Certbot-auto: Unable to insert label!

manngo · January 9, 2019, 10:41am

My domain is: internotes.net, internotes.site, internotes.link and various subdomains

I ran this command: certbot-auto --apache renew

It produced this output:

Attempting to renew cert (internotes) from /etc/letsencrypt/renewal/internotes.conf produced an unexpected error: Unable to insert label!. Skipping.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Centos 6

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

I am using same apache vhost files as last time, and it did work previously.

The version is:

# certbot-auto --version
certbot 0.30.0

There is a similar question, but the solution doesn’t apply in my case.

mnordhoff · January 9, 2019, 10:43am

Can you post /etc/letsencrypt/renewal/internotes.conf, the traceback from /var/log/letsencrypt/letsencrypt.log, and the Apache virtual host?

manngo · January 9, 2019, 10:51am

internotes.conf

# renew_before_expiry = 30 days
version = 0.27.1
archive_dir = /etc/letsencrypt/archive/internotes
cert = /etc/letsencrypt/live/internotes/cert.pem
privkey = /etc/letsencrypt/live/internotes/privkey.pem
chain = /etc/letsencrypt/live/internotes/chain.pem
fullchain = /etc/letsencrypt/live/internotes/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
account = b60e2240655e71a6272cbf649486d94e
server = https://acme-v02.api.letsencrypt.org/directory

letsencryt.log is over 1300 lines long, so I don’t know how much you want of that.

The Apache virtual host is over 200 lines long: do you want me to include that?

JuergenAuer · January 9, 2019, 10:56am

Hi @manngo

checking the other thread with the same problem:

Do you have a vHost port 80 with every domain name?

https://transparencyreport.google.com/https/certificates/VovbKAUFMB%2FfADi8EEhJ8HOB%2FUpvSq0PKLroAai4g7U%3D

lists 17 domain names:

ajax-samples.internotes.net
ajax.internotes.net
fonts.internotes.net
html-tools.internotes.net
internotes.link
internotes.net
internotes.site
javascript.internotes.net
jsturtle.internotes.net
pager.internotes.net
scripts.internotes.net
snippets.internotes.net
thewebcoder.net
www.internotes.link
www.internotes.net
www.internotes.site
www.thewebcoder.net

Or a standard - vHost port 80?

manngo · January 9, 2019, 11:09am

I think I have <VirtualHost *:80> for every name. I am checking.

I can’t upload a file as a new user (I didn’t think I was that new). Would it be helpful if I paste it in here?

mnordhoff · January 9, 2019, 12:07pm

You're not new but you haven't posted a lot yet.

I adjusted your trust level, so you should be able to upload files now.

manngo · January 9, 2019, 6:27pm

internotes.txt (6.8 KB)
I tried after logging out and in again and it worked.
Thanks

rg305 · January 10, 2019, 12:31am

I’ve reduced the txt file to the relevant entries.
And pointed to the lines which are repeated that should only appear once:

<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias www.internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias ajax.internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias ajax-samples.internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias html-tools.internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias scripts.internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias fonts.internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias javascript.internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias snippets.internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias pager.internotes.net
</VirtualHost>
<VirtualHost *:80>
    ServerName internotes.net:80 <<<<<<<<<<<<<<<<<<<<<<
    ServerAlias jsturtle.internotes.net
</VirtualHost>


<VirtualHost *:443>
	ServerName internotes.site:443 <<<<<<<<<<<<<<<<<<<<<<
	ServerAlias *.internotes.site <<<<<<<<<<<<<<<<<<<<<<
</VirtualHost>
<VirtualHost *:443>
	ServerName internotes.site:443 <<<<<<<<<<<<<<<<<<<<<<
	ServerAlias *.internotes.site <<<<<<<<<<<<<<<<<<<<<<
</VirtualHost>

manngo · January 10, 2019, 8:18am

internotes.renewal.txt (509 Bytes)
internotes.vhosts.txt (6.9 KB)

Sorry, I can’t get it working.

I have attached two files:

/etc/httpd/vhosts.d/internotes.conf as internotes.vhosts.txt
/etc/letsencrypt/renewal/internotes.conf as internotes.renewal.txt

I also tried, usuccessfully, to create new certificates for this, and I have downloaded cert-auto again.

rg305 · January 10, 2019, 5:53pm

I can only find minor “problems”…

RedirectMatch 301 (.*) https://www.internotes.site?test # missing “/” after site
using: ServerName FQDN:PORT (can be better without the :PORT)
using ServerAlias with the same FQDN used in ServerName (not necessary)

~ # if the only reason for repeating the FQDN in the ServerAlias was to insure “it works”, then you need to fix what “isn’t working” and not add more (unnecessary) code.

 ServerName thewebcoder.net:80
 ServerAlias thewebcoder.net

 ServerName internotes.site:80
 ServerAlias internotes.site

 ServerName www.internotes.site:80
 ServerAlias www.internotes.site

 ServerName internotes.link:80
 ServerAlias internotes.link

 ServerName www.internotes.link:80
 ServerAlias www.internotes.link

 ServerName internotes.net:80
 ServerAlias internotes.net

 ServerName www.internotes.net:80
 ServerAlias www.internotes.net

 ServerName ajax.internotes.net:80
 ServerAlias ajax.internotes.net

 ServerName ajax-samples.internotes.net:80
 ServerAlias ajax-samples.internotes.net

 ServerName html-tools.internotes.net:80
 ServerAlias html-tools.internotes.net

 ServerName scripts.internotes.net:80
 ServerAlias scripts.internotes.net

 ServerName fonts.internotes.net:80
 ServerAlias fonts.internotes.net

 ServerName javascript.internotes.net:80
 ServerAlias javascript.internotes.net

 ServerName snippets.internotes.net:80
 ServerAlias snippets.internotes.net

 ServerName pager.internotes.net:80
 ServerAlias pager.internotes.net

 ServerName jsturtle.internotes.net:80
 ServerAlias jsturtle.internotes.net

Aside from those MINOR changes, I don’t see why you are unable to get a cert.
Maybe you can post the LE log file with added detail (while using -vvv in the command).

manngo · January 11, 2019, 7:07am

Thanks again for looking at this. I’m still getting nowhere.

I have cleaned up my vhosts file, and attached it and the log file:

internotes.vhosts.txt (7.2 KB)
letsencrype.log.txt (79.5 KB)

manngo · January 11, 2019, 7:42am

Further experimenting:

If I do not include /etc/letsencrypt/renewal/internotes.conf everything is fine (except, of course, I don’t get to renew my certificates).
If I do not include my vhosts file, or trim it down to a bare minimum for a single domain, it fails.

This leads me to conclude that the problem lies with the letsencrypt conf file.

JuergenAuer · January 11, 2019, 8:50am

Isn’t this a part of the error?

2019-01-11 07:47:55,499:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: jsturtle.internotes.net in: /etc/httpd/vhosts.d/internotes.conf
2019-01-11 07:47:55,499:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: None in: /etc/httpd/vhosts.d/comparity.net.conf
2019-01-11 07:47:55,501:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 132, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/configurator.py", line 2280, in perform
    http_response = http_doer.perform()
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/http_01.py", line 72, in perform
    self._mod_config()
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/http_01.py", line 100, in _mod_config
    self._set_up_include_directives(vh)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/http_01.py", line 172, in _set_up_include_directives
    vhost.path, "Include", self.challenge_conf_pre)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/parser.py", line 346, in add_dir_beginning
    self.aug.insert(first_dir, "directive", True)
  File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/augeas.py", line 369, in insert
    raise ValueError("Unable to insert label!")
ValueError: Unable to insert label!

A lot of “Adding a temporary challenge”, but this doesn’t work with

None in: /etc/httpd/vhosts.d/comparity.net.conf

then Certbot crashes.

And is it really required that Certbot adds two temporary challenges to one file?

2019-01-11 07:47:55,493:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: internetcourseware.com:80 in: /etc/httpd/vhosts.d/101courseware.com.conf
2019-01-11 07:47:55,493:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: internetcourseware.com:80 in: /etc/httpd/vhosts.d/101courseware.com.conf

Looks like there are a lot of double - definitions.

system · February 10, 2019, 8:50am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.