Certbot certonly --webroot succeeds but renew --dry-run fails

Form answers:

My domain is: gmallards.com

I ran this command: certbot --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log --pre-hook "net.exe stop Apache2.4" --post-hook "net.exe start Apache2.4" renew --dry-run

It produced this output:

Saving debug log to C:\Website\Tech\certbot\config-dir\log\letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing C:\Website\Tech\certbot\config-dir\renewal\gmallards.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'pre-hook' ran with output:
 The Apache2.4 service is stopping.
 The Apache2.4 service was stopped successfully.
Simulating renewal of an existing certificate for gmallards.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: gmallards.com
  Type:   connection
  Detail: Fetching http://gmallards.com/.well-known/acme-challenge/VT7dhhiJT-EkyMLo8hN5-5U6Sx7MThn2lhtRlZGsG2M: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate gmallards.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  C:\Website\Tech\certbot\config-dir\live\gmallards.com\fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Hook 'post-hook' ran with output:
 The Apache2.4 service is starting.
 The Apache2.4 service was started successfully.
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Website\Tech\certbot\config-dir\log\letsencrypt.log or re-run Certbot with -v for more details.

C:\Website\Tech\certbot>

My web server is (include version):
Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.23

The operating system my web server runs on is (include version):
Windows 10 Version 20H2 (OS Build 19042.1348)

My hosting provider, if applicable, is:
Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
I can make an administrator Command Prompt

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.16.0


This is puzzling: when I run my initial install with certbot [...] certonly --webroot (some log directories are customised but I don't think that's the problem), I get a certificate for the next 3 months fine, and it works.

However, when I run the equivalent certbot [...] renew --dry-run, it fails with the output above in the terminal and the letsencrypt.log goes wrong around this part:

2021-11-14 13:18:39,535:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 14 Nov 2021 18:18:39 GMT
Content-Type: application/json
Content-Length: 1036
Connection: keep-alive
Boulder-Requester: 33707398
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 000165vCHQWSxqhpGtgdihTj0zq9WRXp4uWWqodDmaaKVtE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "gmallards.com"
  },
  "status": "invalid",
  "expires": "2021-11-21T18:18:27Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://gmallards.com/.well-known/acme-challenge/VT7dhhiJT-EkyMLo8hN5-5U6Sx7MThn2lhtRlZGsG2M: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/936810368/sQccTA",
      "token": "VT7dhhiJT-EkyMLo8hN5-5U6Sx7MThn2lhtRlZGsG2M",
      "validationRecord": [
        {
          "url": "http://gmallards.com/.well-known/acme-challenge/VT7dhhiJT-EkyMLo8hN5-5U6Sx7MThn2lhtRlZGsG2M",
          "hostname": "gmallards.com",
          "port": "80",
          "addressesResolved": [
            "67.86.63.97"
          ],
          "addressUsed": "67.86.63.97"
        }
      ],
      "validated": "2021-11-14T18:18:27Z"
    }
  ]
}
2021-11-14 13:18:39,535:DEBUG:acme.client:Storing nonce: 000165vCHQWSxqhpGtgdihTj0zq9WRXp4uWWqodDmaaKVtE
2021-11-14 13:18:39,535:INFO:certbot._internal.auth_handler:Challenge failed for domain gmallards.com
2021-11-14 13:18:39,535:INFO:certbot._internal.auth_handler:http-01 challenge for gmallards.com
2021-11-14 13:18:39,535:DEBUG:certbot.display.util:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: gmallards.com
  Type:   connection
  Detail: Fetching http://gmallards.com/.well-known/acme-challenge/VT7dhhiJT-EkyMLo8hN5-5U6Sx7MThn2lhtRlZGsG2M: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2021-11-14 13:18:39,535:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\auth_handler.py", line 93, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)

The same commands worked on a previous installation on my old PC also under Windows 10. I checked https://canyouseeme.org/ that I am visible on ports 80 and 443 to the outside world.

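To make the failure in the log above concrete, here is an added self-check (example code, not from the original post or from Certbot) that does what the CA does during http-01 validation: write a token file under `<webroot>/.well-known/acme-challenge/` and fetch it over plain HTTP. Python's `http.server` stands in for Apache and the token and thumbprint are constructed, so it runs offline; pointed at the real webroot (`C:\Website\Local` in this thread) and port 80 on the real host, it becomes a pre-flight check that shows whether a pre-hook that stops Apache, a wrong `-w` path, or a firewall is what the CA will run into.

```python
"""
Pre-flight check for Certbot's webroot authenticator.

Added example, not from the original post or from Certbot. The http-01
challenge file is only fetchable while something is listening on the
HTTP port, which is why a pre-hook that stops Apache makes the CA see
"Timeout during connect". Assumptions: the webroot is the document root,
and a local stand-in server is acceptable for the demonstration.
"""
from __future__ import annotations

import functools
import http.server
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def write_challenge(webroot: Path, token: str, body: str) -> Path:
    """Place the challenge file where Certbot's webroot plugin puts it."""
    target = webroot / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    path = target / token
    path.write_text(body)
    return path


def fetch_challenge(host: str, port: int, token: str, timeout: float = 2.0) -> tuple[bool, str]:
    """Fetch the URL the CA would request. Returns (ok, detail).
    A refused or timed-out connection is the local equivalent of the
    CA's 'Timeout during connect (likely firewall problem)'."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR.as_posix()}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200, resp.read().decode()
    except urllib.error.HTTPError as exc:          # served, but not from the expected webroot
        return False, f"HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:  # nothing listening / blocked
        return False, f"connection error: {exc}"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_webroot(webroot: Path) -> socketserver.TCPServer:
    """Stand-in for Apache: serve `webroot` on an ephemeral loopback port."""
    handler = functools.partial(_QuietHandler, directory=str(webroot))
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def preflight(webroot: Path, host: str, port: int) -> tuple[bool, str]:
    """Write a throwaway challenge, fetch it, compare, clean up."""
    token = secrets.token_urlsafe(32)
    body = f"{token}.constructed-thumbprint"  # Certbot writes <token>.<account key thumbprint>
    path = write_challenge(webroot, token, body)
    try:
        ok, detail = fetch_challenge(host, port, token)
        if ok and detail != body:
            return False, "served content differs from the file on disk (wrong -w path?)"
        return ok, detail
    finally:
        path.unlink(missing_ok=True)


def demo() -> dict:
    """Run the check with the server up, then stopped as a pre-hook would leave it."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        server = serve_webroot(webroot)
        host, port = server.server_address
        up_ok, _ = preflight(webroot, host, port)
        server.shutdown()
        server.server_close()              # the local equivalent of `net.exe stop Apache2.4`
        down_ok, down_detail = preflight(webroot, host, port)
    return {"server_up": up_ok, "server_stopped": down_ok, "stopped_detail": down_detail}


if __name__ == "__main__":
    print(demo())
```

With the server up the token is served back unchanged; after it is stopped the same fetch fails at connect time, which is exactly the state the `--pre-hook "net.exe stop Apache2.4"` leaves the host in while the CA is validating.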

How can stopping the webserver work (whether --dry-run or not)???


Stopping the webserver works fine; it's required in case the certificate gets updated, I think. The new certificate is loaded when it restarts with --post-hook.

[edit] Actually... I removed those and now it renews properly. I had to add a command to restart apache after renewing the certificate. Although the only reason I had those --pre-hook and --post-hook were because a tutorial said I had to, and it worked on my previous installation.

[edit2] Found something about this on the forums: "Renewing Certificats and configuring on windows 10 - #2 by _az", particularly the part where it says: "I think this older advice is not ideal for our Windows users. Sorry!"

Welcome to the Let's Encrypt Community, Stephen :slightly_smiling_face:

Please run this:

certbot certonly --apache -d "gmallards.com,www.gmallards.com" --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log --dry-run

If that works, please run this:

certbot --cert-name gmallards.com --apache -d "gmallards.com,www.gmallards.com" --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log


On running the first one, I get:

Saving debug log to C:\Website\Tech\certbot\config-dir\log\letsencrypt.log
The requested apache plugin does not appear to be installed
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Website\Tech\certbot\config-dir\log\letsencrypt.log or re-run Certbot with -v for more details.

What is the webroot directory for gmallards.com?


C:\Website\Local

Although I believe I now have a solution, by removing the --pre-hook and --post-hook and doing a httpd -k restart on Apache after the certificate gets updated.


certbot certonly --cert-name gmallards.com --webroot -w C:\Website\Local -d "gmallards.com,www.gmallards.com" --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log --deploy-hook "httpd -k graceful"

Unable to find deploy-hook command httpd in the PATH.
(PATH is C:\Program Files\ImageMagick;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\Certbot\bin;C:\Users\User\AppData\Local\Microsoft\WindowsApps;C:\Users\User\AppData\Local\Programs\MiKTeX\miktex\bin\x64\;C:\Program Files (x86)\Certbot\Python)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Users\User\AppData\Local\Temp\tmprkse_28y\log or re-run Certbot with -v for more details.

So Apache's bin folder with httpd isn't in the system PATH. OK, I'll put the full path:

C:\Website\Tech\certbot>certbot --cert-name gmallards.com --webroot -w C:\Website\Local -d "gmallards.com,www.gmallards.com" --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log --deploy-hook "C:\Website\Tech\Apache24\bin\httpd -k graceful"
Unable to find deploy-hook command C:\Website\Tech\Apache24\bin\httpd in the PATH.
(PATH is C:\Program Files\ImageMagick;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files (x86)\Certbot\bin;C:\Users\User\AppData\Local\Microsoft\WindowsApps;C:\Users\User\AppData\Local\Programs\MiKTeX\miktex\bin\x64\;C:\Program Files (x86)\Certbot\Python)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Users\User\AppData\Local\Temp\tmpv4r_ftvs\log or re-run Certbot with -v for more details.

Hmm? Maybe it requires the full file name httpd.exe?

C:\Website\Tech\certbot>certbot --cert-name gmallards.com --webroot -w C:\Website\Local -d "gmallards.com,www.gmallards.com" --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log --deploy-hook "C:\Website\Tech\Apache24\bin\httpd.exe -k graceful"
Saving debug log to C:\Website\Tech\certbot\config-dir\log\letsencrypt.log
With the webroot plugin, you probably want to use the "certonly" command, eg:

    certbot certonly --webroot

(Alternatively, add a --installer flag. See https://eff.org/letsencrypt-plugins
 and "--help plugins" for more information.)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Website\Tech\certbot\config-dir\log\letsencrypt.log or re-run Certbot with -v for more details.

Now a different error. OK, so I'll add "certonly" to the command:

C:\Website\Tech\certbot>certbot certonly --cert-name gmallards.com --webroot -w C:\Website\Local -d "gmallards.com,www.gmallards.com" --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log --deploy-hook "C:\Website\Tech\Apache24\bin\httpd.exe -k graceful"
Saving debug log to C:\Website\Tech\certbot\config-dir\log\letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You are updating certificate gmallards.com to include new domain(s):
+ www.gmallards.com

You are also removing previously included domain(s):
(None)

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate certificate/(C)ancel: U
Renewing an existing certificate for gmallards.com and www.gmallards.com
Hook 'deploy-hook' reported error code 1
Hook 'deploy-hook' ran with error output:
 (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted.  : AH00072: make_sock: could not bind to address [::]:80
 (OS 10048)Only one usage of each socket address (protocol/network address/port) is normally permitted.  : AH00072: make_sock: could not bind to address 0.0.0.0:80
 AH00451: no listening sockets available, shutting down
 AH00015: Unable to open logs

Successfully received certificate.
Certificate is saved at: C:\Website\Tech\certbot\config-dir\live\gmallards.com\fullchain.pem
Key is saved at:         C:\Website\Tech\certbot\config-dir\live\gmallards.com\privkey.pem
This certificate expires on 2022-02-12.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Still more errors, but don't really worry about it since I have another way that works now.


@_az

Can you please review the errors in the previous post. Something smells fishy.


Probably need to add this to the command, at least for the hook validation issues: --disable-hook-validation
It's used when the hook is not in the PATH or is a complex command.
So, like this (for one of the examples above):

certbot --cert-name gmallards.com certonly --webroot -w C:\Website\Local -d "gmallards.com,www.gmallards.com" --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log --deploy-hook "C:\Website\Tech\Apache24\bin\httpd -k graceful" --disable-hook-validation

See:
https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options


This seems to work without errors, although I don't want to actually renew it right now.

C:\Website\Tech\certbot>certbot --cert-name gmallards.com certonly --webroot -w C:\Website\Local -d "gmallards.com,www.gmallards.com" --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log --deploy-hook "C:\Website\Tech\Apache24\bin\httpd -k graceful" --disable-hook-validation
Saving debug log to C:\Website\Tech\certbot\config-dir\log\letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: C:\Website\Tech\certbot\config-dir\renewal\gmallards.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

It might be that httpd.exe -k graceful doesn't work on Windows, full stop.

On a fresh Windows + Apache installation, I see the same thing without involving Certbot at all:

According to this part of the Apache documentation, httpd.exe -k restart is the Windows equivalent of kill -USR1 (what httpd -k graceful does).


So, final answer (run only once):

certbot certonly --cert-name gmallards.com --webroot -w C:\Website\Local -d "gmallards.com,www.gmallards.com" --config-dir C:\Website\Tech\certbot\config-dir --work-dir C:\Website\Tech\certbot\config-dir\lib --logs-dir C:\Website\Tech\certbot\config-dir\log --deploy-hook "C:\Website\Tech\Apache24\bin\httpd.exe -k restart" --force-renewal

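The final command above puts the Apache restart inline in `--deploy-hook`. As an added example (not code from the thread or from Certbot), here is the same step as a small Python deploy-hook script, which avoids the PATH and quoting problems seen earlier in the thread and adds a check before restarting. It relies on Certbot's documented behaviour of setting `RENEWED_LINEAGE` (the `live\<name>` directory) and `RENEWED_DOMAINS` in a deploy hook's environment; the `httpd.exe` location and the `python` invocation in the docstring are assumptions taken from the thread, and `demo()` uses a constructed lineage and fake `httpd` results so it runs without Apache.

```python
r"""
Certbot deploy hook for Apache on Windows.

Added example, not code from the original thread or from Certbot.
Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to a --deploy-hook;
this script checks that the files Apache's SSLCertificateFile /
SSLCertificateKeyFile point at are present, then runs `httpd.exe -k restart`,
the Windows form of a reload (`-k graceful` tried to bind port 80 again
and failed with AH00072 earlier in the thread). HTTPD below is an assumption.

Assumed invocation (python resolving via PATH, e.g. Certbot's bundled one):
  certbot certonly --cert-name gmallards.com --webroot -w C:\Website\Local ^
      -d "gmallards.com,www.gmallards.com" ^
      --deploy-hook "python C:\Website\Tech\certbot\deploy_hook.py" --disable-hook-validation
"""
from __future__ import annotations

import os
import subprocess
import sys
import tempfile
from pathlib import Path

HTTPD = Path(r"C:\Website\Tech\Apache24\bin\httpd.exe")   # assumed; adjust to your install
REQUIRED = ("fullchain.pem", "privkey.pem")


def lineage_files(lineage: Path) -> dict[str, bool]:
    """Which of the files Apache will load exist in the renewed lineage."""
    return {name: (lineage / name).is_file() for name in REQUIRED}


def restart_command(httpd: Path) -> list[str]:
    """Full-path argv so the hook does not depend on PATH; `-k restart`, not `-k graceful`."""
    return [str(httpd), "-k", "restart"]


def run_hook(lineage: Path, httpd: Path = HTTPD, runner=subprocess.run) -> int:
    """Exit code Certbot records for the hook: 0 ok, 2 lineage incomplete, else httpd's code.
    `runner` is injectable so the logic can be exercised without Apache installed."""
    missing = [name for name, ok in lineage_files(lineage).items() if not ok]
    if missing:
        print(f"deploy hook: {lineage} is missing {missing}; not restarting Apache", file=sys.stderr)
        return 2
    result = runner(restart_command(httpd), capture_output=True, text=True)
    if result.returncode != 0:
        print(f"deploy hook: httpd exited {result.returncode}: {result.stderr.strip()}", file=sys.stderr)
    return result.returncode


def main() -> int:
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        print("deploy hook: RENEWED_LINEAGE not set; run this via certbot --deploy-hook", file=sys.stderr)
        return 2
    print(f"deploy hook: renewed {os.environ.get('RENEWED_DOMAINS', '?')} in {lineage}")
    return run_hook(Path(lineage))


def demo() -> dict[str, int]:
    """Exercise the hook against a constructed lineage with fake httpd outcomes."""
    def fake(code: int, err: str = ""):
        return lambda argv, **kw: subprocess.CompletedProcess(argv, code, "", err)

    with tempfile.TemporaryDirectory() as tmp:
        lineage = Path(tmp)
        before = run_hook(lineage, runner=fake(0))            # no certificate issued yet
        for name in REQUIRED:
            (lineage / name).write_text("-----BEGIN CONSTRUCTED-----\n")
        ok = run_hook(lineage, runner=fake(0))
        bind_fail = run_hook(lineage, runner=fake(1, "AH00451: no listening sockets available"))
    return {"missing_files": before, "restart_ok": ok, "httpd_failed": bind_fail}


if __name__ == "__main__":
    if "RENEWED_LINEAGE" in os.environ:
        sys.exit(main())
    print(demo())
```

Because the hook returns a non-zero code when the restart fails, Certbot reports it in the renewal output (as it did with the `-k graceful` attempt) instead of silently leaving Apache on the old certificate; the scheduled task Certbot creates on Windows runs the same hook on each real renewal.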
