I was using apache for my website and created the SSL for Apache. Then for some reason, I have to change my server from Apache to Node.js. To do that I just copied the SSL certificates path from Apache’s Vhost file and pasted it in the configuration for Node.js.

It is now working fine. But then I got an email that says “Action required: Let’s Encrypt certificate renewals”. I open ssh to my VPS and updated the Certbot. But when I tried to renew the SSL certificates. I got an error that says “Unable to find a virtual host …”. I have deleted the virtual hosts from apache’s configuration.

Now my question is it still trying to change the apache’s virtual host files. Because I have a web server for my domain which is listening on port 80 and 443.

If the certificate was created with “certbot --apache” or just “certbot”, Certbot would continue to use the apache plugin when renewing the certificate, yes.

What web server is listening on port 80 now? Port 443?

Are you still using Apache at all?

Is there a port forwarding or reverse proxy configuration involved?

What does “sudo certbot certificates” show?

What are the contents of the files in /etc/letsencrypt/renewal/?

Depending on the situation, you might want to validate using something like Certbot’s webroot plugin, or you might want to continue using the apache plugin for validation. (For example, you might have an Apache virtual host that otherwise just redirects to HTTPS, or reverse proxies to Node.js.)

You’ll probably also want to set up a Certbot deploy hook to reload or restart the Node.js server so that it uses the new certificate.

Can you also answer most of the questions below?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hello @mnordhoff, I am impressed with such a quick response. Here are the answers to your questions.
Yes, the certificates were created using “certbot --apache”. I am not 100% sure But at that time I was using apache as the primary server.

Nodejs is listening on both ports 80 and 443.

Yes, I am still using apache to serve the WordPress blog.

Yes, you guessed it right. I am using nodejs as reverse proxy to serve wordpress through apache. But Nodejs also serves some requests on its own. It only transfers those requests to apache that has URL path starting with “/blog”.

Output for “sudo certbot certificates”
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: admin.inkpothub.com
Domains: admin.inkpothub.com
Expiry Date: 2019-04-29 09:48:24+00:00 (VALID: 33 days)
Certificate Path: /etc/letsencrypt/live/admin.inkpothub.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/admin.inkpothub.com/privkey.pem
Certificate Name: inkpothub.com
Domains: inkpothub.com www.inkpothub.com
Expiry Date: 2019-06-04 05:21:22+00:00 (VALID: 68 days)
Certificate Path: /etc/letsencrypt/live/inkpothub.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/inkpothub.com/privkey.pem

In “/etc/letsencrypt/renewal” there are two files admin.inkpothub.com.conf and inkpothub.com.conf.
contents for inkpothub.com
# renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/inkpothub.com
cert = /etc/letsencrypt/live/inkpothub.com/cert.pem
privkey = /etc/letsencrypt/live/inkpothub.com/privkey.pem
chain = /etc/letsencrypt/live/inkpothub.com/chain.pem
fullchain = /etc/letsencrypt/live/inkpothub.com/fullchain.pem

Options used in the renewal process

[renewalparams]
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = apache
account = a6c6b8fa00eb294215fee72c854f41ff

I don’t need admin.inkpothub.com domain anymore.

I am using Ubuntu 18.04 and have Full SSH access to it. I don’t use any control panel to manage this VPS.

My certbot veersion is: 0.31.0

Neither of those certificates is expiring particularly soon.

Certbot will start trying to renew the first one in 3 days, but if it fails, Let's Encrypt won't start to send you emails about it for almost 2 weeks.

What did the "Action required" email say?

What if you configure Node.js to reverse proxy requests for /.well-known/acme-challenge/ to Apache as well? Then you could still use the apache validator.

You'd still want to change Certbot's configuration to stop trying to configure Apache to use the certificate, and to reload or restart Node.js (unless Node.js handles that automatically?).

If the Node.js server is set up to serve static files from the filesystem, or can easily be changed to do so, you could change it to do that and change Certbot to use the webroot plugin.

If Apache is no longer using the certificate, you can use sudo certbot delete --cert-name admin.inkpothub.com to delete the certificate files.

Hi @amarjit-singh

the mail is sent 20 and 10 days before a certificate expires, if there is no newer certificate with the same domain name.

Your certificates:

There is no certificate with such an expiration date.

Is that an older tls-sni-01 - deprecated mail?

And your configuration is good, the newest certificate is used:

CN=inkpothub.com
	06.03.2019
	04.06.2019
expires in 69 days	inkpothub.com, www.inkpothub.com - 2 entries

@mnordhoff Yes, I still want to change Certbot’s configuration to stop trying to configure Apache to use the certificate, and to reload or restart Node.js.

yes, Node.js serves some static files from filesystem.

You can run with

certbot -a webroot -i none -d inkpothub.com -d www.inkpothub.com

I think -i none works for telling Certbot to stop trying to install the certificate in a web server (if it doesn’t, please let me know and I can research this question).

The first time that you do this, you’ll be prompted for the webroot (filesystem location where the top level of your static web site content can be found). Certbot will try to create .well-known/acme-challenge/somefile in this directory and expects that your Node server will then serve that file at http://inkpothub.com/.well-known/acme-challenge/somefile and https://www.inkpothub.com/.well-known/acme-challenge/somefile.

If the certificate issuance succeeds this way, Certbot will rememeber the webroot location that you specified and use it automatically for subsequent renewals.

@schoen I tried the command suggested by you
certbot -a webroot -i none -d inkpothub.com -d www.inkpothub.com

It returned me an error that the says webroot plugin is not installed. Then I tried running this command.
certbot certonly --webroot -w /path/to/document-root -d www.inkpothub.com -d inkpothub.com

It asked me to choose from following two options

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

I chose the second option and it worked without any error. Now I have renewed my certificates.

But I still have a doubt and that is,
do I have to renew my certificates on my own?
Or the certbot will do it on its own.

You could test this with certbot renew --dry-run, which does an test renewal using Let’s Encrypt’s staging server.

@schoen I tried running certbot renew --dry-run and sudo certbot renew --dry-run. But got the same output as follows

Saving debug log to /var/log/letsencrypt/letsencrypt.log

---

Processing /etc/letsencrypt/renewal/inkpothub.com.conf

---

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for inkpothub.com
http-01 challenge for www.inkpothub.com
Cleaning up challenges
Attempting to renew cert (inkpothub.com) from /etc/letsencrypt/renewal/inkpothub.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for inkpothub.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inkpothub.com/fullchain.pem (failure)

---

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/inkpothub.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

---

1 renew failure(s), 0 parse failure(s)

Could you post the contents of /etc/letsencrypt/renewal/inkpothub.com.conf?

@schoen Here are the contents of /etc/letsencrypt/renewal/inkpothub.com.conf file.

# renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/inkpothub.com
cert = /etc/letsencrypt/live/inkpothub.com/cert.pem
privkey = /etc/letsencrypt/live/inkpothub.com/privkey.pem
chain = /etc/letsencrypt/live/inkpothub.com/chain.pem
fullchain = /etc/letsencrypt/live/inkpothub.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
server = [https://acme-v02.api.letsencrypt.org/directory ](https://acme-v02.api.letsencrypt.org/directory)
authenticator = webroot
account = a6c6b8fa00eb294215fee72c854f41ff
webroot_path = /etc/tether/token-frontend/dist/ng-app/static-app,
[[webroot_map]]

Could you edit that file and remove the comma from the end of the webroot_path line, and also delete the [[webroot_map]] line?

@schoen I think now its working. Here is the output for certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/inkpothub.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for inkpothub.com
http-01 challenge for www.inkpothub.com
Using the webroot path /etc/tether/token-frontend/dist/ng-app/static-app for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/inkpothub.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/inkpothub.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)

That looks like a good sign!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.