Error when I try to renew my domain

root@worker:~# /opt/letsencrypt/letsencrypt-auto certonly --config /etc/letsencrypt/cli.ini -d djlive.pl -d www.djlive.pl -d api.djlive.pl -d img.djlive.pl -d live.djlive.pl -d sys.djlive.pl -d edge.live.djlive.pl -d app.djlive.pl -d live-hls.djlive.pl -d v1.djlive.pl && /etc/init.d/nginx reload > /dev/null 2>&1
Upgrading certbot-auto 0.19.0 to 0.20.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Use of --agree-dev-preview is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
[('PEM routines', 'PEM_read_bio', 'no start line')]
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/crypto_util.py", line 310, in _load_cert_or_req
    return load_func(typ, cert_or_req_str)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1661, in load_certificate
    _raise_current_error()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
An unexpected error occurred:
Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
Please see the logfiles in /var/log/letsencrypt for more details.
root@worker:~# nano /var/log/letsencrypt

It worked well for 3 months.

Please help.

Please post /etc/letsencrypt/cli.ini and the relevant log files from /var/log/letsencrypt/.

Also:


My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

/var/log/letsencrypt/

2017-12-24 22:05:20,010:DEBUG:certbot.main:certbot version: 0.20.0
2017-12-24 22:05:20,010:DEBUG:certbot.main:Arguments: ['--config', '/etc/letsencrypt/cli.ini', '-d', 'djlive.pl', '-d', 'www.djlive.pl', '-d', 'api.djlive.pl', '-d', 'img.djlive.pl', '-d', 'live.djlive.pl', '-d', 'sys.djlive.pl', '-d', $
2017-12-24 22:05:20,010:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-12-24 22:05:20,108:DEBUG:certbot.log:Root logging level set at 20
2017-12-24 22:05:20,108:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-12-24 22:05:20,112:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-12-24 22:05:20,116:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f94cf0d4bd0>
Prep: True
2017-12-24 22:05:20,116:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f94cf0d4bd0> and installer None
2017-12-24 22:05:20,116:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2017-12-24 22:05:20,190:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:thekrzos@gmail.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf$
2017-12-24 22:05:20,191:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-12-24 22:05:20,194:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-12-24 22:05:20,515:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 562
2017-12-24 22:05:20,516:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 562
Replay-Nonce: n6qmIjMAFvXbHYX26XxrvB4AGEhwJuzh4esYfBeAytQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 24 Dec 2017 22:05:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 24 Dec 2017 22:05:20 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
  "uG44SZkLZMY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2017-12-24 22:05:20,919:ERROR:certbot.crypto_util:[('PEM routines', 'PEM_read_bio', 'no start line')]
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/crypto_util.py", line 310, in _load_cert_or_req
    return load_func(typ, cert_or_req_str)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1661, in load_certificate
    _raise_current_error()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
2017-12-24 22:05:20,920:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 779, in certonly
    should_get_cert, lineage = _find_cert(config, domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 221, in _find_cert
    action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 237, in _find_lineage_for_domains_and_certname
    return _find_lineage_for_domains(config, domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 203, in _find_lineage_for_domains
    ident_names_cert, subset_names_cert = cert_manager.find_duplicative_certs(config, domains)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/cert_manager.py", line 144, in find_duplicative_certs
    return _search_lineages(config, update_certs_for_domain_matches, (None, None))
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/cert_manager.py", line 359, in _search_lineages
    rv = func(candidate_lineage, rv, *args)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/cert_manager.py", line 132, in update_certs_for_domain_matches
    candidate_names = set(candidate_lineage.names())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/storage.py", line 851, in names
    return crypto_util.get_names_from_cert(f.read())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/crypto_util.py", line 364, in get_names_from_cert
    csr, OpenSSL.crypto.load_certificate, typ)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/crypto_util.py", line 338, in _get_names_from_cert_or_req
    loaded_cert_or_req = _load_cert_or_req(cert_or_req, load_func, typ)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/crypto_util.py", line 310, in _load_cert_or_req
    return load_func(typ, cert_or_req_str)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1661, in load_certificate
    _raise_current_error()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
2017-12-24 22:05:20,921:ERROR:certbot.log:An unexpected error occurred:

cli

authenticator = webroot
webroot-path = /var/www/html/djliveeu
renew-by-default
agree-dev-preview
agree-tos
email = kontakt@djlive.pl

Reading through the Certbot source code, it looks like it has encountered an issue reading your existing certificates.

I would check that every cert file in the archive directory is a valid PEM-encoded certificate:

find /etc/letsencrypt/archive -type f -name 'cert*.pem' -printf '%p = ' -exec openssl x509 -in {} -noout -subject \;

If you get any errors, there’s your problem.

You also have the nuclear option of just wiping /etc/letsencrypt and re-installing Certbot.

/etc/letsencrypt/archive/djlive.pl-0002/cert2.pem = unable to load certificate
140597432784528:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
/etc/letsencrypt/archive/djlive.pl-0002/cert1.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert7.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert13.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert15.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert4.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert10.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert2.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert11.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert14.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert17.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert1.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert6.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert16.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert8.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert18.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert19.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert3.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert5.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert12.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl-0001/cert9.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/pzs.thekrzos.eu/cert1.pem = subject= /CN=pzs.thekrzos.eu
/etc/letsencrypt/archive/thekrzos.eu/cert1.pem = subject= /CN=thekrzos.eu
/etc/letsencrypt/archive/djlive.eu/cert4.pem = subject= /CN=djlive.eu
/etc/letsencrypt/archive/djlive.eu/cert2.pem = subject= /CN=djlive.eu
/etc/letsencrypt/archive/djlive.eu/cert1.pem = subject= /CN=djlive.eu
/etc/letsencrypt/archive/djlive.eu/cert6.pem = subject= /CN=djlive.eu
/etc/letsencrypt/archive/djlive.eu/cert3.pem = subject= /CN=djlive.eu
/etc/letsencrypt/archive/djlive.eu/cert5.pem = subject= /CN=djlive.eu
/etc/letsencrypt/archive/djlive.pl/cert4.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl/cert2.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl/cert1.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl/cert3.pem = subject= /CN=djlive.pl
/etc/letsencrypt/archive/djlive.pl/cert5.pem = subject= /CN=djlive.pl

Great. We found the culprit.

Open this file and paste it here. Don't worry, nothing private is in it (certificates are public data).

my file is empty :slight_smile: :slight_smile:

That’s a problem…

I’m actually not sure what the correct solution to corruption like this is because I’m not hugely familiar with Certbot myself. Maybe @schoen can take a look after Christmas.

For now, I think just renaming:

/etc/letsencrypt/archive/djlive.pl-0002/cert2.pem

to

cert2.pem.backup

will let you continue with what you were doing before.
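
An empty file like the cert2.pem found above is what produces "no start line". As an added example (not part of the original posts and not Certbot's own code), this script classifies every .pem file under archive/ by structure and reports whether a live/ symlink still points at a damaged file, which matters before renaming it. The function names and status labels are assumptions, and `openssl x509` remains the authoritative parse.

```shell
#!/bin/sh
# Added example: structural audit of a Certbot-style config directory.
# Finds empty or truncated PEM files (the cause of "PEM_read_bio: no start
# line") and tells you whether a live/ symlink still references them.

# classify_pem FILE -> prints EMPTY, NO_START_LINE, NO_END_LINE or OK
classify_pem() {
    if [ ! -s "$1" ]; then
        echo EMPTY
    elif ! grep -q '^-----BEGIN [A-Z ]*-----' "$1"; then
        echo NO_START_LINE
    elif ! grep -q '^-----END [A-Z ]*-----' "$1"; then
        echo NO_END_LINE
    else
        echo OK
    fi
}

# audit_archive CONFIG_DIR
# Prints one line per damaged file: "<status> <path> [live=<symlink>]".
# Returns 1 if any damaged file was found, 0 otherwise.
audit_archive() {
    cfg=$1
    bad=0
    for f in "$cfg"/archive/*/*.pem; do
        [ -e "$f" ] || continue
        st=$(classify_pem "$f")
        [ "$st" = OK ] && continue
        bad=1
        line="$st $f"
        # A live/ symlink resolving to this file means the web server
        # configuration may still be pointed at it.
        for l in "$cfg"/live/*/*.pem; do
            [ -L "$l" ] || continue
            if [ "$l" -ef "$f" ]; then line="$line live=$l"; fi
        done
        echo "$line"
    done
    return $bad
}

# Usage: sh audit.sh /etc/letsencrypt
if [ "$#" -gt 0 ]; then audit_archive "$1"; fi
```

Only the BEGIN/END marker lines are inspected, so private key contents are never printed.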

different problem

/opt/letsencrypt/letsencrypt-auto certonly --config /etc/letsencrypt/cli.ini -d djlive.pl -d www.djlive.pl -d api.djlive.pl -d img.djlive.pl -d live.djlive.pl -d sys.djlive.pl -d edge.live.djlive.pl -d app.djlive.pl -d live-hls.djlive.pl -d v1.djlive.pl && /etc/init.d/nginx reload > /dev/null 2>&1
Use of --agree-dev-preview is deprecated.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for djlive.pl
http-01 challenge for www.djlive.pl
http-01 challenge for api.djlive.pl
http-01 challenge for img.djlive.pl
http-01 challenge for live.djlive.pl
http-01 challenge for sys.djlive.pl
http-01 challenge for edge.live.djlive.pl
http-01 challenge for app.djlive.pl
http-01 challenge for live-hls.djlive.pl
http-01 challenge for v1.djlive.pl
Using the webroot path /var/www/html/djliveeu for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sys.djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sys.djlive.pl/.well-known/acme-challenge/qfOM-TEVw45pPiLm_Syd2E5TEk5M4bXy1-AIJMa31K0: "404 Not Found 404 Not Found",
live-hls.djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://live-hls.djlive.pl/.well-known/acme-challenge/YJzQemJDx_Cg6gIJHbVC8KXTVGhgKxypDgVHUFT3Onc: "404 Not Found 404 Not Found",
djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://djlive.pl/.well-known/acme-challenge/gqr0uLHteCp3nbzejAO5JZihU9o_Z2CzZy4vdSIDPJM: "404 Not Found 404 Not Found",
live.djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://live.djlive.pl/.well-known/acme-challenge/D6SRqtqJUMICabYIUr4RKPBx3so2FlWJ_bIx_7YhvmI: "404 Not Found 404 Not Found",
api.djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://api.djlive.pl/.well-known/acme-challenge/Wsw3BnUnnGVRb9UCqtbKklazZffY8Kcqns-71vewDZo: "404 Not Found 404 Not Found",
v1.djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://v1.djlive.pl/.well-known/acme-challenge/JJz8T2G3934DQY6GGeThLs7PyzdtqbQxUzz8DyfaeT8: "404 Not Found 404 Not Found",
edge.live.djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://edge.live.djlive.pl/.well-known/acme-challenge/cBNYgSLiFHpeHZk4a9GXSViqJCR-trNywlEBCKcxO0k: "404 Not Found 404 Not Found",
app.djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://app.djlive.pl/.well-known/acme-challenge/wL_sanpEV96H5-KOPymDhAs8f8PRvhMbnQ8FZRLD1Ss: "404 Not Found 404 Not Found",
img.djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://img.djlive.pl/.well-known/acme-challenge/LsSVfzmpWDIVqlOYL4g8Kew7foE-VlMctxQNPbsqTlo: "404 Not Found 404 Not Found",
www.djlive.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.djlive.pl/.well-known/acme-challenge/-olrdL8QjEy1xh15w1Vq7_eNODEIMdIFPS2bn-y0RVc: "404 Not Found 404 Not Found"

IMPORTANT NOTES:

I’m glad we fixed the first issue.

This new issue is because you have not configured your webroots correctly. Please refer to the documentation for webroot.

Make sure ALL of those domains serve http://$DOMAIN/.well-known/acme-challenge/ out of your webroot-path. For example, you can include this in each of their server blocks:

location /.well-known/acme-challenge/ {
    root /var/www/html/djliveeu; # this is your configured webroot-path from cli.ini
}
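
As an added example (not part of the original posts), a pre-flight check for the webroot setup described above: it drops a throwaway file into the challenge directory under the webroot-path and confirms that every domain serves it back over plain HTTP, so a missing location block shows up before Certbot contacts the CA. The function names check_webroot and fetch_url and the "preflight-" file name are assumptions, and curl must be installed.

```shell
#!/bin/sh
# Added example: verify that each domain serves
# /.well-known/acme-challenge/ out of the configured webroot-path.

# fetch_url URL -> response body on stdout; non-zero on HTTP errors such as 404
fetch_url() { curl -fsS --max-time 10 "$1"; }

# check_webroot WEBROOT DOMAIN...
# Prints "OK <domain>" or "FAIL <domain>" per domain.
# Returns 0 if all domains pass, 1 if any fails, 2 if the webroot is not writable.
check_webroot() {
    webroot=$1; shift
    dir="$webroot/.well-known/acme-challenge"
    name="preflight-$$"
    token="preflight-$$-$(date +%s)"
    mkdir -p "$dir" || return 2
    printf '%s' "$token" > "$dir/$name" || return 2
    failed=0
    for d in "$@"; do
        # The http-01 challenge is fetched over plain HTTP, so test that path.
        body=$(fetch_url "http://$d/.well-known/acme-challenge/$name" 2>/dev/null) || body=
        if [ "$body" = "$token" ]; then
            echo "OK $d"
        else
            echo "FAIL $d"
            failed=1
        fi
    done
    rm -f "$dir/$name"   # leave nothing behind in the webroot
    return $failed
}

# Usage: sh preflight.sh /var/www/html/djliveeu djlive.pl www.djlive.pl ...
if [ "$#" -gt 1 ]; then check_webroot "$@"; fi
```

Any domain reported as FAIL is one whose server block does not map the challenge path to the webroot, which is the 404 seen in the output above.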

which file to configure
