Certbot renew fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mecadtron.de

I ran this command: certbot -v renew

It produced this output: 1 renew failure(s), 0 parse failure(s)

My web server is (include version): apache 2.4.57_1

The operating system my web server runs on is (include version): FreeBSD 13.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

2023-07-28 14:10:34,592:DEBUG:certbot._internal.main:certbot version: 2.6.0
2023-07-28 14:10:34,593:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2023-07-28 14:10:34,593:DEBUG:certbot._internal.main:Arguments: ['-v'] 
2023-07-28 14:10:34,593:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot) 
2023-07-28 14:10:34,625:DEBUG:certbot._internal.log:Root logging level set at 20
2023-07-28 14:10:34,627:DEBUG:certbot._internal.display.obj:Notifying user: Processing /usr/local/etc/letsencrypt/renewal/mecadtron.de.conf
2023-07-28 14:10:34,650:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x87171d5b0> and installer <certbot._internal.cli.cli_utils._Default object at 0x87171d5b0> 
2023-07-28 14:10:34,675:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2023-07-11 21:07:56 UTC. 
2023-07-28 14:10:34,676:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing... 
2023-07-28 14:10:34,676:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache 
2023-07-28 14:10:34,763:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.57 
2023-07-28 14:10:34,977:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache Description: Apache Web Server plugin Interfaces: Authenticator, Installer, Plugin Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT Initialized: <certbot_apache._internal.configurator.ApacheConfigurator object at 0x871723970> Prep: True 
2023-07-28 14:10:34,978:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache Description: Apache Web Server plugin Interfaces: Authenticator, Installer, Plugin Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT Initialized: <certbot_apache._internal.configurator.ApacheConfigurator object at 0x871723970> Prep: True 
2023-07-28 14:10:34,978:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.configurator.ApacheConfigurator object at 0x871723970> and installer <certbot_apache._internal.configurator.ApacheConfigurator object at 0x871723970> 
2023-07-28 14:10:34,978:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache 
2023-07-28 14:10:35,003:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/325584200', new_authzr_uri=None, terms_of_service=None), b3f2c32bfa23de8a85fcdbff4348a9d4, Meta(creation_dt=datetime.datetime(2021, 12, 17, 19, 43, 41, tzinfo=<UTC>), creation_host='booster.mecadtron.de', register_to_eff=None))> 
2023-07-28 14:10:35,004:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory. 
2023-07-28 14:10:35,007:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443 
2023-07-28 14:10:35,536:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 752 
2023-07-28 14:10:35,537:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Fri, 28 Jul 2023 12:10:35 GMT Content-Type: application/json Content-Length: 752 Connection: keep-alive Cache-Control: public, max-age=0, no-cache X-Frame-Options: DENY Strict-Transport-Security: max-age=604800 { "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert", "sYEI2V-NoHw": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417" }
2023-07-28 14:10:35,538:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for mecadtron.de and www.mecadtron.de
2023-07-28 14:10:35,556:DEBUG:acme.client:Requesting fresh nonce
2023-07-28 14:10:35,556:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2023-07-28 14:10:35,731:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2023-07-28 14:10:35,731:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Fri, 28 Jul 2023 12:10:35 GMT Connection: keep-alive Cache-Control: public, max-age=0, no-cache Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" Replay-Nonce: F70ETraj5SqIELwmkUTsIDTVmheJJYPo7qbtjrQb1CXi6_0 X-Frame-Options: DENY Strict-Transport-Security: max-age=604800
2023-07-28 14:10:35,732:DEBUG:acme.client:Storing nonce: F70ETraj5SqIELwmkUTsIDTVmheJJYPo7qbtjrQb1CXi6_0
2023-07-28 14:10:35,732:DEBUG:acme.client:JWS payload: b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "mecadtron.de"\n },\n {\n "type": "dns",\n "value": "www.mecadtron.de"\n }\n ]\n}'
2023-07-28 14:10:35,734:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order: { "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzI1NTg0MjAwIiwgIm5vbmNlIjogIkY3MEVUcmFqNVNxSUVMd21rVVRzSURUVm1oZUpKWVBvN3FidGpyUWIxQ1hpNl8wIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ", "signature": "SwahTHdvkNDeUVK67fa9syZQ031HIgOwFxieyAGQLeVL4pLn2pMa-jSWxHZ8V2EIMHXXnlGNxovoZDE0xUnALO-PeZKwNKbsohmUPq8LfkR1S3dJx3vxcFJZkyWULMy6HQbSSxB3pNahlCE5SfNhhld-vkAPNhmMqe6kW8tyVtpI9dn9oSyfSQHKDhDZcBDIEIU6d_Jrp8Axd-zg3gk0ltIaSXWLjSxzECP6XeX8BHVqb7ZrHE2Vfuq6wYbsM4F8OIh_DcYsJXT0kERXNGzZ5A8NyzdaGMDvEIBPepfpqj9kW0FzN1A6XKZDjtpjLUAm6xQesj1lKriV9YksQMU4Vw", "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm1lY2FkdHJvbi5kZSIKICAgIH0sCiAgICB7CiAgICAgICJ0eXBlIjogImRucyIsCiAgICAgICJ2YWx1ZSI6ICJ3d3cubWVjYWR0cm9uLmRlIgogICAgfQogIF0KfQ" } 
2023-07-28 14:10:35,924:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 429 213 
2023-07-28 14:10:35,925:DEBUG:acme.client:Received response: HTTP 429 Server: nginx Date: Fri, 28 Jul 2023 12:10:35 GMT Content-Type: application/problem+json Content-Length: 213 Connection: keep-alive Boulder-Requester: 325584200 Cache-Control: public, max-age=0, no-cache Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index" Replay-Nonce: C400_9563wZnq419pNpO-al4bO-9reAPV7qiecXcbrVVTgE { "type": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/", "status": 429 }
2023-07-28 14:10:35,926:ERROR:certbot._internal.renewal:Failed to renew certificate mecadtron.de with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/ 
2023-07-28 14:10:35,928:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 533, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 1547, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 129, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 395, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/client.py", line 478, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/usr/local/lib/python3.9/site-packages/acme/client.py", line 138, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/usr/local/lib/python3.9/site-packages/acme/client.py", line 366, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/acme/client.py", line 739, in post
    return self._post_once(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/acme/client.py", line 752, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/local/lib/python3.9/site-packages/acme/client.py", line 603, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
2023-07-28 14:10:35,929:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
2023-07-28 14:10:35,929:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed: 
2023-07-28 14:10:35,930:ERROR:certbot._internal.renewal: /usr/local/etc/letsencrypt/live/mecadtron.de/fullchain.pem (failure) 
2023-07-28 14:10:35,930:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
2023-07-28 14:10:35,930:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.6.0', 'console_scripts', 'certbot')())
  File "/usr/local/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/main.py", line 1636, in renew
    renewal.handle_renewal_request(config)
  File "/usr/local/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 559, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2023-07-28 14:10:35,931:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

I can answer my question myself:
This is a problem within FreeBSD and can be fixed as documented in:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268318
from Miroslav Lachman 2023-05-05 09:20:26 UTC comment 18

Glad you found the answer yourself. But note that the log that you've shown does not represent that error, but is showing the "too many failed authorizations" rate limit, which is the result of multiple failed authorizations in the last hour. Thus, the log is actually "concealing" the actual reason why Certbot is failing.

For future readers: please use the staging environment for testing if the production environment fails, to prevent you from hitting the too many failed authorizations rate limit. Also, mentioning the "failed authorization limit" itself is never helpful, as there is always an underlying other issue why the authorization fails in the first place.

3 Likes
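
The point made in the reply above, that the rateLimited error is only a symptom and the real cause sits in earlier failed authorizations, can be checked mechanically. This is an added example, not part of the original posts and not Certbot code: it groups Certbot log lines into entries and separates rate-limit errors from the other ACME error types logged before them. The function names and the sample log (constructed, using example.org) are assumptions.

```python
import re

# Start of a Certbot log entry: "<timestamp>:<LEVEL>:<logger>:<message>"
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+):([A-Z]+):([\w.]+):(.*)$")
# ACME problem types (RFC 8555), e.g. urn:ietf:params:acme:error:rateLimited
ACME_ERR = re.compile(r"urn:ietf:params:acme:error:(\w+)")

# Constructed sample log. Only the rateLimited error type comes from the
# thread; the domain, timestamps and the earlier failure are invented.
SAMPLE_LOG = """\
2023-07-28 13:40:02,118:DEBUG:acme.client:Received response:
{ "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unauthorized", "status": 403 } }
2023-07-28 13:40:02,300:ERROR:certbot._internal.renewal:Failed to renew certificate example.org with error: Some challenges have failed.
2023-07-28 14:05:11,482:ERROR:certbot._internal.renewal:Failed to renew certificate example.org with error: urn:ietf:params:acme:error:rateLimited :: too many failed authorizations recently
"""


def parse_entries(text):
    """Group raw lines into entries; lines without a timestamp prefix
    (response bodies, tracebacks) are appended to the preceding entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"ts": m[1], "level": m[2], "logger": m[3], "msg": m[4]})
        elif entries:
            entries[-1]["msg"] += "\n" + line
    return entries


def triage(text):
    """Separate rate-limit symptoms from the ACME errors that preceded them."""
    symptoms, causes = [], []
    for e in parse_entries(text):
        for kind in sorted(set(ACME_ERR.findall(e["msg"]))):
            bucket = symptoms if kind == "rateLimited" else causes
            bucket.append((e["ts"], kind))
    return {"rate_limited": symptoms, "root_cause_candidates": causes}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ts, kind in result["root_cause_candidates"]:
        print(f"look here first: {ts} {kind}")
    for ts, kind in result["rate_limited"]:
        print(f"symptom only:    {ts} {kind}")
```

Run over the older rotated Certbot logs rather than only the latest one, since the entries that explain the failure predate the run that hit the rate limit.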
