Certbot renew does not work anymore


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.uebleis.at

I ran this command:
certbot --version || certbot-auto --version
grep '^pref_challs.tls-sni-01' /etc/letsencrypt/renewal/

sudo /opt/bitnami/ctlscript.sh stop apache
sudo certbot renew

It produced this output:
bitnami@linux:~ certbot --version || certbot-auto --version
certbot 0.28.0
bitnami@linux:~ grep '^pref_challs.tls-sni-01' /etc/letsencrypt/renewal/
bitnami@linux:~ sudo /opt/bitnami/ctlscript.sh stop apache
[sudo] password for bitnami:
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
bitnami@linux:~ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.uebleis.at.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.uebleis.at
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.uebleis.at) from /etc/letsencrypt/renewal/www.uebleis.at.conf produced an unexpected error: Failed authorization procedure. www.uebleis.at (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.uebleis.at/.well-known/acme-challenge/M0Uq_dId-TADgL2jNk0J8yGI4CECFqmBLGYcVNIn6_8: "\n<html lang="de-de" dir="ltr">\n\n\t<meta charset="utf-8" />\n\t404 - Kategorie nicht gefunden\n\t<". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.uebleis.at/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.uebleis.at/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.uebleis.at
    Type: unauthorized
    Detail: Invalid response from
    http://www.uebleis.at/.well-known/acme-challenge/M0Uq_dId-TADgL2jNk0J8yGI4CECFqmBLGYcVNIn6_8:
    "\n<html lang="de-de"
    dir="ltr">\n\n\t<meta charset="utf-8" />\n\t404 -
    Kategorie nicht gefunden\n\t<"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    bitnami@linux:~$

My web server is (include version):
apache2 from 2.4.7-1

The operating system my web server runs on is (include version):
ubuntu4.21
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

I have successfully renewed my certificate several times, always stopping apache and running certbot renew. This time I am receiving the above error messages.

I have a peculiar setup, maybe that is the problem, but this setup has not changed since I installed certbot.

My Fritzbox transfers requests on port 80 to my homepage web server and https requests to the linux owncloud server.
I also tried to request the certificate without stopping my linux apache but this does not work either. Unfortunately I have no idea what certbot does, so I cannot really help myself. I also do not understand the error message.

Here is the output when I don't stop the apache server:

bitnami@linux:~$ sudo certbot renew
[sudo] password for bitnami:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.uebleis.at.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.uebleis.at
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2184, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 132, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2286, in perform
self.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2174, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2202, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2184, in _reload
util.run_script(self.option("restart_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
self.funcs[-1]()
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 316, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2311, in cleanup
self.restart()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2174, in restart
self._reload()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2202, in _reload
raise errors.MisconfigurationError(error)
certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Attempting to renew cert (www.uebleis.at) from /etc/letsencrypt/renewal/www.uebleis.at.conf produced an unexpected error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.uebleis.at/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.uebleis.at/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
bitnami@linux:~$


#2

Hi @mikeww1

tls-sni-01 validation is deprecated, Certbot replaces that, perhaps this is part of the problem.

But:

Is this your running Apache server?

If yes, can you find the webroot? Because your general configuration ( https://check-your-website.server-daten.de/?q=uebleis.at )


Domainname (IP) | Http-Status | redirect | Sec. | G
http://uebleis.at/ (77.119.253.169) | 200 | | 1.487 | H
http://www.uebleis.at/ (77.119.253.169) | 200 | | 1.206 | H
https://uebleis.at/ (77.119.253.169) | 200 | | 2.223 | N (Certificate error: RemoteCertificateNameMismatch)
https://www.uebleis.at/ (77.119.253.169) | 200 | | 1.796 | B
http://uebleis.at/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (77.119.253.169) | 404 | | 0.377 | A (Not Found)
http://www.uebleis.at/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (77.119.253.169) | 404 | | 0.377 | A (Not Found)

is ok. If you want to use http-01 validation, you need a running webserver with port 80. Then Certbot creates a file under

/.well-known/acme-challenge

with a random name, Letsencrypt checks this file.

Your webserver sends the (correct) http status 404 when fetching such a file.

So find your webroot, then use it:

certbot run -a webroot -i apache -w pathToYourWebroot -d uebleis.at -d www.uebleis.at

So you split authentication (-a) and installation (-i) and you can use your running webserver.
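A pre-flight check for the http-01 situation described above, added here as an example (not certbot's code and not from this thread): it drops a random token into the webroot's .well-known/acme-challenge directory and fetches it over plain HTTP the way the Let's Encrypt validator would, so you can tell whether the server answering on port 80 is really serving that webroot before running certbot. The domain, the webroot path and the pluggable fetch helper are assumptions for the example.

```python
import os
import secrets
import urllib.error
import urllib.request

# Path under the webroot that ACME http-01 validators fetch.
CHALLENGE_DIR = ".well-known/acme-challenge"


def http_fetch(url, timeout=10):
    """Default fetcher: HTTP GET returning (status, body), following redirects."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def preflight_http01(domain, webroot, fetch=http_fetch):
    """Write a throwaway token under webroot/.well-known/acme-challenge,
    fetch it via http://domain/... and report (ok, reason).
    The token file is always removed afterwards."""
    token = secrets.token_urlsafe(32)  # random file name, like a real challenge
    target_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        try:
            status, body = fetch(url)
        except OSError as exc:  # connection refused, DNS failure, timeout
            return False, f"could not reach port 80 of {domain}: {exc}"
        if status == 200 and body.strip() == token:
            return True, "the server on port 80 serves files from this webroot"
        if status == 404:
            # Exactly the thread's symptom: the file exists here, but the host
            # answering on port 80 is a different server or document root.
            return False, ("404 for a file that exists in this webroot: port 80 is "
                           "answered by a different server or a different document root")
        return False, f"unexpected answer {status}: {body[:60]!r}"
    finally:
        os.remove(path)
```

Run it as `preflight_http01("www.example.com", "/path/to/webroot")` on the machine where certbot will write the challenge; a 404 verdict means the port-80 forwarding or the webroot path is the thing to fix, not the certificate.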


#3

Two servers are running at the moment.
One Windows apache server is on port 80
The linux apache with the certificate is running on 443
As I have always turned off the linux apache server before renewing I guess that letsencrypt was talking to my webserver when it did the renewal.
Is there a reason why this does not work anymore ?

So we are talking about the webroot of the port 80 server, yes?
But what is the pathToYourWebroot ?
The linux machine cannot access the file system on the windows machine, or do I misunderstand something? I am sorry for my lack of knowledge. I just installed certbot following the documentation in 2017 and since then it worked fine.

Certbot is running only on the linux machine. The windows machine has no certificate yet.
I know I have to change that by implementing a reverse proxy in the future.


#4

Probably because it used to “work” over port 443 but now requires 80.

You could just add an HTTP to HTTPS redirection on the Windows server.
For the challenge folder requests and for those domains that will only be served via HTTPS.


#5

I would like to thank you all. I could solve the issue by temporarily connecting port 80 to the linux apache, getting the new certificate and then disconnecting again. Your hints were very helpful!