Cert renewal failure after server migration/update

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: SeQent.Com

I ran this command: certbot renewal

It produced this output:
Saving debug log to /var/letsencrypt/log/letsencrypt.log


Processing /usr/pkg/etc/letsencrypt/renewal/seqent.com.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator webroot, Installer None

Attempting to renew cert (seqent.com) from /usr/pkg/etc/letsencrypt/renewal/seqent.com.conf produced an unexpected error: Account at /usr/pkg/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/fcbe89150afa6547b6b2ad36e4d23385 does not exist. Skipping.

All renewal attempts failed. The following certs could not be renewed:

/usr/pkg/etc/letsencrypt/live/seqent.com/fullchain.pem (failure)


My web server is (include version): Private

The operating system my web server runs on is (include version): Private

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.5.0

This started happening after migrating to a new server with updated O/S and layered products. What’s the easiest way to resolve?

NewServer: certbot certificates
Saving debug log to /var/letsencrypt/log/letsencrypt.log


Found the following certs:
Certificate Name: seqent.com
Serial Number: 40c053e433cbb6d2ea533bb86d1b2839c1e
Domains: seqent.com netcontech.com seqent.biz seqent.co seqent.info seqent.mobi seqent.net seqent.org www.netcontech.com www.seqent.biz www.seqent.co www.seqent.com www.seqent.info www.seqent.mobi www.seqent.net www.seqent.org
Expiry Date: 2020-08-30 16:48:39+00:00 (VALID: 19 days)
Certificate Path: /usr/pkg/etc/letsencrypt/live/seqent.com/fullchain.pem
Private Key Path: /usr/pkg/etc/letsencrypt/live/seqent.com/privkey.pem


NewServer: certbot renew
Saving debug log to /var/letsencrypt/log/letsencrypt.log


Processing /usr/pkg/etc/letsencrypt/renewal/seqent.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Attempting to renew cert (seqent.com) from /usr/pkg/etc/letsencrypt/renewal/seqent.com.conf produced an unexpected error: Account at /usr/pkg/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/fcbe89150afa6547b6b2ad36e4d23385 does not exist. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/pkg/etc/letsencrypt/live/seqent.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/usr/pkg/etc/letsencrypt/live/seqent.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

NewServer: more /var/letsencrypt/log/letsencrypt.log
2020-08-10 13:38:05,403:DEBUG:certbot._internal.main:certbot version: 1.5.0
2020-08-10 13:38:05,404:DEBUG:certbot._internal.main:Arguments:
2020-08-10 13:38:05,404:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-08-10 13:38:06,238:DEBUG:certbot._internal.log:Root logging level set at 20
2020-08-10 13:38:06,238:INFO:certbot._internal.log:Saving debug log to /var/letsencrypt/log/letsencrypt.log
2020-08-10 13:38:06,276:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7eb1f5b57a20> and installer <certbot._internal.cli.cli_utils._Default object at 0x7eb1f5b57a20>
2020-08-10 13:38:06,313:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
2020-08-10 13:38:06,418:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
2020-08-10 13:38:06,420:DEBUG:certbot.ocsp:OCSP response for certificate /usr/pkg/etc/letsencrypt/archive/seqent.com/cert12.pem is signed by the certificate's issuer.
2020-08-10 13:38:06,424:DEBUG:certbot.ocsp:OCSP certificate status for /usr/pkg/etc/letsencrypt/archive/seqent.com/cert12.pem is: OCSPCertStatus.GOOD
2020-08-10 13:38:06,430:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2020-08-30 16:48:39 UTC.
2020-08-10 13:38:06,431:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing…
2020-08-10 13:38:06,431:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2020-08-10 13:38:06,437:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7eb1f5a9f2a0>
Prep: True
2020-08-10 13:38:06,438:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7eb1f5a9f2a0> and installer None
2020-08-10 13:38:06,438:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2020-08-10 13:38:06,439:WARNING:certbot._internal.renewal:Attempting to renew cert (seqent.com) from /usr/pkg/etc/letsencrypt/renewal/seqent.com.conf produced an unexpected error: Account at /usr/pkg/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/fcbe89150afa6547b6b2ad36e4d23385 does not exist. Skipping.
2020-08-10 13:38:06,444:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 448, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/main.py", line 1174, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/main.py", line 603, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/main.py", line 507, in _determine_account
    acc = account_storage.load(config.account)
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/account.py", line 242, in load
    return self._load_for_server_path(account_id, self.config.server_path)
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/account.py", line 217, in _load_for_server_path
    prev_loaded_account = self._load_for_server_path(account_id, prev_server_path)
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/account.py", line 227, in _load_for_server_path
    "Account at %s does not exist" % account_dir_path)
certbot.errors.AccountNotFound: Account at /usr/pkg/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/fcbe89150afa6547b6b2ad36e4d23385 does not exist

2020-08-10 13:38:06,445:ERROR:certbot._internal.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-08-10 13:38:06,445:ERROR:certbot._internal.renewal: /usr/pkg/etc/letsencrypt/live/seqent.com/fullchain.pem (failure)
2020-08-10 13:38:06,446:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/pkg/bin/certbot", line 11, in
    load_entry_point('certbot==1.5.0', 'console_scripts', 'certbot')()
  File "/usr/pkg/lib/python3.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/main.py", line 1255, in renew
    renewal.handle_renewal_request(config)
  File "/usr/pkg/lib/python3.7/site-packages/certbot/_internal/renewal.py", line 473, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2020-08-10 13:38:06,448:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

Tree from old server
OldServer: tree
.
|_accounts
|___acme-v01.api.letsencrypt.org
|_____directory
|_______fcbe89150afa6547b6b2ad36e4d23385
|___acme-staging.api.letsencrypt.org
|_____directory
|_______08b643d466207eedd8fb3699c0122e0c
|___acme-v02.api.letsencrypt.org
|_renewal
|_keys
|_csr
|_archive
|___seqent.com
|_live
|___seqent.com
|_renewal-hooks
|___pre
|___deploy
|___post

Tree from New server where renewal fails

NewServer: tree
.
|_renewal-hooks
|___pre
|___deploy
|___post
|_accounts
|___acme-v02.api.letsencrypt.org
|_____directory
|_______e1afc73e1a123af2aae51bbf787f7a1b
|___acme-staging-v02.api.letsencrypt.org
|_____directory
|_______1ba499017934139d3c7ae15e722a4777
|_renewal
|_keys
|_csr
|_archive
|___seqent.com
|_live
|___seqent.com

The easiest way to fix the current issue is to switch the ACME API server manually. This can be done by specifying
sudo certbot renew --server https://acme-v02.api.letsencrypt.org/directory --cert-name seqent.com

The above command will switch to ACMEv2 server for the certificate mentioned above and attempt to renew.

P.S. This is a one-time action, you should still use certbot renew for future renewals.
The switch might introduce further issues (or might not solve the current issue); post back if there's anything.
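
Added example (not part of the original thread and not Certbot's own code): a pre-renewal check for the mismatch seen above, where a migrated renewal conf names an account that has no directory under accounts/ on the new server. It assumes the accounts/<server host>/<server path>/<account id> layout visible in the error message and the `account` and `server` keys of `[renewalparams]`. The sample conf is constructed, and the check does not reproduce Certbot's own fallback between related server directories.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlparse

def renewal_params(conf_text):
    """Return the key/value pairs of the [renewalparams] section only."""
    params, in_section = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # any header, including [[webroot_map]], ends the section
            in_section = line == "[renewalparams]"
        elif in_section and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def expected_account_dir(config_dir, params):
    """accounts/<server host>/<server path>/<account id>, as in the error message."""
    url = urlparse(params["server"])
    return Path(config_dir, "accounts", url.netloc, url.path.strip("/"), params["account"])


def missing_accounts(config_dir):
    """Map lineage name -> account directory its renewal conf expects but is absent."""
    missing = {}
    for conf in sorted(Path(config_dir, "renewal").glob("*.conf")):
        params = renewal_params(conf.read_text())
        if "account" in params and "server" in params:
            acct = expected_account_dir(config_dir, params)
            if not acct.is_dir():
                missing[conf.stem] = acct
    return missing


def build_sample(root):
    """Constructed copy of the new server's layout; the conf content is an assumption."""
    Path(root, "accounts/acme-v02.api.letsencrypt.org/directory/e1afc73e1a123af2aae51bbf787f7a1b").mkdir(parents=True)
    Path(root, "renewal").mkdir()
    Path(root, "renewal/seqent.com.conf").write_text(
        "[renewalparams]\naccount = fcbe89150afa6547b6b2ad36e4d23385\n"
        "server = https://acme-v01.api.letsencrypt.org/directory\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, path in missing_accounts(build_sample(tmp)).items():
            print(f"{name}: missing {path.relative_to(tmp)}")
```

Run against the real configuration directory (here /usr/pkg/etc/letsencrypt) by calling `missing_accounts()` with that path; an empty result means every renewal conf points at an account directory that exists.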

Failed...
root@ncti106-/root: certbot renew --server https://acme-v02.api.letsencrypt.org/directory --cert-name seqent.com
Saving debug log to /var/letsencrypt/log/letsencrypt.log


Processing /usr/pkg/etc/letsencrypt/renewal/seqent.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for netcontech.com
http-01 challenge for seqent.biz
http-01 challenge for seqent.co
http-01 challenge for seqent.com
http-01 challenge for seqent.info
http-01 challenge for seqent.mobi
http-01 challenge for seqent.net
http-01 challenge for seqent.org
http-01 challenge for www.netcontech.com
http-01 challenge for www.seqent.biz
http-01 challenge for www.seqent.co
http-01 challenge for www.seqent.com
http-01 challenge for www.seqent.info
http-01 challenge for www.seqent.mobi
http-01 challenge for www.seqent.net
http-01 challenge for www.seqent.org
Waiting for verification...
Challenge failed for domain seqent.com
Challenge failed for domain seqent.net
Challenge failed for domain seqent.org
Challenge failed for domain www.seqent.org
Challenge failed for domain seqent.mobi
Challenge failed for domain www.seqent.mobi
Challenge failed for domain seqent.co
Challenge failed for domain seqent.info
Challenge failed for domain www.netcontech.com
Challenge failed for domain www.seqent.com
Challenge failed for domain www.seqent.net
http-01 challenge for seqent.com
http-01 challenge for seqent.net
http-01 challenge for seqent.org
http-01 challenge for www.seqent.org
http-01 challenge for seqent.mobi
http-01 challenge for www.seqent.mobi
http-01 challenge for seqent.co
http-01 challenge for seqent.info
http-01 challenge for www.netcontech.com
http-01 challenge for www.seqent.com
http-01 challenge for www.seqent.net
Cleaning up challenges
Attempting to renew cert (seqent.com) from /usr/pkg/etc/letsencrypt/renewal/seqent.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/pkg/etc/letsencrypt/live/seqent.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/usr/pkg/etc/letsencrypt/live/seqent.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: seqent.com
    Type: dns
    Detail: During secondary validation: DNS problem: networking error
    looking up A for seqent.com

    Domain: seqent.net
    Type: dns
    Detail: During secondary validation: DNS problem: networking error
    looking up A for seqent.net

    Domain: seqent.org
    Type: dns
    Detail: During secondary validation: DNS problem: networking error
    looking up A for seqent.org

    Domain: www.seqent.org
    Type: dns
    Detail: During secondary validation: No valid IP addresses found
    for www.seqent.org

    Domain: seqent.mobi
    Type: dns
    Detail: During secondary validation: No valid IP addresses found
    for seqent.mobi

    Domain: www.seqent.mobi
    Type: dns
    Detail: During secondary validation: No valid IP addresses found
    for www.seqent.mobi

    Domain: seqent.co
    Type: dns
    Detail: During secondary validation: DNS problem: networking error
    looking up CAA for seqent.co

    Domain: seqent.info
    Type: dns
    Detail: During secondary validation: DNS problem: networking error
    looking up A for seqent.info

    Domain: www.netcontech.com
    Type: dns
    Detail: During secondary validation: DNS problem: networking error
    looking up A for www.netcontech.com

    Domain: www.seqent.com
    Type: dns
    Detail: During secondary validation: DNS problem: networking error
    looking up A for www.seqent.com

    Domain: www.seqent.net
    Type: dns
    Detail: During secondary validation: DNS problem: networking error
    looking up A for www.seqent.net

I tried again as it appeared to be a DNS issue and it worked just fine. Thanks for your help!
