Certbot crashing before installing certs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I ran this command:
certbot --apache
It produced this output:

File:

  • Could not be found to be deleted /etc/apache2/apache2-le-ssl.conf - Certbot probably shut down unexpectedly

My web server is (include version):
Apache2 (latest on ubuntu 18.04)
The operating system my web server runs on is (include version):
latest Ubuntu 18.04 x64
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

I'm trying to use certbot to make certificates for a bunch of domains on this server... I'm not sure how to fix this.

Could you please post the full stack trace, or /var/log/letsencrypt.log log file, from an incidence of this crash?

Previous issues suggest that orphaned RewriteCond rules (that have no consuming RewriteRule) could cause this issue. However, it’s hard to tell whether that issue is related to your issue without seeing the full log of the crash.

I have to chop off the top of this log, since I'm a new user and cannot post all the URLs in the logs.

2019-10-09 02:57:23,574:DEBUG:certbot.util:Not suggesting name "*.domain.net"
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/util.py", line 310, in get_filtered_names
filtered_names.add(enforce_le_validity(name))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 526, in enforce_le_validity
"Valid characters are A-Z, a-z, 0-9, ., and -.".format(domain))
certbot.errors.ConfigurationError: *.domain.net contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.

This is the error - I think it has to do with me trying to use www.domain.net but also domain.net at the same time. If I tell certbot to do just one of them at a time (like domain.net) it will properly set the cert and redirect www.domain.net to domain.net, but if I go back and tell it to do www.domain.net it'll have domain.net redirect to www.domain.net. When I go to the "redirected" url, any browser I use complains that the website is not secure.

Am I doing something wrong? Is this a problem with my apache configuration?

I’m not really sure that the stack trace you posted is related to the initial error you posted about. In any case, you can copy your log somewhere like https://dpaste.de if the forum restrictions are getting in the way.

If you want to do both domains on one certificate, I would suggest:

certbot --apache -d "domain.net" -d "www.domain.net"

and seeing what happens. If Certbot crashes on that one, then uploading that log file to dpaste.de would be very helpful for diagnosis.

Here’s the command followed by what I saw on screen. I’ll post the log in a sec.

root@server:/etc/apache2/sites-enabled# certbot --apache -d "domain.net" -d "www.domain.net"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
File:

  • Could not be found to be deleted /etc/apache2/apache2-le-ssl.conf - Certbot probably shut down unexpectedly
    An unexpected error occurred:
    StopIteration
    Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/domain.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/domain.net/privkey.pem
    Your cert will expire on 2020-01-07. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

here’s the paste:
https://dpaste.de/g1os#L281

Thanks.

The presence of this line:

File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1332, in _sift_rewrite_rules

makes me think it's because of what I outlined in my first response - RewriteCond statements that don't do anything and the associated Certbot bug.

I would go digging in your Apache configuration for RewriteCond statements that are not (eventually) followed by a RewriteRule.

This might help you get started:

grep -Ri rewritecond /etc/apache2
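
As an added example (not part of this thread or of Certbot), the script below makes that grep more precise: it walks an Apache config the way mod_rewrite does, treating each RewriteCond as pending until a RewriteRule consumes it, and reports any conditions still pending when their enclosing container (VirtualHost, Directory, Location, Files) closes or the file ends. The sample vhost config is constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example: report RewriteCond directives with no consuming RewriteRule.
# Not Certbot code; the config below is constructed for illustration.

SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName domain.net
    ServerAlias www.domain.net
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www\.domain\.net$ [NC]
    # RewriteRule ^(.*)$ http://domain.net/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example
    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF

# find_orphan_rewritecond FILE
# Prints "FILE:LINE: RewriteCond ..." for every condition that is never
# followed by a RewriteRule in the same container. Pending conditions are
# tracked per nesting depth so a RewriteCond in VirtualHost scope is not
# flagged just because a <Directory> block opens before its RewriteRule.
find_orphan_rewritecond() {
    awk '
    function flush(d,   i) {
        for (i = 1; i <= npending[d]; i++) print FILENAME ":" pending[d, i]
        npending[d] = 0
    }
    /^[[:space:]]*#/ { next }                       # comment line
    /^[[:space:]]*<(VirtualHost|Directory|Location|Files)/ {
        depth++; npending[depth] = 0; next         # container opens
    }
    /^[[:space:]]*<\/(VirtualHost|Directory|Location|Files)/ {
        flush(depth); depth--; next                # container closes: pending conds are orphans
    }
    /^[[:space:]]*RewriteCond[[:space:]]/ {
        sub(/^[[:space:]]+/, "")
        pending[depth, ++npending[depth]] = NR ": " $0; next
    }
    /^[[:space:]]*RewriteRule[[:space:]]/ { npending[depth] = 0; next }  # rule consumes conds
    END { flush(depth) }                            # end of file at top level
    ' "$1"
}

# count_orphans FILE: number of orphaned RewriteCond lines in FILE
count_orphans() {
    find_orphan_rewritecond "$1" | wc -l | tr -d ' '
}

find_orphan_rewritecond "$SAMPLE_CONF"
echo "orphaned RewriteCond lines: $(count_orphans "$SAMPLE_CONF")"
```

Run it against a real tree with something like `for f in /etc/apache2/sites-enabled/*.conf; do find_orphan_rewritecond "$f"; done`; in the sample, only the first vhost's RewriteCond (whose RewriteRule is commented out) is reported. The check is a static approximation: it ignores `Include`d files and `.htaccess`, so it is a starting point for the manual review, not a substitute for it.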

That command helped a lot, and I think this was my issue. I have a lot of RewriteConds without any corresponding RewriteRules (ironically, the only domain with a RewriteCond rule is the one that was failing and breaking my certbot). I tweaked (commented out) those, and it's issuing certs again. Now my problem is that domain1's cert is being returned from domain2, domain3, domain4... but I think I have to tweak my apache files for that.

Thanks!
