Certbot renewal failed


#1

Hello, I installed certbot and got a certificate for my WordPress site on a Vultr server a while ago. I want to renew the certificate for the first time but encounter an error. I don’t know how to proceed from there. Any advice will be appreciated. Thank you.

The instruction I used to install a certificate is from https://www.vultr.com/docs/install-lets-encrypt-ssl-on-one-click-wordpress-app

The letsencrypt log is attached: https://www.dropbox.com/s/k157h4xikr252s5/certbot%20error%20log.txt?dl=0

My domain is: https://liu-kb.cc

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/liu-kb.cc.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for liu-kb.cc
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
Cleaning up challenges
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75,dle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 126olve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", li, in perform
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", li in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", li, in nginx_restart
    "nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 10call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 310leanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", li, in cleanup
    self.restart()
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", li in restart
    nginx_restart(self.conf('ctl'), self.nginx_conf)
  File "/usr/lib/python3/dist-packages/certbot_nginx/configurator.py", li, in nginx_restart
    "nginx restart failed:\n%s\n%s" % (out.read(), err.read()))
certbot.errors.MisconfigurationError: nginx restart failed:
b''
b''
Attempting to renew cert (liu-kb.cc) from /etc/letsencrypt/renewal/liu-kbf produced an unexpected error: nginx restart failed:
b''
b''. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/liu-kb.cc/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/liu-kb.cc/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My web server is (include version): nginx on Vultr

The operating system my web server runs on is (include version): Ubuntu 16.04 x64 4.9.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

I would give certbot-auto a try: https://certbot.eff.org/docs/install.html#certbot-auto
and also ensure the challenge requests are via http:


#3

Thanks for comments.
I got it fixed by killing all nginx processes that were running and re-running the command “certbot renew”.
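
A pre-flight check for the failure in post #1 (`invalid PID number "" in "/var/run/nginx.pid"`), which post #3 resolved by killing the leftover nginx processes. This is an added example, not part of the original thread: the function names `nginx_pidfile_state` and `renew_preflight` are hypothetical, and it assumes a Linux host with `/proc`.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the nginx PID file so a
# broken one is caught before `certbot renew` asks nginx to reload.

# Prints one of: missing, empty, invalid, stale, running
nginx_pidfile_state() {
    np_file="${1:-/var/run/nginx.pid}"
    [ -e "$np_file" ] || { echo missing; return 0; }
    # Strip newlines and blanks; a file holding only whitespace counts as empty.
    np_pid=$(tr -d '[:space:]' < "$np_file")
    [ -n "$np_pid" ] || { echo empty; return 0; }
    case "$np_pid" in
        *[!0-9]*) echo invalid; return 0 ;;
    esac
    # kill -0 fails without permission on another user's process,
    # so fall back to /proc (Linux) before calling the PID stale.
    if kill -0 "$np_pid" 2>/dev/null || [ -d "/proc/$np_pid" ]; then
        echo running
    else
        echo stale
    fi
}

# Returns 0 only when the PID file points at a live process.
renew_preflight() {
    rp_file="${1:-/var/run/nginx.pid}"
    rp_state=$(nginx_pidfile_state "$rp_file")
    if [ "$rp_state" = running ]; then
        echo "ok: $rp_file points at a live process"
        return 0
    fi
    echo "problem: $rp_file is $rp_state; nginx cannot be signalled through it"
    # List nginx processes the PID file no longer tracks (the situation
    # post #3 cleared by killing them), if pgrep is installed.
    if command -v pgrep >/dev/null 2>&1; then
        rp_orphans=$(pgrep -x nginx 2>/dev/null || true)
        [ -z "$rp_orphans" ] || echo "untracked nginx PIDs:" $rp_orphans
    fi
    return 1
}

# Usage: renew_preflight /var/run/nginx.pid && certbot renew
```
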


#4

Hi @terranan

That worked today. But the tls-sni-01 challenge is deprecated.

February 2019, you have to use another validation method.


#5

Hi, I did not know the info. Thanks for sharing.
Would you kindly guide me on what I should do to switch from TLS-SNI-01 to other options?


#6

Use the http-01 validation. Perhaps in combination with the webroot option as authenticator. So you can use your running webserver.


#7

So the nginx certbot can also run for http-01 by adding --preferred-challenges to the command? Thank you!


#8

Yes, that should work.