Certbot renew error occurs since software update


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: loto765.info

I ran this command:
certbot -q renew

It produced this output: excerpt error message from /ver/log/letsencrypt/letencrypt.log

Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f1368c63
c18>
2018-12-19 00:54:40,936:ERROR:certbot.renewal:All renewal attempts failed. The f
ollowing certs could not be renewed:
2018-12-19 00:54:40,936:ERROR:certbot.renewal: /etc/letsencrypt/live/loto765.in
fo/fullchain.pem (failure)
2018-12-19 00:54:40,937:INFO:certbot.hooks:Running post-hook command: /bin/run-p
arts /etc/letsencrypt/post-hook.d/
2018-12-19 00:54:40,942:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in <module>
load_entry_point(‘certbot==0.28.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1340, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1247, in renew
renewal.handle_renewal_request(config)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 455, in handle_
renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Nginx 1.12.2

The operating system my web server runs on is (include version):
Ubuntu 14.04.5

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

It seems that after I applied ubuntu software-update and python version has been updated, since then certbot does not work properly, so I have update certbot by apt-get install and updated it from 0.26.0 to 0.28.0.
However this did not work.

I have also installed certbot-auto from git hoping certbot-auto --install-only option removes the problem.
But never ran it for fear of messing things up and decided to ask here for help first.

Can somebody please help me.
Thanks in advance.

yochi


#2

Could you post the full /var/log/letsencrypt/letsencrypt.log? The excerpt you posted is missing the important bits :frowning: .


#3

Hi -az,
Thank you the reply.
The log file is 130KB in size.
I’m afraid if I can past it all here.
Is it OK to paste the link to the file in a cloud storage (Google drive)?


#4

Of course, or anywhere else like https://dpaste.de


#5

Here it is,

letsencrypt.log


#6

Thanks.

So what it looks like is that you have Certbot configured to write the webroot challenges to /tmp/letsencrypt/.

Something to know about the /tmp directory is that it is often not persistent. That is to say, in some circumstances it will be emptied, such as when rebooting your server.

I think you should be able to get Certbot working again by just running:

mkdir /tmp/letsencrypt
certbot renew

but the proper fix is probably to change the webroot path to somewhere outside of /tmp.


#7

I will do certbot renew --dry-run after making /tmp/letsencrypt directory for testing.

As you mention I need to change the directory.

Where is the proper location to make the directory and how ?
Please be a little specific.
Which file do I need to modify to point to the ‘proper’ location?

Thank you anyway.


#8

Well, literally anywhere else would be valid. One suggestion might be /var/tmp/letsencrypt (but you’ll need to create it first).

At least two files:

  1. Any /etc/nginx configuration which references the old location
  2. Any of the files in /etc/letsencrypt/renewal/*.conf that reference the old location

#9

dry-run ran successfully.
I found 2 files referencing to the old location.
I’ll modify them and try ‘certbot renew’ when I can reboot the web server.

Thanks a lot :grin:


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.