Certbot certificate update fails for db.taplaundry.com/cert.pem

Hello,

I am new to certbot and am managing a server that is new to me.

For the certificate for db.taplaundry.com, certbot reports it is INVALID: EXPIRED and that the OCSP check failed for /etc/letsencrypt/live/db.taplaundry.com/cert.pem (are we offline?)

Can someone explain what is happening and how to fix this?

Thank you.

PS: details of the server follow

My domain is: taplaundry.com

I ran this command:

sudo certbot certificates

It produced this output:

[sudo] password for xxxxx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/stadiumcoinlaundry.com-0002.conf produced an unexpected error: expected /etc/letsencrypt/live/stadiumcoinlaundry.com-0002/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/stadiumcoinlaundry.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/stadiumcoinlaundry.com-0001/cert.pem to be a symlink. Skipping.
OCSP check failed for /etc/letsencrypt/live/workdeskstage.taplaundry.com/cert.pem (are we offline?)
OCSP check failed for /etc/letsencrypt/live/taplaundry.com/cert.pem (are we offline?)
OCSP check failed for /etc/letsencrypt/live/stage.joinlaundrycare.biz/cert.pem (are we offline?)
OCSP check failed for /etc/letsencrypt/live/db.taplaundry.com/cert.pem (are we offline?)


Found the following certs:
Certificate Name: yourlaundrychute.com
Domains: yourlaundrychute.com www.yourlaundrychute.com
Expiry Date: 2019-12-07 23:14:23+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/yourlaundrychute.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/yourlaundrychute.com/privkey.pem
Certificate Name: stadiumcoinlaundry.com
Domains: stadiumcoinlaundry.com www.stadiumcoinlaundry.com
Expiry Date: 2019-10-27 03:01:00+00:00 (VALID: 24 days)
Certificate Path: /etc/letsencrypt/live/stadiumcoinlaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/stadiumcoinlaundry.com/privkey.pem
Certificate Name: the-clothesline-laundry.com
Domains: the-clothesline-laundry.com www.the-clothesline-laundry.com
Expiry Date: 2019-12-01 23:37:19+00:00 (VALID: 60 days)
Certificate Path: /etc/letsencrypt/live/the-clothesline-laundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/the-clothesline-laundry.com/privkey.pem
Certificate Name: workdeskstage.taplaundry.com
Domains: workdeskstage.taplaundry.com
Expiry Date: 2019-05-02 20:06:41+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/workdeskstage.taplaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/workdeskstage.taplaundry.com/privkey.pem
Certificate Name: taplaundry.dev
Domains: taplaundry.dev api.taplaundry.dev cert.taplaundry.dev stage.taplaundry.dev workdesk.taplaundry.dev www.taplaundry.dev
Expiry Date: 2019-12-06 11:17:34+00:00 (VALID: 64 days)
Certificate Path: /etc/letsencrypt/live/taplaundry.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/taplaundry.dev/privkey.pem
Certificate Name: taplaundry.com-0001
Domains: taplaundry.com www.taplaundry.com
Expiry Date: 2019-11-06 11:11:40+00:00 (VALID: 34 days)
Certificate Path: /etc/letsencrypt/live/taplaundry.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/taplaundry.com-0001/privkey.pem
Certificate Name: taplaundry.com
Domains: taplaundry.com tax.taplaundry.com www.taplaundry.com
Expiry Date: 2018-09-02 23:41:18+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/taplaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/taplaundry.com/privkey.pem
Certificate Name: itshampertime.com
Domains: itshampertime.com www.itshampertime.com
Expiry Date: 2019-12-08 05:44:35+00:00 (VALID: 66 days)
Certificate Path: /etc/letsencrypt/live/itshampertime.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/itshampertime.com/privkey.pem
Certificate Name: stageworkdesk.taplaundry.com
Domains: stageworkdesk.taplaundry.com
Expiry Date: 2019-12-28 23:39:54+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/stageworkdesk.taplaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/stageworkdesk.taplaundry.com/privkey.pem
Certificate Name: taplaundry.com-0002
Domains: taplaundry.com
Expiry Date: 2019-12-29 20:26:27+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/taplaundry.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/taplaundry.com-0002/privkey.pem
Certificate Name: mail.taplaundry.com
Domains: mail.taplaundry.com
Expiry Date: 2019-12-17 11:22:38+00:00 (VALID: 75 days)
Certificate Path: /etc/letsencrypt/live/mail.taplaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.taplaundry.com/privkey.pem
Certificate Name: chutenearme.com
Domains: chutenearme.com www.chutenearme.com
Expiry Date: 2019-10-07 15:11:27+00:00 (VALID: 4 days)
Certificate Path: /etc/letsencrypt/live/chutenearme.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/chutenearme.com/privkey.pem
Certificate Name: soapboxlaundry.com
Domains: soapboxlaundry.com www.soapboxlaundry.com
Expiry Date: 2019-11-06 23:05:18+00:00 (VALID: 35 days)
Certificate Path: /etc/letsencrypt/live/soapboxlaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/soapboxlaundry.com/privkey.pem
Certificate Name: atyourservicecoinlaundry.com
Domains: atyourservicecoinlaundry.com www.atyourservicecoinlaundry.com
Expiry Date: 2019-12-17 18:21:54+00:00 (VALID: 75 days)
Certificate Path: /etc/letsencrypt/live/atyourservicecoinlaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/atyourservicecoinlaundry.com/privkey.pem
Certificate Name: snaplaundrydemo.com
Domains: snaplaundrydemo.com www.snaplaundrydemo.com
Expiry Date: 2019-11-01 17:01:29+00:00 (VALID: 29 days)
Certificate Path: /etc/letsencrypt/live/snaplaundrydemo.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/snaplaundrydemo.com/privkey.pem
Certificate Name: workdesk.taplaundry.com
Domains: workdesk.taplaundry.com
Expiry Date: 2019-11-12 11:37:13+00:00 (VALID: 40 days)
Certificate Path: /etc/letsencrypt/live/workdesk.taplaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/workdesk.taplaundry.com/privkey.pem
Certificate Name: laundrycare.biz
Domains: laundrycare.biz www.laundrycare.biz
Expiry Date: 2019-11-28 23:47:27+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/laundrycare.biz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/laundrycare.biz/privkey.pem
Certificate Name: stage.taplaundry.com
Domains: stage.taplaundry.com
Expiry Date: 2019-11-23 23:15:29+00:00 (VALID: 52 days)
Certificate Path: /etc/letsencrypt/live/stage.taplaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/stage.taplaundry.com/privkey.pem
Certificate Name: stage.joinlaundrycare.biz
Domains: stage.joinlaundrycare.biz
Expiry Date: 2018-10-30 01:42:30+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/stage.joinlaundrycare.biz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/stage.joinlaundrycare.biz/privkey.pem
Certificate Name: db.taplaundry.com
Domains: db.taplaundry.com
Expiry Date: 2018-09-21 00:28:47+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/db.taplaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/db.taplaundry.com/privkey.pem
Certificate Name: clevelandlaundryservice.com
Domains: clevelandlaundryservice.com www.clevelandlaundryservice.com
Expiry Date: 2019-11-28 23:47:40+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/clevelandlaundryservice.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/clevelandlaundryservice.com/privkey.pem
Certificate Name: officemovingalliance.com
Domains: officemovingalliance.com www.officemovingalliance.com
Expiry Date: 2019-11-28 23:47:46+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/officemovingalliance.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/officemovingalliance.com/privkey.pem
Certificate Name: lotuslaundryservice.com
Domains: lotuslaundryservice.com www.lotuslaundryservice.com
Expiry Date: 2019-12-15 11:51:03+00:00 (VALID: 73 days)
Certificate Path: /etc/letsencrypt/live/lotuslaundryservice.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/lotuslaundryservice.com/privkey.pem
Certificate Name: joinlaundrycare.biz
Domains: joinlaundrycare.biz www.joinlaundrycare.biz
Expiry Date: 2019-11-06 11:11:53+00:00 (VALID: 34 days)
Certificate Path: /etc/letsencrypt/live/joinlaundrycare.biz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/joinlaundrycare.biz/privkey.pem
Certificate Name: pushlaundry.com
Domains: pushlaundry.com www.pushlaundry.com
Expiry Date: 2019-11-28 23:47:51+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/pushlaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/pushlaundry.com/privkey.pem
Certificate Name: uploads.taplaundry.com
Domains: uploads.taplaundry.com
Expiry Date: 2019-12-28 11:01:42+00:00 (VALID: 86 days)
Certificate Path: /etc/letsencrypt/live/uploads.taplaundry.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/uploads.taplaundry.com/privkey.pem

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/stadiumcoinlaundry.com-0002.conf
/etc/letsencrypt/renewal/stadiumcoinlaundry.com-0001.conf

My web server is (include version):

Server version: Apache/2.4.25 (Debian)
Server built: 2019-08-19T19:25:31

The operating system my web server runs on is (include version): Debian 9.6

My hosting provider, if applicable, is: Digital

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.10.2


The OCSP checks are failing because the certificates have expired, so you can ignore that. It’s a symptom of the main issue, not a second issue. (Certbot 0.39.0 fixes it by disabling OCSP checks for expired certificates.)

Does /var/log/letsencrypt/ contain logs showing that Certbot is trying to renew the certificates but it’s failing for some reason?

Certbot 0.28.0 is available on Debian 9; you might want or need to upgrade.


Thank you mnordhoff for the reply. That makes sense regarding the OCSP check failing.

I installed the Debian back ports and upgraded to Certbot 0.28.

Unfortunately the issue remains.

What follows is the debug output from /var/log/letsencrypt.

2019-10-03 12:29:17,342:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: tax.taplaundry.com
Type: unauthorized
Detail: Invalid response from http://tax.taplaundry.com/.well-known/acme-challenge/QHMi2jdMrWRxA4fbe6jqQ1xUXjM3jqnkgLg3FCvpj4s [165.227.250.69]: “\n\n403 Forbidden\n\nForbidden\n<p”

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2019-10-03 12:29:17,342:INFO:certbot.auth_handler:Cleaning up challenges
2019-10-03 12:29:17,342:DEBUG:certbot.plugins.webroot:Removing /var/www/taplaundry.com/.well-known/acme-challenge/2Y6W2Kk_QPGOYcLAGOGIMH9BrIV1i8i6FhjzjuLIv0E
2019-10-03 12:29:17,342:DEBUG:certbot.plugins.webroot:Removing /var/www/tax_api/.well-known/acme-challenge/QHMi2jdMrWRxA4fbe6jqQ1xUXjM3jqnkgLg3FCvpj4s
2019-10-03 12:29:17,343:DEBUG:certbot.plugins.webroot:Removing /var/www/taplaundry.com/.well-known/acme-challenge/nXvwAxhL-gFI6sgSp9OGwMFjoVozwx6hSf1LlAROxO4
2019-10-03 12:29:17,343:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/taplaundry.com/.well-known/acme-challenge
2019-10-03 12:29:17,343:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/tax_api/.well-known/acme-challenge
2019-10-03 12:29:17,344:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/taplaundry.com.conf produced an unexpected error: Failed authorization procedure. tax.taplaundry.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tax.taplaundry.com/.well-known/acme-challenge/QHMi2jdMrWRxA4fbe6jqQ1xUXjM3jqnkgLg3FCvpj4s [165.227.250.69]: “\n\n403 Forbidden\n\nForbidden\n<p”. Skipping.
2019-10-03 12:29:17,345:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/certbot/renewal.py”, line 413, in handle_renewal_request
main.obtain_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 626, in obtain_cert
action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 103, in _auth_from_available
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python2.7/dist-packages/certbot/renewal.py”, line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 262, in obtain_certificate
self.config.allow_subset_of_names)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 77, in get_authorizations
self._respond(resp, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. tax.taplaundry.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://tax.taplaundry.com/.well-known/acme-challenge/QHMi2jdMrWRxA4fbe6jqQ1xUXjM3jqnkgLg3FCvpj4s [165.227.250.69]: “\n\n403 Forbidden\n\nForbidden\n<p”

2019-10-03 12:29:17,351:INFO:certbot.renewal:Cert not yet due for renewal
2019-10-03 12:29:17,358:INFO:certbot.renewal:Cert not yet due for renewal
2019-10-03 12:29:17,360:WARNING:certbot.renewal:expected /etc/letsencrypt/live/stadiumcoinlaundry.com-0001/cert.pem to be a symlink
2019-10-03 12:29:17,361:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/stadiumcoinlaundry.com-0001.conf is broken. Skipping.
2019-10-03 12:29:17,361:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/certbot/renewal.py”, line 59, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File “/usr/lib/python2.7/dist-packages/certbot/storage.py”, line 392, in init
self._check_symlinks()
File “/usr/lib/python2.7/dist-packages/certbot/storage.py”, line 431, in _check_symlinks
“expected {0} to be a symlink”.format(link))
CertStorageError: expected /etc/letsencrypt/live/stadiumcoinlaundry.com-0001/cert.pem to be a symlink

2019-10-03 12:29:17,370:INFO:certbot.renewal:Cert not yet due for renewal
2019-10-03 12:29:17,386:INFO:certbot.renewal:Cert not yet due for renewal
2019-10-03 12:29:17,394:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-10-07 15:11:27 UTC.
2019-10-03 12:29:17,395:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2019-10-03 12:29:17,395:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-10-03 12:29:17,396:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fb07caf6cd0>
Prep: True
2019-10-03 12:29:17,396:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fb07caf6cd0> and installer None
2019-10-03 12:29:17,399:DEBUG:certbot.main:Picked account: <Account(b6260a0fb99c0323c6fadc6b41d88e9c)>
2019-10-03 12:29:17,400:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2019-10-03 12:29:17,401:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2019-10-03 12:29:17,606:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2019-10-03 12:29:17,607:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 03 Oct 2019 12:29:17 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 0101O3R7j-QYEkvPj2mKbaWXhx1PrtJUGjHjSmP9DSLnfbI
X-Frame-Options: DENY

Update to the above:

1. For the two errors shown below, I see a possible fix for the symlink issue, but for the broken conf file, if you can suggest a fix, I would be most thankful.

2019-10-03 12:29:17,360:WARNING:certbot.renewal:expected /etc/letsencrypt/live/stadiumcoinlaundry.com-0001/cert.pem to be a symlink
2019-10-03 12:29:17,361:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/stadiumcoinlaundry.com-0001.conf is broken. Skipping.

2. Regarding the DNS NXDOMAIN error, I ran a dig and the A records look good.

$ dig db.taplaundry.com

; <<>> DiG 9.10.3-P4-Debian <<>> db.taplaundry.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58857
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;db.taplaundry.com. IN A

;; ANSWER SECTION:
db.taplaundry.com. 1765 IN A 165.227.250.69

;; Query time: 0 msec
;; SERVER: 67.207.67.2#53(67.207.67.2)
;; WHEN: Thu Oct 03 22:10:24 UTC 2019
;; MSG SIZE rcvd: 62
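Two distinct failures appear in the renewal log above: Certbot refuses the stadiumcoinlaundry.com-0001 lineage because live/.../cert.pem is a regular file rather than the symlink into archive/ that certbot.storage expects, and the http-01 challenge for tax.taplaundry.com fails because the token written under /var/www/tax_api is served back as 403 Forbidden. The script below is an added example, not code from this thread or from Certbot, that checks for both conditions on a host. It walks a Certbot config directory and reports every lineage whose live/ files are missing, regular files, or dangling symlinks, and it reproduces the ACME fetch for a given webroot and hostname by writing a throwaway token and requesting it over plain HTTP. The config directory, webroot and hostname are parameters, and the function names are the example's own.

```shell
#!/bin/sh
# Added diagnostic for two Certbot renewal failures (example code, not from the
# thread or from Certbot). Assumes the standard Certbot layout, in which every
# file under <config>/live/<name>/ is a symlink into <config>/archive/<name>/.
#
# Usage (on the server):
#   . ./certbot-check.sh
#   check_lineage_links /etc/letsencrypt
#   probe_webroot /var/www/tax_api tax.taplaundry.com

# check_lineage_links CONFIG_DIR
# Prints one line per lineage: "OK <name>" or "BROKEN <name>: <reason>".
# A regular file where a symlink is expected is exactly the condition that
# certbot.storage._check_symlinks turns into CertStorageError.
check_lineage_links() {
  live_dir="$1/live"
  for lineage in "$live_dir"/*/; do
    [ -d "$lineage" ] || continue          # skips the README file in live/
    name=$(basename "$lineage")
    state=OK
    for f in cert chain fullchain privkey; do
      p="$lineage$f.pem"
      if [ ! -e "$p" ] && [ ! -L "$p" ]; then
        echo "BROKEN $name: $p is missing"
        state=BROKEN
      elif [ ! -L "$p" ]; then
        echo "BROKEN $name: $p is not a symlink"
        state=BROKEN
      elif [ ! -e "$p" ]; then
        echo "BROKEN $name: $p is a dangling symlink"
        state=BROKEN
      fi
    done
    if [ "$state" = OK ]; then
      echo "OK $name"
    fi
  done
  return 0
}

# broken_lineages CONFIG_DIR
# Just the names of lineages that Certbot will skip, one per line.
broken_lineages() {
  check_lineage_links "$1" | sed -n 's/^BROKEN \([^:]*\):.*/\1/p' | sort -u
}

# probe_webroot WEBROOT HOSTNAME
# Writes a throwaway token under WEBROOT/.well-known/acme-challenge/ and fetches
# it over plain HTTP the way the ACME validation server would. A 403 here
# reproduces the "Invalid response ... 403 Forbidden" from the renewal log
# without spending an ACME validation attempt. Needs curl and write access.
probe_webroot() {
  webroot="$1"
  host="$2"
  dir="$webroot/.well-known/acme-challenge"
  token="probe-$$-$(date +%s)"
  mkdir -p "$dir" && echo "$token" > "$dir/$token" || return 2
  status=$(curl -s --max-time 10 -o /dev/null -w '%{http_code}' \
    "http://$host/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  echo "$host via $webroot -> HTTP $status"
  [ "$status" = "200" ]
}
```

A BROKEN line is what produces the `expected ... to be a symlink` warning. Certbot keeps live/<name>/cert.pem and its siblings as relative symlinks to ../../archive/<name>/certN.pem, so the repair is to point each link at the newest archive file for that lineage, or, for a duplicate lineage such as stadiumcoinlaundry.com-0001 that is no longer used, to remove it with `certbot delete --cert-name <name>` so its renewal conf, live and archive directories go together. A non-200 status from probe_webroot means the Apache vhost answering for that hostname does not serve the directory Certbot writes into (wrong webroot path for that name, or an access rule that denies it), which is what the validation server saw for tax.taplaundry.com.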
