.com >> Not After : Aug 12 22:43:10 2024 GMT
Subject: CN = feather.greenrobot.com >> Not After : Jul 4 00:47:52 2024 GMT
Subject: CN = sell.eureka.greenrobot.com >> Not After : Jul 20 06:10:27 2024 GMT
Subject: CN = server.yesorno.greenrobot.com >> Not After : Aug 18 02:03:41 2024 GMT
Subject: CN = wizardwriter.greenrobot.com >> Not After : Aug 31 01:20:04 2024 GMT
Subject: CN = yesorno.greenrobot.com >> Not After : Aug 18 02:04:00 2024 GMT

This vhost is possibly using the wrong certificate. Or there is a configuration error somewhere...
Retrieving certificate details for server2.openspace.greenrobot.com...
Subject: CN = feather.greenrobot.com >> Not After : Jul 4 00:47:52 2024 GMT

And it seems you are using separate certificates for all your hosts under the apex "greenrobot.com".
Seriously, you should consider a wildcard certificate; that would make your configuration much more "sane" and manageable.

Testing the domain on the letsdebug site hosted by Max shows:

It should authenticate.

I am leaving the other sites listed in your debug output out of this because they're irrelevant to the question you posted here.

Nmap scan report for 45-79-176-221.ip.linodeusercontent.com (45.79.176.221)
Host is up (0.10s latency).

PORT    STATE SERVICE
22/tcp  open  ssh 
80/tcp  open  http	<< good
443/tcp open  https	<< good

Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds
Querying DNS records for server2.openspace.greenrobot.com...
A records for server2.openspace.greenrobot.com: ['45.79.176.221']

What gives?
Why are you using a cert for "feather" on the "server2.openspace" vhost ?
I see you have feather and server2.openspace.greenrobot.com listed in alt names on the cert... Someone smarter than me may have to chime in to assist, I am afraid.


I tried to fix the feather certificate by deleting it and trying again but it's not working. I ran this:
sudo certbot delete --cert-name feather.greenrobot.com

Then when I ran this I got an error:
sudo certbot certonly --standalone -d server2.openspace.greenrobot.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Are you trying to change the key type of the certificate named server2.openspace.greenrobot.com from ECDSA to RSA? Please provide both --cert-name and --key-type on the command line to confirm the change you are trying to make.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
It looks like https://feather.greenrobot.com and https://server2.openspace.greenrobot.com are both serving https.
Sorry I messed it up even more.

I thought I got it working. Like you pointed out I had the wrong cert listed for server2/feather. I edited some config files to point to the right server matching the file name. I just did a dry-run and it again failed:


Processing /etc/letsencrypt/renewal/server2.openspace.greenrobot.com.conf


Simulating renewal of an existing certificate for server2.openspace.greenrobot.com

Failed to renew certificate server2.openspace.greenrobot.com with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

here's a look at my config file:
more server2.openspace.greenrobot.com-le-ssl.conf

<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    ServerName server2.openspace.greenrobot.com
    DocumentRoot /var/www/server2.openspace.greenrobot.com/public_html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.
    # RewriteCond %{SERVER_NAME} =server2.openspace.greenrobot.com
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/server2.openspace.greenrobot.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/server2.openspace.greenrobot.com/privkey.pem
</VirtualHost>

I tried stopping apache and it worked this time. Does this mean I'll have to go in and stop apache and renew it in close to 54 days? Or will it be automatic? Since it only works if Apache is not running.

/etc/init.d/apache2 stop

Stopping apache2 (via systemctl): apache2.service.

root@localhost:/var/www/server2.openspace.greenrobot.com/public_html/wp-content/plugins/openspace-server# certbot renew --cert-name server2.openspace.greenrobot.com --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/server2.openspace.greenrobot.com.conf


Simulating renewal of an existing certificate for server2.openspace.greenrobot.com


Congratulations, all simulated renewals succeeded:

/etc/letsencrypt/live/server2.openspace.greenrobot.com/fullchain.pem (success)


Thank you for your help.

The --standalone method you used requires exclusive use of port 80. It should only be used when you do not have a web server already using that port.

The --webroot or --apache methods allow Apache to handle the HTTP Challenge so you don't have to stop it.

Can you show us two of the renewal config files in this folder:

/etc/letsencrypt/renewal

Show us the one related to the server2.openspace.greenrobot.com and one of the others that worked in your first post - like feather

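The two renewal files that follow in the thread show the cause directly: the server2 lineage renews with "authenticator = standalone", which must bind TCP/80 itself, while feather uses "authenticator = apache" and renews fine under a running Apache. The script below is an added example (my own, not code from the thread or from Certbot): it audits a renewal directory for standalone lineages, checks whether port 80 is already bound, and prints the certbot 1.x command that re-issues such a certificate through the apache authenticator. It assumes, as in this thread, that each lineage name is also its single domain name; the function names and the sample renewal files it builds are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits certbot renewal
# configs for the "standalone" authenticator, which binds TCP/80 itself and
# therefore fails whenever a web server already owns that port (the exact
# error the thread shows). Function names and sample files are invented here.
set -eu

# Read one key from a renewal file's [renewalparams] section ("" if absent).
renewal_param() {  # $1 = renewal conf file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# List lineage names (basename without .conf) whose renewal uses standalone.
standalone_certs() {  # $1 = renewal directory
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        if [ "$(renewal_param "$f" authenticator)" = "standalone" ]; then
            basename "$f" .conf
        fi
    done
}

# True if any process is already listening on TCP port 80 (iproute2 ss).
port80_in_use() {
    ss -Hltn 'sport = :80' 2>/dev/null | grep -q .
}

# certbot 1.x command to re-issue a lineage via the apache authenticator.
# certbot 1.x defaults to RSA keys, so an existing ECDSA lineage must be
# re-requested with --key-type next to --cert-name; without it certbot
# aborts with the "change the key type ... from ECDSA to RSA?" message
# quoted in the thread. Assumes the lineage name is its only domain.
fix_command() {  # $1 = lineage name, $2 = renewal directory
    kt=$(renewal_param "$2/$1.conf" key_type)
    printf 'certbot certonly --cert-name %s -d %s --apache --key-type %s\n' \
        "$1" "$1" "${kt:-rsa}"
}

# Constructed sample renewal dir shaped like the two files posted in the
# thread (names and account id are made up).
make_sample_dir() {
    d=$(mktemp -d)
    cat >"$d/server2.example.net.conf" <<'EOF'
version = 1.21.0
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
EOF
    cat >"$d/feather.example.net.conf" <<'EOF'
version = 1.21.0
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    echo "$d"
}

# Audit a real system: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    dir=/etc/letsencrypt/renewal
    if port80_in_use; then
        for c in $(standalone_certs "$dir"); do
            echo "$c renews with standalone but :80 is busy; switch it with:"
            fix_command "$c" "$dir"
        done
    fi
fi
```

After re-issuing with --apache, certbot rewrites the renewal file so that "certbot renew --dry-run" passes without stopping Apache, and the distribution's certbot timer (on Ubuntu, certbot.timer) can then renew unattended. The --apache authenticator does need a port 80 vhost whose ServerName matches the domain, since that is where it places the HTTP-01 challenge. On certbot 2.3 and later the same switch can be made without re-issuing, with "certbot reconfigure --cert-name NAME --apache".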
root@localhost:/etc/letsencrypt/renewal# pwd

/etc/letsencrypt/renewal

root@localhost:/etc/letsencrypt/renewal# more server2.openspace.greenrobot.com.conf

# renew_before_expiry = 30 days

version = 1.21.0

archive_dir = /etc/letsencrypt/archive/server2.openspace.greenrobot.com

cert = /etc/letsencrypt/live/server2.openspace.greenrobot.com/cert.pem

privkey = /etc/letsencrypt/live/server2.openspace.greenrobot.com/privkey.pem

chain = /etc/letsencrypt/live/server2.openspace.greenrobot.com/chain.pem

fullchain = /etc/letsencrypt/live/server2.openspace.greenrobot.com/fullchain.pem

# Options used in the renewal process

[renewalparams]

account = 212e79635fe474daf55e321b95a9eac7

authenticator = standalone

server = https://acme-v02.api.letsencrypt.org/directory

key_type = ecdsa





root@localhost:/etc/letsencrypt/renewal# pwd

/etc/letsencrypt/renewal

root@localhost:/etc/letsencrypt/renewal# more feather.greenrobot.com.conf

# renew_before_expiry = 30 days

version = 1.21.0

archive_dir = /etc/letsencrypt/archive/feather.greenrobot.com

cert = /etc/letsencrypt/live/feather.greenrobot.com/cert.pem

privkey = /etc/letsencrypt/live/feather.greenrobot.com/privkey.pem

chain = /etc/letsencrypt/live/feather.greenrobot.com/chain.pem

fullchain = /etc/letsencrypt/live/feather.greenrobot.com/fullchain.pem

# Options used in the renewal process

[renewalparams]

account = 212e79635fe474daf55e321b95a9eac7

authenticator = apache

installer = apache

server = https://acme-v02.api.letsencrypt.org/directory

When I ran certbot I got this message in red:

root@localhost:~# certbot

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
edited out other sites

5: server2.openspace.greenrobot.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter 'c' to cancel): 5

Are you trying to change the key type of the certificate named server2.openspace.greenrobot.com from ECDSA to RSA? Please provide both --cert-name and --key-type on the command line to confirm the change you are trying to make.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I ended up moving my server address in the game to server3 and using a new Linode where it all works. I am building my game with the new server address now. I wanted to do that anyway because of a potential security issue, and I couldn't apt-get update properly on that server.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.