Certbot renewal failed after trying multiple options

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
api.xxx.xx
I ran this command:
sudo certbot renew --force-renewal --cert-name api.xx.xx --dry-run
certbot certificates
sudo certbot update_symlinks
certbot certificates
certbot renew -force-renewal
certbot renew --force-renewal
sudo certbot renew --cert-name api.xx.xx --dry-run
sudo certbot renew --cert-name api.xx.xx --force-renewal
certbot --version
certbot-auto --version
certbot --version
sudo certbot renew --dry-run
sudo apt-get install --only-upgrade certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
certbot certificates
sudo certbot certificates
sudo certbot update_symlinks
sudo certbot certificates
sudo certbot update_symlinks
sudo certbot renew --dry-run
certbot certificates
sudo certbot certificates
history | grep certbot

It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (xx.xx.no) from /etc/letsencrypt/renewal/api.xx.xx.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/api.xx.xx/fullchain.pem (failure)
My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu v20.04
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Could you please share the contents of this file?

Do you remember how you obtained the certificate originally?


Hi @jmorahan ,

I ran the following command :
sudo certbot certonly --domains api.xx.xx
and then selected standalone.

After running:

sudo cat /var/log/letsencrypt/letsencrypt.log

I received this:

"""
2021-11-25 11:10:01,718:DEBUG:certbot.log:Root logging level set at 20

2021-11-25 11:10:01,718:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

2021-11-25 11:10:01,722:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80

2021-11-25 11:10:01,879:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503

2021-11-25 11:10:01,880:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/api.xx.xx/cert.pem is signed by the certificate's issuer.

2021-11-25 11:10:01,881:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/api.xx.xx/cert.pem is: OCSPCertStatus.GOOD
"""
The cert is now up and working according to the CLI. Anything else I should do, or just wait for it to propagate? I will also try to set up an auto-renew service now.

Hmm.

It does seem that you have successfully obtained a new certificate. Although I'm not sure exactly how - perhaps one of your earlier commands succeeded? If you try certbot renew --dry-run again now, does it work correctly?

You probably need to reload or possibly restart the web server process so that it picks up the new/renewed certificate. You'll want to automate this step as part of the automated renewal, which can be done with the --deploy-hook option.

I'd still like to see what's in the /etc/letsencrypt/renewal/api.xx.xx.conf file.

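The CLI checks above (certbot certificates and the OCSP lines in the log) only inspect what is on disk; a server process that loaded the previous certificate keeps presenting it until it is reloaded or restarted. The following is an added example, not code from this thread: a POSIX shell check that compares the SHA-256 fingerprint of the certificate actually served on a host:port with the fullchain.pem certbot wrote. It assumes openssl is installed; the host, port and path in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that the certificate a TLS
# endpoint presents is the one certbot has on disk. Assumes the openssl CLI.
set -eu

# SHA-256 fingerprint of the first certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served at host:port (uses SNI,
# so a host serving several names answers for the one we ask about).
served_fingerprint() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 when the two fingerprints are identical, 1 otherwise.
fingerprints_match() {
    [ "$1" = "$2" ]
}

# notAfter of a PEM certificate, for the report line.
pem_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# check_deployed HOST PORT /path/to/fullchain.pem
check_deployed() {
    disk=$(pem_fingerprint "$3")
    live=$(served_fingerprint "$1" "$2") || {
        echo "cannot fetch a certificate from $1:$2" >&2
        return 1
    }
    if fingerprints_match "$disk" "$live"; then
        echo "OK: $1:$2 serves the certificate in $3 (expires $(pem_not_after "$3"))"
    else
        echo "MISMATCH: $1:$2 serves $live but $3 is $disk; reload, restart, or copy the new files into place" >&2
        return 1
    fi
}

# Example invocation (placeholders; substitute your own host and path):
# check_deployed api.xx.xx 443 /etc/letsencrypt/live/api.xx.xx/fullchain.pem
```

A mismatch after a successful renewal is exactly the symptom in this thread: certbot is fine, the process serving port 443 is not.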

Sure, here is the output from cat /etc/letsencrypt/renewal/api.xx.xx.conf:


# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/api.xx.xx
cert = /etc/letsencrypt/live/api.xx.xx/cert.pem
privkey = /etc/letsencrypt/live/api.xx.xx/privkey.pem
chain = /etc/letsencrypt/live/api.xx.xx/chain.pem
fullchain = /etc/letsencrypt/live/api.xx.xx/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = [redacted]
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

Okay, now I'm even more confused. I don't understand how that could possibly have produced the error message that you got. I'd still advise running another --dry-run to confirm that everything is working now.

Also, since you used "certonly" originally, you definitely need to do something to tell your web server that there's a new certificate. Probably reload or restart it, as I said above.


We are also in the process of setting up a wildcard *.xx.xx on AWS using ACM. We have created a CNAME. I suspect this is affecting it?

Nothing I've seen so far seems to indicate that that could be related.


Which version of certbot did you say you were on?

The API is currently experiencing some issues so you may benefit from just waiting a few hours.


@webprofusion: Certbot version

(base) ubuntu@prod : ~ $ sudo certbot --version

certbot 0.40.0

@jmorahan here is output from running --dry-run
(base) ubuntu@prod : ~ $ sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/api.xx.xx.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for api.xx.xx
Waiting for verification...
Cleaning up challenges

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/api.xx.xx/fullchain.pem

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/api.xx.xx/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


Ok, please see if you can update certbot to a modern version before proceeding; that one is a couple of years old.

Your "dry run" (test) looks ok though, so maybe you can try without the dry run.



Do I need to uninstall and reinstall?

Do uninstall the apt version.


I completed the command and the version is now updated. Still no SSL on the subdomain.

Did you try restarting your web server yet?


Yes, I have rebooted the server (sudo reboot) and restarted the container application (docker start xxx).

Aha, there's a container application?

You might need to mount or copy the certificate into the container.

Do you remember how you did this originally?


This is the command run from the server:

command: "gunicorn -w ${GUNICORN_WORKERS} --certfile=fullchain.pem --keyfile=privkey.pem -b 0.0.0.0:${PORT} --access-logfile '-' src.server.app:create_app()"

Okay, but that's inside the docker container, right? So the gunicorn command is looking for a fullchain.pem and a privkey.pem inside the container.

You've renewed the certificate so now you have a new fullchain.pem and privkey.pem but they're presumably outside the container. So you (probably) need to figure out how to get them in.

Are there any other references to fullchain.pem and privkey.pem in your docker configuration?


Thank you for your assistance. What we did not do is move the new privkey and fullchain into the folder. I will be looking to create a .sh script to automate this now. Can you assist or perhaps provide some guidance on best practice here?

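One way to automate the step the last post asks about, given as an added example rather than code from this thread or from certbot: a deploy hook that copies the renewed fullchain.pem and privkey.pem out of the lineage directory under /etc/letsencrypt/live/ into a host directory the container bind-mounts, then restarts the container. Certbot runs deploy hooks only after a renewal actually succeeds (not on --dry-run) and exports RENEWED_LINEAGE and RENEWED_DOMAINS to them. The container name, the destination directory and the CERT_OWNER variable are placeholders for this example, not values taken from the thread.

```shell
#!/bin/sh
# Added example (not the thread's code): certbot deploy hook that copies the
# renewed certificate into a directory mounted into the container and then
# restarts the container so gunicorn starts with the new files.
#
# Register it once with
#   sudo certbot renew --deploy-hook /usr/local/sbin/deploy-to-docker.sh
# (certbot stores it in the renewal conf as renew_hook), or drop it, executable,
# into /etc/letsencrypt/renewal-hooks/deploy/.
set -eu

CONTAINER="${CONTAINER:-api}"            # placeholder: the container to restart
CERT_DIR="${CERT_DIR:-/srv/api/certs}"   # placeholder: host dir mounted into the container
CERT_OWNER="${CERT_OWNER:-}"             # placeholder: uid[:gid] the container runs as, if not root

# install_certs SRC DEST
# Copies fullchain.pem and privkey.pem from a live/<name> directory to DEST.
# cp -L follows certbot's symlinks into archive/ so the container gets real
# files (a symlink into /etc/letsencrypt is dangling inside the container).
# Writes to temporary names and renames, so a reader never sees a half-written
# key. Fails (non-zero) if a source file is missing, so certbot logs the hook error.
install_certs() {
    src="$1"; dest="$2"
    [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || {
        echo "install_certs: fullchain.pem or privkey.pem missing in $src" >&2
        return 1
    }
    mkdir -p "$dest"
    cp -L "$src/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp -L "$src/privkey.pem" "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0600 "$dest/privkey.pem.tmp"   # the private key stays owner-readable only
    if [ -n "$CERT_OWNER" ]; then
        chown "$CERT_OWNER" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
    fi
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# restart_container NAME
# A restart is the simplest way to make a gunicorn started with
# --certfile/--keyfile pick up replaced files.
restart_container() {
    command -v docker >/dev/null 2>&1 || {
        echo "restart_container: docker CLI not found, cannot restart $1" >&2
        return 1
    }
    docker restart "$1"
}

# Entry point used when certbot invokes the script.
deploy_hook() {
    lineage="${RENEWED_LINEAGE:-}"
    [ -n "$lineage" ] || { echo "RENEWED_LINEAGE is not set; run this from certbot" >&2; return 1; }
    install_certs "$lineage" "$CERT_DIR"
    restart_container "$CONTAINER"
    echo "deployed ${RENEWED_DOMAINS:-?} from $lineage to $CERT_DIR and restarted $CONTAINER"
}

# Run only when certbot set RENEWED_LINEAGE, so the functions can also be
# sourced and exercised on their own.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

CERT_DIR has to be the host side of a volume mapping whose container side is where the gunicorn command above looks for fullchain.pem and privkey.pem (its working directory, since the paths are relative); mount it read-only. If the container runs as a non-root user, set CERT_OWNER to that uid, because privkey.pem is written 0600 and would otherwise be unreadable inside the container. A deploy hook only fires on a real renewal, so test it once by hand with RENEWED_LINEAGE=/etc/letsencrypt/live/api.xx.xx exported.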