Deleted certbot certificates and now facing issue

My domain is:
https://suvarnakar.store/
I ran this command:
Many commands including delete certbot, update certbot, sudo certbot etc
It produced this output:
sudo cat /var/log/letsencrypt/letsencrypt.log
2022-03-05 14:06:02,639:DEBUG:certbot.main:certbot version: 0.31.0
2022-03-05 14:06:02,640:DEBUG:certbot.main:Arguments:
2022-03-05 14:06:02,640:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-03-05 14:06:02,654:DEBUG:certbot.log:Root logging level set at 20
2022-03-05 14:06:02,655:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-03-05 14:06:02,655:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2022-03-05 14:06:02,772:ERROR:certbot.util:Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 41 of /etc/apache2/sites-enabled/suvrnakar-le-ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory

2022-03-05 14:06:02,772:DEBUG:certbot.plugins.disco:Misconfigured PluginEntryPoint#apache: Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 41 of /etc/apache2/sites-enabled/suvrnakar-le-ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2212, in config_test
util.run_script(self.option("conftest_cmd"))
File "/usr/lib/python3/dist-packages/certbot/util.py", line 86, in run_script
raise errors.SubprocessError(msg)
certbot.errors.SubprocessError: Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 41 of /etc/apache2/sites-enabled/suvrnakar-le-ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/plugins/disco.py", line 132, in prepare
self._initialized.prepare()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 235, in prepare
self.config_test()
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2214, in config_test
raise errors.MisconfigurationError(str(err))
certbot.errors.MisconfigurationError: Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 41 of /etc/apache2/sites-enabled/suvrnakar-le-ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory

2022-03-05 14:06:02,776:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f7fdee039b0>
Prep: Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 41 of /etc/apache2/sites-enabled/suvrnakar-le-ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory

2022-03-05 14:06:02,777:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
ubuntu@ip-172-31-28-223:/var/www/html$

For sudo certbot:
sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

apache2: Syntax error on line 225 of /etc/apache2/apache2.conf: Syntax error on line 41 of /etc/apache2/sites-enabled/suvrnakar-le-ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory

Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

My web server is (include version):
Apache
The operating system my web server runs on is (include version):
ubuntu 18.04
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Go on line 41 of that file and remove that include. (or just disable that virtualhost)

3 Likes

Please see the Certbot documentation about deleting certificates: User Guide — Certbot 1.24.0 documentation

This is also true for related files like the options-ssl-apache.conf.

Bottom line is: you shouldn't have deleted those files without fixing/removing the references to those files in your Apache configuration files.

Easiest way to fix it is to fetch /etc/letsencrypt/ from a recent backup. You DID make a backup when you deleted /etc/letsencrypt/, right?

3 Likes
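The check the reply above calls for, finding Apache directives that still reference files under /etc/letsencrypt before (or after) that directory is removed, as an added example that is not part of the original thread. The function names, the Debian/Ubuntu default path and the constructed sample vhost are assumptions.

```bash
# Added example (not from the thread): report Apache directives that point at
# files which no longer exist, e.g. after /etc/letsencrypt was deleted.
# find_dangling_refs and run_constructed_demo are hypothetical names.

find_dangling_refs() {
    conf_dir="${1:-/etc/apache2/sites-enabled}"   # Debian/Ubuntu layout (assumption)
    prefix="${2:-/etc/letsencrypt}"               # only check paths under this tree
    # -L follows the sites-enabled symlinks into sites-available.
    find -L "$conf_dir" -type f -name '*.conf' 2>/dev/null | sort |
    while IFS= read -r conf; do
        # Emit "file:line:directive:path" for directives Apache must be able to open.
        awk -v pfx="$prefix" '
            { d = tolower($1); p = $2; gsub(/"/, "", p) }
            (d == "include" || d ~ /^sslcertificate(key|chain)?file$/) &&
                index(p, pfx) == 1 { print FILENAME ":" FNR ":" $1 ":" p }
        ' "$conf"
    done |
    while IFS=: read -r conf lineno directive path; do
        # Keep only the references whose target is gone.
        [ -e "$path" ] || printf '%s:%s: %s -> %s (missing)\n' \
            "$conf" "$lineno" "$directive" "$path"
    done
}

# Constructed sample: a vhost whose key file and options include were deleted.
run_constructed_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sites-enabled" "$tmp/letsencrypt/live/example.test"
    touch "$tmp/letsencrypt/live/example.test/fullchain.pem"
    cat > "$tmp/sites-enabled/example-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName example.test
    SSLCertificateFile $tmp/letsencrypt/live/example.test/fullchain.pem
    SSLCertificateKeyFile $tmp/letsencrypt/live/example.test/privkey.pem
    # Include $tmp/letsencrypt/commented-out.conf
    Include $tmp/letsencrypt/options-ssl-apache.conf
</VirtualHost>
EOF
    # Replace the temp path with TMP so the output is stable between runs.
    find_dangling_refs "$tmp/sites-enabled" "$tmp/letsencrypt" | sed "s|$tmp|TMP|g"
    rm -rf "$tmp"
}

run_constructed_demo
```

Each reported line is a directive to remove or repoint before `apache2ctl configtest` will pass again; an empty result means no checked directive under the given prefix is dangling.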

I assume that's what the certbot rollback command is for. But I have never actually seen it in action.

2 Likes

I'm not sure if certbot rollback would work when Apache itself isn't working..

Also, rollback to what? Maybe the apache plugin has modified the configuration multiple times. Maybe it'll do more damage, not sure.

3 Likes

No, it probably won't even start if you obliterated /etc/letsencrypt

You can tell it how many times to go back.

2 Likes

But then you need to know how far to go back. Personally, I wouldn't use it. I would have absolutely no clue what Certbot would rollback into.

3 Likes

Neither would I. But then, I wouldn't use an installer plugin either. :smiley:

3 Likes

After removing include files.
I ran sudo certbot and get the error below
I also checked DNS A and it is showing server ip

:ERROR
Failed authorization procedure. www.suvarnakar.store (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.suvarnakar.store/.well-known/acme-challenge/hni9mLFbgaioHGI4GNF2LhSdlgA2R7OKEEAaftsT6iY: Timeout during connect (likely firewall problem), suvarnakar.store (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://suvarnakar.store/.well-known/acme-challenge/KvFouN7-odDr3kOXzsZ-G3NKloTuUR1vzurluUFzeQ0: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.suvarnakar.store
    Type: connection
    Detail: Fetching
    http://www.suvarnakar.store/.well-known/acme-challenge/hni9mLFbgaioHGI4GNF2LhSdlgA2R7OKEEAaftsT6iY:
    Timeout during connect (likely firewall problem)

    Domain: suvarnakar.store
    Type: connection
    Detail: Fetching
    http://suvarnakar.store/.well-known/acme-challenge/KvFouN7-odDr3kOXzsZ-G3NKloTuUR1vzurluUFzeQ0:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

1 Like

Is your webserver actually running?

What command did you use to invoke certbot?

2 Likes

I ran it and now facing error below
ubuntu@ip-172-31-28-223:~$ systemctl status apache2.service
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: active (running) since Sat 2022-03-05 18:07:01 UTC; 20s ago
Process: 17274 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 17293 (apache2)
Tasks: 7 (limit: 1135)
CGroup: /system.slice/apache2.service
├─17293 /usr/sbin/apache2 -k start
├─17298 /usr/sbin/apache2 -k start
├─17299 /usr/sbin/apache2 -k start
├─17300 /usr/sbin/apache2 -k start
├─17301 /usr/sbin/apache2 -k start
├─17302 /usr/sbin/apache2 -k start
└─17320 /usr/sbin/apache2 -k start

Mar 05 18:07:01 ip-172-31-28-223 systemd[1]: Starting The Apache HTTP Server...
Mar 05 18:07:01 ip-172-31-28-223 systemd[1]: Started The Apache HTTP Server.

netstat -nltp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::443 :::* LISTEN -
ubuntu@ip-172-31-28-223:~$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: suvarnakar.store
2: www.suvarnakar.store


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for suvarnakar.store and www.suvarnakar.store

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: suvarnakar.store
Type: connection
Detail: Fetching http://suvarnakar.store/.well-known/acme-challenge/g9a4ZWbY3BNWY6gAjsJ9zdD2QhBJOHMOin3KEYoyoQM: Timeout during connect (likely firewall problem)

Domain: www.suvarnakar.store
Type: connection
Detail: Fetching http://www.suvarnakar.store/.well-known/acme-challenge/3MQz2PsyP5HLB0-AL2j-PG0rkpJDH06fYCJAaGsFtwY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

Also, I don't have a backup of those deleted files. :disappointed_relieved:

1 Like

It looks like your webserver is only listening on ipv6 but you don't have an AAAA record. Is this on purpose?

1 Like

Not sure about that. Should I add an AAAA record?

1 Like

Eventually, sure.

I'd first make sure your webserver listens on ipv4.

2 Likes

I recently was corrected on this same issue. Some systems show tcp6 but that actually indicates it is listening on both.

Also, you need sudo netstat ... to see all columns of data

4 Likes

So was I, but I remember it the opposite way. (show tcp but mean both)

Ubuntu shouldn't be one of those, tho.

Actually, 18.04 could be one of those:

# nmap -p80,443  www.suvarnakar.store
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-05 19:36 CET
Nmap scan report for www.suvarnakar.store (3.129.141.202)
Host is up (0.10s latency).
rDNS record for 3.129.141.202: ec2-3-129-141-202.us-east-2.compute.amazonaws.com

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds
# nmap -p80,443  suvarnakar.store
Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-05 19:36 CET
Nmap scan report for suvarnakar.store (3.129.141.202)
Host is up (0.097s latency).
rDNS record for 3.129.141.202: ec2-3-129-141-202.us-east-2.compute.amazonaws.com

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds

80 closed and 443 open? Webserver not listening?

2 Likes

Getting Below Error

Requesting a certificate for suvarnakar.store and www.suvarnakar.store
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

What was your command?

Try adding --dry-run or --test-cert

Also, what were the errors before this? (five in the last hour alone)

Check that your website works without https, please.

3 Likes

Command with full error
sudo certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: suvarnakar.store
2: www.suvarnakar.store


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for suvarnakar.store and www.suvarnakar.store
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

2 Likes