Certificate renewal failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sorrentino.test.builders

I ran this command: ping -c 4 letsencrypt.org

It produced this output: ping -c 4 letsencrypt.org
PING letsencrypt.org (3.75.10.80) 56(84) bytes of data.

--- letsencrypt.org ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3074ms

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I had an installed certificate for my test environment website. I noticed that some website certificates failed auto-renewal; when I tried to ping the service I got an error.
These are the logs of my failures:
2024-12-02 02:10:44,529:ERROR:certbot._internal.renewal:The following renewals failed:
2024-12-02 02:10:44,529:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/applifeamar.test.builders/fullchain.pem (failure)
/etc/letsencrypt/live/discoverlakecomolombardia.com/fullchain.pem (failure)
/etc/letsencrypt/live/gangofmonday.tech/fullchain.pem (failure)
/etc/letsencrypt/live/monitoring.acconsulting.tech/fullchain.pem (failure)
/etc/letsencrypt/live/my2024.lol/fullchain.pem (failure)
/etc/letsencrypt/live/oldfrigerio.test.builders/fullchain.pem (failure)
/etc/letsencrypt/live/sorrentino.test.builders/fullchain.pem (failure)
/etc/letsencrypt/live/template-wp.test.builders/fullchain.pem (failure)
/etc/letsencrypt/live/www.incacosmetics.test.builders/fullchain.pem (failure)
2024-12-02 02:10:44,529:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-12-02 02:10:44,529:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1460, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 500, in handle_renewal_request
raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 9 renew failure(s), 0 parse failure(s)
2024-12-02 02:10:44,531:ERROR:certbot._internal.log:9 renew failure(s), 0 parse failure(s)

You did not ping the "service" (I assume you mean the ACME service responsible for the certificate issuance), but the Let's Encrypt website; these are two different things. The website is also not pingable from my location. The ACME API is located at acme-v02.api.letsencrypt.org.

The snippet of the log you've shown actually doesn't give any helpful information, I'm afraid. Please post more or preferably the entire log.

1 Like
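Added example, not part of the original thread: ICMP ping says nothing about the ACME API, which certbot reaches over HTTPS on port 443, so the useful check is to fetch the directory and confirm it advertises the RFC 8555 endpoints. The function names and the same-host rule (a local sanity check, not an RFC requirement) are assumptions of this example.

```python
import json
import urllib.request
from urllib.parse import urlsplit

ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
# Endpoints an RFC 8555 directory has to advertise for issuance and renewal.
REQUIRED = ("newNonce", "newAccount", "newOrder")


def check_directory(doc, expected_host):
    """Return a list of problems found in a parsed ACME directory object."""
    if not isinstance(doc, dict):
        return ["directory is not a JSON object"]
    problems = []
    for key in REQUIRED:
        url = doc.get(key)
        if not isinstance(url, str):
            problems.append(f"missing endpoint: {key}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        # Assumption: endpoints on another host hint at a rewriting proxy.
        if parts.hostname != expected_host:
            problems.append(f"{key} points at unexpected host: {parts.hostname}")
    return problems


def probe(url=ACME_DIRECTORY, timeout=10):
    """Fetch the directory over HTTPS, as certbot does, and validate it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            doc = json.load(resp)
    except (OSError, ValueError) as exc:  # DNS, TCP, TLS, HTTP or JSON failure
        return [f"cannot fetch {url}: {exc}"]
    return check_directory(doc, urlsplit(url).hostname)


# Constructed sample shaped like an ACME directory, so the check runs offline.
SAMPLE = {
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
    "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
}

if __name__ == "__main__":
    for line in probe() or ["ACME directory reachable and well-formed"]:
        print(line)
```

An empty result from `probe()` means DNS, outbound TCP 443, TLS validation and the API itself all worked from this host, which is what a renewal needs.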

2024-12-02 02:10:44,529:ERROR:certbot._internal.renewal:The following renewals failed:
2024-12-02 02:10:44,529:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/applifeamar.test.builders/fullchain.pem (failure)
/etc/letsencrypt/live/discoverlakecomolombardia.com/fullchain.pem (failure)
/etc/letsencrypt/live/gangofmonday.tech/fullchain.pem (failure)
/etc/letsencrypt/live/monitoring.acconsulting.tech/fullchain.pem (failure)
/etc/letsencrypt/live/my2024.lol/fullchain.pem (failure)
/etc/letsencrypt/live/oldfrigerio.test.builders/fullchain.pem (failure)
/etc/letsencrypt/live/sorrentino.test.builders/fullchain.pem (failure)
/etc/letsencrypt/live/template-wp.test.builders/fullchain.pem (failure)
/etc/letsencrypt/live/www.incacosmetics.test.builders/fullchain.pem (failure)
2024-12-02 02:10:44,529:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-12-02 02:10:44,529:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1460, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 500, in handle_renewal_request
raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 9 renew failure(s), 0 parse failure(s)
2024-12-02 02:10:44,531:ERROR:certbot._internal.log:9 renew failure(s), 0 parse failure(s)
2024-12-02 09:41:55,831:DEBUG:certbot._internal.main:certbot version: 1.21.0
2024-12-02 09:41:55,832:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2024-12-02 09:41:55,832:DEBUG:certbot._internal.main:Arguments:
2024-12-02 09:41:55,832:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-12-02 09:41:55,840:DEBUG:certbot._internal.log:Root logging level set at 30
2024-12-02 09:41:55,842:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2024-12-02 09:41:55,898:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.52
2024-12-02 09:41:56,483:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fe6ef353bb0>
Prep: True
2024-12-02 09:41:56,484:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fe6ef353bb0> and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fe6ef353bb0>
2024-12-02 09:41:56,484:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2024-12-02 09:41:56,538:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1203319117', new_authzr_uri=None, terms_of_service=None), 8fe150ad65f809cc908546920133361b, Meta(creation_dt=datetime.datetime(2023, 7, 12, 13, 8, 5, tzinfo=), creation_host='cluster-01', register_to_eff=None))>
2024-12-02 09:41:56,539:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-12-02 09:41:56,541:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-12-02 09:41:56,922:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 746
2024-12-02 09:41:56,923:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 02 Dec 2024 08:41:56 GMT
Content-Type: application/json
Content-Length: 746
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"fvZ2wLjiCm0": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2024-12-02 09:42:35,554:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1282, in run
domains, certname = _find_domains_or_certname(config, installer)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 466, in _find_domains_or_certname
raise errors.Error("Please specify --domains, or --installer that "
certbot.errors.Error: Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.
2024-12-02 09:42:35,556:ERROR:certbot._internal.log:Please specify --domains, or --installer that will help in domain names autodiscovery, or --cert-name for an existing certificate name.
This is the full log entry for today. I tried to run a command for a check.

I'm not sure what that last log from 09:4x is, because looking at:

It looks like you just ran certbot without any options? And it doesn't provide any information about renewing or even that it attempted as such. But the top part of the log from 02:10 does mention something about renewal.

Maybe you can run sudo certbot renew -vv so it will provide verbose logging to the command line and post that?

1 Like
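Added example, not part of the original thread: the summary block in the log names each failed lineage by its /etc/letsencrypt/live/<name>/ path, and that directory name is the value --cert-name takes. This sketch extracts the names from such a block and builds one verbose renew command per certificate; the function names are assumptions and the sample lines use constructed example.* names.

```python
import re
import shlex

HEADER = "The following renewals failed:"
# certbot log prefix: "YYYY-MM-DD HH:MM:SS,mmm:LEVEL:logger:message"
STAMPED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}:[A-Z]+:[^:]+:(.*)$")
FAILED = re.compile(r"/live/([^/\s]+)/fullchain\.pem \(failure\)")


def failed_lineages(log_text):
    """Return certificate names from every 'renewals failed' block, in order."""
    names, in_block = [], False
    for line in log_text.splitlines():
        stamped = STAMPED.match(line)
        body = stamped.group(1) if stamped else line
        if HEADER in body:
            in_block = True
            continue
        if not in_block:
            continue
        hit = FAILED.search(body)
        if hit:
            # Logs get pasted and rotated; report each lineage once.
            if hit.group(1) not in names:
                names.append(hit.group(1))
        elif stamped:
            # A new timestamped record without a failure path ends the block.
            in_block = False
    return names


def renew_commands(names):
    """Build per-certificate verbose renew commands; quote log-derived names."""
    return [f"sudo certbot renew --cert-name {shlex.quote(n)} -vv" for n in names]


# Constructed sample in the same layout as the renewal summary in the log.
SAMPLE_LOG = """\
2024-12-02 02:10:44,529:ERROR:certbot._internal.renewal:The following renewals failed:
2024-12-02 02:10:44,529:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/a.example.com/fullchain.pem (failure)
  /etc/letsencrypt/live/b.example.net/fullchain.pem (failure)
2024-12-02 02:10:44,529:DEBUG:certbot._internal.log:Exiting abnormally:
  /etc/letsencrypt/live/ignored.example.org/fullchain.pem (failure)
"""

if __name__ == "__main__":
    print("\n".join(renew_commands(failed_lineages(SAMPLE_LOG))))
```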

That command was a certbot for just checking the website for which I had the certificate. The log before was automatic; I had certbot installed before.
sudo certbot renew --cert-name sorrentino.test.builders -vv
I ran this command and all worked again. I tried a dry run earlier and it failed, but now it is working.
Do you know if certbot is now going to try the renewal again automatically?

It depends how you installed Certbot. On Ubuntu 22 the recommended way is the snap install. But, I can tell you did not use that since your Certbot is v1.21.0. The current version is 3.x which snap keeps up-to-date automatically.

Please review the following topic for how to check if Certbot has auto-renew setup.

https://eff-certbot.readthedocs.io/en/latest/using.html#automated-renewals

And this if you want to change to snap install. Please follow steps carefully

3 Likes