Certbot no longer working for me

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portman.no-ip.biz and vimcor.com

I ran this command: sudo certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/portman.no-ip.biz-0001.conf


Failed to renew certificate portman.no-ip.biz-0001 with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fba267ed100>: Failed to establish a new connection: [Errno -2] Name or service not known'))


Processing /etc/letsencrypt/renewal/portman.no-ip.biz.conf


Failed to renew certificate portman.no-ip.biz with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fba266cdd30>: Failed to establish a new connection: [Errno -2] Name or service not known'))


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/portman.no-ip.biz-0001/fullchain.pem (failure)
/etc/letsencrypt/live/portman.no-ip.biz/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

My web server is (include version): apache2-bin (2.4.41-4ubuntu3.17)

The operating system my web server runs on is (include version): Linux Mint 64

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

I wanted to add that it was working fine as of February (the last auto update). I have searched the forums before posting especially about geo blocked domains and as near as I can tell none are blocked.

That seems concerning...

What shows?:

certbot certificates


I don't know why it added the -0001 I think it was always there?? It was working before, so I am not sure that is the issue??

This looks like your system can't resolve the name of the Let's Encrypt API server. Can your system connect to other places on the Internet?

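The diagnosis in the reply above can be read directly from the error text. The following is an added example, not part of the original thread: it parses `certbot renew` failure lines and separates resolver failures (negative glibc `getaddrinfo()` codes) from connection failures (positive errnos). The first two sample entries come from the output posted above; the third, along with the function and field names, is constructed for contrast.

```python
import re

# glibc getaddrinfo() error codes (<netdb.h>). They are negative, so they
# cannot be confused with positive connect() errnos such as 111 (ECONNREFUSED).
GAI_ERRORS = {-2: "EAI_NONAME", -3: "EAI_AGAIN", -4: "EAI_FAIL"}

# First two failures are from the thread (object addresses trimmed);
# the third is a constructed contrast case, not from the thread.
SAMPLE = """\
Processing /etc/letsencrypt/renewal/portman.no-ip.biz-0001.conf
Failed to renew certificate portman.no-ip.biz-0001 with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object>: Failed to establish a new connection: [Errno -2] Name or service not known'))
Processing /etc/letsencrypt/renewal/portman.no-ip.biz.conf
Failed to renew certificate portman.no-ip.biz with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object>: Failed to establish a new connection: [Errno -2] Name or service not known'))
Processing /etc/letsencrypt/renewal/example.test.conf
Failed to renew certificate example.test with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object>: Failed to establish a new connection: [Errno 111] Connection refused'))
"""

FAILURE = re.compile(
    r"Failed to renew certificate (\S+) with error: .*?"
    r"host='([^']+)', port=(\d+)\).*?\[Errno (-?\d+)\] ([^']+)'"
)

def classify(output):
    """Return one finding per failed lineage, tagged with the failing layer."""
    findings = []
    for m in FAILURE.finditer(output):
        cert, host, port, errno, message = m.groups()
        errno = int(errno)
        if errno in GAI_ERRORS:
            # The name never resolved, so no packet reached the ACME server.
            layer, hint = "dns", f"check resolver config, then: getent hosts {host}"
        elif errno > 0:
            layer, hint = "connect", f"name resolved; check route/firewall to {host}:{port}"
        else:
            layer, hint = "unknown", "inspect /var/log/letsencrypt/letsencrypt.log"
        findings.append({"cert": cert, "host": host, "errno": errno,
                         "symbol": GAI_ERRORS.get(errno), "layer": layer,
                         "message": message, "hint": hint})
    return findings

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f"{f['cert']}: {f['layer']} failure ({f['message']}) -> {f['hint']}")
```
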

I also wondered about not finding services for the acme server. I tried to ping it from a different pc (same office) and it would say server not found. I have not changed DNS servers from when it was working properly, though??

From certbot certificates:


Found the following certs:
Certificate Name: portman.no-ip.biz-0001
Serial Number: 4691e1554c08eba623c5f7d09e189c6473a
Key Type: RSA
Domains: portman.no-ip.biz
Expiry Date: 2024-08-12 21:12:42+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/portman.no-ip.biz-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/portman.no-ip.biz-0001/privkey.pem
Certificate Name: portman.no-ip.biz
Serial Number: 37607fdc673ac9be211ec8dccb23b4a3928
Key Type: ECDSA
Domains: portman.no-ip.biz smartvestoraltoona.com vimcor.com
Expiry Date: 2024-08-13 21:14:22+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/portman.no-ip.biz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/portman.no-ip.biz/privkey.pem



As Peter noted earlier there is some problem with your system resolving domain names. You won't be able to renew your cert until you fix that.

What do these show?

curl -I https://acme-v02.api.letsencrypt.org/directory
curl -I https://google.com

This explains why the "-0001" cert exists:

The original cert had 3 domains, later a cert was issued with only one of the names.
That new cert just so happened to cover the same name as the first cert, so, the new cert name would have conflicted - thus the appended "-0001" to the new cert.

Which of those names do you still need a cert for?


I still need the second one with the three names...

That's actually the first one you got. The -0001 was the second one in the series.

And, I can see your server is currently using the one with 3 names. So, if you don't use that -0001 one with just one name you could (and should) delete it like:

sudo certbot delete --cert-name portman.no-ip.biz-0001

BUT, this does not fix the problem with your DNS resolving.

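The check behind the advice above (delete the `-0001` lineage only if nothing uses it) can be scripted. The following is an added example, not part of the original thread: it parses `certbot certificates` output, finds lineages whose names are all covered by another lineage, and keeps only those that no web server config references. The Apache fragment and all function names are assumptions made for illustration.

```python
# Built from the `certbot certificates` output quoted in this thread
# (serial, key type and path lines left out).
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: portman.no-ip.biz-0001
    Domains: portman.no-ip.biz
    Expiry Date: 2024-08-12 21:12:42+00:00 (INVALID: EXPIRED)
  Certificate Name: portman.no-ip.biz
    Domains: portman.no-ip.biz smartvestoraltoona.com vimcor.com
    Expiry Date: 2024-08-13 21:14:22+00:00 (INVALID: EXPIRED)
"""

# Constructed Apache fragment: an assumption, the real vhost is not in the thread.
APACHE_CONF = """\
SSLCertificateFile /etc/letsencrypt/live/portman.no-ip.biz/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/portman.no-ip.biz/privkey.pem
"""

def parse_lineages(text):
    """Return [{'name', 'domains', 'expired'}] from `certbot certificates` text."""
    lineages = []
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(": ")
        if not sep:
            continue
        if key == "Certificate Name":
            lineages.append({"name": value, "domains": set(), "expired": False})
        elif lineages and key == "Domains":
            lineages[-1]["domains"] = set(value.split())
        elif lineages and key == "Expiry Date":
            lineages[-1]["expired"] = "EXPIRED" in value
    return lineages

def covered_by(lineages):
    """Pairs (name, superset_name) where every domain is also on another lineage."""
    return [(a["name"], b["name"]) for a in lineages for b in lineages
            if a is not b and a["domains"] and a["domains"] < b["domains"]]

def referenced(name, conf_text):
    # Trailing slash matters: without it "portman.no-ip.biz" would also match
    # the "portman.no-ip.biz-0001" directory.
    return f"/etc/letsencrypt/live/{name}/" in conf_text

def deletion_candidates(lineages, conf_text):
    return [(n, sup) for n, sup in covered_by(lineages) if not referenced(n, conf_text)]

if __name__ == "__main__":
    for name, sup in deletion_candidates(parse_lineages(CERTBOT_OUTPUT), APACHE_CONF):
        print(f"{name}: covered by {sup}, not referenced; candidate for certbot delete")
```
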

Thanks.... it was a dns issue with only one pc? The others connected, but my server, for some reason, refused to use the DNS settings... now it is!


Thanks MikeMcQ,
I fixed the DNS issue on the server... don't know why it was ignoring the DNS settings, but that is fixed.
I also did delete the non-used cert, and ran the renew script and now my system is working again.

Thank you for your assistance.... much appreciated.
