Certbot renew not working when testing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: svn.boberglund.com

I ran this command: sudo certbot renew --dry-run

It produced this output:


The following certs could not be renewed:
/etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/video.boberglund.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-07-16T18:14:45

The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

My Ubuntu server sits on my home LAN with dynamic dns pointing to the fiber router’s Internet address.
I have forwarded ports 80 and 443 on the router to the Ubuntu server’s internal address. The server is used for my videos and for subversion.
Originally Apache was set up as part of installation of Apache Subversion and used a self-signed certificate. Later I added my video site as a virtual host into Apache and used certbot to get a cert that would not barf at you every time in a browser.
I used instructions on how to retrieve a cert to be used with subversion on Digital ocean and thought that I was all done…

However now that I checked the renewal process as described above I see that the cert for svn will not be renewed. What to do???

Hi @Bob_Swede

Checking your domain. That looks like you should ignore the problem.

There are two certificates - https://check-your-website.server-daten.de/?q=svn.boberglund.com#ct-logs

Issuer                     | not before | not after  | Domain names                                         | LE-Duplicate    | next LE
Let's Encrypt Authority X3 | 2019-08-10 | 2019-11-08 | svn.boberglund.com, video.boberglund.com - 2 entries | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2019-08-10 | 2019-11-08 | svn.boberglund.com - 1 entries                       | duplicate nr. 1 |

Both have svn as domain name.

But your domain uses the newest certificate

CN=video.boberglund.com
    not before: 10.08.2019
    not after:  08.11.2019
    expires in 88 days
    svn.boberglund.com, video.boberglund.com - 2 entries

Looks like the config file of the not working certificate is wrong. But ignore it - you have already a working certificate.

Use

certbot certificates

to find your certificates, then certbot delete certificatename to delete the certificate you don't use.

What was the rest of Certbot’s output? Did it include an error message explaining why the certificate couldn’t be renewed?

Here is the complete text:

[code]- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/svn.boberglund.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for svn.boberglund.com
http-01 challenge for video.boberglund.com
Cleaning up challenges
Attempting to renew cert (svn.boberglund.com) from /etc/letsencrypt/renewal/svn.boberglund.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for svn.boberglund.com:. Skipping.


Processing /etc/letsencrypt/renewal/video.boberglund.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for video.boberglund.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/video.boberglund.com/fullchain.pem


The following certs could not be renewed:
/etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/video.boberglund.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)
[/code]

Ah. Normally, Certbot saves all the information necessary to renew the certificate in /etc/letsencrypt/renewal/svn.boberglund.com.conf. But there's a bug in version 0.31.0 that can cause it to forget the webroot.

(It's been fixed, but the Ubuntu packages have not been updated yet.)

There are at least three ways to fix the configuration, but I'm not sure which one is best.

Can you post the contents of /etc/letsencrypt/renewal/svn.boberglund.com.conf?

Apparently I cannot make the "code" formatting work in this forum...
So here is the text as is (I am not making some lines bold! It is the forum's doing).

; renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/svn.boberglund.com
cert = /etc/letsencrypt/live/svn.boberglund.com/cert.pem
privkey = /etc/letsencrypt/live/svn.boberglund.com/privkey.pem
chain = /etc/letsencrypt/live/svn.boberglund.com/chain.pem
fullchain = /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem

;Options used in the renewal process
[renewalparams]
account = b5058df1c187177209688fe263dcd9e9
pref_challs = http-01,
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory

And note that I originally intended to open port 80 only as a temporary measure to get the cert after which I closed the port. But it seems like the renewal also needs it open. :frowning:

That's wrong. You need an open port 80 if you want to create certificates. If you renew a certificate, you create a certificate.

OK, let me try a summary:

  1. I have two certs right now, one is for subdomains svn + video and the other is for svn only.
  2. The svn one is not intended for a website, it is only meant to be used for Subversion itself over port 443
  3. The svn cert cannot be updated partly because there is no regular website associated with it.
  4. Last time I tried certbot to create the video cert I had read that one could specify several URLs for the cert so I tested also mentioning svn. That is why it is handling 2 subdomains.
  5. The cert pointed to for the SVN system (the default site) was edited by me in the conf file to point to the svn only cert. Maybe I should change this to point it to the video + svn cert?
  6. I also have a 3rd subdomain named “home”, if possible I would like to add this into the svn + video cert so I can use the same one for all sites. How can this be done? Do I create a new cert for all 3 subdomains and then certbot will figure out the details?
    Note that all of these subdomains point to the same IP address in DNS. So the validating http website would be the same too (I hope it will be video).
  7. In any case by using the video+svn cert for subversion too I can delete the svn only cert and leave the other in place. This is the one that could be updated by certbot provided port 80 is forwarded to my server.

Is this about right?

Can you also post the output of “sudo certbot certificates”?

When you create a new certificate for a superset of the names in an existing certificate, Certbot should offer to save it on top of the existing one. The svn.boberglund.com certificate may already have been replaced. If so, you don’t have to do anything else to delete it.

Here is the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: svn.boberglund.com
Domains: video.boberglund.com svn.boberglund.com
Expiry Date: 2019-11-08 20:14:13+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/svn.boberglund.com/privkey.pem
Certificate Name: video.boberglund.com
Domains: video.boberglund.com
Expiry Date: 2019-11-03 17:35:20+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/video.boberglund.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/video.boberglund.com/privkey.pem


Oops, it seems like I have got it wrong! It is the video subdomain that needs to be using the combined cert for subdomain svn, right?

That's your decision.

  • one certificate with both domain names, used from one vHost
  • one certificate with both domain names, used from two vHosts
  • two certificates, two vHosts

Or one certificate with three domain names, used from two virtual hosts and Subversion.
I.e. only a single updatable cert used for all 3 sites.

Thanks for all the help!
I will proceed with this later tonight and check that the nightly svnsync still works.

So I have done this:

  • Set both svn and video sites to use the same cert
  • Deleted the old video only cert via certbot
  • Verified that the sites do work, they do.
  • Ran the certbot renew --dry-run command and it failed!
  • So since I had gotten the svn cert by using the certonly flag I decided to run it again but allow installation. It seemed to complete OK.
  • But the certbot renew command still fails in the same way.

I cannot understand why since I do have browser access to both svn and video subdomains. The video one redirects to https, which the svn one does not. Both display the expected page.

So the system as it is does work, it is just the problem that in 82 days it will stop working due to the inability to renew the cert.

This is what my dry-run test outputs now that one cert is deleted:

bosse@ubuntuserv:/etc/apache2/sites-available$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/svn.boberglund.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for svn.boberglund.com
Cleaning up challenges
Attempting to renew cert (svn.boberglund.com) from /etc/letsencrypt/renewal/svn.boberglund.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for svn.boberglund.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Why does it say that it is missing the command line flag?
How can I enter the webroot for svn.boberglund.com? I thought it would look at the apache config for that virtual host and there the webroot is clearly entered. Would not work to display index.html otherwise…

No, Certbot's webroot plugin doesn't examine the Apache configuration at all. It relies on the information (that it failed to save) in /etc/letsencrypt/renewal/svn.boberglund.com.conf.

Can you post the contents of that file again? It might have changed since before.

Here is a cat of the file:

$ cat /etc/letsencrypt/renewal/svn.boberglund.com.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/svn.boberglund.com
cert = /etc/letsencrypt/live/svn.boberglund.com/cert.pem
privkey = /etc/letsencrypt/live/svn.boberglund.com/privkey.pem
chain = /etc/letsencrypt/live/svn.boberglund.com/chain.pem
fullchain = /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = b5058df1c187177209688fe263dcd9e9
pref_challs = http-01,
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory

And if it is meant for certbot to save the webroot path in this file it sure has failed…
Can I edit it and enter the correct path?

Yes, you can.

Check

https://certbot.eff.org/docs/using.html#configuration-file

there is a sample.

Thanks, I modified the conf file by adding this line just before the server line:

webroot-path = /var/www/svn.boberglund.com/public_html

Then I ran the renew test command again with the same result:

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/svn.boberglund.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for svn.boberglund.com
Cleaning up challenges
Attempting to renew cert (svn.boberglund.com) from /etc/letsencrypt/renewal/svn.boberglund.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for svn.boberglund.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

And it does not matter if I put webroot-path into the top section of the conf file before the section name [renewalparams], same error on the test.

If I use my browser to access the svn webroot it does produce a page rendering of my index.html, so the webroot is in fact accessible via port 80.

So maybe the Ubuntu 18 LTS distro is giving me a too old certbot. (Must be happening for many others as well.)
Is there a way to update certbot past the version from Ubuntu?
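
The two replies above make the same point: the webroot plugin reads only /etc/letsencrypt/renewal/svn.boberglund.com.conf, and the hand edit tried here left the error unchanged. Below is an added example, not Certbot's code and not anything posted in the thread, that checks a renewal conf for exactly that condition; it assumes the layout Certbot's webroot plugin itself records (a `webroot_path` key and a `[[webroot_map]]` subsection under `[renewalparams]`), with the sample file constructed from the paste above and the webroot path taken from the post.

```python
"""Added example (not Certbot's code): parse the [section]/[[sub]]/key = value
layout of /etc/letsencrypt/renewal/<name>.conf, report why the webroot
authenticator fails as in this thread, and add the missing webroot."""
# Constructed, abridged copy of the renewal conf posted above.
BROKEN_CONF = """\
# renew_before_expiry = 30 days
fullchain = /etc/letsencrypt/live/svn.boberglund.com/fullchain.pem
[renewalparams]
account = b5058df1c187177209688fe263dcd9e9
pref_challs = http-01,
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
"""

def parse_renewal_conf(text):
    """Return {section: {key: value}}; top level is '', [[sub]] is 'parent/sub'."""
    sections, cur = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # both comment styles appear in the pastes above
        if line.startswith("[[") and line.endswith("]]"):
            cur = cur.split("/")[0] + "/" + line[2:-2].strip()
        elif line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(cur, {})[key.strip()] = value.strip()
    return sections

def check_webroot_config(text, domains):
    """List problems; an empty list means renew has a webroot for every domain."""
    sections = parse_renewal_conf(text)
    params = sections.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []  # only the webroot plugin needs a stored webroot
    found = [f"'webroot-path' in [{s or 'top level'}]: renewal confs use webroot_path"
             for s, keys in sections.items() if "webroot-path" in keys]
    webroot_map = sections.get("renewalparams/webroot_map", {})
    found += [f"no webroot for {d}: non-interactive renew cannot prompt, so it skips"
              for d in domains if d not in webroot_map and "webroot_path" not in params]
    return found

def add_webroot(text, domain, path):
    """Append the webroot the way Certbot's plugin records it; [renewalparams] must be last."""
    text = text.rstrip("\n") + "\n"
    if "[[webroot_map]]" not in text:
        text += f"webroot_path = {path},\n[[webroot_map]]\n"  # trailing comma = list
    return text + f"{domain} = {path}\n"
```

Running `check_webroot_config` on the pasted file reports the missing webroot; on a copy with the hyphenated `webroot-path` line added it reports both that and the still-missing `webroot_path`, and after `add_webroot` it reports nothing.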

Switch to Certbot-auto, if you use http-01 validation.

How do I switch to “Certbot-auto”???
Googling for it only lands me with certbot itself…