Can't renew SSL certificate


My domain is: harry63host

I ran this command: sudo certbot --apache -v -d harry63.host

It produced this output:
2022/03/23 00:58:18.850621 system_key.go:129: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Certificate is due for renewal, auto-renewing...
Renewing an existing certificate for harry63.host
Performing the following challenges:
http-01 challenge for harry63.host
Waiting for verification...
Challenge failed for domain harry63.host
http-01 challenge for harry63.host

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: harry63.host
Type: unauthorized
Detail: Invalid response from http://harry63.host/.well-known/acme-challenge/v7WRQ3SDnaXcfZ-g0YwFZOgsFvgHz3aNludrsy9M1ko [128.65.48.27]: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Apache/2.4.25 (Raspbian)
The operating system my web server runs on is (include version):
Raspbian
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot-auto --version

What happens if you run certbot renew without any additional options?


I'd check the file system and available space.

Show:
df -h

Also show:
apachectl -t -D DUMP_VHOSTS


sudo certbot
2022/03/23 09:07:10.591682 system_key.go:129: cannot determine nfs usage in generateSystemKey: cannot parse /etc/fstab: expected between 3 and 6 fields, found 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: harry63.host


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Renewing an existing certificate for harry63.host

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: harry63.host
Type: unauthorized
Detail: Invalid response from http://harry63.host/.well-known/acme-challenge/PgmPKYZUXHWDN7h3nPTMSHLr0RCvcByQMMC0smLoyi4 [128.65.48.27]: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

df -h

Filesystem                 Size  Used Avail Use% Mounted on
/dev/root                   27G  8.9G   17G  35% /
devtmpfs                   459M     0  459M   0% /dev
tmpfs                      464M     0  464M   0% /dev/shm
tmpfs                      464M   42M  422M   9% /run
tmpfs                      5.0M  4.0K  5.0M   1% /run/lock
tmpfs                      464M     0  464M   0% /sys/fs/cgroup
tmpfs                      550M  134M  417M  25% /tmp
/dev/mmcblk0p1              43M   23M   21M  53% /boot
//192.168.1.11/Multimedia   22T  6.6T   15T  31% /home/pi/Multimedia
tmpfs                       93M     0   93M   0% /run/user/1000
/dev/loop0                  94M   94M     0 100% /snap/core/12826
/dev/loop1                  52M   52M     0 100% /snap/core20/1379
/dev/loop2                  41M   41M     0 100% /snap/certbot/1889

apachectl -t -D DUMP_VHOSTS

AH00526: Syntax error on line 38 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/harry63.host/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

apachectl -t -D DUMP_VHOSTS
AH00112: Warning: DocumentRoot [/var/www/html/webhooks] does not exist
VirtualHost configuration:
*:80 localhost (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server harry63.host (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost harry63.host (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost harry63.host (/etc/apache2/sites-enabled/webhooks.conf:2)

This is a name:port conflict [overlap]:

[where the same name:port combination is being used in multiple vhosts]

This is interesting...:

Did you delete that folder?
Is the disk having trouble?

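The name:port overlap and the missing DocumentRoot pointed out above can be picked out of `apachectl -t -D DUMP_VHOSTS` output mechanically. The following is an added example, not code from any poster in this thread; `audit_vhosts` and its regular expressions are hypothetical names, and the sample is the output quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: the DUMP_VHOSTS output quoted in this thread.
SAMPLE = """\
AH00112: Warning: DocumentRoot [/var/www/html/webhooks] does not exist
VirtualHost configuration:
*:80 localhost (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server harry63.host (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost harry63.host (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost harry63.host (/etc/apache2/sites-enabled/webhooks.conf:2)
"""

# "port 443 namevhost name (file:line)": one entry per name-based vhost.
NAMEVHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+):(\d+)\)\s*$")
# "*:80 name (file:line)": an address that carries a single vhost.
SINGLE = re.compile(r"^\s*\S+:(\d+)\s+(\S+) \((.+):(\d+)\)\s*$")
MISSING_ROOT = re.compile(r"AH00112: .*DocumentRoot \[(.+?)\] does not exist")


def audit_vhosts(dump):
    """Return (overlaps, missing_roots) for DUMP_VHOSTS output.

    overlaps maps (server name, port) to every "file:line" defining it,
    for combinations defined more than once.
    """
    seen = defaultdict(list)
    missing_roots = []
    for line in dump.splitlines():
        root = MISSING_ROOT.search(line)
        if root:
            missing_roots.append(root.group(1))
            continue
        # "default server ..." repeats the first namevhost entry, so it is
        # deliberately matched by neither pattern.
        entry = NAMEVHOST.match(line) or SINGLE.match(line)
        if entry:
            port, name, conf, lineno = entry.groups()
            # Apache compares server names case-insensitively.
            seen[(name.lower(), int(port))].append(f"{conf}:{lineno}")
    overlaps = {key: files for key, files in seen.items() if len(files) > 1}
    return overlaps, missing_roots


if __name__ == "__main__":
    found, missing = audit_vhosts(SAMPLE)
    for (name, port), files in found.items():
        print(f"overlap {name}:{port} defined in {', '.join(files)}")
    for path in missing:
        print(f"missing DocumentRoot {path}")
```
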

OK, I have now deleted the folder.

I deleted the folder and started certbot once more.
Please look at my log:
root@MD:~# certbot renew --dry-run -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/harry63.host.conf


Requested authenticator <certbot.cli._Default object at 0x759bd070> and installer <certbot.cli._Default object at 0x759bd070>
Var dry_run=True (set by user).
Var server={'staging', 'dry_run'} (set by user).
Var dry_run=True (set by user).
Var server={'staging', 'dry_run'} (set by user).
Var account={'server'} (set by user).
Should renew, less than 30 days before certificate expiry 2022-03-23 20:12:32 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator apache and installer apache
Apache version is 2.4.25
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x759bd5b0>
Prep: True
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x759bd5b0>
Prep: True
Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x759bd5b0> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x759bd5b0>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/23058828', terms_of_service=None, body=Registration(terms_of_service_agreed=None, key=None, contact=(), agreement=None, status=None, only_return_existing=None), new_authzr_uri=None), cb5943f6adf883bb397edc8aca450e7e, Meta(creation_dt=datetime.datetime(2021, 8, 11, 20, 58, 59, tzinfo=), creation_host='MD'))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 822
Received response:
HTTP 200
Server: nginx
Date: Thu, 24 Mar 2022 14:14:05 GMT
Content-Type: application/json
Content-Length: 822
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"KC6QFv_5gcw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "Staging Environment - Let's Encrypt"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/get/draft-aaron-ari/renewalInfo/",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Thu, 24 Mar 2022 14:14:08 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002Tigwq7DWym_Wlq3onv8M4LpoRb6u78-WbqG3QvxHVXA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Storing nonce: 0002Tigwq7DWym_Wlq3onv8M4LpoRb6u78-WbqG3QvxHVXA
JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "harry63.host"\n }\n ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 348
Received response:
HTTP 201
Server: nginx
Date: Thu, 24 Mar 2022 14:14:09 GMT
Content-Type: application/json
Content-Length: 348
Connection: keep-alive
Boulder-Requester: 23058828
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/23058828/2114453828
Replay-Nonce: 0002ZWUIKVLsc40swr0gokaGF7dznxoklTqiLEP66Rdp4rE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2022-03-31T14:14:09Z",
"identifiers": [
{
"type": "dns",
"value": "harry63.host"
}
],
"authorizations": [
"https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1997699918"
],
"finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/23058828/2114453828"
}
Storing nonce: 0002ZWUIKVLsc40swr0gokaGF7dznxoklTqiLEP66Rdp4rE
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/1997699918.
https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz-v3/1997699918 HTTP/1.1" 405 103
Received response:
HTTP 405
Server: nginx
Date: Thu, 24 Mar 2022 14:14:09 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}
Attempting to renew cert (harry63.host) from /etc/letsencrypt/renewal/harry63.host.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1168, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 305, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 367, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem)
File "/usr/lib/python3/dist-packages/acme/client.py", line 824, in new_order
return self.client.new_order(csr_pem)
File "/usr/lib/python3/dist-packages/acme/client.py", line 654, in new_order
authorizations.append(self._authzr_from_response(self.net.get(url), uri=url))
File "/usr/lib/python3/dist-packages/acme/client.py", line 1097, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3/dist-packages/acme/client.py", line 999, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed

All renewal attempts failed. The following certs could not be renewed:
** /etc/letsencrypt/live/harry63.host/fullchain.pem (failure)**


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/harry63.host/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)

Please, please upgrade.

I think you can use the snap or pip version if you are on Debian 10 (if you really want to use the apt-installed certbot, upgrade to the Debian 11-based Raspberry Pi OS).

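The dry-run log above shows a plain GET to the authorization URL answered with 405 "Method not allowed" by a client reporting certbot==0.28.0. As background not stated in the thread, RFC 8555 keeps unauthenticated GET only for the directory and newNonce resources and requires POST-as-GET elsewhere. The following added example (not from any poster; `triage` and the sample lines are constructed from the log shape above) flags that pattern in a certbot debug log.

```python
import re

# Constructed sample: lines shaped like the certbot debug log in this thread.
SAMPLE_LOG = """\
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 822
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 348
https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz-v3/1997699918 HTTP/1.1" 405 103
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
"""

# Request summary lines as they appear in the log: URL "METHOD path HTTP/x" status length
REQUEST = re.compile(r'^https?://\S+ "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3}) \d+\s*$')
ACME_ERROR = re.compile(r'"type": "(urn:ietf:params:acme:error:\w+)"')
VERSION = re.compile(r"certbot==([\d.]+)")
# Assumption: paths as they appear in the log above. Plain GET stays valid
# for the directory and newNonce; other resources need POST-as-GET.
GET_ALLOWED = ("/directory", "/acme/new-nonce")


def triage(log):
    """Summarise failed ACME requests found in a certbot debug log."""
    failures, errors, version = [], [], None
    for raw in log.splitlines():
        line = raw.strip()
        req = REQUEST.match(line)
        if req and int(req.group(3)) >= 400:
            failures.append((req.group(1), req.group(2), int(req.group(3))))
        err = ACME_ERROR.search(line)
        if err and err.group(1) not in errors:
            errors.append(err.group(1))
        ver = VERSION.search(line)
        if ver:
            version = ver.group(1)
    # A 405 on a plain GET to a protected resource means the client is
    # still fetching it without an authenticated POST-as-GET.
    legacy_get = any(
        method == "GET" and status == 405 and path not in GET_ALLOWED
        for method, path, status in failures
    )
    return {
        "client_version": version,
        "failures": failures,
        "acme_errors": errors,
        "needs_post_as_get": legacy_get,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
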

I tried updating the system, but typing apt-get update
gave the following errors:
Err:6 Index of /debian/ jessie/main armhf Packages
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Ign:7 Index of /debian/ jessie/main Translation-en_GB
Ign:8 Index of /debian/ jessie/main Translation-en
Reading package lists... Done
W: GPG error: Index of /debian stretch-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
W: The repository 'Index of /debian stretch-backports InRelease' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: The repository 'Index of /debian/ jessie Release' does not have a Release file.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: Failed to fetch https://repo.mosquitto.org/debian/dists/jessie/main/binary-armhf/Packages server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old ones used instead.

Your system is messed up. Why do you have jessie and stretch-backports at the same time?

They're both old, but very different kinds of old.

I would reinstall from scratch, but if all you need is a certificate, you should probably check acme.sh instead of certbot.
