Certbot Renew fail

My domain is: https://conceptys-france.com

I ran this command: certbot renew

It produced this output:

root@conceptys-france:/etc/letsencrypt# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/conceptys-france.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 1.6.0 renewal configuration file found at /etc/letsencrypt/renewal/conceptys-france.com.conf with version 0.36.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for conceptys-france.com
http-01 challenge for formation.conceptys-france.com
http-01 challenge for gestion.conceptys-france.com
http-01 challenge for gestiontest.conceptys-france.com
http-01 challenge for sql.conceptys-france.com
http-01 challenge for test.conceptys-france.com
http-01 challenge for webmail.conceptys-france.com
http-01 challenge for www.conceptys-france.com
Attempting to renew cert (conceptys-france.com) from /etc/letsencrypt/renewal/conceptys-france.com.conf produced an unexpected error: module 'acme.challenges' has no attribute 'TLSSNI01'. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/conceptys-france.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/conceptys-france.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 19.10

My hosting provider, if applicable, is: OVH france

I can login to a root shell on my machine : yes

I'm using a control panel to manage my site : no

The version of my client is : certbot 0.36.0 (just installed it, seems it wasn't installed before)

the conf file :

# renew_before_expiry = 30 days
version = 1.6.0
archive_dir = /etc/letsencrypt/archive/conceptys-france.com
cert = /etc/letsencrypt/live/conceptys-france.com/cert.pem
privkey = /etc/letsencrypt/live/conceptys-france.com/privkey.pem
chain = /etc/letsencrypt/live/conceptys-france.com/chain.pem
fullchain = /etc/letsencrypt/live/conceptys-france.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
rsa_key_size = 4096
account = LotsOfWeirdLettersAndNumbersIwontShowHere
server = https://acme-v02.api.letsencrypt.org/directory

My main question would be :

Is the acme-02 server still valid ?

1 Like

Yes, that's the correct ACME endpoint. Your error isn't due to that.

Why did you install version 0.36.0? According to the output, you had version 1.6.0 installed. Were you using certbot-auto or the snapd version of certbot?

2 Likes

I didn't install the server, the guy before me did, but he left without giving much indication

I installed 0.36.0 because I didn't see any "certbot" installed so I apt-get install certbot, but I may have made a big mistake here

I just ran certbot-auto and it updated to version 1.8.0

root@conceptys-france:/etc/letsencrypt# certbot --version
certbot 0.36.0
root@conceptys-france:/etc/letsencrypt# certbot-auto
Upgrading certbot-auto 1.6.0 to 1.8.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: conceptys-france.com
2: subdomain1.conceptys-france.com
3: subdomain2.conceptys-france.com
4: subdomain3.conceptys-france.com
5: subdomain4.conceptys-france.com
6: subdomain5.conceptys-france.com
7: www.conceptys-france.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): c
Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.

What should I do now ? certbot-auto renew ?

I reckon you were using certbot-auto all along, so yes, if I were you I'd try certbot-auto renew and see how it goes.

1 Like

ok thanks

But now I have another error about port 80 and IPv4/IP v6:

root@conceptys-france:~# certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/conceptys-france.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for conceptys-france.com
http-01 challenge for subdomainXX.conceptys-france.com
http-01 challenge for subdomainXX.conceptys-france.com
http-01 challenge for subdomainXX.conceptys-france.com
http-01 challenge for subdomainXX.conceptys-france.com
http-01 challenge for subdomainXX.conceptys-france.com
http-01 challenge for webmail.conceptys-france.com
http-01 challenge for www.conceptys-france.com
Cleaning up challenges
Attempting to renew cert (conceptys-france.com) from /etc/letsencrypt/renewal/conceptys-france.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/conceptys-france.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/conceptys-france.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Should I open a new Topic maybe ?

Hi @BenoitAdam94

that domain has a running website. So if you want to use standalone, you have to stop that website, so port 80 can be used.

Maybe use another authenticator, not standalone.

https://certbot.eff.org/docs/using.html

1 Like

ah yeah thanks I found the answer before even seeing your answer :slight_smile:

systemctl stop nginx
certbot-auto renew
systemctl start nginx

It worked ! Amazing guys !! :smiling_face_with_three_hearts: :heart_eyes: :star_struck: :kissing_smiling_eyes:

3 Likes

Yes, that's possible.

But that interrupts your website, not good.

Normally, standalone is used if there is no webserver (sample: A certificate used with a mail server).

So switching to another authenticator doesn't interrupt your website.

2 Likes
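The two failures in this thread (a client older than the version recorded in the renewal conf, and a standalone authenticator on a host whose port 80 is already in use) can both be spotted from the renewal conf before running a renewal. The following is an added example, not part of any post above and not Certbot's own code: the function names and finding labels are hypothetical, and the sample conf is constructed after the one shown in the thread.

```shell
# Added example: read a Certbot renewal config and flag the two conditions
# that broke renewal in this thread. Function names are hypothetical.

# conf_get FILE KEY: print the value of the first "KEY = value" line.
# Commented-out lines ("# renew_before_expiry = ...") never match.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# version_lt A B: succeed when dotted version A is strictly older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# preflight FILE CLIENT_VERSION: print one finding per line (none if clean).
preflight() {
    conf_version=$(conf_get "$1" version)
    auth=$(conf_get "$1" authenticator)
    if [ -n "$conf_version" ] && version_lt "$2" "$conf_version"; then
        echo "CLIENT_OLDER_THAN_CONF client=$2 conf=$conf_version"
    fi
    if [ "$auth" = "standalone" ]; then
        echo "STANDALONE_NEEDS_FREE_PORT_80"
    fi
}

# write_sample FILE: constructed sample modelled on the conf in the thread.
write_sample() {
    cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 1.6.0

[renewalparams]
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

sample=$(mktemp)
write_sample "$sample"
preflight "$sample" 0.36.0   # the apt-installed client from the thread
preflight "$sample" 1.8.0    # the upgraded certbot-auto
rm -f "$sample"
```

On a real host the first argument would be a file under /etc/letsencrypt/renewal/ and the second the version printed by the client that the renewal job actually invokes.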

Going with what @JuergenAuer has mentioned, you could try:

certbot-auto certonly --cert-name conceptys-france.com -a nginx

Upon success you would then restart nginx to load the new certificate. That command will update your certificate configuration to use nginx for authentication for renewals.

You could also just try:

certbot-auto run --cert-name conceptys-france.com --nginx

Upon success nginx would automatically be restarted to load the new certificate. That command will update your certificate configuration to use nginx for authentication AND installation for renewals. Warning: there can be trouble if you use nginx for installation here. It modifies your configuration. If you run into trouble here, immediately run the following to undo the configuration problems:

certbot-auto rollback

1 Like

ok will see that on next renewal !

1 Like
