Can't update certificate, get weird error

Bratzmeister · September 26, 2021, 7:52pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: weilichskann.servebeer.com

I ran this command: certbot -v renew

It produced this output: dpaste/URKq (Bash)

My web server is (include version): Apache/2.4.38 (Raspbian)

The operating system my web server runs on is (include version):

OS: Raspbian 10 buster
Kernel: armv7l Linux 5.10.60-v7+
Uptime: 1d 15h 16m
Packages: 753
Shell: 10941
CPU: ARMv7 rev 4 (v7l) @ 4x 1.2GHz [56.9°C]
GPU: BCM2708
RAM: 433MiB / 966MiB

My hosting provider, if applicable, is: hosted at home

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

rg305 · September 26, 2021, 8:00pm

Hi @Bratzmeister, welcome to the LE community forum

It seems that when you last obtained this cert it was via --standalone authentication.
And today there is a running service using the HTTP port.
Likely:

You can either:

stop apache before running certbot in --standalone mode (not recommended)
use the --apache authenticator (not my first choice)
use Apache for web service and use certbot in --webroot mode (my first choice)

If you should need any help with implementing any of those choices, just ask.

Osiris · September 26, 2021, 8:03pm

Please elaborate why you prefer the webroot over the apache plugin, as for many (novice) users, the apache plugin is probably the most easy method, if the Apache configuration is compatible of course.

rg305 · September 26, 2021, 8:06pm

Because Apache is notorious for running at all cost.
There is a much higher probability of success with the webroot authenticator than with the apache.
I can't think of one example where apache would work and webroot would fail.
Whereas this community is filled with counter examples.

Bratzmeister · September 26, 2021, 8:07pm

i tried webroot but i guess i'm missing some files that it wants me to put
--apache didnt work, maybe im missing a plugin
--standalone, yields exactly the same error as plain certbot renew

rg305 · September 26, 2021, 8:09pm

Maybe you didn't understand me.
certbot renew is doing certbot renew --standalone
Please review the file:

If you need help with implementing --webroot, just ask for it.

rg305 · September 26, 2021, 8:10pm

Likely a badly configured Apache.
You can start to unravel that, with:
sudo apachectl -t -D DUMP_VHOSTS

Bratzmeister · September 26, 2021, 8:12pm

sudo apachectl -t -D DUMP_VHOSTS VirtualHost configuration: *:443 weilichskann.servebeer.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2) *:80 weilichskann.servebeer.com (/etc/apache2/sites-enabled/000-default.conf:1)

rg305 · September 26, 2021, 8:13pm

Then there are no more than those two files to review.

Feel free to post them here if you need any help with them.

danb35 · September 26, 2021, 8:14pm

I'm obviously not Rudy, but I'd say because the apache plugin makes many assumptions about how your apache config files are laid out, which are often incorrect. OTOH, if you know where the web root location is, and your web server isn't configured to do something stupid like deny access to directories starting with a . , webroot is almost certain to work.

Bratzmeister · September 26, 2021, 8:14pm

i rebooted the system and now i get this:

sudo certbot --apache renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/weilichskann.servebeer.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for weilichskann.servebeer.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (weilichskann.servebeer.com) from /etc/letsencrypt/renewal/weilichskann.servebeer.com.conf produced an unexpected error: Failed authorization procedure. weilichskann.servebeer.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://weilichskann.servebeer.com/.well-known/acme-challenge/g-L9RLn_eD7FYZbUqxO1s-uag0i98mtpYOir3lfUz10: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/weilichskann.servebeer.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/weilichskann.servebeer.com/fullchain.pem (failure)

rg305 · September 26, 2021, 8:16pm

And what did you expect (for it to suddenly work - simply by rebooting it)?
That's not how things get fixed - well not unless you are running Windows - LOL

Bratzmeister · September 26, 2021, 8:17pm

no, the error is a different one-.-

rg305 · September 26, 2021, 8:19pm

This error shown is because:

you are no longer trying to run certbot in standalone mode (which would conflict with apache for port 80)

your Apache config is incomprehensible to certbot and it fails to get the job done with the current Apache config.

Which is what I expected and why I pointed you in the direction of:

using webroot authentication
OR
show the apache config files and maybe we can fix the mess apache has made

Bratzmeister · September 26, 2021, 8:29pm

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName weilichskann.servebeer.com
#       Redirect permanent / https://weilichskann.servebeer.com/

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
SSLCertificateFile /etc/letsencrypt/live/weilichskann.servebeer.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/weilichskann.servebeer.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
<IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
</IfModule>
</VirtualHost>

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName weilichskann.servebeer.com
        Redirect permanent / https://weilichskann.servebeer.com/

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =weilichskann.servebeer.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

rg305 · September 26, 2021, 8:43pm

According to those files, the HTTP request from LE should be redirected to HTTPS.
But the error you showed in the post above last has only HTTP.
So, LE isn't being redirected; Thus not reaching your HTTP site.
We don't see enough of the logfile to understand exactly why the HTTP LE request has failed.
Likely "firewall problem".
Since I can't reach your site via HTTP (and thus don't get redirected) either:

curl -Iki weilichskann.servebeer.com
curl: (56) Recv failure: Connection reset by peer

Please show the LE log file (/var/log/letsencrypt/letsencrypt.log) and confirm that the entire Internet can reach your site via HTTP.

Osiris · September 26, 2021, 8:47pm

No reason not to try the Apache plugin to begin with IMO. It doesn't break anything, if it doesn't hurt, try it. Suggesting --apache is way more easy than suggesting --webroot and explain how and where to find the webroot path et cetera.

Bratzmeister · September 26, 2021, 9:00pm

i obviously have port 80 and 443 forwarded to my machine.


2021-09-26 04:13:20,089:DEBUG:certbot.main:certbot version: 0.31.0
2021-09-26 04:13:20,090:DEBUG:certbot.main:Arguments: ['-q']
2021-09-26 04:13:20,091:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-09-26 04:13:20,155:DEBUG:certbot.log:Root logging level set at 30
2021-09-26 04:13:20,156:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-09-26 04:13:20,223:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x75581a70> and installer <certbot.cli._Default object at 0x75581a70>
2021-09-26 04:13:20,274:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2020-08-03 12:31:07 UTC.
2021-09-26 04:13:20,275:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2021-09-26 04:13:20,275:INFO:certbot.renewal:Non-interactive renewal: random delay of 52 seconds
2021-09-26 04:14:12,322:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2021-09-26 04:14:16,237:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x75585fd0>
Prep: True
2021-09-26 04:14:16,240:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x75585fd0> and installer None
2021-09-26 04:14:16,240:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2021-09-26 04:14:16,267:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x75585b10>)>), contact=('mailto:marc_wippermann@web.de',), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v01.api.letsencrypt.org/acme/reg/33769596', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 3645efe1bd01a2c10fbf32b0eee2c1dd, Meta(creation_dt=datetime.datetime(2018, 4, 22, 23, 2, 17, tzinfo=<UTC>), creation_host='cca80'))>
2021-09-26 04:14:16,271:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-09-26 04:14:16,289:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-09-26 04:14:16,909:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-09-26 04:14:16,912:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 26 Sep 2021 02:14:16 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "61vH_UJoIdk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
2021-09-26 04:13:20,089:DEBUG:certbot.main:certbot version: 0.31.0
2021-09-26 04:13:20,090:DEBUG:certbot.main:Arguments: ['-q']
2021-09-26 04:13:20,091:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-09-26 04:13:20,155:DEBUG:certbot.log:Root logging level set at 30
2021-09-26 04:13:20,156:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-09-26 04:13:20,223:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x75581a70> and installer <certbot.cli._Default object at 0x75581a70>
2021-09-26 04:13:20,274:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2020-08-03 12:31:07 UTC.
2021-09-26 04:13:20,275:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2021-09-26 04:13:20,275:INFO:certbot.renewal:Non-interactive renewal: random delay of 52 seconds
2021-09-26 04:14:12,322:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2021-09-26 04:14:16,237:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x75585fd0>
Prep: True
2021-09-26 04:14:16,240:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x75585fd0> and installer None
2021-09-26 04:14:16,240:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2021-09-26 04:14:16,267:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x75585b10>)>), contact=('mailto:marc_wippermann@web.de',), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v01.api.letsencrypt.org/acme/reg/33769596', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 3645efe1bd01a2c10fbf32b0eee2c1dd, Meta(creation_dt=datetime.datetime(2018, 4, 22, 23, 2, 17, tzinfo=<UTC>), creation_host='cca80'))>
2021-09-26 04:14:16,271:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-09-26 04:14:16,289:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-09-26 04:14:16,909:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-09-26 04:14:16,912:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 26 Sep 2021 02:14:16 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "61vH_UJoIdk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
...skipping...
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 81, in perform
    self._set_webroots(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 99, in _set_webroots
    known_webroots)
  File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 120, in _prompt_for_webroot
    webroot = self._prompt_for_new_webroot(domain, True)
  File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 144, in _prompt_for_new_webroot
    force_interactive=True)
  File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 372, in validated_directory
    validator, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 329, in _get_validated
    code, raw = method(message, default=default, **kwargs)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 583, in directory_select
    return self.input(message, default, cli_flag)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 524, in input
    self._interaction_fail(message, cli_flag)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Input the webroot for weilichskann.servebeer.com:

2021-09-26 22:15:56,711:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2021-09-26 22:15:56,712:ERROR:certbot.renewal:  /etc/letsencrypt/live/weilichskann.servebeer.com/fullchain.pem (failure)
2021-09-26 22:15:56,713:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 490, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

Bratzmeister · September 26, 2021, 9:21pm

uhm for some reason it seems my dyn-dns wasnt updating properly. i updated it manually and now i could renew with --apache

system · October 26, 2021, 9:22pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.