Certbot renew: no certificate found?

My domains are :
shufflemix.com
shufflemix.de
shufflemix.nl

I ran this command:
sudo certbot renew --cert-name www.shufflemix.com --webroot -w /var/www/shufflemix.com/www --dry-run

It produced this output:
No certificate found with name www.shufflemix.com (expected /etc/letsencrypt/renewal/www.shufflemix.com.conf)

This is in the config file:

renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/shufflemix.com
cert = /etc/letsencrypt/live/shufflemix.com/cert.pem
privkey = /etc/letsencrypt/live/shufflemix.com/privkey.pem
chain = /etc/letsencrypt/live/shufflemix.com/chain.pem
fullchain = /etc/letsencrypt/live/shufflemix.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 3593e5ff4ce64d0ebb5fd3807f843ce6
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
shufflemix.com = /var/www/shufflemix.com/www
shufflemix.de = /var/www/shufflemix.com/www
shufflemix.nl = /var/www/shufflemix.com/www
www.shufflemix.com = /var/www/shufflemix.com/www
www.shufflemix.de = /var/www/shufflemix.com/www
www.shufflemix.nl = /var/www/shufflemix.com/www

My web server is (include version):
apache 2
The operating system my web server runs on is (include version):
Debian 10

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

This has been working the last past months. So why are my domains not able to renew now? Can this be solved? Or do I have to remove everything and create the certs again (what files to rm then?)

Please show the output of:
certbot certificates

Found the following certs:
  Certificate Name: shufflemix.com
    Domains: shufflemix.com shufflemix.de shufflemix.nl www.shufflemix.com www.shufflemix.de www.shufflemix.nl
    Expiry Date: 2021-11-07 05:09:40+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/shufflemix.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shufflemix.com/privkey.pem

It looks to me from your later posts that this should be:
--cert-name shufflemix.com


Well, that is not helping much and producing other errors instead.

Would you elaborate? It could be an important clue to the mystery.


What I notice is that it says, for example:
Domain: www.shufflemix.nl
Type: connection
Detail: Fetching
http://www.shufflemix.nl/.well-known/acme-challenge/2gItQJJPKu-2JWdOJ5oRCAXEPnBwZWprknfn9ROdeck:
Connection refused

That could be right, since it's looking at "http" instead of "https". Since my config is rewriting http to https... So how do I get certbot to look at https instead of http? (I can temporarily gray out the rewriting, but that seems not the right way.)

Ok, progress.

The http challenge always starts with http. The Let's Encrypt server will follow redirects but starts there.

But I think your problem relates to IPv6. Your DNS has both IPv4 and IPv6 and the Let's Encrypt server will prefer IPv6. But I can only reach your site on IPv4.

Check your Apache conf to ensure it listens on IPv6 for each domain name. If you do not see anything, run sudo apachectl -S and post results here. Please use the preformatted text option in the menu (or Ctrl-E).

Or, remove IPv6 from your DNS.

*:443                  is a NameVirtualHost
         default server shufflemix.com (/etc/apache2/sites-enabled/shufflemix.com-ssl.conf:1)
         port 443 namevhost shufflemix.com (/etc/apache2/sites-enabled/shufflemix.com-ssl.conf:1)
                 alias shufflemix.com
                 alias www.shufflemix.com
                 alias https://shufflemix.com
         port 443 namevhost shufflemix.de (/etc/apache2/sites-enabled/shufflemix.de-ssl.conf:1)
                 alias shufflemix.de
                 alias www.shufflemix.de
         port 443 namevhost shufflemix.nl (/etc/apache2/sites-enabled/shufflemix.nl-ssl.conf:1)
                 alias shufflemix.nl
                 alias www.shufflemix.nl
*:80                   is a NameVirtualHost
         port 80 namevhost shufflemix.com (/etc/apache2/sites-enabled/shufflemix.com.conf:1)
                 alias shufflemix.com
                 alias www.shufflemix.com
                 alias http://www.shufflemix.com
                 alias http://shufflemix.com
         port 80 namevhost shufflemix.de (/etc/apache2/sites-enabled/shufflemix.de.conf:1)
                 alias shufflemix.de
                 alias www.shufflemix.de
                 alias http://www.shufflemix.de
                 alias http://shufflemix.de
         port 80 namevhost shufflemix.nl (/etc/apache2/sites-enabled/shufflemix.nl.conf:1)
                 alias shufflemix.nl
                 alias www.shufflemix.nl
                 alias http://www.shufflemix.nl
                 alias http://shufflemix.nl
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"

tcp6       0      0 :::80                   :::*                    LISTEN      304/apache2         
tcp6       0      0 :::443                  :::*                    LISTEN      304/apache2

Hmm. That looks ok to me. Where are your servers hosted? Do they need IPv6 config at all? Like with AWS, I need to set up my Security Group too.

Here is what I see and why I say IPv6 is the likely culprit:

curl -I4 www.shufflemix.com   (testing IPv4)
HTTP/1.1 301 Moved Permanently
Date: Sun, 07 Nov 2021 19:04:03 GMT
Server: Apache/2.4.38 (Debian)
Location: https://www.shufflemix.com/
Content-Type: text/html; charset=iso-8859-1

curl -I6 www.shufflemix.com    (testing IPv6)
curl: (7) Failed to connect to www.shufflemix.com port 80: No route to host

curl -i6 ifconfig.co    (test I can reach other IPv6 site)
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2021 19:07:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 40

Further, we see that your error in the first post is for http. Had the LE server been able to reach it, you would have redirected it to https. So the error relates to the initial http request.


The server is a VPS. What could be a good workaround to get this running asap?

@mr_certbot Remove the AAAA record from the DNS. Then only IPv4 can be used to reach you.

See your current A (IPv4) and AAAA (IPv6) records easily here:
https://toolbox.googleapps.com/apps/dig/#AAAA/

You could check that they are accurate. Maybe the AAAA is just wrong?

curl -4 ifconfig.co
curl -6 ifconfig.co

These will show your server's IP addresses, and confirm it can talk at least outbound with each.


I think I need to have a look at the IPv6 DNS settings. I need to have that in place for mail purposes. But the IP address might be wrong :slight_smile:
This is the IPv6 address I get when running:
```
curl -6 ifconfig.co

2a01:7c8:aaae:1b0:5054:ff:fea3:21ac
```
Which I can see in the ip a output as well.

I do not see an IPv6 address in the A record. I see:

nslookup www.shufflemix.com

Non-authoritative answer:
Name:   www.shufflemix.com
Address: 37.97.128.195
Name:   www.shufflemix.com
Address: 2a01:7c8:aaae:1b0::1

The first is the A, the second is the AAAA.
This is what I see on the googleapps dig tool too.


Aha :slight_smile: so the AAAA should be:

2a01:7c8:aaae:1b0:5054:ff:fea3:21ac


Yes, should match the server IP. Did it resolve the Certbot problem?

For later, I would wonder how that could happen. You might need to add some monitoring to ensure your DNS stays in sync with your server IP addresses. It could create problems for other visitors to your site, not just Certbot.

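The monitoring suggested in the post above, written out as an added example (not code from the thread or from Certbot): it compares the A and AAAA records a hostname publishes with the address the server actually presents on each family, then probes the HTTP-01 path over IPv4 and IPv6 separately, which is exactly the split that hid this thread's problem. It assumes dig and curl are installed; ifconfig.co is the lookup service used in the thread (any service that echoes the caller's address will do), and the hostname in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: check that the A and AAAA records
# a hostname publishes match the addresses this server actually uses, and
# that the HTTP-01 challenge path answers over both IPv4 and IPv6. This is
# the failure the thread ends on: an AAAA record pointing at the wrong
# address while the Let's Encrypt validator prefers IPv6.
# Assumptions: dig and curl are installed; IPCHECK_URL is the lookup service
# used in the thread, and any service echoing the caller's address will do.

IPCHECK_URL="https://ifconfig.co"

# Pure check: print "ok" when address $2 appears among the newline-separated
# DNS answers in $1, "mismatch" otherwise. The comparison is textual, so both
# sides must use the same compressed IPv6 notation (dig, curl and ip(8) all
# emit that form).
record_matches() {
  answers="$1"
  actual="$2"
  if [ -n "$actual" ] && printf '%s\n' "$answers" | grep -qixF -- "$actual"; then
    echo ok
  else
    echo mismatch
  fi
}

# Record type a validator looks up for a given address family (4 or 6).
record_type_for() {
  if [ "$1" = 6 ]; then echo AAAA; else echo A; fi
}

# All short-form answers for one record type (several lines, or empty).
dns_answers() {
  dig +short "$1" "$2"
}

# The address this host presents to the outside world over family 4 or 6.
my_addr() {
  curl -s "-$1" --max-time 10 "$IPCHECK_URL" 2>/dev/null
}

# HTTP-01 validation always starts with plain http:// on port 80 and follows
# redirects, so probe that path over one family and print the final HTTP
# status. 000 means no connection at all, which is what "Connection refused"
# or "No route to host" looks like here; a 404 still proves the host answers.
challenge_probe() {
  code=$(curl -s "-$2" -L -o /dev/null --max-time 10 -w '%{http_code}' \
    "http://$1/.well-known/acme-challenge/connectivity-probe" 2>/dev/null) || true
  echo "${code:-000}"
}

# Full report for one hostname over both address families.
check_host() {
  host="$1"
  for fam in 4 6; do
    type=$(record_type_for "$fam")
    answers=$(dns_answers "$host" "$type")
    if [ -z "$answers" ]; then
      echo "$host $type: no record, validators will not use IPv$fam"
      continue
    fi
    actual=$(my_addr "$fam")
    echo "$host $type: $(record_matches "$answers" "$actual")" \
      "(dns: $(printf '%s' "$answers" | tr '\n' ' '); server: ${actual:-unknown})"
    echo "$host http over IPv$fam: HTTP $(challenge_probe "$host" "$fam")"
  done
}

# Usage: sh dnscheck.sh www.example.com [more hostnames]
# Run it from cron on the web server and alert on any line that contains
# "mismatch" or "HTTP 000".
for h in "$@"; do
  check_host "$h"
done
```

With the thread's own numbers, the AAAA line would have read "mismatch (dns: 2a01:7c8:aaae:1b0::1; server: 2a01:7c8:aaae:1b0:5054:ff:fea3:21ac)" next to an "HTTP 000" for IPv6, while IPv4 showed "ok" and a normal status, which is the same conclusion the curl -I4 / curl -I6 pair reached by hand.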

I cannot access the DNS record now to adapt it. I need to contact someone tomorrow. But hopefully it will be the solution. Thanks for your help.


You don't need to specify the protocol in the alias statement.

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/shufflemix.com/fullchain.pem (success)

So having the right IPv6 address in my DNS record made it work :slight_smile:
