Certbot Renew Failure: Nginx Restart Failed


#1

Hey all, I’m having some issues renewing one of my domains… My site is down as a result. All I’m seeing is an nginx restart failed, I checked a tail on the debug log and couldn’t find much else of use:

2018-06-12 06:20:55,728:WARNING:certbot.renewal:Attempting to renew cert (domainhidden) from /etc/letsencrypt/renewal/www.domainhidden.com.conf produced an unexpected error: nginx restart failed:
b''
b''. Skipping.
2018-06-12 06:20:55,730:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 422, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1102, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 113, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 297, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 294, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 330, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 72, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 124, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 972, in perform
self.restart()
File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 787, in restart
nginx_restart(self.conf('ctl'), self.nginx_conf)
File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", line 1042, in nginx_restart
"nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''

2018-06-12 06:20:55,735:INFO:certbot.renewal:Cert not yet due for renewal
2018-06-12 06:20:55,736:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-06-12 06:20:55,736:ERROR:certbot.renewal: /etc/letsencrypt/live/www.domainhidden.com/fullchain.pem (failure)
2018-06-12 06:20:55,736:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.22.2', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1266, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1179, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 1 parse failure(s)

My domain is: domainhidden.com

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/images.domainhidden.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.domainhidden.com-0001.conf

renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/www.domainhidden.com-0001.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/chat.domainhidden.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/domainhidden.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/board.domainhidden.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.domainhidden.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for domainhidden.com
tls-sni-01 challenge for board.domainhidden.com
tls-sni-01 challenge for chat.domainhidden.com
tls-sni-01 challenge for images.domainhidden.com
tls-sni-01 challenge for scenes.domainhidden.com
tls-sni-01 challenge for www.board.domainhidden.com
tls-sni-01 challenge for www.domainhidden.com
tls-sni-01 challenge for www.images.domainhidden.com
tls-sni-01 challenge for www.scenes.domainhidden.com
nginx: [emerg] duplicate listen options for [::]:443 in /etc/nginx/sites-enabled/domainhidden.com:154
Cleaning up challenges
Attempting to renew cert (www.domainhidden.com) from /etc/letsencrypt/renewal/www.domainhidden.com.conf produced an unexpected error: nginx restart failed:
b''
b''. Skipping.


Processing /etc/letsencrypt/renewal/scenes.domainhidden.com.conf

Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.domainhidden.com/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/images.domainhidden.com/fullchain.pem expires on 2018-07-23 (skipped)
/etc/letsencrypt/live/chat.domainhidden.com/fullchain.pem expires on 2018-08-11 (skipped)
/etc/letsencrypt/live/domainhidden.com/fullchain.pem expires on 2018-07-22 (skipped)
/etc/letsencrypt/live/board.domainhidden.com/fullchain.pem expires on 2018-07-23 (skipped)
/etc/letsencrypt/live/scenes.domainhidden.com/fullchain.pem expires on 2018-07-23 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.domainhidden.com/fullchain.pem (failure)

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/www.domainhidden.com-0001.conf (parsefail)

1 renew failure(s), 1 parse failure(s)

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

I fixed this issue. Removed the duplicate SSL entry in my host config which was for ipv6 always on, then disabled ipv6 in Ubuntu. Letsencrypt was unable to verify my server’s IP because the external facing address was ipv6.


#3

It’s not necessary to disable IPv6.

It’s only necessary to remove the duplicate options from one of the affected listen directives.

https://nginx.org/en/docs/http/ngx_http_core_module.html#listen

If it was “ipv6only=on”, that’s the default in modern versions of Nginx, so you can just remove it from both.

(And Let’s Encrypt fully supports IPv6.)


#4

I had a similar issue. In my case it was the certbot that was adding a duplicate listen option. Before running renew, I had this as my listen directive for port 80 in the nginx.conf:

listen 80 default_server deferred;

and a certbot renewal attempt using http-01 challenge appended this to the nginx.conf:

listen 80 deferred;

That failed, of course. I think certbot-nginx should not copy over any of the socket-related parameters for the listen directive if it’s binding to an existing address:port pair.
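Both failures in this thread (the repeated ipv6only=on on [::]:443 in #1/#3 and the repeated deferred on port 80 in #4) are the same nginx rule: the socket-level listen parameters may appear on only one listen directive per address:port, and nginx refuses to reload when a second directive for the same socket repeats any of them. The following is an added example, not code from the thread, Certbot or nginx. It is a small Python pre-flight check that scans a config for that condition before a reload is attempted; the two sample configs are constructed for the example, and the list of socket-level parameters is taken from my reading of the nginx listen documentation linked above.

```python
"""Pre-flight check for nginx "duplicate listen options" (added example).

nginx fails with "[emerg] duplicate listen options for <addr:port>" when more
than one `listen` directive for the same address:port carries socket-level
parameters (deferred, ipv6only=, backlog=, ...). This script finds such
sockets so the config can be fixed before `nginx -t` / a Certbot renewal.
"""
import re
from collections import defaultdict

# Socket-level listen parameters (per the nginx listen docs); nginx allows them
# on only one of the listen directives that bind a given address:port.
SOCKET_OPTS = ("deferred", "ipv6only", "backlog", "rcvbuf", "sndbuf", "reuseport",
               "so_keepalive", "accept_filter", "fastopen", "setfib", "bind")

# One listen directive per line; `[^;#]+` stops at the ';' or a trailing comment.
LISTEN_RE = re.compile(r"^[ \t]*listen[ \t]+([^;#]+);", re.MULTILINE)


def normalize_socket(addr):
    """Map the first listen argument to the address:port nginx actually binds."""
    if addr.startswith("["):                 # IPv6 literal, e.g. [::]:443
        if addr.endswith("]"):               # no port given -> port 80
            return f"{addr}:80"
        host, _, port = addr.rpartition(":")
        return f"{host}:{port}"
    if ":" in addr:                          # IPv4 address:port
        return addr
    if addr.isdigit():                       # bare port -> all IPv4 addresses
        return f"*:{addr}"
    return f"{addr}:80"                      # bare address -> port 80


def find_duplicate_listen_options(config_text):
    """Return {socket: [line numbers]} for each address:port whose socket-level
    options are set on more than one listen directive (what nginx rejects)."""
    by_socket = defaultdict(list)
    for m in LISTEN_RE.finditer(config_text):
        args = m.group(1).split()
        socket = normalize_socket(args[0])
        sets_socket_opts = any(a.split("=")[0] in SOCKET_OPTS for a in args[1:])
        lineno = config_text.count("\n", 0, m.start()) + 1
        by_socket[socket].append((lineno, sets_socket_opts))
    return {sock: [ln for ln, opt in entries if opt]
            for sock, entries in by_socket.items()
            if sum(opt for _, opt in entries) > 1}


# Constructed sample mirroring the thread: ipv6only=on repeated for [::]:443
# (post #1/#3) and deferred repeated for *:80 (post #4).
BROKEN_CONFIG = """
server {
    listen 80 default_server deferred;
    listen [::]:443 ssl ipv6only=on;
    server_name example.com;
}
server {
    listen 80 deferred;                 # socket option repeated for *:80
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;    # socket option repeated for [::]:443
    server_name www.example.com;
}
"""

# Same config fixed as post #3 advises: keep deferred on one directive only and
# drop ipv6only=on everywhere (it is the default); IPv6 stays enabled.
FIXED_CONFIG = """
server {
    listen 80 default_server deferred;
    listen [::]:443 ssl;
    server_name example.com;
}
server {
    listen 80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
}
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        dupes = find_duplicate_listen_options(cfg)
        if dupes:
            for sock, lines in dupes.items():
                print(f"{name}: duplicate listen options for {sock} on lines {lines}")
        else:
            print(f"{name}: no duplicate listen options")
```

The check only covers the socket-level parameters; `default_server` is also limited to one directive per socket but produces a different nginx error, and a real config may spread listen directives across several included files, so the text of all of them should be concatenated before scanning. It is a complement to `nginx -t`, not a replacement: `nginx -t` remains the authoritative test before any reload or renewal.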


#5

@PeterG

If you still use deferred and recent versions of Certbot still have issues with it, can you file a bug? The goal is to handle everything correctly but, well, it’s not perfect (yet).


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.