Certificate renewal failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
suhozid.hr
I ran this command:
certbot renew --force-renewal --cert-name suhozid.hr
It produced this output:


Processing /etc/letsencrypt/renewal/www.suhozid.hr.conf


Renewing an existing certificate for www.suhozid.hr
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using ['apache2ctl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
Failed to renew certificate www.suhozid.hr with error: Error while running apache2ctl graceful.
httpd not running, trying to start
Action 'graceful' failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.suhozid.hr/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Apache 2.4.52
The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:
orbis.hr >> aws Route 53

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
2.11.0

That doesn't fix anything - don't use it.
What shows?:

- certbot certificates

- cat /etc/letsencrypt/renewal/www.suhozid.hr.conf

Also, note:

Name:      suhozid.hr
Addresses: 65.8.178.66
           65.8.178.17
           65.8.178.4
           65.8.178.56
1 Like

ok.

$ cat /etc/letsencrypt/renewal/www.suhozid.hr.conf

# renew_before_expiry = 30 days
version = 2.10.0
archive_dir = /etc/letsencrypt/archive/www.suhozid.hr
cert = /etc/letsencrypt/live/www.suhozid.hr/cert.pem
privkey = /etc/letsencrypt/live/www.suhozid.hr/privkey.pem
chain = /etc/letsencrypt/live/www.suhozid.hr/chain.pem
fullchain = /etc/letsencrypt/live/www.suhozid.hr/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0767909cd4f13bf268b1c2ae6f20f9c7
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

what does this mean in the context of my question?

It means that your server may be behind a load-balancer.
When using HTTP-01 authentication, you have to be sure that the HTTP challenge requests reach the system in question.

1 Like

That is a confusing error message:

Given:

Which is explained by:

It seems something is already running on port 80.

What shows?:

ss -plnt | grep 80

1 Like

I didn't see your response to this:

1 Like

$ ss -plnt | grep 80
LISTEN 0 511 *:80 :
ubuntu@ip-172-31-27-140:~$ certbot certificates

The following error was encountered:
[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-r3k0keit/log or re-run Certbot with -v for more details.
ubuntu@ip-172-31-27-140:~$

The first issue might not be relevant: Apache was down, I rebooted the system and got it running...

Upon running 'certbot certificates' with sudo:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: suhozid.hr-0001
Serial Number: 4889173f6a8af8d6d894bda722fc885d2a8
Key Type: ECDSA
Domains: suhozid.hr
Expiry Date: 2024-09-22 13:09:00+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/suhozid.hr-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/suhozid.hr-0001/privkey.pem
Certificate Name: suhozid.hr
Serial Number: 37177c633d535a7ce3051632eabe2277538
Key Type: ECDSA
Domains: suhozid.hr www.suhozid.hr
Expiry Date: 2024-07-11 11:56:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/suhozid.hr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/suhozid.hr/privkey.pem
Certificate Name: www.suhozid.hr
Serial Number: 3c98780c83d4ba5a8fcb851c4b502c919ef
Key Type: ECDSA
Domains: www.suhozid.hr
Expiry Date: 2024-07-24 12:54:41+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/www.suhozid.hr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.suhozid.hr/privkey.pem


That seems a bit messy.
Which cert(s) are you actually using?

2 Likes

I don't know :blush:

Show the output of this:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

VirtualHost configuration:
*:80 suhozid.hr (/etc/apache2/sites-enabled/suhozid.hr.conf:11)
*:443 suhozid.hr (/etc/apache2/sites-enabled/suhozid.hr.conf:40)

Perfect.
Let's have a look at that file:
cat /etc/apache2/sites-enabled/suhozid.hr.conf

2 Likes
#ServerName suhozid.hr

LoadModule wsgi_module "/home/ubuntu/dev/lib/python3.10/site-packages/mod_wsgi/server/mod_wsgi-py310.cpython-310-x86_64-linux-gnu.so"
WSGIPythonHome "/home/ubuntu/dev"

WSGIApplicationGroup %{GLOBAL}


#HTTP
<VirtualHost *:80>

    #WSGIPassAuthorization on
    #WSGIDaemonProcess arches python-home=/home/ubuntu/dev/ python-path=/home/ubuntu/suhozid
    #WSGIScriptAlias / /home/ubuntu/suhozid/suhozid/wsgi.py process-group=arches
    
    WSGIApplicationGroup %{GLOBAL}
    # WSGIDaemonProcess arches 
    # WSGIProcessGroup arches
    # WSGIScriptAlias / /home/ubuntu/suhozid/suhozid/wsgi.py process-group=arches
    
    ServerName suhozid.hr
    ServerAlias 3.124.4.144
    
    Redirect permanent / https://suhozid.hr/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # This is optional, in case you want to redirect people
    # from http to https automatically.
    #RewriteEngine On
    #RewriteCond %{SERVER_PORT} !^443$
    #RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

</VirtualHost>


#HTTPS
<VirtualHost *:443>
    WSGIPassAuthorization on
    WSGIDaemonProcess arches python-home=/home/ubuntu/dev/ python-path=/home/ubuntu/suhozid
    WSGIScriptAlias / /home/ubuntu/suhozid/suhozid/wsgi.py process-group=arches

    <Directory /home/ubuntu/suhozid/>
                Options Indexes FollowSymLinks
                AllowOverride None
                Require all granted
    </Directory>

    Alias /static/ /home/ubuntu/suhozid/suhozid/static/
    <Directory /home/ubuntu/suhozid/suhozid/static>
                Options Indexes FollowSymLinks
                AllowOverride None
                Require all granted
    </Directory>

    Alias /files/uploadedfiles /home/ubuntu/suhozid/suhozid/uploadedfiles
    <Directory /home/ubuntu/suhozid/suhozid/files/uploadedfiles>
                Options Indexes FollowSymLinks
                AllowOverride None
                Require all granted
    </Directory>

    #RedirectMatch permanent ^(.*)$ https://suhozid.hr$1

    ServerName suhozid.hr
    #ServerAdmin admin@localhost
    ServerAlias 3.124.4.144
    #DocumentRoot /var/www/default
    #DocumentRoot /home/ubuntu/suhozid

    LogLevel debug
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/suhozid.hr-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/suhozid.hr-0001/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>

It's using the first cert.
But that one doesn't have both names on it.
I would edit that file to use the second cert [with both names on it].

    SSLCertificateFile /etc/letsencrypt/live/suhozid.hr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/suhozid.hr/privkey.pem

Then restart Apache.
Then delete the two unused certs.

2 Likes

I see, but the second one is expired!

1 Like

Good catch!

Then we must renew it first.
certbot renew --cert-name suhozid.hr

[although that sounds like where you started... you also said you recently rebooted]

2 Likes

yes...

Processing /etc/letsencrypt/renewal/suhozid.hr.conf


Renewing an existing certificate for suhozid.hr and www.suhozid.hr

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.suhozid.hr
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for www.suhozid.hr - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.suhozid.hr - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate suhozid.hr with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/suhozid.hr/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Well that explains this:


To quote the maintainer of that:
"DNS resolution was awfully slow: Like 56 seconds just to get an A record."

You need to verify/fix DNS first.

2 Likes
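An added pre-flight check (example code, not Certbot's and not the poster's) that ties together the two pieces of advice above: which lineage the *:443 vhost actually loads versus which lineage carries both names, whether the loaded one has expired, and whether every name the site must serve resolves at all (HTTP-01 cannot succeed for a name that returns NXDOMAIN). The sample inputs are constructed from the values shown in this thread; WANTED, NOW_IN_THREAD and the injectable `resolve` parameter are assumptions.

```python
import re
import socket
from datetime import datetime, timezone
# Constructed sample: `certbot certificates` lines as quoted in the thread.
CERTBOT_OUTPUT = """\
Certificate Name: suhozid.hr-0001
Domains: suhozid.hr
Expiry Date: 2024-09-22 13:09:00+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/suhozid.hr-0001/fullchain.pem
Certificate Name: suhozid.hr
Domains: suhozid.hr www.suhozid.hr
Expiry Date: 2024-07-11 11:56:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/suhozid.hr/fullchain.pem
"""
# Constructed sample: the SSL line of the *:443 vhost shown in the thread.
VHOST = "    SSLCertificateFile /etc/letsencrypt/live/suhozid.hr-0001/fullchain.pem\n"
WANTED = {"suhozid.hr", "www.suhozid.hr"}  # assumption: names the site must answer for
NOW_IN_THREAD = datetime(2024, 8, 23, tzinfo=timezone.utc)  # assumed from "VALID: 30 days"

def parse_certbot(text):
    """Map each lineage name to its covered domains, expiry and fullchain path."""
    lineages = {}
    for block in re.split(r"(?=^Certificate Name:)", text, flags=re.M):
        fields = dict(re.findall(r"^\s*([A-Za-z ]+): (.*)$", block, re.M))
        if "Certificate Name" in fields:
            lineages[fields["Certificate Name"]] = {
                "domains": set(fields["Domains"].split()),
                "expiry": datetime.fromisoformat(fields["Expiry Date"].split(" (")[0]),
                "path": fields["Certificate Path"],
            }
    return lineages

def check(conf, certbot_text, wanted, now, resolve=socket.gethostbyname):
    """Findings to act on before `certbot renew`; `resolve` is injectable for tests."""
    path = re.search(r"^\s*SSLCertificateFile\s+(\S+)", conf, re.M).group(1)
    lineages = parse_certbot(certbot_text)
    used = next((n for n, c in lineages.items() if c["path"] == path), None)
    domains = lineages[used]["domains"] if used else set()

    def resolves(name):
        try:
            return bool(resolve(name))  # gethostbyname raises gaierror (an OSError) on NXDOMAIN
        except OSError:
            return False

    return {
        "lineage": used,                                 # what Apache really loads
        "missing_names": sorted(set(wanted) - domains),  # names that cert lacks
        "expired": used is not None and lineages[used]["expiry"] <= now,
        "covering": sorted(n for n, c in lineages.items() if set(wanted) <= c["domains"]),
        "unresolved": [n for n in sorted(wanted) if not resolves(n)],  # HTTP-01 fails here
    }
```

Run against live input by pasting the real `sudo certbot certificates` output and the vhost file; with the thread's values it reports that Apache loads suhozid.hr-0001 (lacking www.suhozid.hr), that only the expired suhozid.hr lineage covers both names, and that www.suhozid.hr does not resolve, so DNS must be fixed before renewal can succeed.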