Certbot fails to renew certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: atractor.pt

I ran this command:
certbot -v --help renew
It produced this output:
An unexpected error occurred:
UnicodeEncodeError: 'charmap' codec can't encode character '\u2019' in position 5396: character maps to
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-h3yfn1mb/log or re-run Certbot with -v for more details.

My web server is (include version):
Server version: Apache/2.4.6 (CentOS)
Server built: Apr 20 2018 18:10:38
The operating system my web server runs on is (include version):
Linux version 4.4.130-1.el7.elrepo.x86_64 (mockbuild@Build64R7) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) ) #1 SMP Sun Apr 29 09:01:23 EDT 2018
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.3.0

Please provide the file /tmp/certbot-log-h3yfn1mb/log or the contents thereof, as there's just not enough info in the error message currently provided unfortunately.


Thanks for your reply! Here is the contents of the log file:

2025-04-05 13:59:22,381:DEBUG:certbot._internal.main:certbot version: 3.3.0
2025-04-05 13:59:22,382:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2025-04-05 13:59:22,382:DEBUG:certbot._internal.main:Arguments: ['-v', '--help', 'renew']
2025-04-05 13:59:22,383:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-04-05 13:59:22,397:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.9/site-packages/certbot/_internal/main.py", line 1854, in main
    config = cli.prepare_and_parse_args(plugins, cli_args)
  File "/opt/certbot/lib/python3.9/site-packages/certbot/_internal/cli/__init__.py", line 473, in prepare_and_parse_args
    return helpful.parse_args()
  File "/opt/certbot/lib/python3.9/site-packages/certbot/_internal/cli/helpful.py", line 269, in parse_args
    parsed_args = self.parser.parse_args(self.args)
  File "/opt/certbot/lib/python3.9/site-packages/configargparse.py", line 468, in parse_args
    args, argv = self.parse_known_args(
  File "/opt/certbot/lib/python3.9/site-packages/configargparse.py", line 650, in parse_known_args
    namespace, unknown_args = argparse.ArgumentParser.parse_known_args(
  File "/usr/local/miniconda3/lib/python3.9/argparse.py", line 1851, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/local/miniconda3/lib/python3.9/argparse.py", line 2060, in _parse_known_args
    start_index = consume_optional(start_index)
  File "/usr/local/miniconda3/lib/python3.9/argparse.py", line 2000, in consume_optional
    take_action(action, args, option_string)
  File "/usr/local/miniconda3/lib/python3.9/argparse.py", line 1928, in take_action
    action(self, namespace, argument_values, option_string)
  File "/usr/local/miniconda3/lib/python3.9/argparse.py", line 1092, in __call__
    parser.print_help()
  File "/usr/local/miniconda3/lib/python3.9/argparse.py", line 2548, in print_help
    self._print_message(self.format_help(), file)
  File "/usr/local/miniconda3/lib/python3.9/argparse.py", line 2554, in _print_message
    file.write(message)
  File "/usr/local/miniconda3/lib/python3.9/encodings/iso8859_15.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\u2019' in position 5396: character maps to <undefined>
2025-04-05 13:59:22,397:ERROR:certbot._internal.log:An unexpected error occurred:
2025-04-05 13:59:22,397:ERROR:certbot._internal.log:UnicodeEncodeError: 'charmap' codec can't encode character '\u2019' in position 5396: character maps to <undefined>

end of error message:

<undefined>

Maybe your keyboard puts the wrong kind of quote in the command?


Thanks for your suggestion, but the command I used had no quotes: certbot -v --help renew
From what I see in the log file the error is in the configuration arguments parser but I have no idea about which file has these arguments.

What if you just do a certbot without anything else?

Yes! this works:

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for atractor.pt and 2 more domains

Successfully received certificate.

Meanwhile I have been reading the March 3 topic "Transcription failure in certbot - how do i report?" and the answer by TomWLake explains where to find files causing the error I got.

Thanks to all!

Euh, the fact you were getting that question means you already had a perfectly fine certificate and there was no actual need to replace it.

I was replacing it because it would expire soon and I am not sure if it would be renewed automatically. For this I am using an entry in the crontab, but I just saw that certbot can do that and will be reading User Guide — Certbot 4.0.0.dev0 documentation for instructions.

If it was due for renewal, you wouldn't have gotten that specific question.

The certificate issued today (crt.sh | 17668181528) was a renewal for crt.sh | 17094710039, which was due to expire 2025-05-08, which is 32 days into the future. Certbot only starts to renew, by default, when there are 30 days left or less, which wasn't the case today. There were still 2 days left before autorenewal would have started.

If you installed Certbot using pip, it would not have installed a cronjob automatically by the way.


In fact the crontab entry was created by me when we started to use these certificates some years ago. I am not an expert in these matters and tried to avoid problems by using means I am used to.

Also interesting is that the cert with 3 domain names in it is not the one being used for requests to any of those domains.

Instead, requests to rdvrsgcl.atractor.pt use the cert from Feb 7 that has only its domain name in it. And requests to the other two domains use the cert from Mar 16 that has only those two domain names in it.

@migfilg It looks like you have extra cert(s) that you don't need. If you want help cleaning that up start by showing us output of

sudo certbot certificates


Yes and thanks! Here is the result:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: atractor.pt-0001
    Serial Number: 551b9a85ba9d07cd091d3caa68344302280
    Key Type: RSA
    Domains: atractor.pt www.atractor.pt
    Expiry Date: 2025-06-14 03:08:29+00:00 (VALID: 67 days)
    Certificate Path: /etc/letsencrypt/live/atractor.pt-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/atractor.pt-0001/privkey.pem
  Certificate Name: atractor.pt
    Serial Number: 63f0b3bbcc93b2e2124a308878bc4177788
    Key Type: RSA
    Domains: atractor.pt rdvrsgcl.atractor.pt www.atractor.pt
    Expiry Date: 2025-07-05 09:36:26+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/atractor.pt/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/atractor.pt/privkey.pem
  Certificate Name: rdvrsgcl.atractor.pt
    Serial Number: 48181514addc2cc13b648e8785a1b7e8fb1
    Key Type: RSA
    Domains: rdvrsgcl.atractor.pt
    Expiry Date: 2025-05-08 10:01:15+00:00 (VALID: 31 days)
    Certificate Path: /etc/letsencrypt/live/rdvrsgcl.atractor.pt/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/rdvrsgcl.atractor.pt/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

A post was split to a new topic: Failed challenge port 80 in use

Thanks. I think having a cert for each VirtualHost in your Apache is easier to maintain.

And we can tell from which cert is being used by each domain that that is how you have it set up now. That is good, and the "older" cert with all 3 names is probably not needed anymore.

So, unless you use the cert with all 3 names in it somewhere other than Apache you could

sudo certbot delete --cert-name atractor.pt

After that you can test the automated renew with:

sudo certbot renew --dry-run

This --dry-run will not affect your Apache config or your existing production certs. It is just a test.


Thanks for your directions!

So, unless you use the cert with all 3 names in it somewhere other than Apache you could

sudo certbot delete --cert-name atractor.pt

This worked ok after confirmation...

After that you can test the automated renew with:

sudo certbot renew --dry-run
This --dry-run will not affect your Apache config or your existing production certs. It is just a test

This failed with the following message:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/atractor.pt-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Error while running apachectl configtest.

[Tue Apr 08 12:33:10.896575 2025] [alias:warn] [pid 40053] AH00671: The Alias directive in /etc/httpd/conf.d/autoindex.conf at line 21 will probably never match because it overlaps an earlier Alias.
AH00526: Syntax error on line 8 of /etc/httpd/conf.d/vhosts-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/atractor.pt/cert.pem' does not exist or is empty

Failed to renew certificate atractor.pt-0001 with error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apachectl configtest.\n\n[Tue Apr 08 12:33:10.896575 2025] [alias:warn] [pid 40053] AH00671: The Alias directive in /etc/httpd/conf.d/autoindex.conf at line 21 will probably never match because it overlaps an earlier Alias.\nAH00526: Syntax error on line 8 of /etc/httpd/conf.d/vhosts-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/atractor.pt/cert.pem' does not exist or is empty\n")

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rdvrsgcl.atractor.pt.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Error while running apachectl configtest.

[Tue Apr 08 12:33:11.202525 2025] [alias:warn] [pid 40057] AH00671: The Alias directive in /etc/httpd/conf.d/autoindex.conf at line 21 will probably never match because it overlaps an earlier Alias.
AH00526: Syntax error on line 8 of /etc/httpd/conf.d/vhosts-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/atractor.pt/cert.pem' does not exist or is empty

Failed to renew certificate rdvrsgcl.atractor.pt with error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apachectl configtest.\n\n[Tue Apr 08 12:33:11.202525 2025] [alias:warn] [pid 40057] AH00671: The Alias directive in /etc/httpd/conf.d/autoindex.conf at line 21 will probably never match because it overlaps an earlier Alias.\nAH00526: Syntax error on line 8 of /etc/httpd/conf.d/vhosts-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/atractor.pt/cert.pem' does not exist or is empty\n")


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/atractor.pt-0001/fullchain.pem (failure)
/etc/letsencrypt/live/rdvrsgcl.atractor.pt/fullchain.pem (failure)


Line 8 of /etc/httpd/conf.d/vhosts-le-ssl.conf is:

SSLCertificateFile /etc/letsencrypt/live/atractor.pt/cert.pem

that seems to refer to the deleted certificate. In any case I tried to access
https://www.atractor.pt/ and there was no problem, maybe it would fail if
the server is rebooted...

As I am a bit lost on how to correct this file here is its contents after that line:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/atractor.pt/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/atractor.pt/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/atractor.pt/chain.pem



<VirtualHost *:443>
ServerName rdvrsgcl.atractor.pt
#Redirect permanent / https://www.fc.up.pt/
DocumentRoot /var/www/html/vn
RewriteEngine on
RewriteRule ^/.well-known/ - [L]
RewriteCond %{HTTP_HOST} ^rdvrsgcl*.atractor.pt$
RewriteRule ^/(.*)$ http://localhost:4723/$1 [proxy]
ProxyPassReverse / http://localhost:4723/
#ProxyPass / http://localhost:4723/
#ProxyPassReverse / http://localhost:4723/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/atractor.pt/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/atractor.pt/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/atractor.pt/chain.pem
</VirtualHost>
</IfModule>

Any help will be most appreciated!

@MikeMcQ I think you had the incorrect certificate name in the suggested command :wink:


Yes, it would seem so. Except their system never returned the certificate that used three names. I don't know how that mix-up could have happened. I don't have a lot of time right at the moment but will look at it further as soon as I can. Otherwise some manual changes to the Apache config should get the system working again.

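
The dry-run failure in this thread came from deleting a lineage that vhosts-le-ssl.conf still referenced. A pre-delete check along these lines is an added example, not part of any post and not Certbot's own code; the function names and the sample tree are constructed, and it reads only `*.conf` files without following `Include` directives.

```sh
#!/bin/sh
# Added example (not from the thread): audit Apache SSLCertificate* directives
# against certbot lineage directories. All paths are parameters.
TAB=$(printf '\t')

# Emit "file<TAB>line<TAB>directive<TAB>path" for each active (uncommented) directive.
ssl_directives() (
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v f="$f" 'tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
            gsub(/"/, "", $2); printf "%s\t%d\t%s\t%s\n", f, FNR, $1, $2 }' "$f"
    done
)

# Directives pointing into one lineage; run before `certbot delete --cert-name NAME`.
# The trailing "/" keeps "atractor.pt" from matching "atractor.pt-0001".
refs_to_lineage() (   # args: conf_dir live_dir cert_name
    ssl_directives "$1" | awk -F'\t' -v p="$2/$3/" 'index($4, p) == 1'
)

# Directives whose target is missing or empty, the condition configtest rejects.
dangling_refs() (     # args: conf_dir
    ssl_directives "$1" | while IFS="$TAB" read -r file line dir path; do
        [ -s "$path" ] || printf '%s\t%s\t%s\t%s\n' "$file" "$line" "$dir" "$path"
    done
)

# Constructed sample tree mirroring the thread: the vhost file still names the
# "atractor.pt" lineage, but only "atractor.pt-0001" exists on disk.
make_sample_tree() (
    t=$(mktemp -d)
    mkdir -p "$t/conf.d" "$t/live/atractor.pt-0001"
    for n in cert privkey chain; do echo pem > "$t/live/atractor.pt-0001/$n.pem"; done
    cat > "$t/conf.d/vhosts-le-ssl.conf" <<EOF
<VirtualHost *:443>
ServerName rdvrsgcl.atractor.pt
#SSLCertificateFile $t/live/old/cert.pem
SSLCertificateFile $t/live/atractor.pt/cert.pem
SSLCertificateKeyFile $t/live/atractor.pt/privkey.pem
SSLCertificateChainFile $t/live/atractor.pt/chain.pem
</VirtualHost>
EOF
    echo "$t"
)

t=$(make_sample_tree)
echo "References to lineage atractor.pt:"; refs_to_lineage "$t/conf.d" "$t/live" atractor.pt
echo "Dangling references:";               dangling_refs "$t/conf.d"
```

On the server in the thread the call would be `refs_to_lineage /etc/httpd/conf.d /etc/letsencrypt/live atractor.pt`; any output means the Apache config has to be repointed to another lineage before that one is deleted.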