Certbot renew error without change since last renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bk-asp-hst.dpi.bfi.org.uk

I ran this command: sudo certbot renew --debug

It produced this output:
[root@BK-ASP-HST letsencrypt]# sudo certbot renew --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/bk-asp-hst.dpi.bfi.org.uk.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (bk-asp-hst.dpi.bfi.org.uk) from /etc/letsencrypt/renewal/bk-asp-hst.dpi.bfi.org.uk.conf produced an unexpected error: str returned non-string (type Error). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bk-asp-hst.dpi.bfi.org.uk/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bk-asp-hst.dpi.bfi.org.uk/fullchain.pem (failure)


Exiting abnormally:
Traceback (most recent call last):
File "/bin/certbot", line 9, in
load_entry_point('certbot==0.35.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1379, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1284, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 474, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): HA-Proxy version 1.8.13 2018/07/30

The operating system my web server runs on is (include version): CentOS Linux 7 (Core)

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.35.1

From log in /var/log/letsencrypt:
2021-11-25 09:58:34,554:DEBUG:certbot.main:certbot version: 0.35.1
2021-11-25 09:58:34,554:DEBUG:certbot.main:Arguments: ['--debug']
2021-11-25 09:58:34,554:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-25 09:58:34,567:DEBUG:certbot.log:Root logging level set at 20
2021-11-25 09:58:34,567:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-25 09:58:34,575:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7ffabb407b50> and installer <certbot.cli._Default object at 0x7ffabb407b50>
2021-11-25 09:58:34,583:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2021-11-29 22:07:10 UTC.
2021-11-25 09:58:34,583:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2021-11-25 09:58:34,583:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2021-11-25 09:58:34,584:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7ffabb44c650>
Prep: True
2021-11-25 09:58:34,584:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7ffabb44c650> and installer None
2021-11-25 09:58:34,584:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2021-11-25 09:58:34,598:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/58183770', new_a$
2021-11-25 09:58:34,599:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-11-25 09:58:34,601:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-11-25 09:58:34,853:WARNING:certbot.renewal:Attempting to renew cert (bk-asp-hst.dpi.bfi.org.uk) from /etc/letsencrypt/renewal/bk-asp-hst.dpi.bfi.org.uk.conf produced an unexpected error: str returned non-string (type Error). Skipping.
2021-11-25 09:58:34,855:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 449, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1203, in renew_cert
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 613, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 262, in init
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/lib/python2.7/site-packages/certbot/client.py", line 47, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 813, in init
directory = messages.Directory.from_json(net.get(server).json())
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1146, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1095, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
timeout=timeout
File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
body=body, headers=headers)
File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 344, in _make_request
self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 314, in _raise_timeout
if 'timed out' in str(err) or 'did not complete (read)' in str(err): # Python 2.6
TypeError: str returned non-string (type Error)

2021-11-25 09:58:34,855:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2021-11-25 09:58:34,855:ERROR:certbot.renewal: /etc/letsencrypt/live/bk-asp-hst.dpi.bfi.org.uk/fullchain.pem (failure)
2021-11-25 09:58:34,855:ERROR:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/bin/certbot", line 9, in
load_entry_point('certbot==0.35.1', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1379, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1284, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 474, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

I updated certbot using yum, it is now on version 1.11.0 - same error from certbot renew:

[root@BK-ASP-HST letsencrypt]# sudo certbot renew --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/bk-asp-hst.dpi.bfi.org.uk.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Failed to renew certificate bk-asp-hst.dpi.bfi.org.uk with error: str returned non-string (type Error)


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/bk-asp-hst.dpi.bfi.org.uk/fullchain.pem (failure)


Exiting abnormally:
Traceback (most recent call last):
File "/bin/certbot", line 9, in
load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1318, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 497, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
Please see the logfiles in /var/log/letsencrypt for more details.

And from the log with the new certbot version - I think this is identical:

2021-11-25 10:43:09,893:DEBUG:certbot._internal.main:certbot version: 1.11.0
2021-11-25 10:43:09,893:DEBUG:certbot._internal.main:Location of certbot entry point: /bin/certbot
2021-11-25 10:43:09,893:DEBUG:certbot._internal.main:Arguments: ['--debug']
2021-11-25 10:43:09,893:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-11-25 10:43:09,909:DEBUG:certbot._internal.log:Root logging level set at 20
2021-11-25 10:43:09,909:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-11-25 10:43:09,910:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/bk-asp-hst.dpi.bfi.org.uk.conf
2021-11-25 10:43:09,917:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f5ca8f210d0> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f5ca8f210d0>
2021-11-25 10:43:09,953:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/archive/bk-asp-hst.dpi.bfi.org.uk/cert13.pem
2021-11-25 10:43:09,953:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/bk-asp-hst.dpi.bfi.org.uk/chain13.pem -cert /etc/letsencrypt/archive/bk-asp-hst.dpi.bfi.org.uk/cert13.pem -CAfile /etc/letsencrypt/archive/bk-asp-hst.dpi.bfi.org.uk/chain13.pem -verify_other /etc/letsencrypt/archive/b$
2021-11-25 10:43:10,131:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-11-29 22:07:10 UTC.
2021-11-25 10:43:10,131:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
2021-11-25 10:43:10,132:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2021-11-25 10:43:10,133:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f5cab314410>
Prep: True
2021-11-25 10:43:10,134:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x7f5cab314410> and installer None
2021-11-25 10:43:10,134:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2021-11-25 10:43:10,136:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/581837$
2021-11-25 10:43:10,137:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-11-25 10:43:10,143:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-11-25 10:43:10,405:ERROR:certbot._internal.renewal:Failed to renew certificate bk-asp-hst.dpi.bfi.org.uk with error: str returned non-string (type Error)
2021-11-25 10:43:10,408:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 471, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1233, in renew_cert
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 659, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 255, in init
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 43, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 831, in init
directory = messages.Directory.from_json(net.get(server).json())
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1168, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1118, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
timeout=timeout
File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
body=body, headers=headers)
File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 344, in _make_request
self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
File "/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 314, in _raise_timeout
if 'timed out' in str(err) or 'did not complete (read)' in str(err): # Python 2.6
TypeError: str returned non-string (type Error)

2021-11-25 10:43:10,408:DEBUG:certbot.display.util:Notifying user:


2021-11-25 10:43:10,408:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2021-11-25 10:43:10,408:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/bk-asp-hst.dpi.bfi.org.uk/fullchain.pem (failure)
2021-11-25 10:43:10,408:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-11-25 10:43:10,408:ERROR:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/bin/certbot", line 9, in
load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1318, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 497, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

I fixed it using the advice here: Run certbot showing ValueError: ('Expected version spec in' - #2 by _az

2 Likes