Error renew ssl certbot

Please fill in the fields of the following form so that we can help you as well as possible. Note: you must provide your domain name to get help. The domain names of issued certificates are made public in Certificate Transparency logs (for example, crt.sh | example.com), so hiding your domain name here achieves nothing; it only makes it harder for us to give you the help you asked for.

I can read responses in English (yes or no):
Yes
My domain is:
casaroca.org
I ran this command:
sudo certbot renew --dry-run
It produced this output:
The following certs could not be renewed:
/etc/letsencrypt/live/casaroca.org/fullchain.pem (failure)
My web server is (include version):
Apache
The operating system my web server runs on is (include version):
Debian 10
My hosting provider (if applicable) is:
GCP
I can log in to a root shell on my server (yes, no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (for example, if you use certbot, show the output of certbot --version or certbot-auto --version): Certbot

Hello @jchavezpe,

Was there no other output?

4 Likes

Hello, thanks for your help.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/casaroca.org-0001.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/casaroca.org.conf

Attempting to parse the version 1.22.0 renewal configuration file found at /etc/letsencrypt/renewal/casaroca.org.conf with version 0.31.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.casaroca.org
http-01 challenge for casaroca.org
Cleaning up challenges
Attempting to renew cert (casaroca.org) from /etc/letsencrypt/renewal/casaroca.org.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for www.casaroca.org:. Skipping.

Processing /etc/letsencrypt/renewal/donaciones.casaroca.org.conf

Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/casaroca.org/fullchain.pem (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/casaroca.org-0001/fullchain.pem expires on 2023-02-15 (skipped)
/etc/letsencrypt/live/donaciones.casaroca.org/fullchain.pem expires on 2023-02-15 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/casaroca.org/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

Please show this file:
/etc/letsencrypt/renewal/casaroca.org.conf

2 Likes
# renew_before_expiry = 30 days
version = 1.22.0
archive_dir = /etc/letsencrypt/archive/casaroca.org
cert = /etc/letsencrypt/live/casaroca.org/cert.pem
privkey = /etc/letsencrypt/live/casaroca.org/privkey.pem
chain = /etc/letsencrypt/live/casaroca.org/chain.pem
fullchain = /etc/letsencrypt/live/casaroca.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 336d9efba695cd78826556d6dac6ef51
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory

That's missing the webroot path statement.
Let's get that path and then add it back in.
Starting with the output:
apachectl -t -D DUMP_VHOSTS

2 Likes
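The point made above, as an added example that is not part of the thread and not certbot's own code: a small parser for the configobj-style renewal files certbot keeps under /etc/letsencrypt/renewal/ (top-level keys, then [renewalparams], with an optional nested [[webroot_map]]), and a check that lists every domain for which certbot would have to ask "Input the webroot for ...", which a non-interactive `certbot renew` cannot do. Both sample files are constructed: the first mirrors the posted renewal file, the second is the same file with the webroot settings restored. The /var/www/html path is an assumption taken from the DocumentRoot of the posted vhost; the domain list is the pair of names the failed renewal ran http-01 challenges for.

```python
"""Check a certbot renewal file for a webroot authenticator with no webroot path.

Added example, not certbot's code. The sample configs below are constructed.
"""
from typing import Any, Dict, List


def parse_renewal_conf(text: str) -> Dict[str, Any]:
    """Parse a renewal file into nested dicts keyed by section name.

    Section headers nest by bracket depth ([a] is depth 1, [[b]] is depth 2),
    comments and blank lines are skipped, and the trailing comma configobj
    uses for a one-element list ('webroot_path = /var/www/html,') is dropped.
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            depth = len(line) - len(line.lstrip("["))
            section: Dict[str, Any] = {}
            del stack[depth:]                 # back up to the parent level
            stack[-1][line.strip("[] ")] = section
            stack.append(section)
            continue
        key, _, value = line.partition("=")
        stack[-1][key.strip()] = value.strip().rstrip(",").strip()
    return root


def missing_webroots(conf: Dict[str, Any], domains: List[str]) -> List[str]:
    """Domains with neither a [[webroot_map]] entry nor a default webroot_path.

    The webroot authenticator takes the path per domain from webroot_map and
    falls back to webroot_path; with neither, a renewal run without a terminal
    fails with the "Input the webroot for ..." error seen in the thread.
    Returns [] when the certificate does not use the webroot authenticator.
    """
    params = conf.get("renewalparams", {})
    if params.get("authenticator") != "webroot":
        return []
    default = params.get("webroot_path")
    wmap = params.get("webroot_map", {})
    return [d for d in domains if not (wmap.get(d) or default)]


def report(text: str, domains: List[str]) -> str:
    """One-line verdict for a renewal file and the names on its certificate."""
    gaps = missing_webroots(parse_renewal_conf(text), domains)
    if not gaps:
        return "ok: every domain has a webroot"
    return "missing webroot for: " + ", ".join(gaps)


# Constructed to mirror the renewal file posted in the thread.
SAMPLE_BROKEN = """\
# renew_before_expiry = 30 days
version = 1.22.0
archive_dir = /etc/letsencrypt/archive/casaroca.org
cert = /etc/letsencrypt/live/casaroca.org/cert.pem
privkey = /etc/letsencrypt/live/casaroca.org/privkey.pem
chain = /etc/letsencrypt/live/casaroca.org/chain.pem
fullchain = /etc/letsencrypt/live/casaroca.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 336d9efba695cd78826556d6dac6ef51
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
"""

# The same file with the webroot settings restored; /var/www/html is an
# assumption (the DocumentRoot of the posted vhost), not a value from the file.
SAMPLE_FIXED = SAMPLE_BROKEN + """\
webroot_path = /var/www/html,
[[webroot_map]]
casaroca.org = /var/www/html
www.casaroca.org = /var/www/html
"""

# The names the failed renewal ran http-01 challenges for.
DOMAINS = ["casaroca.org", "www.casaroca.org"]

if __name__ == "__main__":
    print(report(SAMPLE_BROKEN, DOMAINS))
    print(report(SAMPLE_FIXED, DOMAINS))
```

Run it as-is to see the verdict for both files, or point `report()` at the contents of a real renewal file together with the names from `certbot certificates`; the check is read-only, so it is safe to run on a live system before touching the file.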

#AH00526: Syntax error on line 35 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/casaroca.site/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

Try:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

root@instance-1:~# sudo apachectl -t -D DUMP_VHOSTS
AH00526: Syntax error on line 35 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/casaroca.site/fullchain.pem' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.

hmm...
Looks like some files were deleted manually.

Show:
ls -l /etc/letsencrypt/live/casaroca.site/*
ls -l /etc/letsencrypt/live/*
ls -l /etc/apache2/sites-enabled/*
ls -l /etc/apache2/sites-available/*

3 Likes

ls -l /etc/letsencrypt/live/*

-rw-r--r-- 1 root root  740 Jun 22  2021 /etc/letsencrypt/live/README

/etc/letsencrypt/live/casaroca.org:

total 4
-rw-r--r-- 1 root root 692 Dec 13  2021 README
lrwxrwxrwx 1 root root  36 Dec 14  2021 cert.pem -> ../../archive/casaroca.org/cert3.pem
lrwxrwxrwx 1 root root  37 Dec 14  2021 chain.pem -> ../../archive/casaroca.org/chain3.pem
lrwxrwxrwx 1 root root  41 Dec 14  2021 fullchain.pem -> ../../archive/casaroca.org/fullchain3.pem
lrwxrwxrwx 1 root root  39 Dec 14  2021 privkey.pem -> ../../archive/casaroca.org/privkey3.pem

/etc/letsencrypt/live/casaroca.org-0001:

total 4
-rw-r--r-- 1 root root 692 Jan 20  2022 README
lrwxrwxrwx 1 root root  41 Nov 17 03:01 cert.pem -> ../../archive/casaroca.org-0001/cert7.pem
lrwxrwxrwx 1 root root  42 Nov 17 03:01 chain.pem -> ../../archive/casaroca.org-0001/chain7.pem
lrwxrwxrwx 1 root root  46 Nov 17 03:01 fullchain.pem -> ../../archive/casaroca.org-0001/fullchain7.pem
lrwxrwxrwx 1 root root  44 Nov 17 03:01 privkey.pem -> ../../archive/casaroca.org-0001/privkey7.pem

/etc/letsencrypt/live/donaciones.casaroca.org:

total 4
-rw-r--r-- 1 root root 692 Jan 20  2022 README
lrwxrwxrwx 1 root root  47 Nov 17 03:02 cert.pem -> ../../archive/donaciones.casaroca.org/cert8.pem
lrwxrwxrwx 1 root root  48 Nov 17 03:02 chain.pem -> ../../archive/donaciones.casaroca.org/chain8.pem
lrwxrwxrwx 1 root root  52 Nov 17 03:02 fullchain.pem -> ../../archive/donaciones.casaroca.org/fullchain8.pem
lrwxrwxrwx 1 root root  50 Nov 17 03:02 privkey.pem -> ../../archive/donaciones.casaroca.org/privkey8.pem

ls -l /etc/apache2/sites-enabled/*

lrwxrwxrwx 1 root root 52 Jun 22  2021 /etc/apache2/sites-enabled/000-default-le-ssl.conf -> /etc/apache2/sites-available/000-default-le-ssl.conf
lrwxrwxrwx 1 root root 35 Jun 22  2021 /etc/apache2/sites-enabled/000-default.conf -> ../sites-available/000-default.conf

ls -l /etc/apache2/sites-available/*

-rw-r--r-- 1 root root 1565 Jun 22  2021 /etc/apache2/sites-available/000-default-le-ssl.conf
-rw-r--r-- 1 root root 1514 Jun 22  2021 /etc/apache2/sites-available/000-default.conf
-rw-r--r-- 1 root root 6338 Jun 22  2021 /etc/apache2/sites-available/default-ssl.conf

Show this file:
[Let's look in it to see which cert it tries to use]

And show which certs you have, with:
certbot certificates

2 Likes
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf


        ServerName casaroca.site
        Include /etc/letsencrypt/options-ssl-apache.conf
        ServerAlias www.casaroca.site
        SSLCertificateFile /etc/letsencrypt/live/casaroca.site/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/casaroca.site/privkey.pem
</VirtualHost>
</IfModule>

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.22.0 renewal configuration file found at /etc/letsencrypt/renewal/casaroca.org.conf with version 0.31.0 of Certbot. This might not work.
OCSP check failed for /etc/letsencrypt/live/casaroca.org/cert.pem (are we offline?)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: casaroca.org-0001
    Domains: *.casaroca.org
    Expiry Date: 2023-02-15 07:01:13+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/casaroca.org-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/casaroca.org-0001/privkey.pem
  Certificate Name: casaroca.org
    Domains: casaroca.org www.casaroca.org
    Expiry Date: 2022-03-14 14:31:46+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/casaroca.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/casaroca.org/privkey.pem
  Certificate Name: donaciones.casaroca.org
    Domains: casaroca.org blog.casaroca.org clasificados.casaroca.org consejeros.casaroca.org devocional.casaroca.org donaciones.casaroca.org
    Expiry Date: 2023-02-15 07:02:25+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/donaciones.casaroca.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/donaciones.casaroca.org/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

You have only one HTTPS server block.
And it covers a name you have no cert for:

One of the certs is expired:

[but your Apache config isn't using it]

You have a wildcard cert, but it is for the ".org" TLD.

I can't see how you can "fix" the secure site [from what you have].
It may be better to remove it and start over.

If you want to go that route:
Step #1:

  • a2dissite /etc/apache2/sites-enabled/000-default-le-ssl.conf
    Then check
    apachectl -t -D DUMP_VHOSTS

Step #2:

  • make all the HTTP vhost configs
    [to cover all the names you need]
    Then check
    apachectl -t -D DUMP_VHOSTS

Step #3:

  • reinstall any certificate that you plan on keeping
    certbot --reinstall
    [and follow the instructions]

Step #4:

  • delete any certificates that you don't need
    certbot delete --cert-name {the-cert-name}

Step #5:

  • obtain any missing certificates

3 Likes
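The diagnosis above (a vhost pointing at certificate files that do not exist, one expired certificate, and a wildcard that cannot cover the names the vhost serves), as an added example that is not part of the thread and not code from certbot or Apache. It pulls ServerName, ServerAlias, SSLCertificateFile and SSLCertificateKeyFile out of a vhost file, parses the "Found the following certs" block printed by `certbot certificates`, and reports each of those three findings. Wildcard matching follows the usual rule that `*.casaroca.org` matches exactly one extra label, so it covers www.casaroca.org but neither casaroca.org nor any name under .site. All inputs are constructed from output posted in the thread; file existence is checked against an explicit set of paths taken from the `ls -l /etc/letsencrypt/live/*` listing rather than the real filesystem, and the "now" used for the expiry check is a constructed date consistent with the "VALID: 58 days" in that output.

```python
"""Cross-check Apache SSL vhosts against the certificates certbot knows about.

Added example, not code from the thread, certbot or Apache. Inputs are
constructed from the thread's posted output.
"""
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Set


class Cert(NamedTuple):
    name: str
    domains: List[str]
    expiry: datetime
    path: str


class VHost(NamedTuple):
    names: List[str]
    cert_file: str
    key_file: str


def parse_vhosts(text: str) -> List[VHost]:
    """Collect the names and TLS file paths of every <VirtualHost> block."""
    hosts: List[VHost] = []
    names: List[str] = []
    cert = key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            names, cert, key = [], "", ""
        elif line.lower() == "</virtualhost>":
            hosts.append(VHost(names, cert, key))
        else:
            parts = line.split()
            directive = parts[0].lower()
            if directive in ("servername", "serveralias"):
                names.extend(parts[1:])
            elif directive == "sslcertificatefile":
                cert = parts[1]
            elif directive == "sslcertificatekeyfile":
                key = parts[1]
    return hosts


def parse_certbot_certificates(text: str) -> List[Cert]:
    """Parse the per-certificate fields of `certbot certificates` output."""
    certs: List[Cert] = []
    cur: dict = {}
    for raw in text.splitlines():
        label, _, value = raw.strip().partition(":")
        value = value.strip()
        if label == "Certificate Name":
            if cur:
                certs.append(Cert(**cur))
            cur = {"name": value}
        elif label == "Domains":
            cur["domains"] = value.split()
        elif label == "Expiry Date":          # drop the "(VALID: ...)" suffix
            cur["expiry"] = datetime.fromisoformat(value.split(" (")[0])
        elif label == "Certificate Path":
            cur["path"] = value
    if cur:
        certs.append(Cert(**cur))
    return certs


def covers(san: str, host: str) -> bool:
    """Exact match, or a '*.' wildcard matching exactly one leading label."""
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                       # ".casaroca.org"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def audit(vhosts: List[VHost], certs: List[Cert],
          existing: Set[str], now: datetime) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    for vh in vhosts:
        for path in (vh.cert_file, vh.key_file):
            if path and path not in existing:
                findings.append(f"missing file: {path}")
        for host in vh.names:
            if not any(covers(san, host) for c in certs for san in c.domains):
                findings.append(f"no certificate covers {host}")
    for c in certs:
        if c.expiry <= now:
            findings.append(f"expired: {c.name} ({c.expiry.date()})")
    return findings


# Constructed from the vhost file posted above, trimmed to the relevant lines.
VHOST_CONF = """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
        DocumentRoot /var/www/html
        ServerName casaroca.site
        Include /etc/letsencrypt/options-ssl-apache.conf
        ServerAlias www.casaroca.site
        SSLCertificateFile /etc/letsencrypt/live/casaroca.site/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/casaroca.site/privkey.pem
</VirtualHost>
</IfModule>
"""

# Constructed from the `certbot certificates` output posted above (two of the
# three certificates are enough to show every finding).
CERTBOT_OUT = """\
Found the following certs:
  Certificate Name: casaroca.org-0001
    Domains: *.casaroca.org
    Expiry Date: 2023-02-15 07:01:13+00:00 (VALID: 58 days)
    Certificate Path: /etc/letsencrypt/live/casaroca.org-0001/fullchain.pem
  Certificate Name: casaroca.org
    Domains: casaroca.org www.casaroca.org
    Expiry Date: 2022-03-14 14:31:46+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/casaroca.org/fullchain.pem
"""

# Paths present on disk per the `ls -l /etc/letsencrypt/live/*` listing above.
EXISTING = {
    "/etc/letsencrypt/live/casaroca.org/fullchain.pem",
    "/etc/letsencrypt/live/casaroca.org/privkey.pem",
    "/etc/letsencrypt/live/casaroca.org-0001/fullchain.pem",
    "/etc/letsencrypt/live/casaroca.org-0001/privkey.pem",
}
# Constructed: a date on which the Feb 2023 certificate still has 58 days left.
NOW = datetime(2022, 12, 19, tzinfo=timezone.utc)


def run() -> List[str]:
    return audit(parse_vhosts(VHOST_CONF),
                 parse_certbot_certificates(CERTBOT_OUT), EXISTING, NOW)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On a real host you would feed `audit()` the vhost files from /etc/apache2/sites-enabled/, the output of `certbot certificates`, the set of paths that exist under /etc/letsencrypt/live/, and the current time; an empty result means every SSL vhost points at a present, unexpired certificate that actually covers its names, which is the state `certbot --reinstall` and the remaining steps above are meant to restore.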
