Can't renew following migration to different server [SOLVED: upgrade certbot]


#1

OK, I am betting this is not too hard to resolve, you just have to know how. :slightly_smiling_face:

I moved a website from one cloud-server-instance to another – one was Ubuntu 18.04, the new home is Debian 9.6. I copied what I believed (based on research) to be all the relevant folders and files from one /etc/letsencrypt to the other, along with the web files and vhost configs of course. I updated the DNS using my cloud-compute provider’s interface. Everything was working great. Everything is still great, except certificate expiration is -10 days away, and I got this error.

Sure, it’s apparently telling me about a config file compatibility problem. I just don’t know how to resolve it. certbot is also complaining about /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dae373a69818818fd4fad6b41de387af does not exist. Not sure how to remedy that because I don’t have any such file anywhere else – the old home has gone poof! so whatever I left behind is gone.

btw, fwiw: I also tried a simple certbot command, got the menu prompting to pick a domain for which to activate HTTPS, picked interpretersoffice.org, got the same error about the config parsing as below, but also: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

My certbot version is 0.10.2.

I am tempted to just try the delete and/or revoke commands, then start over with a fresh certificate, but before trying that I’d like to ask for expert opinion about the best strategy here.

THANK YOU!

Gory details:

My domain is: https://interpretersoffice.org (also demo-dot-interpretersoffice-dot-org but with its own cert. Not worrying about that for now.)

I ran this command: certbot renew

It produced this output:


Processing /etc/letsencrypt/renewal/interpretersoffice.org.conf

Attempting to parse the version 0.26.1 renewal configuration file found at /etc/letsencrypt/renewal/interpretersoffice.org.conf with version 0.10.2 of Certbot. This might not work.
Cert is due for renewal, auto-renewing…
Attempting to renew cert from /etc/letsencrypt/renewal/interpretersoffice.org.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dae373a69818818fd4fad6b41de387af does not exist. Skipping.


Processing /etc/letsencrypt/renewal/demo.interpretersoffice.org.conf

Attempting to parse the version 0.26.1 renewal configuration file found at /etc/letsencrypt/renewal/demo.interpretersoffice.org.conf with version 0.10.2 of Certbot. This might not work.
Cert is due for renewal, auto-renewing…
Attempting to renew cert from /etc/letsencrypt/renewal/demo.interpretersoffice.org.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dae373a69818818fd4fad6b41de387af does not exist. Skipping.

[output re domains not yet due for renewal omitted for brevity]

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/interpretersoffice.org/fullchain.pem (failure)
/etc/letsencrypt/live/demo.interpretersoffice.org/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

My web server is: apache 2.4.25/Debian
The operating system my web server runs on is (include version): Debian 9.6
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Can you post “sudo ls -alR /etc/letsencrypt/accounts/”? (The contents of your private key files are secret, but the list of files isn’t sensitive.)

That error is happening because you downgraded to a much older version of Certbot.

stretch-backports contains the latest version of Certbot, so I’d suggest enabling it and upgrading.

You can work around that issue without upgrading, but I think upgrading might also help with some of the other issues.


#3

Hey, guess what! All it took was apt-get -t stretch-backports install certbot and another certbot renew and all is well. certbot got upgraded to 0.28.0.

Damn, you’re good. Can I send you some flowers or something?

Here’s the directory listing, just for the record (as it was before running the above commands):

sudo ls -alR /etc/letsencrypt/accounts/
/etc/letsencrypt/accounts/:
total 20
drwx------ 5 root root 4096 Nov 26 19:02 .
drwxr-xr-x 8 root root 4096 Jul  1  2016 ..
drwx------ 3 root root 4096 Feb 21  2017 acme-staging.api.letsencrypt.org
drwx------ 3 root root 4096 Jul  1  2016 acme-v01.api.letsencrypt.org
drwx------ 3 root root 4096 Nov 26 19:02 acme-v02.api.letsencrypt.org

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Feb 21  2017 .
drwx------ 5 root root 4096 Nov 26 19:02 ..
drwx------ 3 root root 4096 Feb 21  2017 directory

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Feb 21  2017 .
drwx------ 3 root root 4096 Feb 21  2017 ..
drwx------ 2 root root 4096 Feb 21  2017 b95424a8aed31fa3c520b2862a62b3cb

/etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/b95424a8aed31fa3c520b2862a62b3cb:
total 20
drwx------ 2 root root 4096 Feb 21  2017 .
drwx------ 3 root root 4096 Feb 21  2017 ..
-rw-r--r-- 1 root root   65 Feb 21  2017 meta.json
-r-------- 1 root root 1632 Feb 21  2017 private_key.json
-rw-r--r-- 1 root root  710 Feb 21  2017 regr.json

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Jul  1  2016 .
drwx------ 5 root root 4096 Nov 26 19:02 ..
drwx------ 3 root root 4096 Jul  1  2016 directory

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory:
total 12
drwx------ 3 root root 4096 Jul  1  2016 .
drwx------ 3 root root 4096 Jul  1  2016 ..
drwx------ 2 root root 4096 Jul  1  2016 fc236b240ff01df5ebad6903d66066b2

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/fc236b240ff01df5ebad6903d66066b2:
total 20
drwx------ 2 root root 4096 Jul  1  2016 .
drwx------ 3 root root 4096 Jul  1  2016 ..
-rw-r--r-- 1 root root   69 Jul  1  2016 meta.json
-r-------- 1 root root 1632 Jul  1  2016 private_key.json
-rw-r--r-- 1 root root  745 Jul  1  2016 regr.json

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org:
total 12
drwx------ 3 root root 4096 Nov 26 19:02 .
drwx------ 5 root root 4096 Nov 26 19:02 ..
drwx------ 2 root root 4096 Nov 26 19:02 directory

/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory:
total 8
drwx------ 2 root root 4096 Nov 26 19:02 .
drwx------ 3 root root 4096 Nov 26 19:02 ..
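
A pre-flight check for the situation in this thread, added here as an example (not code from the thread or from Certbot): after copying /etc/letsencrypt to a new host, it reads each renewal config and reports when the file was written by a newer Certbot than the one installed, or when the account directory it references is absent or incomplete. The function names, the sample tree and the all-zero account id are constructed for illustration; the accounts/<host>/<path>/<id> layout and the three account files follow the error message and listing above.

```python
import configparser
import tempfile
from pathlib import Path
from urllib.parse import urlparse

ACCOUNT_FILES = ("meta.json", "private_key.json", "regr.json")  # per the listing above

def vtuple(v):
    """'0.26.1' -> (0, 26, 1), so versions compare numerically."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def check_renewal_configs(config_dir, installed_version):
    """Return (conf name, problem) pairs for the renewal configs under config_dir."""
    findings = []
    for conf in sorted(Path(config_dir, "renewal").glob("*.conf")):
        cp = configparser.ConfigParser(interpolation=None)
        # Top-level keys have no section header; give them one for configparser.
        cp.read_string("[top]\n" + conf.read_text())
        written_by = cp.get("top", "version", fallback="0")
        if vtuple(written_by) > vtuple(installed_version):
            findings.append((conf.name, f"config version {written_by} > installed {installed_version}"))
        server = cp.get("renewalparams", "server", fallback="")
        account = cp.get("renewalparams", "account", fallback="")
        if not (server and account):
            continue
        url = urlparse(server)
        acct = Path(config_dir, "accounts", url.netloc, url.path.strip("/"), account)
        missing = [f for f in ACCOUNT_FILES if not (acct / f).is_file()]
        if missing:
            findings.append((conf.name, f"account {account} missing {', '.join(missing)}"))
    return findings

def demo():
    """Check a constructed config tree (sample data, not from a real host)."""
    root = Path(tempfile.mkdtemp())
    (root / "renewal").mkdir()
    # Account parent exists but holds no account, like acme-v02 in the listing.
    (root / "accounts/acme-v02.api.letsencrypt.org/directory").mkdir(parents=True)
    (root / "renewal/example.org.conf").write_text(
        "# renew_before_expiry = 30 days\n"
        "version = 0.26.1\n"
        "[renewalparams]\n"
        "account = 00000000000000000000000000000000\n"
        "server = https://acme-v02.api.letsencrypt.org/directory\n")
    return check_renewal_configs(root, "0.10.2")

if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

On a real host, call `check_renewal_configs("/etc/letsencrypt", "<installed version>")` as root, since the account directories are mode 0700.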