Dry run failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: maillist.naturalintelligence.us

I ran this command: certbot renew --dry-run

It produced this output:

```
Processing /etc/letsencrypt/renewal/maillist.naturalintelligence.us-0001.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for maillist.naturalintelligence.us
Cleaning up challenges
Attempting to renew cert (maillist.naturalintelligence.us-0001) from /etc/letsencrypt/renewal/maillist.naturalintelligence.us-0001.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for maillist.naturalintelligence.us:. Skipping.

Processing /etc/letsencrypt/renewal/maillist.naturalintelligence.us.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for maillist.naturalintelligence.us
http-01 challenge for www.maillist.naturalintelligence.us
Cleaning up challenges
Attempting to renew cert (maillist.naturalintelligence.us) from /etc/letsencrypt/renewal/maillist.naturalintelligence.us.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for maillist.naturalintelligence.us:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/maillist.naturalintelligence.us-0001/fullchain.pem (failure)
/etc/letsencrypt/live/maillist.naturalintelligence.us/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/maillist.naturalintelligence.us-0001/fullchain.pem (failure)
/etc/letsencrypt/live/maillist.naturalintelligence.us/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

2 renew failure(s), 0 parse failure(s)
root@localhost:/var/log/letsencrypt#
```

My web server is (include version): Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version): Debian 10 (buster)

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

You probably got the cert using some partial manual input and now the renewal process is missing that input.

Let’s have a look at the files:
/etc/letsencrypt/renewal/maillist.naturalintelligence.us-0001.conf
/etc/letsencrypt/renewal/maillist.naturalintelligence.us.conf

And the output of:
certbot certificates
[since you have two active confs for what appears to be the same domain(s)]

```
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/maillist.naturalintelligence.us-0001
cert = /etc/letsencrypt/live/maillist.naturalintelligence.us-0001/cert.pem
privkey = /etc/letsencrypt/live/maillist.naturalintelligence.us-0001/privkey.pem
chain = /etc/letsencrypt/live/maillist.naturalintelligence.us-0001/chain.pem
fullchain = /etc/letsencrypt/live/maillist.naturalintelligence.us-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 27e1d0a64729e21395479cfe5d9728d5
authenticator = webroot
webroot_path = /var/lib/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
```

```
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/maillist.naturalintelligence.us
cert = /etc/letsencrypt/live/maillist.naturalintelligence.us/cert.pem
privkey = /etc/letsencrypt/live/maillist.naturalintelligence.us/privkey.pem
chain = /etc/letsencrypt/live/maillist.naturalintelligence.us/chain.pem
fullchain = /etc/letsencrypt/live/maillist.naturalintelligence.us/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 27e1d0a64729e21395479cfe5d9728d5
authenticator = webroot
webroot_path = /var/lib/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
```

```
certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: maillist.naturalintelligence.us-0001
    Domains: maillist.naturalintelligence.us
    Expiry Date: 2020-11-22 13:00:14+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/maillist.naturalintelligence.us-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/maillist.naturalintelligence.us-0001/privkey.pem
  Certificate Name: maillist.naturalintelligence.us
    Domains: maillist.naturalintelligence.us www.maillist.naturalintelligence.us
    Expiry Date: 2020-11-22 13:35:11+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/maillist.naturalintelligence.us/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/maillist.naturalintelligence.us/privkey.pem

root@localhost:/var/log/letsencrypt#
```

Q1. Do you need (are you using) both of these names?

Q2. Did you have to manually provide the --webroot path during the initial install?

In the interim, try adding the webroot path to the map manually (if you can).
Edit maillist.naturalintelligence.us-0001.conf and add a new line at the bottom:

```
maillist.naturalintelligence.us = /var/lib/letsencrypt
```

Edit maillist.naturalintelligence.us.conf and add two new lines at the bottom:

```
maillist.naturalintelligence.us = /var/lib/letsencrypt
www.maillist.naturalintelligence.us = /var/lib/letsencrypt
```
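The condition diagnosed above (webroot authenticator, `webroot_path` set, but an empty `[[webroot_map]]`) can be checked mechanically before running `certbot renew`. The following is an added example, not certbot's own code or anything from this thread: a minimal reader for the renewal conf format that reports which certificate domains have no webroot entry and produces the lines to append. The conf text, account id and domain names are constructed to mirror the thread, not copied from the poster's files.

```python
"""Check a certbot renewal conf for [[webroot_map]] coverage.

Added example (not certbot's own code). certbot's renewal conf nests a
[[webroot_map]] sub-section under [renewalparams]; standard configparser
cannot express that, so a small hand-rolled reader is used here. A domain
in the certificate with no webroot_map entry is exactly what produces
"Missing command line flag or config entry for this setting:
Input the webroot for <domain>" during `certbot renew`.
"""

# Constructed sample: webroot authenticator, webroot_path set, map empty.
BROKEN_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/maillist.example
cert = /etc/letsencrypt/live/maillist.example/cert.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
webroot_path = /var/lib/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
"""

# Same file after the two map lines recommended in the thread are appended.
FIXED_CONF = BROKEN_CONF + (
    "maillist.example = /var/lib/letsencrypt\n"
    "www.maillist.example = /var/lib/letsencrypt\n"
)


def parse_renewal_conf(text):
    """Return (top_level, renewalparams, webroot_map) as dicts of key -> value."""
    top, params, webroot_map = {}, {}, {}
    target = top
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[renewalparams]":
            target = params
            continue
        if line == "[[webroot_map]]":
            target = webroot_map
            continue
        if line.startswith("["):
            continue  # any other section is ignored
        key, _, value = line.partition("=")
        target[key.strip()] = value.strip()
    return top, params, webroot_map


def missing_webroots(conf_text, domains):
    """Domains certbot would have to prompt for during a webroot renewal."""
    _, params, webroot_map = parse_renewal_conf(conf_text)
    if params.get("authenticator") != "webroot":
        return []  # only the webroot authenticator needs a per-domain map
    return [d for d in domains if d not in webroot_map]


def suggested_lines(conf_text, domains):
    """Lines to append under [[webroot_map]], reusing the configured webroot_path."""
    _, params, _ = parse_renewal_conf(conf_text)
    # certbot stores webroot_path as a trailing-comma list; use the first entry
    path = params.get("webroot_path", "").split(",")[0].strip()
    return [f"{d} = {path}" for d in missing_webroots(conf_text, domains)]


if __name__ == "__main__":
    # The domains would normally come from `certbot certificates`.
    names = ["maillist.example", "www.maillist.example"]
    for line in suggested_lines(BROKEN_CONF, names):
        print("append:", line)
```

Run it against a real file by reading `/etc/letsencrypt/renewal/<name>.conf` into `conf_text` and passing the `Domains:` list printed by `certbot certificates`; an empty result from `missing_webroots` means the dry run will not stop at the webroot prompt.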

I do not need www.maillist.naturalintelligence.us but added it in case certbot insisted upon it.

No, I did not have to provide a webroot path during the initial install.

Thank you for your assistance! I have done all you have suggested. Now what would you like for me to do?

Try the dry-run again.

And if you don’t need the www, you can delete that cert (provided you aren’t using that one).

Okay, that worked. However, now I get a browser error trying https://maillist.naturalintelligence.us saying ERR_TOO_MANY_REDIRECTS.

That is not a cert created problem.

What does your webserver config look like?
[where it does the redirection]

```
<VirtualHost *:80>
ServerName maillist.naturalintelligence.us
Redirect permanent / https://maillist.naturalintelligence.us/
RewriteEngine on
RewriteCond %{SERVER_NAME} =maillist.naturalintelligence.us
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
DocumentRoot /var/www/html/maillist.naturalintelligence.us/public_html
ErrorLog /var/www/html/maillist.naturalintelligence.us/logs/maillist.naturalintelligence.us-error.log
CustomLog /var/www/html/maillist.naturalintelligence.us/logs/maillist.naturalintelligence.us-access.log combined
Options ExecCGI
AddHandler cgi-script .pl

Options +ExecCGI
FcgidConnectTimeout 20
AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php
Alias /php7-fcgi /usr/lib/cgi-bin/php7-fcgi
ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:listen = /var/run/php/php7.3-fpm_example.com.sock|fcgi://localhost/var/www/html/example.com/public_html/"
</VirtualHost>
```

What does the TLS/HTTPS/port 443 vhost config look like?

I get redirected by both HTTP and HTTPS (to HTTPS):

```
curl -Iki http://maillist.naturalintelligence.us/
HTTP/1.1 301 Moved Permanently
Date: Mon, 24 Aug 2020 18:51:24 GMT
Server: Apache/2.4.38 (Debian)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://maillist.naturalintelligence.us/
Content-Type: text/html; charset=iso-8859-1

curl -Iki https://maillist.naturalintelligence.us/
HTTP/1.1 301 Moved Permanently
Date: Mon, 24 Aug 2020 18:51:32 GMT
Server: Apache/2.4.38 (Debian)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://maillist.naturalintelligence.us/
Content-Type: text/html; charset=iso-8859-1
```
```
<VirtualHost *:443>
ServerName maillist.naturalintelligence.us
Redirect permanent / https://maillist.naturalintelligence.us/
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
RewriteCond %{SERVER_NAME} =maillist.naturalintelligence.us
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
DocumentRoot /var/www/html/maillist.naturalintelligence.us/public_html
ErrorLog /var/www/html/maillist.naturalintelligence.us/logs/maillist.naturalintelligence.us-error.log
CustomLog /var/www/html/maillist.naturalintelligence.us/logs/maillist.naturalintelligence.us-access.log combined
Options ExecCGI
AddHandler cgi-script .pl

Options +ExecCGI
FcgidConnectTimeout 20
AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php
Alias /php7-fcgi /usr/lib/cgi-bin/php7-fcgi
ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:listen = /var/run/php/php7.3-fpm_example.com.sock|fcgi://localhost/var/www/html/example.com/public_html/"

SSLCertificateFile /etc/letsencrypt/live/maillist.naturalintelligence.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/maillist.naturalintelligence.us/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

Very difficult to read your post.

Please edit it and add three back ticks above and below your text.

Like

```
your text
```

```
<VirtualHost *:443>
ServerName maillist.naturalintelligence.us
Redirect permanent / https://maillist.naturalintelligence.us/
RewriteEngine on
# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.
RewriteCond %{SERVER_NAME} =maillist.naturalintelligence.us
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
DocumentRoot /var/www/html/maillist.naturalintelligence.us/public_html
ErrorLog /var/www/html/maillist.naturalintelligence.us/logs/maillist.naturalintelligence.us-error.log
CustomLog /var/www/html/maillist.naturalintelligence.us/logs/maillist.naturalintelligence.us-access.log combined
Options ExecCGI
AddHandler cgi-script .pl

Options +ExecCGI
FcgidConnectTimeout 20
AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php
Alias /php7-fcgi /usr/lib/cgi-bin/php7-fcgi
ProxyPassMatch "^/(.*\.php(/.*)?)$" "unix:listen = /var/run/php/php7.3-fpm_example.com.sock|fcgi://localhost/var/www/html/example.com/public_html/"

SSLCertificateFile /etc/letsencrypt/live/maillist.naturalintelligence.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/maillist.naturalintelligence.us/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

You can safely remove these lines:

But you are probably running Apache and there may be some other overlapping vhosts to address.
Please show the output of:
apachectl -S
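The loop shown by the two `curl -Iki` calls above comes from an HTTP-to-HTTPS redirect that was copied into the `*:443` vhost, where every request answers with a 301 to itself. The following is an added example, not Apache's, certbot's or the poster's code: it scans Apache vhost text and, for each `<VirtualHost>` on port 443, reports `Redirect` and `RewriteRule` directives whose target is `https://` on the vhost's own `ServerName`. The sample config and domain are constructed in the shape of the thread's two vhosts.

```python
"""Flag HTTPS vhosts that redirect to themselves (the ERR_TOO_MANY_REDIRECTS case).

Added example, not Apache's or certbot's code. An HTTP->HTTPS redirect
belongs only in the :80 vhost; the same directive inside the :443 vhost
sends the browser back to the URL it just requested.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the :80 vhost correctly redirects to HTTPS, the :443
# vhost carries a copy of the same redirect and therefore loops.
SAMPLE_CONFIG = """\
<VirtualHost *:80>
    ServerName maillist.example
    Redirect permanent / https://maillist.example/
</VirtualHost>

<VirtualHost *:443>
    ServerName maillist.example
    Redirect permanent / https://maillist.example/
    RewriteEngine on
    # The RewriteCond on SERVER_NAME is still true on the HTTPS vhost,
    # so it does not break the loop.
    RewriteCond %{SERVER_NAME} =maillist.example
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    SSLCertificateFile /etc/letsencrypt/live/maillist.example/fullchain.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Yield one dict per <VirtualHost> block: address, port, ServerName, directive lines."""
    for match in VHOST_RE.finditer(text):
        addr, body = match.group(1).strip(), match.group(2)
        lines = [ln.strip() for ln in body.splitlines()
                 if ln.strip() and not ln.strip().startswith("#")]
        # Simplification: an address with no explicit port is taken as :80.
        port_match = re.search(r":(\d+)$", addr)
        port = int(port_match.group(1)) if port_match else 80
        server_name = next((ln.split(None, 1)[1] for ln in lines
                            if ln.lower().startswith("servername ")), None)
        yield {"addr": addr, "port": port, "server_name": server_name, "lines": lines}


def self_redirects(vhost):
    """Directives in a :443 vhost that send the client back to https://<own ServerName>."""
    if vhost["port"] != 443:
        return []
    name = (vhost["server_name"] or "").lower()
    findings = []
    for line in vhost["lines"]:
        parts = line.split()
        directive = parts[0].lower()
        if directive == "redirect" and len(parts) >= 3:
            target = urlparse(parts[-1])  # Redirect [status] URL-path URL
            if target.scheme == "https" and (target.hostname or "").lower() == name:
                findings.append(line)
        elif directive == "rewriterule" and len(parts) >= 3:
            # certbot's HTTP->HTTPS rewrite; applied on :443 it redirects to itself
            if parts[2].lower().startswith("https://%{server_name}"):
                findings.append(line)
    return findings


def audit(text):
    """Return {ServerName: [offending lines]} for every looping :443 vhost."""
    report = {}
    for vhost in parse_vhosts(text):
        hits = self_redirects(vhost)
        if hits:
            report[vhost["server_name"]] = hits
    return report


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_CONFIG).items():
        print(f"{name}: remove from the :443 vhost -> {hits}")
```

Feed it the concatenated contents of the files `apachectl -S` lists for `*:443` (here `maillist.naturalintelligence.us-le-ssl.conf`); an empty report means no HTTPS vhost redirects to itself, and the `curl -Iki https://...` check should then return something other than a 301 to the same URL.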

```
[Mon Aug 24 13:49:32.316989 2020] [so:warn] [pid 8517] AH01574: module alias_module is already loaded, skipping
[Mon Aug 24 13:49:32.317218 2020] [so:warn] [pid 8517] AH01574: module proxy_module is already loaded, skipping
[Mon Aug 24 13:49:32.317295 2020] [so:warn] [pid 8517] AH01574: module proxy_fcgi_module is already loaded, skipping
VirtualHost configuration:
*:443                  maillist.naturalintelligence.us (/etc/apache2/sites-enabled/maillist.naturalintelligence.us-le-ssl.conf:2)
*:80                   maillist.naturalintelligence.us (/etc/apache2/sites-enabled/maillist.naturalintelligence.us.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```

Have we looked at both of these files?: