Certbot fails to renew certificates

Help
21

@migfilg Sorry about this problem. I don't know why that happened.

But, we can get your Apache working again (hopefully) with this change

In this file:

/etc/httpd/conf.d/vhosts-le-ssl.conf:

Inside the VirtualHost section that starts

<VirtualHost\ :443>
ServerName rdvrsgcl.atractor.pt

Change these 3 lines from:

SSLCertificateFile /etc/letsencrypt/live/atractor.pt/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/atractor.pt/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/atractor.pt/chain.pem

To this:

SSLCertificateFile /etc/letsencrypt/live/rdvrsgcl.atractor.pt/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/rdvrsgcl.atractor.pt/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/rdvrsgcl.atractor.pt/chain.pem

Then, reload Apache and try showing output of this

sudo apachectl -t -D DUMP_VHOSTS

Update: You may need to use httpd instead of apachectl on your system

If that worked try this again:

sudo certbot renew --dry-run
3 Likes
22

Thanks a lot! It seems to be working, but I had to also replace the certificate names in both virtual host entries. So the final message of the dry run was:

Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/atractor.pt-0001/fullchain.pem (success)
/etc/letsencrypt/live/rdvrsgcl.atractor.pt/fullchain.pem (success)

My sincere thanks to all who helped on this!

1 Like
23

It is good the dry-run worked. But, something is still very strange with your Apache config.

HTTPS requests to all 3 of the domains worked fine before and did not use the cert that had all 3 names in it. And, they still don't now (which is good). So, the lines in Apache that named that 3-domain cert are not used for actual HTTPS requests.

You likely have overlapping VirtualHost definitions in Apache. Apache allows this but it rarely produces correct results.

If you want help fixing that please show output of this

2 Likes
24

Sorry I forgot to send the output of that command; here it goes, but I am not sure how to use it...

*httpd -t -D DUMP_VHOSTS
[Tue Apr 08 17:23:48.464320 2025] [alias:warn] [pid 62317] AH00671: The *Alias directive in /etc/httpd/conf.d/autoindex.conf at line 21 will probably never match because it overlaps an earlier Alias.

VirtualHost configuration:
:443                  is a NameVirtualHost
        default server atractor.pt (/etc/httpd/conf.d/ssl.conf:60)
         port 443 namevhost atractor.pt (/etc/httpd/conf.d/ssl.conf:60)
              alias www.atractor.pt
         port 443 namevhost rdvrsgcl.atractor.pt (/etc/httpd/conf.d/ssl.conf:72)
         port 443 namevhost atractor.pt (/etc/httpd/conf.d/vhosts-le-ssl.conf:2)
              alias www.atractor.pt          
         port 443 namevhost rdvrsgcl.atractor.pt (/etc/httpd/conf.d/vhosts-le-ssl.conf:14)
:80                   is a NameVirtualHost
         default server rdvrsgcl.atractor.pt (/etc/httpd/conf.d/vhosts.conf:1)
         port 80 namevhost rdvrsgcl.atractor.pt (/etc/httpd/conf.d/vhosts.conf:1)
         port 80 namevhost atractor.pt (/etc/httpd/conf.d/vhosts.conf:16)               
              alias www.atractor.pt*
25

The duplicated domain names for the same port 443 (HTTPS) was causing the trouble. And possibly still is. We can get this sorted out.

Please show the contents of the two config files

/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/vhosts-le-ssl.conf

I am pretty sure I know what needs to be done. But, this time I want to check before-hand to be sure I don't give you wrong advice :slight_smile:

2 Likes
26

Please show the contents of the two config files
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/vhosts-le-ssl.conf
I am pretty sure I know what needs to be done. But, this time I want to check before-hand to be sure I don't give you wrong advice 
:laughing:

I enclose the two files as one of them has 89 lines...

etc_httpd_conf.d_ssl.conf.txt (3.3 KB)
etc_httpd_conf.d_vhosts-le-ssl.conf.txt (1.2 KB)

2 Likes
27

Okay, you can delete the /etc/httpd/conf.d/vhosts-le-ssl-conf file

You could make a backup first but I am confident you won't have problems. And, you have a copy in your previous post :slight_smile:

Why is the ssl.conf file better?

  1. It has default SSL settings that have always been active so you should keep using them
  2. Both VirtualHosts name the correct SSL files for the ServerName and Alias
  3. The VirtualHosts in the vhosts file are identical to the ones in ssl.conf except the vhosts uses the wrong cert file for atractor.pt. You changed vhosts to use a valid cert file which avoided the Apache syntax error. But, you used rdvrsgcl cert for atractor.pt. This wouldn't validate properly so we know it isn't being used by Apache anyway.

After you remove vhosts-le-ssl-conf redo the DUMP_VHOSTS command from earlier. You will then see each domain name just once for each port.

And, do below just as final test it is okay

sudo certbot renew --dry-run
2 Likes
28

Okay, you can delete the /etc/httpd/conf.d/vhosts-le-ssl-conf file
You could make a backup first but I am confident you won't have
problems. And, you have a copy in your previous post

Yes, but I just renamed it by appending "_NOT_IN_USE" as there may be someone else taking care of this in the future.

Then I restarted Apache, DUMP_VHOSTS and certbot renew --dry-run:

  • apachectl restart

  • httpd -t -D DUMP_VHOSTS
    [Thu Apr 10 11:11:04.307942 2025] [alias:warn] [pid 47848] AH00671: The Alias directive in /etc/httpd/conf.d/autoindex.conf at line 21 will probably never match because it overlaps an earlier Alias.

About this warning: line 21 is Alias /icons/ "/usr/share/httpd/icons/"

VirtualHost configuration:
*:443 is a NameVirtualHost
default server atractor.pt (/etc/httpd/conf.d/ssl.conf:60)
port 443 namevhost atractor.pt (/etc/httpd/conf.d/ssl.conf:60)
alias www.atractor.pt
port 443 namevhost rdvrsgcl.atractor.pt (/etc/httpd/conf.d/ssl.conf:72)
*:80 is a NameVirtualHost
default server rdvrsgcl.atractor.pt (/etc/httpd/conf.d/vhosts.conf:1)
port 80 namevhost rdvrsgcl.atractor.pt (/etc/httpd/conf.d/vhosts.conf:1)
port 80 namevhost atractor.pt (/etc/httpd/conf.d/vhosts.conf:16)
alias www.atractor.pt

  • certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/atractor.pt-0001.conf

Simulating renewal of an existing certificate for atractor.pt and www.atractor.pt

Processing /etc/letsencrypt/renewal/rdvrsgcl.atractor.pt.conf

Simulating renewal of an existing certificate for rdvrsgcl.atractor.pt

Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/atractor.pt-0001/fullchain.pem (success)
/etc/letsencrypt/live/rdvrsgcl.atractor.pt/fullchain.pem (success)

So it is working :slightly_smiling_face: and I renew my very sincere thanks for all the help on this!

Best wishes!

2 Likes
29

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.