Certbot apache renewal fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
jgklinux.jankom.net
I ran this command:
sudo certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/jgklinux.jankom.net.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jgklinux.jankom.net
Waiting for verification...
Challenge failed for domain jgklinux.jankom.net
http-01 challenge for jgklinux.jankom.net
Cleaning up challenges
Attempting to renew cert (jgklinux.jankom.net) from /etc/letsencrypt/renewal/jgklinux.jankom.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jgklinux.jankom.net/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jgklinux.jankom.net/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
apache2 - version is current, always fully updated by ubuntu
The operating system my web server runs on is (include version):
xubuntu 20.04
My hosting provider, if applicable, is:
web server is running on a linode vps instance
I can login to a root shell on my machine (yes or no, or I don't know):
yes, using terminal, not gui
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
don't know what control panel is, just use terminal commands
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0


Hi @jankom, and welcome to the LE community forum :slight_smile:

I suspect the problem is within the Apache configuration.
Please show the output of:
sudo apachectl -S


Hi @rg305 and thanks for the quick attention and response to my problem.
I have not changed anything in the Apache setup ever, and in the past it has always renewed without an error. Nevertheless, here is the output:

gellert@jgklinux:~$ sudo apachectl -S
VirtualHost configuration:
*:443                  jgklinux.jankom.net (/etc/apache2/sites-enabled/jgklinux.jankom.net-le-ssl.conf:2)
*:80                   jgklinux.jankom.net (/etc/apache2/sites-enabled/jgklinux.jankom.net.conf:9)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
gellert@jgklinux:~$

Sorry if I misused the Blockquote feature.


Hi, I posted my reply in the web forum, and here is my very primitive web server page that I'm securing with the letsencrypt certificate. - Janos

@jankom The e-mail you received wasn't from @rg305 personally, but is a notification service from the forum software and when you reply to said e-mail, it'll post your reply in the thread on the Community too :wink:

In any case, I'm not seeing anything weird in your Apache configuration, at least not from the apachectl -S output.. :thinking:

However, you said you're running the latest version of Apache on Ubuntu, while your website answers with:

Server: Apache/2.2.15 (CentOS)

That's weird! Also, usually the HTTP virtualhost on port 80 would redirect from HTTP to HTTPS, but that's not happening either. But when I manually try the HTTPS server on port 443, I'm getting:

Server: Apache/2.4.41 (Ubuntu)

So it seems your HTTP port 80 is on a different server than your HTTPS webserver behind port 443.


I must agree; something is not the same with the two ports.

I can get to port 443, but I'm unable to reach port 80:

curl -Iki http://jgklinux.jankom.net/
curl: (56) Recv failure: Connection reset by peer

curl -Iki https://jgklinux.jankom.net/
HTTP/1.1 200 OK
Date: Thu, 22 Jul 2021 20:02:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 10 Dec 2020 19:56:09 GMT
ETag: "a6a-5b621912785dd"
Accept-Ranges: bytes
Content-Length: 2666
Vary: Accept-Encoding
Content-Type: text/html
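The check @Osiris and @rg305 did by hand with `curl -Iki` above, as an added example that is not part of the thread: an http-01 challenge is fetched over plain HTTP on port 80, so if port 80 is unreachable, or is answered by a different server than the one certbot configures, validation fails before the certificate is even requested. `probe()` talks to the network; `parse_head()` and `diagnose()` are pure and work on captured response heads, so the diagnosis can be exercised offline. The function names and the sample responses are mine; the sample heads are constructed to mirror the `Server` headers quoted in the replies.

```python
"""Added example, not code from the thread or from certbot: compare what answers
on port 80 and 443 for a host before running `certbot renew`."""
import socket
import ssl
import sys
import urllib.parse

# Constructed sample heads mirroring the Server headers quoted in the thread.
SAMPLE_HTTP_CENTOS = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.15 (CentOS)\r\n"
                      b"Content-Type: text/html\r\n\r\n")
SAMPLE_HTTPS_UBUNTU = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                       b"Content-Type: text/html\r\n\r\n")


def parse_head(raw: bytes) -> dict:
    """Parse a raw HTTP response head into {'status': int, 'headers': {name.lower(): value}}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """HEAD / on host:port (TLS when port == 443). Returns parse_head() output or {'error': str}."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if port == 443:
            # Deliberately not verifying the certificate: we only want the Server
            # header, and the cert on 443 may be the expired one we are renewing.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(request)
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        return parse_head(raw)
    except (OSError, ValueError, IndexError) as exc:
        # Connection reset / refused / timeout, or a non-HTTP answer
        return {"error": f"{type(exc).__name__}: {exc}"}


def diagnose(host: str, http: dict, https: dict) -> list:
    """Return findings that would break http-01; an empty list means port 80 looks usable."""
    findings = []
    if "error" in http:
        findings.append(f"port 80 unreachable ({http['error']}); http-01 cannot succeed")
        return findings
    srv80 = http["headers"].get("server")
    srv443 = https.get("headers", {}).get("server")
    if srv80 and srv443 and srv80 != srv443:
        findings.append(f"port 80 answered by {srv80!r} but port 443 by {srv443!r}: "
                        "port 80 is probably forwarded to a different machine")
    if http["status"] in (301, 302, 307, 308):
        # A redirect to HTTPS on the same host is fine (the validator follows it);
        # a redirect to another host hands the challenge to a server certbot did not configure.
        target = urllib.parse.urlsplit(http["headers"].get("location", "")).hostname
        if target and target != host:
            findings.append(f"port 80 redirects to {target!r}, not to {host!r}")
    return findings


if __name__ == "__main__":
    host = sys.argv[1]
    for finding in diagnose(host, probe(host, 80), probe(host, 443)) or ["port 80 looks fine"]:
        print(finding)
```

Run it as `python3 probe80.py jgklinux.jankom.net` from a host outside your own network, since that is where the validator connects from; a probe from the server itself will happily reach port 80 through the loopback even when the public interface is forwarded or firewalled.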

Yep, port 80 is down right now, while it was working fine earlier. I guess @jankom is working on it :slight_smile:


@Osiris @rg305 yes, port 80 was forwarded to another server connecting to jgklinux.jankom.net via VPN to serve a simple HTTP site. But yes, I removed the port forwarding with iptables. I don't understand why it is not accessible. Here is my iptables -S command output.

gellert@jgklinux:~$ sudo iptables -S
[sudo] password for gellert:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A FORWARD -d 10.8.0.3/32 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 10.8.0.3/32 -p tcp -m tcp --dport 587 -j ACCEPT
gellert@jgklinux:~$

Ports 110 and 587 are for my mailserver on that other machine

I thought iptables changes take effect immediately; I did not reboot.

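An added example, not part of the thread: `iptables -S` without `-t` lists only the filter table, so a DNAT port-forward such as the one described in the post above lives in the nat table and does not appear in that output (`iptables -t nat -S` shows it; `iptables-save` dumps every table at once). The script below reads `iptables-save` output and reports rules that would keep the http-01 validator from reaching the local Apache on port 80: DNAT/REDIRECT of the port in nat, DROP/REJECT of it in filter INPUT, or an INPUT policy of DROP with no rule accepting it. The `SAMPLE` ruleset is constructed to resemble a host forwarding port 80 to a VPN peer and is not the poster's real ruleset; the function names are mine.

```python
"""Added example, not from the thread: find iptables rules that keep
Let's Encrypt's http-01 validator from reaching Apache on port 80.
Usage: sudo iptables-save | python3 port80_rules.py"""
import re
import sys

# Constructed sample of `iptables-save` output (not the poster's ruleset):
# port 80 is DNATed to a VPN peer, mail ports are forwarded, filter policy is ACCEPT.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.8.0.3:80
-A POSTROUTING -o tun0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 10.8.0.3/32 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 10.8.0.3/32 -p tcp -m tcp --dport 587 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text: str):
    """Return (policies, rules): policies maps (table, chain) -> policy string,
    rules is a list of (table, chain, rule_line) for every -A line, all tables."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":") and table:
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A ") and table:
            rules.append((table, line.split()[1], line))
    return policies, rules


def _matches_port(rule: str, port: int) -> bool:
    """True if the rule's --dport/--dports matcher covers `port` (single, list or lo:hi range)."""
    m = re.search(r"--dports? (\S+)", rule)
    if not m:
        return False
    for item in m.group(1).split(","):
        lo, _, hi = item.partition(":")
        if not lo.isdigit():
            continue
        if int(lo) == port or (hi.isdigit() and int(lo) <= port <= int(hi)):
            return True
    return False


def findings_for_port(text: str, port: int = 80) -> list:
    """Findings that would stop the validator reaching a local listener on `port`.
    Only explicit --dport matchers are considered, so an interface- or
    source-based ACCEPT is not credited; treat the result as a first pass."""
    policies, rules = parse_iptables_save(text)
    out, accepted_in_input = [], False
    for table, chain, rule in rules:
        if not _matches_port(rule, port):
            continue
        if table == "nat" and ("-j DNAT" in rule or "-j REDIRECT" in rule):
            out.append(f"nat/{chain}: port {port} is forwarded away from this host: {rule}")
        elif table == "filter" and chain == "INPUT":
            if "-j DROP" in rule or "-j REJECT" in rule:
                out.append(f"filter/INPUT: port {port} is blocked: {rule}")
            elif "-j ACCEPT" in rule:
                accepted_in_input = True
    if policies.get(("filter", "INPUT")) == "DROP" and not accepted_in_input:
        out.append(f"filter/INPUT policy is DROP and no rule accepts port {port}")
    return out


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for finding in findings_for_port(text) or ["no rule touches port 80"]:
        print(finding)
```

Rule changes made with `iptables` do apply immediately, but only to the running kernel tables; whatever restored the old rules at boot (an `iptables-persistent`/`netfilter-persistent` save file, a firewall script, or the VPN's own up/down hooks) needs the same fix, otherwise the forward comes back on the next reboot and the next renewal fails again.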

@rg305 @Osiris - problem solved, certificate renewed. Thank you guys for your quick help and inspiration. The issue was: my iptables was all messed up. Yes, I did not change apache configuration but about a month ago I tinkered with iptables. Lesson learned.
Please, mark it as solved. I'm new so I'm not sure how to check the box "solution".
