Can't renew certificates

Kude · May 24, 2021, 8:53am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: baiby.com & baiandby.com

I ran this command: service apache2 stop | certbot renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/baiandby.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Attempting to renew cert (baiandby.com) from /etc/letsencrypt/renewal/baiandby.com.conf produced an unexpected error: [('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')]. Skipping.

Processing /etc/letsencrypt/renewal/baiby.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Attempting to renew cert (baiby.com) from /etc/letsencrypt/renewal/baiby.com.conf produced an unexpected error: [('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')]. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/baiandby.com/fullchain.pem (failure)
/etc/letsencrypt/live/baiby.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/baiandby.com/fullchain.pem (failure)
/etc/letsencrypt/live/baiby.com/fullchain.pem (failure)

2 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes I can run

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 0.28.0

webprofusion · May 24, 2021, 9:24am

Did you delete the baiandby.com website config for apache? If so it looks like your renewal is still expecting it to be there.

I believe you can list your renewals using certbot certificates and delete one using sudo certbot delete --cert-name <yourdomain.com>

Kude · May 24, 2021, 10:16am

Thanks webprofusion!
I understand what are you saying, but I have the same problem with the other domain too, baiby.com
this is letsencrypt.log:

2021-05-24 10:19:36,821:DEBUG:certbot.main:certbot version: 0.28.0
2021-05-24 10:19:36,822:DEBUG:certbot.main:Arguments:
2021-05-24 10:19:36,823:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-05-24 10:19:36,832:DEBUG:certbot.log:Root logging level set at 20
2021-05-24 10:19:36,833:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-05-24 10:19:36,841:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f8f9fb01e80> and installer <certbot.cli._Default object at 0x7f8f9fb01e80>
2021-05-24 10:19:36,849:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2021-05-24 06:22:38 UTC.
2021-05-24 10:19:36,849:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2021-05-24 10:19:36,849:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2021-05-24 10:19:36,939:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f8f9fb04f28>
Prep: True
2021-05-24 10:19:36,940:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f8f9fb04f28> and installer None
2021-05-24 10:19:36,940:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2021-05-24 10:19:36,942:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(contact=('mailto:kude@didaktiker.com',), only_return_existing=None, status=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f8fa28b36d8>)>), terms_of_service_agreed=None, agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', uri='https://acme-v01.api.letsencrypt.org/acme/reg/4075579'), 6a278a19da37246ea6333143fbbe6930, Meta(creation_dt=datetime.datetime(2016, 9, 8, 12, 12, 56, tzinfo=), creation_host='ekoextraphp.baiby.com'))>
2021-05-24 10:19:36,944:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-05-24 10:19:36,950:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-05-24 10:19:37,007:WARNING:certbot.renewal:Attempting to renew cert (baiandby.com) from /etc/letsencrypt/renewal/baiandby.com.conf produced an unexpected error: [('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')]. Skipping.
2021-05-24 10:19:37,009:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1166, in renew_cert
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 611, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 248, in init
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File "/usr/lib/python3/dist-packages/acme/client.py", line 763, in init
directory = messages.Directory.from_json(net.get(server).json())
File "/usr/lib/python3/dist-packages/acme/client.py", line 1097, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1046, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 323, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl.py", line 308, in ssl_wrap_socket
context.load_verify_locations(ca_certs, ca_cert_dir)
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 392, in load_verify_locations
self._ctx.load_verify_locations(cafile, capath)
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 525, in load_verify_locations
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')]

2021-05-24 10:19:37,014:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2021-05-24 06:22:44 UTC.
2021-05-24 10:19:37,014:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2021-05-24 10:19:37,014:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2021-05-24 10:19:37,072:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f8f9fb52be0>
Prep: True
2021-05-24 10:19:37,072:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f8f9fb52be0> and installer None
2021-05-24 10:19:37,072:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2021-05-24 10:19:37,075:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(contact=('mailto:kude@didaktiker.com',), only_return_existing=None, status=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f8f9fb04198>)>), terms_of_service_agreed=None, agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', uri='https://acme-v01.api.letsencrypt.org/acme/reg/4075579'), 6a278a19da37246ea6333143fbbe6930, Meta(creation_dt=datetime.datetime(2016, 9, 8, 12, 12, 56, tzinfo=), creation_host='ekoextraphp.baiby.com'))>
2021-05-24 10:19:37,075:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-05-24 10:19:37,077:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-05-24 10:19:37,224:WARNING:certbot.renewal:Attempting to renew cert (baiby.com) from /etc/letsencrypt/renewal/baiby.com.conf produced an unexpected error: [('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')]. Skipping.
2021-05-24 10:19:37,225:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1166, in renew_cert
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 611, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 248, in init
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File "/usr/lib/python3/dist-packages/acme/client.py", line 763, in init
directory = messages.Directory.from_json(net.get(server).json())
File "/usr/lib/python3/dist-packages/acme/client.py", line 1097, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1046, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 323, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl.py", line 308, in ssl_wrap_socket
context.load_verify_locations(ca_certs, ca_cert_dir)
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 392, in load_verify_locations
self._ctx.load_verify_locations(cafile, capath)
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 525, in load_verify_locations
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('system library', 'fopen', 'No such file or directory'), ('BIO routines', 'BIO_new_file', 'no such file'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')]

2021-05-24 10:19:37,225:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2021-05-24 10:19:37,226:ERROR:certbot.renewal: /etc/letsencrypt/live/baiandby.com/fullchain.pem (failure)
/etc/letsencrypt/live/baiby.com/fullchain.pem (failure)
2021-05-24 10:19:37,226:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 468, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 2 renew failure(s), 0 parse failure(s)

webprofusion · May 24, 2021, 11:25am

Looks quite similar to this topic:OpenSSL.SSL.Error:

Kude · May 25, 2021, 7:42am

Hi!!
Thank you webprofusion!!
In the end, I have not needed to regenerate the certificates.
In March I updated other certificates and I had to remove the ca-certificate.ctr.
I have recovered it from a backup and now I can run "certbot renew" without any problems.
Best regards!!

system · June 24, 2021, 7:43am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.