I ran this command:
certbot -q renew (in cron.d/certbot)
It produced this output (received via email):
Attempting to renew cert (winecountryswing.com) from /etc/letsencrypt/renewal/winecountryswing.com.conf produced an unexpected error: The nginx plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError(). Skipping. All renewal attempts failed.
The following certs could not be renewed: /etc/letsencrypt/live/winecountryswing.com/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)
My web server is (include version):
nginx 1.10.3
The operating system my web server runs on is (include version):
ubuntu 16.04.5
My hosting provider, if applicable, is:
DigitalOcean
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
(I use Webmin 1.890 for some things, but mostly I use shell access.)
Note that this was working fine until a few weeks ago. I think it broke after a certbot update. Here is the cron file:
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc. Renewal will only occur if expiration
# is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
This means that Certbot can't find the nginx binary (or perhaps the nginx configuration directory).
If either is relocated (as is the case with some control panels like Bitnami), then you need to tell Certbot where to find it.
certbot help nginx
nginx:
Nginx Web Server plugin
--nginx-server-root NGINX_SERVER_ROOT
Nginx server root directory. (default: /etc/nginx)
--nginx-ctl NGINX_CTL
Path to the 'nginx' binary, used for 'configtest' and
retrieving nginx version number. (default: nginx)
Edit: make sure you're actually running the renew command as root. If nginx is located in /sbin/ for example, that may not be in your PATH when you're not root, so this could just be a red herring, and the true cause of failure something else.
Understand that certbot renew --dry-run always succeeded. The command in the cron job is what's failing. It used to work. My nginx configuration has not changed.
I've added the --nginx-ctl /usr/sbin/nginx --nginx-server-root /etc/nginx parameters to the cron.d/certbot file. We'll see what happens when it runs this afternoon.
Still failed. I see that in my /etc/letsencrypt/renewal directory there is a new file winecountryswing.com-0001.conf. It is dated Jul 24 and it is missing the line installer = nginx. That line is present in winecountryswing.com.conf.
Also there's a winecountryswing.com-0001 in the live and archive subdirectories, containing certificates. What's going on there? Has it created the certs and then failed to install them and clean up?
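A quick way to spot the situation described in the post above (a numbered `-0001` renewal file that lacks `installer = nginx` next to the original lineage), as an added example that is not part of the thread. The function names and the `example.test` sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list each certbot renewal config,
# the installer it names, and whether it is a numbered sibling (-NNNN)
# of another lineage in the same directory.

# audit_renewal_dir DIR
# Prints: "<lineage> installer=<value|MISSING> [duplicate-of=<base>]"
audit_renewal_dir() {
    dir=$1
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        # Value of the "installer = ..." line, trimmed of surrounding whitespace.
        installer=$(sed -n 's/^[[:space:]]*installer[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | head -n 1)
        [ -n "$installer" ] || installer=MISSING
        line="$name installer=$installer"
        # A -NNNN suffix whose base name also has a config suggests a
        # second lineage was created for the same certificate name.
        base=$(printf '%s\n' "$name" | sed -n 's/-[0-9][0-9][0-9][0-9]$//p')
        if [ -n "$base" ] && [ -f "$dir/$base.conf" ]; then
            line="$line duplicate-of=$base"
        fi
        printf '%s\n' "$line"
    done
}

# Constructed sample input mirroring the post: the original config names
# the nginx installer, the numbered one does not.
make_sample_dir() {
    d=$(mktemp -d)
    printf '[renewalparams]\nauthenticator = nginx\ninstaller = nginx\n' \
        > "$d/example.test.conf"
    printf '[renewalparams]\nauthenticator = nginx\n' \
        > "$d/example.test-0001.conf"
    printf '%s\n' "$d"
}

# Demo on the constructed files. On a real host, run as root:
#   audit_renewal_dir /etc/letsencrypt/renewal
sample=$(make_sample_dir)
audit_renewal_dir "$sample"
rm -rf "$sample"
```
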
Since the most recent certbot update a few days ago, everything appears to be back to normal. There's no error message in the latest renewal email. On checking, I see that the cert was properly renewed on July 27. I guess that the "nginx plugin is not working" problem was specific to a certain version of certbot.
I was using 0.26.0. One notable change in that version was "The Nginx plugin is no longer marked labeled as an 'Alpha' version." Maybe that's why it thought the plugin wasn't installed.
An update appeared a couple of days ago and installing it seems to have solved the problem. They didn't bump the version number for that. I see on GitHub a change 6 days ago in certbot-nginx labeled "Bump the acme version needed for account reuse (#6250)". Perhaps that was the fix.