Certbot no longer works

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: newstarmotel.dyn-o-saur.com, nsmrentalproperties.from-ca.com

I ran this command: sudo certbot --apache

It produced this output: Website not secure

My web server is (include version): Ubuntu 22.04

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): n/a

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Hello--

I had several virtual websites working on my Ubuntu 22.04 server. For some reason, after I changed my router and my IP address changed, I lost the https security. So, I tried reinstalling the certificates. That did not work. So, I manually removed all domains in the /etc/letsencrypt directories {live, archive, csr, renewal}:

e.g. sudo rm -rf /etc/letsencrypt/archive/newstarmotel.dyn-o-saur.com

That still did not work.

So, I uninstalled and reinstalled certbot. That still did not work.

For the domain newstarmotel.dyn-o-saur.com, now it says that I have to wait 2 days because there are 5 certs for this domain.

Please help.

I won't have any more time tonight to walk through all these issues.

But, your problem probably originated with the changed IP. Either your DNS was still pointing to the prior IP. Or, perhaps your ISP imposed new restrictions on port 80 and/or 443. Or a setting in your new router was faulty (like any NAT or port forwarding).

Right now I cannot reach either of your domains using HTTP (port 80) or HTTPS (port 443). And, Let's Debug and Let's Encrypt Staging system both fail to reach your domain using HTTP. I think something may be wrong with your comms config now. And, possibly even with Apache too.

How did you get the 5 certs that are now causing a rate limit for a 6th?

Did you read the Rate Limit page linked to in the error message? (This page) There is a work-around that may work for you given what I see in your cert history.

By the way, the method you used to delete certs was poor. There is a Certbot delete command for that and also you must remove all references to those deleted files from your Apache web server otherwise it will fail to start.

To safely delete certs see:
https://eff-certbot.readthedocs.io/en/latest/using.html#safely-deleting-certificates

4 Likes

Hi Mike--

Thanks for replying. I can access http://newstarmotel.dyn-o-saur.com and http://nsmrentalproperties.from-ca.com. It just says Not Secure or Proceed with Caution without the security certificates. Perhaps you are using a government computer, which may block it? IDK

I tried several times to run certbot; so maybe I exceeded the limit. Although I can do the work around, my other sites that have not exceeded the limit still are not secure.

Yes, I know now that I deleted the certs poorly. Too late now. I will use your suggested command below in the future.

Harry

1 Like

Thanks so much Mike! I forgot to open port 443. Duh! Working now :slightly_smiling_face:

3 Likes

Oh, I think I may have spoken too soon. I'm getting mixed results on different devices. Sigh

1 Like

Reboot the system so old Apache processes are surely killed.

5 Likes

Ok, so I narrowed down the problem to the domain https://newstarmotel.dyn-o-saur.com as the only one that is not working. On some browsers, the www is added automatically as in https://www.newstarmotel.dyn-o-saur.com. Then that one works. I cannot re-install the first certificate until 2 days from now.

You should resume getting a cert with both of those domain names on it like you were doing previously. That way both the www and the root name will both work.

At the link below you can see the certificate you got in May had both names. Since then you have gotten many certs with just one or the other.

What do these show now?

sudo certbot certificates
sudo apache2ctl -t-D DUMP_VHOSTS
4 Likes

The "sudo certbot certificates" command shows that the root domain name https://newstarmotel.dyn-o-saur.com is missing, but the www is there.

The "sudo apache2ctl -t-D DUMP_VHOSTS" command did not work.

I tried running "sudo certbot --apache" again, but it said I must wait until 7-17 or 168 hours. The date is inconsistent with that shown by the crt.sh list.

Please show the entire sudo certbot certificates output. We will need that to resolve the problem completely.

And, sorry, I mistyped the other command. I omitted a space after -t. Please show output of

sudo apache2ctl -t -D DUMP_VHOSTS
3 Likes

Found the following certs:

Certificate Name: gilllab.dyndns-wiki.com
Serial Number: 3d1bef59449dcf937dc5d2afefa0a5b3c4a
Key Type: RSA
Domains: gilllab.dyndns-wiki.com
Expiry Date: 2024-10-14 04:03:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/gilllab.dyndns-wiki.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gilllab.dyndns-wiki.com/privkey.pem

Certificate Name: newstarmotel.homelinux.com
Serial Number: 3d421822ecf91e2c899b1452361b6012cf6
Key Type: RSA
Domains: newstarmotel.homelinux.com
Expiry Date: 2024-10-14 03:18:16+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/newstarmotel.homelinux.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/newstarmotel.homelinux.com/privkey.pem

Certificate Name: nsmrentalproperties.from-ca.com
Serial Number: 4cd70c32b1852271e3de4bd0f5b6d1a8198
Key Type: RSA
Domains: nsmrentalproperties.from-ca.com
Expiry Date: 2024-10-14 02:08:45+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/nsmrentalproperties.from-ca.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nsmrentalproperties.from-ca.com/privkey.pem

Certificate Name: www.newstarmotel.dyn-o-saur.com
Serial Number: 423c88b7dc8f250ef620b9fed6d06b2fe6f
Key Type: RSA
Domains: www.newstarmotel.dyn-o-saur.com
Expiry Date: 2024-10-14 03:10:19+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.newstarmotel.dyn-o-saur.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.newstarmotel.dyn-o-saur.com/privkey.pem

Certificate Name: www.newstarmotel.homelinux.com
Serial Number: 41abcb11f7d37db333e8876c4bec604b8c6
Key Type: RSA
Domains: www.newstarmotel.homelinux.com
Expiry Date: 2024-10-14 03:18:28+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.newstarmotel.homelinux.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.newstarmotel.homelinux.com/privkey.pem

Apache

*:443 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
alias www.gilllab.dyndns-wiki.com
port 443 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux-le-ssl.conf:2)
alias www.newstarmotel.homelinux.com
port 443 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:2)
alias www.newstarmotel.dyn-o-saur.com
port 443 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties-le-ssl.conf:2)
alias www.nsmrentalproperties.from-ca.com

*:80 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
alias www.gilllab.dyndns-wiki.com
port 80 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux.conf:1)
alias www.newstarmotel.homelinux.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:23)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:44)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:62)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel.conf:1)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties.conf:1)
alias www.nsmrentalproperties.from-ca.com

Those names are repeated four times.

3 Likes

The 3 extra VirtualHosts for port 80 somehow got put in the conf file for your port 443 VirtualHost (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf). While that is technically possible, you already had a VirtualHost for port 80 in its own file and that usually works best.

Once you fix your config so there is just one port 80 VirtualHost for dyn-o-saur then show the result of the command below. We want to create a single cert for all the names in a single VirtualHost. You have both the root name and its www subdomain in the same VirtualHost so we'll make a cert for those two (like you had before).

This is just a test command. The production command will be slightly different so just let us know the result of this after fixing the Apache config.

sudo certbot certonly --apache --dry-run --cert-name www.newstarmotel.dyn-o-saur.com -d www.newstarmotel.dyn-o-saur.com -d newstarmotel.dyn-o-saur.com

It will prompt you about adding a name to an existing cert. Confirm that.

3 Likes

I don't know why there were two duplicates in the conf file. But I now deleted them. Here is the output:

You are updating certificate www.newstarmotel.dyn-o-saur.com to include new
domain(s):

You are also removing previously included domain(s):
(None)

Did you intend to make this change?

(U)pdate certificate/(C)ancel: u
Simulating renewal of an existing certificate for www.newstarmotel.dyn-o-saur.com and newstarmotel.dyn-o-saur.com
The dry run was successful.

There were 4 total VirtualHosts for port 80 for the same set of domain names. There should (must) be only 1. So, overall there were 3 duplicates (probably all the ones in the le-ssl conf). The likely best one was in newstarmotel.conf.

The --dry-run test was good. But, let's double-check your Apache config. Please show

sudo apache2ctl -t -D DUMP_VHOSTS
3 Likes

Why did certbot put three of the same entries into the newstarmotel-le-ssl.conf file? I deleted these *ssl files before I ran certbot.

VirtualHost configuration:

*:443 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
alias www.gilllab.dyndns-wiki.com
port 443 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux-le-ssl.conf:2)
alias www.newstarmotel.homelinux.com
port 443 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:2)
alias www.newstarmotel.dyn-o-saur.com
port 443 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties-le-ssl.conf:2)
alias www.nsmrentalproperties.from-ca.com

*:80 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
alias www.gilllab.dyndns-wiki.com
port 80 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux.conf:1)
alias www.newstarmotel.homelinux.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:23)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel.conf:1)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties.conf:1)
alias www.nsmrentalproperties.from-ca.com

Still a little confused; the newstarmotel-le-ssl.conf file has entries for both 443 and 80 ports (see below), while my other virtual sites like nsmrentalproperties-le-ssl.conf only have port 443.

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName newstarmotel.dyn-o-saur.com
ServerAlias www.newstarmotel.dyn-o-saur.com
DocumentRoot /var/www/newstarmotel.dyn-o-saur.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =newstarmotel.dyn-o-saur.com [OR]
# RewriteCond %{SERVER_NAME} =www.newstarmotel.dyn-o-saur.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.newstarmotel.dyn-o-saur.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.newstarmotel.dyn-o-saur.com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>

<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName newstarmotel.dyn-o-saur.com
ServerAlias www.newstarmotel.dyn-o-saur.com
DocumentRoot /var/www/newstarmotel.dyn-o-saur.com
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =newstarmotel.dyn-o-saur.com [OR]
# RewriteCond %{SERVER_NAME} =www.newstarmotel.dyn-o-saur.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

RewriteCond %{SERVER_NAME} =www.newstarmotel.dyn-o-saur.com [OR]
RewriteCond %{SERVER_NAME} =newstarmotel.dyn-o-saur.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>

I don't know how that happened. With the --apache option Certbot will create a port 443 VirtualHost the first time it runs. But, it would not create one for port 80.

You should not need to delete VirtualHost or Apache config files during normal operation.

Yes, those others look correct. This "extra" port 80 VirtualHost in your le-ssl.conf is not correct. You should remove it. I do not know how it got there.

We need to see a "clean" dump_vhosts output before proceeding. Please run that apache2ctl command after making the above changes.

3 Likes
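The two problems diagnosed above (the same ServerName declared for port 80 several times, and a port 80 VirtualHost living in a -le-ssl.conf file) can be spotted mechanically from the DUMP_VHOSTS output. This is an added example, not a command from this thread or from Certbot; the sample dump is constructed to mirror the shape of the output posted earlier, and the function name find_duplicate_vhosts is my own.

```shell
#!/bin/sh
# Constructed sample in the shape of `apache2ctl -t -D DUMP_VHOSTS` output,
# trimmed to the lines that matter for the check.
SAMPLE_DUMP='VirtualHost configuration:
*:443 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:23)
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:44)
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel.conf:1)'

# Reads a DUMP_VHOSTS listing on stdin. Reports:
#   - every port 80 vhost declared inside a Certbot-style *-le-ssl.conf file
#   - every (port, ServerName) pair declared more than once, with the
#     file:line of each declaration so you know which copies to remove
find_duplicate_vhosts() {
    awk '
        # "port 80 namevhost NAME (FILE:LINE)" -> $2=port $4=name $5=location
        $1 == "port" && $3 == "namevhost" {
            if ($2 == "80" && $5 ~ /-le-ssl\.conf:/)
                printf "port 80 vhost in TLS conf file: %s %s\n", $4, $5
            key = $2 " " $4
            count[key]++
            where[key] = where[key] " " $5
        }
        END {
            for (key in count)
                if (count[key] > 1)
                    printf "%s x%d:%s\n", key, count[key], where[key]
        }' | sort
}

printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_vhosts
```

On the server itself, feed it the live listing: `sudo apache2ctl -t -D DUMP_VHOSTS | find_duplicate_vhosts`; an empty result is the "clean" state asked for above.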

Ok, removed the port 80 in the le-ssl.conf file. Here's the new output:

VirtualHost configuration:
*:443 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
port 443 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab-le-ssl.conf:2)
alias www.gilllab.dyndns-wiki.com
port 443 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux-le-ssl.conf:2)
alias www.newstarmotel.homelinux.com
port 443 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel-le-ssl.conf:2)
alias www.newstarmotel.dyn-o-saur.com
port 443 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties-le-ssl.conf:2)
alias www.nsmrentalproperties.from-ca.com
*:80 is a NameVirtualHost
default server gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
port 80 namevhost gilllab.dyndns-wiki.com (/etc/apache2/sites-enabled/gilllab.conf:1)
alias www.gilllab.dyndns-wiki.com
port 80 namevhost newstarmotel.homelinux.com (/etc/apache2/sites-enabled/homelinux.conf:1)
alias www.newstarmotel.homelinux.com
port 80 namevhost newstarmotel.dyn-o-saur.com (/etc/apache2/sites-enabled/newstarmotel.conf:1)
alias www.newstarmotel.dyn-o-saur.com
port 80 namevhost nsmrentalproperties.from-ca.com (/etc/apache2/sites-enabled/nsmrentalproperties.conf:1)
alias www.nsmrentalproperties.from-ca.com