Can't renew follow migration to different server [SOLVED: upgrade certbot]

davidmintz · December 1, 2018, 4:27pm

OK, I am betting this is not too hard to resolve, you just have to know how.

I moved a website from one cloud-server-instance to another – one was Ubuntu 18.04, the new home is Debian 9.6. I copied what I believed (based on research) to be all the relevant folders and files from one /etc/letsencrypt to the other, along with the web files and vhost configs of course. I updated the DNS using my cloud-compute providers’ interface. Everything was working great. Everything is still great, except certificate expiration is -10 days away, and I got this error.

Sure, it’s apparently telling me about a config file compatibility problem. I just don’t know how to resolve it. certbot is also complaining about etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dae373a69818818fd4fad6b41de387af does not exist. Not sure how to remedy that because I don’t have any such file anywhere else – the old home has gone poof! so whatever I left behind is gone.

btw, fwiw: I also tried a simple certbot command, got the menu prompting to pick a domain for which to activate HTTPS, picked interpretersoffice.org, got the same error about the config parsing as below, but also: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

My certbot version is 0.10.2.

I am tempted to just try the delete and/or revoke commands, then start over with a fresh certificate, but before trying that I’d like to ask for expert opinion about the best strategy here.

THANK YOU!

Gory details:

My domain is: https://interpretersoffice.org (also demo-dot-interpretersoffice-dot-org but with its own cert. Not worrying about that for now.)

I ran this command: certbo renew

It produced this output:

Processing /etc/letsencrypt/renewal/interpretersoffice.org.conf

Attempting to parse the version 0.26.1 renewal configuration file found at /etc/letsencrypt/renewal/interpretersoffice.org.conf with version 0.10.2 of Certbot. This might not work.
Cert is due for renewal, auto-renewing…
Attempting to renew cert from /etc/letsencrypt/renewal/interpretersoffice.org.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dae373a69818818fd4fad6b41de387af does not exist. Skipping.

Processing /etc/letsencrypt/renewal/demo.interpretersoffice.org.conf

Attempting to parse the version 0.26.1 renewal configuration file found at /etc/letsencrypt/renewal/demo.interpretersoffice.org.conf with version 0.10.2 of Certbot. This might not work.
Cert is due for renewal, auto-renewing…
Attempting to renew cert from /etc/letsencrypt/renewal/demo.interpretersoffice.org.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dae373a69818818fd4fad6b41de387af does not exist. Skipping.

[output re domains not yet due for renewal omitted for brevity]

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/interpretersoffice.org/fullchain.pem (failure)
/etc/letsencrypt/live/demo.interpretersoffice.org/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

My web server is: apache 2.4.25/Debian
The operating system my web server runs on is (include version): Debian 9.6
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

mnordhoff · December 1, 2018, 4:39pm

Can you post "sudo ls -alR /etc/letsencrypt/accounts/"? (The contents of your private key files are secret, but the list of files isn't sensitive.)

That error is happening because you downgraded to a much older version of Certbot.

stretch-backports contains the latest version of Certbot, so I'd suggest enabling it and upgrading.

You can work around that issue without upgrading, but I think upgrading might also help with some of the other issues.

davidmintz · December 1, 2018, 5:00pm

Hey, guess what! All it took was apt-get -t stretch-backports install certbot and another certbot renew and all is well. certbot got upgraded to 0.28.0.

Damn, you’re good. Can I send you some flowers or something?

Here’s the directory listing, just for the record (as it was before running the above commands):

sudo ls -alR /etc/letsencrypt/accounts/
    /etc/letsencrypt/accounts/:
    total 20
    drwx------ 5 root root 4096 Nov 26 19:02 .
    drwxr-xr-x 8 root root 4096 Jul  1  2016 ..
    drwx------ 3 root root 4096 Feb 21  2017 acme-staging.api.letsencrypt.org
    drwx------ 3 root root 4096 Jul  1  2016 acme-v01.api.letsencrypt.org
drwx------ 3 root root 4096 Nov 26 19:02 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Feb 21  2017 .
drwx------ 5 root root 4096 Nov 26 19:02 ..
drwx------ 3 root root 4096 Feb 21  2017 directory

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Feb 21  2017 .
drwx------ 3 root root 4096 Feb 21  2017 ..
drwx------ 2 root root 4096 Feb 21  2017 b95424a8aed31fa3c520b2862a62b3cb

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/b95424a8aed31fa3c520b2862a62b3cb:
total 20
drwx------ 2 root root 4096 Feb 21  2017 .
drwx------ 3 root root 4096 Feb 21  2017 ..
-rw-r--r-- 1 root root   65 Feb 21  2017 meta.json
-r-------- 1 root root 1632 Feb 21  2017 private_key.json
-rw-r--r-- 1 root root  710 Feb 21  2017 regr.json

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Jul  1  2016 .
drwx------ 5 root root 4096 Nov 26 19:02 ..
drwx------ 3 root root 4096 Jul  1  2016 directory

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Jul  1  2016 .
drwx------ 3 root root 4096 Jul  1  2016 ..
drwx------ 2 root root 4096 Jul  1  2016 fc236b240ff01df5ebad6903d66066b2

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/fc236b240ff01df5ebad6903d66066b2:
total 20
drwx------ 2 root root 4096 Jul  1  2016 .
drwx------ 3 root root 4096 Jul  1  2016 ..
-rw-r--r-- 1 root root   69 Jul  1  2016 meta.json
-r-------- 1 root root 1632 Jul  1  2016 private_key.json
-rw-r--r-- 1 root root  745 Jul  1  2016 regr.json

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Nov 26 19:02 .
drwx------ 5 root root 4096 Nov 26 19:02 ..
drwx------ 2 root root 4096 Nov 26 19:02 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 8
drwx------ 2 root root 4096 Nov 26 19:02 .
drwx------ 3 root root 4096 Nov 26 19:02 ..

system · December 31, 2018, 5:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Migrating Certbot and Certificates Between Servers Help	23	12209	August 21, 2017
Copied a server setup which broke certbot Help	10	2096	July 7, 2019
Moving certs to new server, certbot error Help	5	484	February 27, 2021
Renewal problems after upgrading certbot Help	13	1883	March 18, 2019
Cant renew certificate no such file or directory Help	16	1315	September 13, 2019

Can't renew follow migration to different server [SOLVED: upgrade certbot]

Processing /etc/letsencrypt/renewal/interpretersoffice.org.conf

Processing /etc/letsencrypt/renewal/demo.interpretersoffice.org.conf

Related topics