Certbot renew "works" then fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.bluestarline.org

I ran this command: certbot renew
(ignore references to www.littleclose.co.uk; it is no longer active and is being removed)

It produced the following output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.blake-online.net.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.bluestarline.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for www1.blake-online.net and 3 more domains
Performing the following challenges:
http-01 challenge for www.littleclose.co.uk
Waiting for verification...
Challenge failed for domain www.littleclose.co.uk
http-01 challenge for www.littleclose.co.uk
Cleaning up challenges
Failed to renew certificate www.bluestarline.org with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.netunity.co.uk.conf


Cert not yet due for renewal


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/www.blake-online.net/fullchain.pem expires on 2022-08-04 (skipped)
/etc/letsencrypt/live/www.netunity.co.uk-0001/fullchain.pem expires on 2022-07-11 (skipped)
/etc/letsencrypt/live/www.netunity.co.uk/fullchain.pem expires on 2022-08-05 (skipped)
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.bluestarline.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.littleclose.co.uk
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for
    www.littleclose.co.uk - check that a DNS record exists for this
    domain; DNS problem: NXDOMAIN looking up AAAA for
    www.littleclose.co.uk - check that a DNS record exists for this
    domain

My web server is (include version): Apache 3.12.2

The operating system my web server runs on is (include version): NethServer release 7.9.2009 (final)

My hosting provider, if applicable, is: my own Nethserver host

I can login to a root shell on my machine (yes or no, or I don't know): log on as user then su

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

I got a message that some certificates were going to expire. No surprise there, I manually renew every time they do so, by simply logging on and issuing the command from su.

This time I did so, and the domain www.bluestarline.org errored with "Failed to renew certificate www.bluestarline.org with error: Some challenges have failed."

I had a look round but couldn't see anything in the logs. I then issued on its own. The command appeared to complete, and when browsing to the site and looking at the certificate, there was a new one, no longer going to expire. Great, I thought, that's fixed that.

However, this morning, I received an email from the server saying the certificate was expiring, and sure enough, when I examined the certificate, it said:
Validity
Not Before: Feb 14 17:15:40 2022 GMT
Not After : May 15 17:15:39 2022 GMT
So I re-issued the command, which completed correctly, then reloaded the website in my browser and re-examined the certificate and saw:
Validity
Not Before: Sun, 08 May 2022 09:15:26 GMT
Not After: Sat, 06 Aug 2022 09:15:25 GMT

So weirdly, the fails, appears to work, but the new certificate is lost the following day. The warning popped up at around 0900, so not on the day/week/month boundary, so can anyone suggest what is happening and what I should do to address it?

Thanks

Jim

It looks like there is no littleclose.co.uk public domain assigned to anyone. Have you purchased that domain in the past? If yes, maybe it has expired.

2 Likes

If you look at your certificate history such as crt.sh | bluestarline.org it looks like you are issuing multiple redundant certificates for your hostname.

Please show the output of the command:

sudo certbot certificates

2 Likes

Yes, you are right, I noted that in the writeup: littleclose was running for a couple of years, but is now expired and will be removed. Would one failed domain affect another? It's bluestarline.org that has the problem....

1 Like

Here's the output from the command:

[root@bastion jim]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: www.blake-online.net
Serial Number: 4ee8e05627e6ea16c17e17bc5f733924fbb
Key Type: RSA
Domains: www.bluestarline.org www.blake-online.net www.netunity.co.uk
Expiry Date: 2022-08-04 10:04:58+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/www.blake-online.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.blake-online.net/privkey.pem
Certificate Name: www.bluestarline.org-0001
Serial Number: 3794b9e3e5bf9d68794ffd3e25a9eedb9d3
Key Type: RSA
Domains: www.bluestarline.org
Expiry Date: 2022-08-06 09:15:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.bluestarline.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.bluestarline.org-0001/privkey.pem
Certificate Name: www.bluestarline.org
Serial Number: 3696aa5a4f94c01ccca70d775238682518b
Key Type: RSA
Domains: www1.blake-online.net www.bluestarline.org www.littleclose.co.uk www.netunity.co.uk
Expiry Date: 2022-05-15 17:15:39+00:00 (VALID: 7 days)
Certificate Path: /etc/letsencrypt/live/www.bluestarline.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.bluestarline.org/privkey.pem
Certificate Name: www.netunity.co.uk-0001
Serial Number: 4211cd25dad9d1bc7361e47ee68d6528149
Key Type: RSA
Domains: www.netunity.co.uk
Expiry Date: 2022-07-11 05:41:34+00:00 (VALID: 63 days)
Certificate Path: /etc/letsencrypt/live/www.netunity.co.uk-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.netunity.co.uk-0001/privkey.pem
Certificate Name: www.netunity.co.uk
Serial Number: 480bef17fd9c897ef73ce3cb66901b0c8b0
Key Type: RSA
Domains: www1.blake-online.net www.bluestarline.org www.netunity.co.uk
Expiry Date: 2022-08-05 10:48:29+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.netunity.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.netunity.co.uk/privkey.pem


[root@bastion jim]#

I can access the web servers via the NethServer dashboard and can see the websites as shown in the attached jpeg.

Hope that helps

Jim

1 Like

Yes. Every domain listed in a certificate must satisfy its challenge for the cert to be issued.

So, your certificate www.bluestarline.org which has 4 domain names in it will not succeed as it includes littleclose. If you don't reference that cert path in apache you can delete it with:

sudo certbot delete --cert-name www.bluestarline.org

Cert Details:

Certificate Name: www.bluestarline.org
Serial Number: 3696aa5a4f94c01ccca70d775238682518b
Key Type: RSA
Domains: www1.blake-online.net www.bluestarline.org www.littleclose.co.uk www.netunity.co.uk
Expiry Date: 2022-05-15 17:15:39+00:00 (VALID: 7 days)
Certificate Path: /etc/letsencrypt/live/www.bluestarline.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.bluestarline.org/privkey.pem

As a note, your cert name www.bluestarline.org-0001 looks to be the one you currently use in apache and has only that domain name in the cert.

2 Likes
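The two checks the replies describe (a lineage containing a name that no longer resolves will fail renewal as a whole, and a lineage whose names are all present in another lineage is a redundant duplicate), as an added Python example that is not from this thread or from Certbot. It parses the text that `certbot certificates` prints; the embedded sample is constructed in that shape from the lineages shown above, and DNS resolution is passed in as a function so the audit can be run offline (`resolves` is the live lookup).

```python
import re
import socket

# Constructed sample in the shape of `certbot certificates` output, modelled on this thread.
SAMPLE = """\
Found the following certs:
  Certificate Name: www.blake-online.net
    Domains: www.bluestarline.org www.blake-online.net www.netunity.co.uk
  Certificate Name: www.bluestarline.org-0001
    Domains: www.bluestarline.org
  Certificate Name: www.bluestarline.org
    Domains: www1.blake-online.net www.bluestarline.org www.littleclose.co.uk www.netunity.co.uk
"""

def parse_lineages(text):
    """Map each 'Certificate Name' to the SANs on its 'Domains:' line."""
    lineages, current = {}, None
    for line in text.splitlines():
        name = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        doms = re.match(r"\s*Domains:\s*(.+)", line)
        if name:
            current = name.group(1)
            lineages[current] = []
        elif doms and current:
            lineages[current] = doms.group(1).split()
    return lineages

def resolves(name):
    """Live DNS check: True if the name has any A/AAAA record (NXDOMAIN -> False)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def audit(lineages, resolver=resolves):
    """Return {lineage: [problems]}: one unresolvable SAN fails the whole renewal
    (every name must pass its challenge); SANs all held by another lineage are redundant."""
    report = {}
    for name, domains in lineages.items():
        problems = []
        dead = [d for d in domains if not resolver(d)]
        if dead:
            problems.append("will fail renewal, unresolvable SAN(s): " + ", ".join(dead))
        covered_by = [o for o, od in lineages.items() if o != name and set(domains) <= set(od)]
        if covered_by:
            problems.append("also covered by " + ", ".join(covered_by))
        if problems:
            report[name] = problems
    return report
```

Run `audit(parse_lineages(output))` on the real `certbot certificates` output; with the default resolver each SAN is looked up over live DNS, so a lineage flagged "will fail renewal" is the one to delete or re-issue without the dead name before the next `certbot renew`.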

Looks like that fixed it, I deleted the certificate as suggested and then tried a and it told me that there were no certificates due for renewal:

[root@bastion jim]# certbot delete --cert-name www.bluestarline.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log


The following certificate(s) are selected for deletion:

Are you sure you want to delete the above certificate(s)?


(Y)es/(N)o: y
Deleted all files relating to certificate www.bluestarline.org.
[root@bastion jim]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.blake-online.net.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.bluestarline.org-0001.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.netunity.co.uk-0001.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.netunity.co.uk.conf


Cert not yet due for renewal


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/www.blake-online.net/fullchain.pem expires on 2022-08-04 (skipped)
/etc/letsencrypt/live/www.bluestarline.org-0001/fullchain.pem expires on 2022-08-06 (skipped)
/etc/letsencrypt/live/www.netunity.co.uk-0001/fullchain.pem expires on 2022-07-11 (skipped)
/etc/letsencrypt/live/www.netunity.co.uk/fullchain.pem expires on 2022-08-05 (skipped)
No renewals were attempted.


[root@bastion jim]#

I'll keep an eye on it for 24 hours and report back, but meantime, thanks guys, I owe you!

Jim

2 Likes

Hi guys, it's run with no warning messages and a certificate with the correct expiry date, so it looks fixed. Thanks once again for all your help!

Jim

2 Likes
