I ran this command:
brew certbot
It produced this output:
error log below
My web server is (include version):
Apache
The operating system my web server runs on is (include version):
10.13.6
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0
Last login: Wed Dec 29 23:24:48 on ttys000
HOSTNAME2:~ username$ sudo -s
Password:
bash-3.2# cat /var/log/letsencrypt/letsencrypt.log
2021-11-29 10:35:17,788:DEBUG:certbot._internal.main:certbot version: 1.13.0
2021-11-29 10:35:17,791:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/Cellar/certbot/1.13.0/libexec/bin/certbot
2021-11-29 10:35:17,791:DEBUG:certbot._internal.main:Arguments: ['-v']
2021-11-29 10:35:17,791:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-29 10:35:18,118:DEBUG:certbot._internal.log:Root logging level set at 10
2021-11-29 10:35:18,119:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-29 10:35:18,142:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2021-11-29 10:35:18,539:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.33
2021-11-29 10:35:19,269:WARNING:certbot_apache._internal.configurator:Could not find ssl_module; not disabling session tickets.
2021-11-29 10:35:19,299:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#nginx): Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.
Traceback (most recent call last):
File "/usr/local/Cellar/certbot/1.13.0/libexec/lib/python3.9/site-packages/certbot/_internal/plugins/disco.py", line 150, in prepare
self._initialized.prepare()
File "/usr/local/Cellar/certbot/1.13.0/libexec/vendor/lib/python3.9/site-packages/certbot_nginx/_internal/configurator.py", line 188, in prepare
raise errors.NoInstallationError(
certbot.errors.NoInstallationError: Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.
2021-11-29 10:35:19,304:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x1058ae3d0>
Prep: True
2021-11-29 10:35:19,305:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x1058ae3d0> and installer <certbot_apache._internal.override_darwin.DarwinConfigurator object at 0x1058ae3d0>
2021-11-29 10:35:19,306:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-11-29 10:35:19,350:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/97198019', new_authzr_uri=None, terms_of_service=None), 8a774b7ad7c6fe619464d8b3c0416c86, Meta(creation_dt=datetime.datetime(2020, 9, 21, 7, 56, 18, tzinfo=), creation_host='HOSTNAME.macmedic.com.au', register_to_eff=None))>
2021-11-29 10:35:19,364:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-11-29 10:35:19,689:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-11-29 10:35:20,251:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-11-29 10:35:20,252:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 28 Nov 2021 23:35:20 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"MBlh_lkMx0c": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-11-29 10:35:48,808:DEBUG:certbot.display.util:Notifying user: Requesting a certificate for cat and /var/log/letsencrypt/letsencrypt.log
2021-11-29 10:35:48,840:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0007_key-certbot.pem
2021-11-29 10:35:48,843:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0007_csr-certbot.pem
2021-11-29 10:35:48,844:DEBUG:acme.client:Requesting fresh nonce
2021-11-29 10:35:48,844:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-11-29 10:35:49,228:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-11-29 10:35:49,229:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 28 Nov 2021 23:35:49 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002RLUtXmxggBVL2sX4thmtImtjqz-mSpPNljtW8m-lpW0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
2021-11-29 10:35:49,229:DEBUG:acme.client:Storing nonce: 0002RLUtXmxggBVL2sX4thmtImtjqz-mSpPNljtW8m-lpW0
2021-11-29 10:35:49,230:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "cat"\n },\n {\n "type": "dns",\n "value": "/var/log/letsencrypt/letsencrypt.log"\n }\n ]\n}'
2021-11-29 10:35:49,232:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvOTcxOTgwMTkiLCAibm9uY2UiOiAiMDAwMlJMVXRYbXhnZ0JWTDJzWDR0aG10SW10anF6LW1TcFBObGp0VzhtLWxwVzAiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
"signature": "VligyoMgJ898r-qjBe7I4N9AiJUdekBUWJhHG_iVRbfopkux-96Qri41KX_UAu9Nj15BDsOwEqJhC5glDHrgma724FAuzQVvBMkzEehtOhEZyZFxrijsvY9HZ1JFhWiNiZgitB-jznVOIxU0slGA8c9T5a-lcuSn-KEwQuPXUubZav50dwWyyeYY24udF2RirNuXhD5g7BbIAJ7fpLi3yZTbYJluQXB4WbTTcKFuN6S5Po_p5BY0R2kXNAJlSy-jFOVSc6oenTWw5mk4rfPxpSUYm8Nr9K7-ZBs1Xwiadf3e5lR_vLtuXciqsQ-0WSyMTpxJl3WE3mMalj5N5tkMjQ",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImNhdCIKICAgIH0sCiAgICB7CiAgICAgICJ0eXBlIjogImRucyIsCiAgICAgICJ2YWx1ZSI6ICIvdmFyL2xvZy9sZXRzZW5jcnlwdC9sZXRzZW5jcnlwdC5sb2ciCiAgICB9CiAgXQp9"
}
2021-11-29 10:35:49,439:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 400 862
2021-11-29 10:35:49,439:DEBUG:acme.client:Received response:
HTTP 400
Server: nginx
Date: Sun, 28 Nov 2021 23:35:49 GMT
Content-Type: application/problem+json
Content-Length: 862
Connection: keep-alive
Boulder-Requester: 97198019
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0002F3NPwhpqS-1bZIPrAWEeh95n8mNCDaYPDClfnzNT3n0
{
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail": "Error creating new order :: Cannot issue for "/var/log/letsencrypt/letsencrypt.log": Domain name contains an invalid character (and 1 more problems. Refer to sub-problems for more information.)",
"status": 400,
"subproblems": [
{
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail": "Error creating new order :: Domain name contains an invalid character",
"status": 400,
"identifier": {
"type": "dns",
"value": "/var/log/letsencrypt/letsencrypt.log"
}
},
{
"type": "urn:ietf:params:acme:error:rejectedIdentifier",
"detail": "Error creating new order :: Domain name needs at least one dot",
"status": 400,
"identifier": {
"type": "dns",
"value": "cat"
}
}
]
}
2021-11-29 10:35:49,440:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/Cellar/certbot/1.13.0/libexec/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot==1.13.0', 'console_scripts', 'certbot')())
File "/usr/local/Cellar/certbot/1.13.0/libexec/lib/python3.9/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/local/Cellar/certbot/1.13.0/libexec/lib/python3.9/site-packages/certbot/_internal/main.py", line 1421, in main
return config.func(config, plugins)
File "/usr/local/Cellar/certbot/1.13.0/libexec/lib/python3.9/site-packages/certbot/_internal/main.py", line 1162, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/usr/local/Cellar/certbot/1.13.0/libexec/lib/python3.9/site-packages/certbot/_internal/main.py", line 134, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/local/Cellar/certbot/1.13.0/libexec/lib/python3.9/site-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/local/Cellar/certbot/1.13.0/libexec/lib/python3.9/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/local/Cellar/certbot/1.13.0/libexec/lib/python3.9/site-packages/certbot/_internal/client.py", line 406, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem)
File "/usr/local/Cellar/certbot/1.13.0/libexec/vendor/lib/python3.9/site-packages/acme/client.py", line 873, in new_order
return self.client.new_order(csr_pem)
File "/usr/local/Cellar/certbot/1.13.0/libexec/vendor/lib/python3.9/site-packages/acme/client.py", line 655, in new_order
response = self._post(self.directory['newOrder'], order)
File "/usr/local/Cellar/certbot/1.13.0/libexec/vendor/lib/python3.9/site-packages/acme/client.py", line 84, in _post
return self.net.post(*args, **kwargs)
File "/usr/local/Cellar/certbot/1.13.0/libexec/vendor/lib/python3.9/site-packages/acme/client.py", line 1188, in post
return self._post_once(*args, **kwargs)
File "/usr/local/Cellar/certbot/1.13.0/libexec/vendor/lib/python3.9/site-packages/acme/client.py", line 1201, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/local/Cellar/certbot/1.13.0/libexec/vendor/lib/python3.9/site-packages/acme/client.py", line 1059, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:rejectedIdentifier :: The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "/var/log/letsencrypt/letsencrypt.log": Domain name contains an invalid character (and 1 more problems. Refer to sub-problems for more information.)
2021-11-29 10:35:49,446:ERROR:certbot._internal.log:An unexpected error occurred:
2021-11-29 10:35:49,446:ERROR:certbot._internal.log:The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "/var/log/letsencrypt/letsencrypt.log": Domain name contains an invalid character (and 1 more problems. Refer to sub-problems for more information.)
bash-3.2#
VERSION OF CURL
$ /usr/local/opt/curl/bin/curl -V
curl 7.80.0 (x86_64-apple-darwin17.7.0) libcurl/7.80.0 (SecureTransport) OpenSSL/1.1.1l zlib/1.2.11 brotli/1.0.9 zstd/1.5.0 libidn2/2.3.2 libssh2/1.10.0 nghttp2/1.46.0 librtmp/2.3 OpenLDAP/2.6.0
Release-Date: 2021-11-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets zstd
CONTENTS OF sudo certbot certificates
HOSTNAME:~ sadmin$ sudo certbot certificates
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: sub.domain.com.au
Serial Number: 5de960636eb371a5c6c2422bc657882a23522
Key Type: RSA
Domains: sub.domain.com.au
Expiry Date: 2021-12-31 07:21:08+00:00 (VALID: 1 day)
Certificate Path: /etc/letsencrypt/live/sub.domain.com.au/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sub.domain.com.au/privkey.pem
HOSTNAME:~ sadmin$ sudo -s
bash-3.2# cd /etc/letsencrypt/
bash-3.2#
bash-3.2# ls
.updated-options-ssl-apache-conf-digest.txt csr options-ssl-apache.conf
accounts keys renewal
archive live renewal-hooks
bash-3.2# ls -l
total 16
-rw-r--r-- 1 root wheel 64 29 Nov 10:35 .updated-options-ssl-apache-conf-digest.txt
drwx------ 3 root wheel 102 21 Sep 2020 accounts
drwx------ 3 root wheel 102 21 Sep 2020 archive
drwxr-xr-x 10 root wheel 340 29 Nov 10:35 csr
drwx------ 10 root wheel 340 29 Nov 10:35 keys
drwx------ 4 root wheel 136 21 Sep 2020 live
-rw-r--r-- 1 root wheel 924 29 Nov 10:35 options-ssl-apache.conf
drwxr-xr-x 3 root wheel 102 2 Oct 18:21 renewal
drwxr-xr-x 5 root wheel 170 21 Sep 2020 renewal-hooks
bash-3.2# cd archive/