Error Renewing Certificate Today : too many currently pending authorizations

Help
1

Hello,

I tried to renew the certificate manually as usual but it didn't work.

Please find the details below.
Our domain is dev1.chavdi.com

I ran below command.

Blockquote
certbot renew --cert-name dev1.chavdi.com-0002
Blockquote
Output of command.

Blockquote Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/dev1.chavdi.com-0002.conf

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Attempting to renew cert (dev1.chavdi.com-0002) from /etc/letsencrypt/renewal/dev1.chavdi.com-0002.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations. Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dev1.chavdi.com-0002/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My OS is Ubuntu 16.04, webserver is Nginx, method of installation is automatic from https://certbot.eff.org/#ubuntuxenial-nginx and certbot version is 0.17.0. Hosting is on our own server in office.

I never had such problem before this.
As this is development server, the renewal is strictly manual or no cron job to update certificate.

2

Hi @mobifilia,

Could you look in /var/log/letsencrypt to see if there’s evidence of Certbot being run automatically at times that you didn’t expect? If so, can you look in or post one of those logs to see if it’s crashing part way through the process?

3

I'm not running certbot manually neither I have set it up as cron job.
But interestingly the log generated for much more number of times as below.

root@git:/var/log/letsencrypt# ls -lt
total 16528
-rw-r--r-- 1 root root 40166 Aug 22 00:01 letsencrypt.log
-rw-r--r-- 1 root root 15121 Aug 21 16:03 letsencrypt.log.1
-rw-r--r-- 1 root root 15179 Aug 21 15:46 letsencrypt.log.2
-rw-r--r-- 1 root root 15121 Aug 21 15:30 letsencrypt.log.3
-rw-r--r-- 1 root root 8670 Aug 21 12:43 letsencrypt.log.4
-rw-r--r-- 1 root root 93481 Aug 21 12:36 letsencrypt.log.5
-rw-r--r-- 1 root root 93605 Aug 21 12:35 letsencrypt.log.6
-rw-r--r-- 1 root root 95419 Aug 21 12:29 letsencrypt.log.7
-rw-r--r-- 1 root root 15158 Aug 21 12:29 letsencrypt.log.8
-rw-r--r-- 1 root root 40187 Aug 21 12:23 letsencrypt.log.9
-rw-r--r-- 1 root root 40104 Aug 21 12:20 letsencrypt.log.10
-rw-r--r-- 1 root root 40166 Aug 21 12:02 letsencrypt.log.11
-rw-r--r-- 1 root root 40205 Aug 21 11:59 letsencrypt.log.12
-rw-r--r-- 1 root root 40205 Aug 21 10:04 letsencrypt.log.13
-rw-r--r-- 1 root root 38851 Aug 21 09:58 letsencrypt.log.14
-rw-r--r-- 1 root root 38851 Aug 21 09:35 letsencrypt.log.15
-rw-r--r-- 1 root root 38851 Aug 21 09:33 letsencrypt.log.16
-rw-r--r-- 1 root root 42157 Aug 21 09:33 letsencrypt.log.17
-rw-r--r-- 1 root root 112438 Aug 21 00:35 letsencrypt.log.18
-rw-r--r-- 1 root root 112438 Aug 20 12:16 letsencrypt.log.19
-rw-r--r-- 1 root root 112437 Aug 20 00:29 letsencrypt.log.20
-rw-r--r-- 1 root root 112437 Aug 19 12:14 letsencrypt.log.21
-rw-r--r-- 1 root root 112440 Aug 19 00:59 letsencrypt.log.22
-rw-r--r-- 1 root root 112439 Aug 18 12:18 letsencrypt.log.23
-rw-r--r-- 1 root root 112438 Aug 18 00:33 letsencrypt.log.24
-rw-r--r-- 1 root root 112437 Aug 17 12:12 letsencrypt.log.25
-rw-r--r-- 1 root root 112439 Aug 17 00:39 letsencrypt.log.26
-rw-r--r-- 1 root root 112438 Aug 16 12:45 letsencrypt.log.27
-rw-r--r-- 1 root root 112440 Aug 16 00:07 letsencrypt.log.28
-rw-r--r-- 1 root root 112439 Aug 15 12:17 letsencrypt.log.29
-rw-r--r-- 1 root root 112438 Aug 15 00:13 letsencrypt.log.30
-rw-r--r-- 1 root root 38812 Aug 14 12:38 letsencrypt.log.31
-rw-r--r-- 1 root root 42118 Aug 14 00:32 letsencrypt.log.32
-rw-r--r-- 1 root root 112437 Aug 13 12:33 letsencrypt.log.33
-rw-r--r-- 1 root root 112438 Aug 13 00:24 letsencrypt.log.34
-rw-r--r-- 1 root root 112441 Aug 12 12:04 letsencrypt.log.35
-rw-r--r-- 1 root root 112438 Aug 12 00:47 letsencrypt.log.36
-rw-r--r-- 1 root root 112437 Aug 11 12:21 letsencrypt.log.37
-rw-r--r-- 1 root root 112438 Aug 11 00:22 letsencrypt.log.38
-rw-r--r-- 1 root root 112440 Aug 10 12:33 letsencrypt.log.39
-rw-r--r-- 1 root root 112439 Aug 10 00:28 letsencrypt.log.40

Here is the output of the latest log.

root@git:/var/log/letsencrypt# cat letsencrypt.log
2017-08-21 18:31:25,506:DEBUG:certbot.main:certbot version: 0.17.0
2017-08-21 18:31:25,506:DEBUG:certbot.main:Arguments: ['-q']
2017-08-21 18:31:25,506:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-08-21 18:31:25,525:DEBUG:certbot.log:Root logging level set at 30
2017-08-21 18:31:25,526:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-08-21 18:31:25,534:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f1d2fc4d810> and installer <certbot.cli._Default object at 0x7f1d2fc4d810>
2017-08-21 18:31:25,534:DEBUG:certbot.cli:Default Detector is Namespace(account=<certbot.cli._Default object at 0x7f1d2fcad610>, agree_dev_preview=None, allow_subset_of_names=<certbot.cli._Default object at 0x7f1d2fcada10>, apache=<certbot.cli._Default object at 0x7f1d2fc4db10>, authenticator=<certbot.cli._Default object at 0x7f1d2fc4d810>, break_my_certs=<certbot.cli._Default object at 0x7f1d2fc98ed0>, cert_path=<certbot.cli._Default object at 0x7f1d2fc4afd0>, certname=<certbot.cli._Default object at 0x7f1d2fc98810>, chain_path=<certbot.cli._Default object at 0x7f1d2fc4d310>, checkpoints=<certbot.cli._Default object at 0x7f1d2fc4aad0>, config_dir=<certbot.cli._Default object at 0x7f1d2fc4d410>, config_file=None, configurator=<certbot.cli._Default object at 0x7f1d2fc4d810>, csr=<certbot.cli._Default object at 0x7f1d2fc4a8d0>, debug=<certbot.cli._Default object at 0x7f1d2fc9f950>, debug_challenges=<certbot.cli._Default object at 0x7f1d2fc9fd50>, deploy_hook=<certbot.cli._Default object at 0x7f1d2fc4a250>, dialog=None, dns_cloudflare=<certbot.cli._Default object at 0x7f1d2fc52050>, dns_cloudxns=<certbot.cli._Default object at 0x7f1d2fc52150>, dns_digitalocean=<certbot.cli._Default object at 0x7f1d2fc52250>, dns_dnsimple=<certbot.cli._Default object at 0x7f1d2fc52350>, dns_dnsmadeeasy=<certbot.cli._Default object at 0x7f1d2fc52450>, dns_google=<certbot.cli._Default object at 0x7f1d2fc52550>, dns_luadns=<certbot.cli._Default object at 0x7f1d2fc52650>, dns_nsone=<certbot.cli._Default object at 0x7f1d2fc52750>, dns_rfc2136=<certbot.cli._Default object at 0x7f1d2fc52850>, dns_route53=<certbot.cli._Default object at 0x7f1d2fc52950>, domains=<certbot.cli._Default object at 0x7f1d2fc98990>, dry_run=<certbot.cli._Default object at 0x7f1d2fc98650>, duplicate=<certbot.cli._Default object at 0x7f1d2fcad490>, eff_email=<certbot.cli._Default object at 0x7f1d2fc98050>, email=<certbot.cli._Default object at 0x7f1d2fc981d0>, expand=<certbot.cli._Default object at 0x7f1d2fc9fc90>, force_interactive=<certbot.cli._Default object at 0x7f1d2fc98b10>, fullchain_path=<certbot.cli._Default object at 0x7f1d2fc4d210>, func=<function renew at 0x7f1d29c110c8>, hsts=<certbot.cli._Default object at 0x7f1d2fca59d0>, http01_address=<certbot.cli._Default object at 0x7f1d2fc98bd0>, http01_port=<certbot.cli._Default object at 0x7f1d2fc988d0>, ifaces=<certbot.cli._Default object at 0x7f1d2fc4add0>, init=<certbot.cli._Default object at 0x7f1d2fc4abd0>, installer=<certbot.cli._Default object at 0x7f1d2fc4d810>, key_path=<certbot.cli._Default object at 0x7f1d2fc4d110>, logs_dir=<certbot.cli._Default object at 0x7f1d2fc4d610>, manual=<certbot.cli._Default object at 0x7f1d2fc4de10>, manual_auth_hook=<certbot.cli._Default object at 0x7f1d2fc52a90>, manual_cleanup_hook=<certbot.cli._Default object at 0x7f1d2fc52bd0>, manual_public_ip_logging_ok=<certbot.cli._Default object at 0x7f1d2fc52cd0>, max_log_backups=<certbot.cli._Default object at 0x7f1d2fc98e10>, must_staple=<certbot.cli._Default object at 0x7f1d2fc9ef90>, nginx=<certbot.cli._Default object at 0x7f1d2fc4dc10>, no_bootstrap=<certbot.cli._Default object at 0x7f1d2fcad050>, no_self_upgrade=<certbot.cli._Default object at 0x7f1d2fcad190>, no_verify_ssl=<certbot.cli._Default object at 0x7f1d2fc9f790>, noninteractive_mode=<certbot.cli._Default object at 0x7f1d2fc98c90>, num=<certbot.cli._Default object at 0x7f1d2fc4a5d0>, os_packages_only=<certbot.cli._Default object at 0x7f1d2fcad310>, post_hook=<certbot.cli._Default object at 0x7f1d2fc4a050>, pre_hook=<certbot.cli._Default object at 0x7f1d2fcadf10>, pref_challs=<certbot.cli._Default object at 0x7f1d2fcade10>, prepare=<certbot.cli._Default object at 0x7f1d2fc4acd0>, quiet=True, reason=<certbot.cli._Default object at 0x7f1d2fc4a9d0>, redirect=<certbot.cli._Default object at 0x7f1d2fca5490>, register_unsafely_without_email=<certbot.cli._Default object at 0x7f1d2fc984d0>, reinstall=<certbot.cli._Default object at 0x7f1d2fc9fe10>, renew_by_default=<certbot.cli._Default object at 0x7f1d2fc9f850>, renew_hook=<certbot.cli._Default object at 0x7f1d2fc4a150>, renew_with_new_domains=<certbot.cli._Default object at 0x7f1d2fcadb90>, rsa_key_size=<certbot.cli._Default object at 0x7f1d2fc9e210>, server=<certbot.cli._Default object at 0x7f1d2fc4d710>, staging=<certbot.cli._Default object at 0x7f1d2fcadd90>, standalone=<certbot.cli._Default object at 0x7f1d2fc4dd10>, standalone_supported_challenges=<certbot.cli._Default object at 0x7f1d2fc52e10>, staple=<certbot.cli._Default object at 0x7f1d2fcad250>, strict_permissions=<certbot.cli._Default object at 0x7f1d2fcad850>, text_mode=<certbot.cli._Default object at 0x7f1d2fc98f90>, tls_sni_01_address=<certbot.cli._Default object at 0x7f1d2fc98590>, tls_sni_01_port=<certbot.cli._Default object at 0x7f1d2fc98290>, tos=<certbot.cli._Default object at 0x7f1d2fcad790>, uir=<certbot.cli._Default object at 0x7f1d2fca5f50>, update_registration=<certbot.cli._Default object at 0x7f1d2fc98350>, user_agent=<certbot.cli._Default object at 0x7f1d2fc4a6d0>, user_agent_comment=<certbot.cli._Default object at 0x7f1d2fc4a7d0>, validate_hooks=<certbot.cli._Default object at 0x7f1d2fc4a350>, verb='renew', verbose_count=<certbot.cli._Default object at 0x7f1d2fc9e150>, webroot=<certbot.cli._Default object at 0x7f1d2fc4df10>, webroot_map=<certbot.cli._Default object at 0x7f1d2fc57050>, webroot_path=<certbot.cli._Default object at 0x7f1d2fc52a50>, work_dir=<certbot.cli._Default object at 0x7f1d2fc4d510>)
2017-08-21 18:31:25,562:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-08-20 09:44:00 UTC.
2017-08-21 18:31:25,562:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-08-21 18:31:25,562:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-08-21 18:31:25,873:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f1d2fc9fdd0>
Prep: True
2017-08-21 18:31:25,873:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f1d2fc9fdd0> and installer None
2017-08-21 18:31:25,876:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:rahul.athale@mobifilia.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f1d2edbd190>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/2494552', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf'), 0fd4d28e950c0d50f85e1ee29b493274, Meta(creation_host=u'dev1.chavdi.com', creation_dt=datetime.datetime(2016, 7, 5, 11, 29, 59, tzinfo=)))>
2017-08-21 18:31:25,877:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-08-21 18:31:25,880:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-08-21 18:31:27,581:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 460
2017-08-21 18:31:27,583:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 460
Boulder-Request-Id: sQLNzzU-xTebhn7_rW9VeGfhT8qCc7FACcHRQ0npbeM
Replay-Nonce: 2qipdn1MePtE72HexS-luSu7g0orewBSj4hsF5H2WPE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 21 Aug 2017 18:31:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Aug 2017 18:31:27 GMT
Connection: keep-alive

{
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"meta": {
"terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
},
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-08-21 18:31:27,584:INFO:certbot.main:Renewing an existing certificate
2017-08-21 18:31:27,587:DEBUG:acme.client:Requesting fresh nonce
2017-08-21 18:31:27,587:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-08-21 18:31:28,412:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-08-21 18:31:28,414:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: WoXMxJZdfArqIfXOjkLlNfoki5L4UkhFCbwkcC0UR18
Replay-Nonce: G7R-LQRvWvDN3PjdLqVV80ZUnJTgD8OfPkv6E72Ul3M
Expires: Mon, 21 Aug 2017 18:31:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Aug 2017 18:31:28 GMT
Connection: keep-alive

2017-08-21 18:31:28,415:DEBUG:acme.client:Storing nonce: G7R-LQRvWvDN3PjdLqVV80ZUnJTgD8OfPkv6E72Ul3M
2017-08-21 18:31:28,416:DEBUG:acme.client:JWS payload:
{
"identifier": {
"type": "dns",
"value": "dev1.chavdi.com"
},
"resource": "new-authz"
}
2017-08-21 18:31:28,426:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"protected": "eyJub25jZSI6ICJHN1ItTFFSdld2RE4zUGpkTHFWVjgwWlVuSlRnRDhPZlBrdjZFNzJVbDNNIiwgImFsZyI6ICJSUzI1NiIsICJqd2siOiB7ImUiOiAiQVFBQiIsICJrdHkiOiAiUlNBIiwgIm4iOiAid3FSUXNmY0FjVm5DV2lYUTVEcmR1WTRKclM2OUpDWDNuZWcwNXZQNms0am5Ob2ROcTBnS09ZMW14RVYxMGRINHFCcGliTWJmamZuS0RMWXBVRTQzNWM2cWhaMm5SenlFdHFBdmtkZ0d2U2luVmpDcjlxMWc0dlI1QjJ1Y3kzVkY3MnhuU1l2c1ZZcXZUUVlSVnhRV0lVbk05UC0yTTY4Q0JxaHZrVnBOc1lLVjRXcXhBQm4zNFZ0TjE4V1ZnOVFXek1qZU5uLUxSRjRZTjhOYmlNRFZVNzZxRGc3cXRhUW5tX19fV1JadGJaWmR5cE5MT3loT2tRYUd5V0dHOVZ3Uk1xcHNwSzBabVBRVFNwR0JLWWVPZm9aZXM2U2h5X0JaaDJxRGlUTXpLTDZsTk01U0ZLcjh0b3U2UktqZHB4Q3NxczFPUnU4cFZsRFdibWg4SDdOQmlRIn19",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiZGV2MS5jaGF2ZGkuY29tIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0",
"signature": "dxefib9uAqSL0WBSkwXHHMzdXruIA9ghQcow2INFjcZ4qggp_v1txgSTYB_NmW9NRXB4rBZhQYWVIEngjRv8gWFEUKRnP04FuNdYgoWW5fW3Upxu19yd0AnBSlbNxacMx585puw_J_IFO6RMBXqyE9t3X0jLv3_hjnCbn_WEZlU_n_h6y_uMRgMg-m7WkCqUIAczhpmLxxMYHi5tnXFiAd07ljvUsC5kzYXPhMEQ966aFFN6vQs2gmCJC3HS9UZolnZjGJfcNkxgkJOHBXyxyi_OcgU45nKCjK0f0WO942ni30pQT6I2MB-Jq7HLLsuk-D2rghtyaoU4Jkn2ApSLgg"
}
2017-08-21 18:31:28,794:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 429 144
2017-08-21 18:31:28,796:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Content-Type: application/problem+json
Content-Length: 144
Boulder-Request-Id: P4WE2M3MkqUaawrZK2rDuu-SuGEaSeq0_6EnN9gpf6g
Boulder-Requester: 2494552
Replay-Nonce: PIWY1Zc9xUIqL_RXQuP7mwoPZqE5JLya3Ut7vxr-DOs
Expires: Mon, 21 Aug 2017 18:31:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Aug 2017 18:31:28 GMT
Connection: close

{
"type": "urn:acme:error:rateLimited",
"detail": "Error creating new authz :: too many currently pending authorizations",
"status": 429
}
2017-08-21 18:31:28,797:DEBUG:acme.client:Storing nonce: PIWY1Zc9xUIqL_RXQuP7mwoPZqE5JLya3Ut7vxr-DOs
2017-08-21 18:31:28,797:WARNING:certbot.renewal:Attempting to renew cert (dev1.chavdi.com-0002) from /etc/letsencrypt/renewal/dev1.chavdi.com-0002.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations. Skipping.
2017-08-21 18:31:28,800:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 421, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 650, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 77, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 297, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 66, in get_authorizations
self.authzr[domain] = self.acme.request_domain_challenges(domain)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 212, in request_domain_challenges
typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 191, in request_challenges
response = self.net.post(self.directory.new_authz, new_authz)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 682, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 695, in _post_once
return self._check_response(response, content_type=content_type)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 582, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations

2017-08-21 18:31:28,808:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-07-10 12:30:00 UTC.
2017-08-21 18:31:28,809:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-08-21 18:31:28,810:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-08-21 18:31:28,937:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f1d29401bd0>
Prep: True
2017-08-21 18:31:28,938:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f1d29401bd0> and installer None
2017-08-21 18:31:28,941:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:rahul.athale@mobifilia.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f1d29401e10>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/2494552', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf'), 0fd4d28e950c0d50f85e1ee29b493274, Meta(creation_host=u'dev1.chavdi.com', creation_dt=datetime.datetime(2016, 7, 5, 11, 29, 59, tzinfo=)))>
2017-08-21 18:31:28,941:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-08-21 18:31:28,943:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-08-21 18:31:29,594:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 460
2017-08-21 18:31:29,596:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 460
Boulder-Request-Id: Ij0MIY9uNrv8o7oUhqL3iR3Z1B39sFnbLOHYcsn1VOo
Replay-Nonce: thLQcD3RXw2_fQM11r7o30cfitjcVpdt-7OXO7wNLDs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 21 Aug 2017 18:31:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Aug 2017 18:31:29 GMT
Connection: keep-alive

{
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"meta": {
"terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
},
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2017-08-21 18:31:29,597:INFO:certbot.main:Renewing an existing certificate
2017-08-21 18:31:29,600:DEBUG:acme.client:Requesting fresh nonce
2017-08-21 18:31:29,600:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-08-21 18:31:29,917:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-08-21 18:31:29,919:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: SCp4npz4WH6x--np8XFJezcw0wwdLcTowNGEkYgVctQ
Replay-Nonce: 6eVZvkfiWoZBCVaBUbkmU-46ixxDhvDMJRfePpZ01nU
Expires: Mon, 21 Aug 2017 18:31:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Aug 2017 18:31:29 GMT
Connection: keep-alive

2017-08-21 18:31:29,919:DEBUG:acme.client:Storing nonce: 6eVZvkfiWoZBCVaBUbkmU-46ixxDhvDMJRfePpZ01nU
2017-08-21 18:31:29,920:DEBUG:acme.client:JWS payload:
{
"identifier": {
"type": "dns",
"value": "dev1.chavdi.com"
},
"resource": "new-authz"
}
2017-08-21 18:31:29,930:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"protected": "eyJub25jZSI6ICI2ZVZadmtmaVdvWkJDVmFCVWJrbVUtNDZpeHhEaHZETUpSZmVQcFowMW5VIiwgImFsZyI6ICJSUzI1NiIsICJqd2siOiB7ImUiOiAiQVFBQiIsICJrdHkiOiAiUlNBIiwgIm4iOiAid3FSUXNmY0FjVm5DV2lYUTVEcmR1WTRKclM2OUpDWDNuZWcwNXZQNms0am5Ob2ROcTBnS09ZMW14RVYxMGRINHFCcGliTWJmamZuS0RMWXBVRTQzNWM2cWhaMm5SenlFdHFBdmtkZ0d2U2luVmpDcjlxMWc0dlI1QjJ1Y3kzVkY3MnhuU1l2c1ZZcXZUUVlSVnhRV0lVbk05UC0yTTY4Q0JxaHZrVnBOc1lLVjRXcXhBQm4zNFZ0TjE4V1ZnOVFXek1qZU5uLUxSRjRZTjhOYmlNRFZVNzZxRGc3cXRhUW5tX19fV1JadGJaWmR5cE5MT3loT2tRYUd5V0dHOVZ3Uk1xcHNwSzBabVBRVFNwR0JLWWVPZm9aZXM2U2h5X0JaaDJxRGlUTXpLTDZsTk01U0ZLcjh0b3U2UktqZHB4Q3NxczFPUnU4cFZsRFdibWg4SDdOQmlRIn19",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiZGV2MS5jaGF2ZGkuY29tIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0",
"signature": "LIIJR36vyMpmo6gadNl5Jk5uqE7MTP21L1fNQw8Bn7lDahYUkydI-HIjU22dw-zT_7C5ycTQ3VF3UZE7FCS1jyfRfTzr0yuORgds5nWX-eO_J6HkHN2GsUCVLwhV5wqgg_ZJDQGmXx2r41HCFUs09xrQQr1C8INODYAWi2YOObbmIX44C8F6WwmRjCEtEsb2zLwre6s1bezS2yiB4q_FcnOkiPJIm8X3GbnelSDC1xI3-icjKr6nFWdmDoMGEJVbq8FsaSaTecKg7t8oGHHGQ1Dlcml6WuX1fVIdQpaS9Fp87DLuw1PyH3_zcFbd3ClTfxx0vbqb55atih7TAXvXYw"
}
2017-08-21 18:31:30,267:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 429 144
2017-08-21 18:31:30,270:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Content-Type: application/problem+json
Content-Length: 144
Boulder-Request-Id: NopZFbfOkuN-Csg8b98cqE0KIPfMpNv0q2pbx-O_frs
Boulder-Requester: 2494552
Replay-Nonce: T3UYstHzNidGPUeavypMa0itVYGTcIhlYTTVx63P4Ko
Expires: Mon, 21 Aug 2017 18:31:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Aug 2017 18:31:30 GMT
Connection: close

{
"type": "urn:acme:error:rateLimited",
"detail": "Error creating new authz :: too many currently pending authorizations",
"status": 429
}
2017-08-21 18:31:30,272:DEBUG:acme.client:Storing nonce: T3UYstHzNidGPUeavypMa0itVYGTcIhlYTTVx63P4Ko
2017-08-21 18:31:30,275:WARNING:certbot.renewal:Attempting to renew cert (dev1.chavdi.com-0001) from /etc/letsencrypt/renewal/dev1.chavdi.com-0001.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations. Skipping.
2017-08-21 18:31:30,277:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 421, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 650, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 77, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 297, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 66, in get_authorizations
self.authzr[domain] = self.acme.request_domain_challenges(domain)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 212, in request_domain_challenges
typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 191, in request_challenges
response = self.net.post(self.directory.new_authz, new_authz)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 682, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 695, in _post_once
return self._check_response(response, content_type=content_type)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 582, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations

2017-08-21 18:31:30,285:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2017-07-10 12:30:00 UTC.
2017-08-21 18:31:30,285:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2017-08-21 18:31:30,286:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-08-21 18:31:30,494:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f1d2fc98390>
Prep: True
2017-08-21 18:31:30,494:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f1d2fc98390> and installer None
2017-08-21 18:31:30,497:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, contact=(u'mailto:rahul.athale@mobifilia.com',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f1d2fc98a90>)>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/2494552', new_authzr_uri=u'https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf'), 0fd4d28e950c0d50f85e1ee29b493274, Meta(creation_host=u'dev1.chavdi.com', creation_dt=datetime.datetime(2016, 7, 5, 11, 29, 59, tzinfo=)))>
2017-08-21 18:31:30,497:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-08-21 18:31:30,498:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-08-21 18:31:31,259:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 460
2017-08-21 18:31:31,261:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 460
Boulder-Request-Id: g3BLpUsmc2YU3Y7Y9mk9RYMwCALULst8bTzOS7KoflE
Replay-Nonce: rv7g6qUofkTPc9-dQBHbe_VXBVTCqBLv_kxOYfi_K2c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 21 Aug 2017 18:31:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
...
...
Server: nginx
Content-Type: application/problem+json
Content-Length: 144
Boulder-Request-Id: j6Qm5pnA8aiCeoA8My7sQ9l2lbw_y6_bUFe7KPYhn2Y
Boulder-Requester: 2494552
Replay-Nonce: b1SOB4Qhjg4GptCZ50Ag--JNWc5YaGyf2Bv_OHokToE
Expires: Mon, 21 Aug 2017 18:31:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 21 Aug 2017 18:31:33 GMT
Connection: close

{
"type": "urn:acme:error:rateLimited",
"detail": "Error creating new authz :: too many currently pending authorizations",
"status": 429
}
2017-08-21 18:31:33,611:DEBUG:acme.client:Storing nonce: b1SOB4Qhjg4GptCZ50Ag--JNWc5YaGyf2Bv_OHokToE
2017-08-21 18:31:33,615:WARNING:certbot.renewal:Attempting to renew cert (m3dev.dev1.chavdi.com) from /etc/letsencrypt/renewal/m3dev.dev1.chavdi.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations. Skipping.
2017-08-21 18:31:33,617:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 421, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 650, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 77, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 297, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 66, in get_authorizations
self.authzr[domain] = self.acme.request_domain_challenges(domain)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 212, in request_domain_challenges
typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 191, in request_challenges
response = self.net.post(self.directory.new_authz, new_authz)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 682, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 695, in _post_once
return self._check_response(response, content_type=content_type)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 582, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations

2017-08-21 18:31:33,620:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.17.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 753, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 703, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 439, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 4 renew failure(s), 0 parse failure(s)

I'm not able to locate crash log in above.

4

Is it possible that there's a file in /etc/cron.d or /etc/cron.daily that runs it?

Unfortunately, this log isn't old enough to be useful; it shows that you were forbidden from requesting a new authorization because of the "too many currently pending authorizations" error, which is the same error that you already knew about. The log that explains how this happened must be older. (Maybe one of the logs that has a very different size contains records of a very different interaction with the server?)

5

Yes, I found certbot in /etc/cron.d/ please find the script below.

/etc/cron.d/certbot: crontab entries for the certbot package

Upstream recommends attempting renewal twice a day

Eventually, this will be an opportunity to validate certificates
haven't been revoked, etc. Renewal will only occur if expiration
is within 30 days.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

Log from letsencrypt.log.18

2017-08-20 19:05:23,763:INFO:certbot.main:Renewing an existing certificate
2017-08-20 19:05:23,766:DEBUG:acme.client:Requesting fresh nonce
2017-08-20 19:05:23,766:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-08-20 19:05:24,237:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-08-20 19:05:24,239:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: 5nl_wQpeAzoohiGntQPyRA6zmMgI_sN6k6jcaX7fEuc
Replay-Nonce: m5RWPKJFFLrPavihieqPz9slMv1zgNgQy4oJO1q3mHs
Expires: Sun, 20 Aug 2017 19:05:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Aug 2017 19:05:24 GMT
Connection: keep-alive
2017-08-20 19:05:24,239:DEBUG:acme.client:Storing nonce: m5RWPKJFFLrPavihieqPz9slMv1zgNgQy4oJO1q3mHs
2017-08-20 19:05:24,240:DEBUG:acme.client:JWS payload:
{
"identifier": {
"type": "dns",
"value": "m3dev.dev1.chavdi.com"
},
"resource": "new-authz"
}
2017-08-20 19:05:24,250:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "wqRQsfcAcVnCWiXQ5DrduY4JrS69JCX3neg05vP6k4jnNodNq0gKOY1mxEV10dH4qBpibMbfjfnKDLYpUE435c6qhZ2nRzyEtqAvkdgGvSinVjCr9q1g4vR5B2ucy3VF72xnSYvsVYqvTQYRVxQWIUnM9P-2M68CBqhvkVpNsYKV4WqxABn34VtN18WVg9QWzMjeNn-LRF4YN8NbiMDVU76qDg7qtaQnm___WRZtbZZdypNLOyhOkQaGyWGG9VwRMqpspK0ZmPQTSpGBKYeOfoZes6Shy_BZh2qDiTMzKL6lNM5SFKr8tou6RKjdpxCsqs1ORu8pVlDWbmh8H7NBiQ"
}
},
"protected": "eyJub25jZSI6ICJtNVJXUEtKRkZMclBhdmloaWVxUHo5c2xNdjF6Z05nUXk0b0pPMXEzbUhzIn0",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAibTNkZXYuZGV2MS5jaGF2ZGkuY29tIgogIH0sIAogICJyZXNvdXJjZSI6ICJuZXctYXV0aHoiCn0",
"signature": "tILsTqck18POSieiq9pZiWcJIQW1JtGfMjTEXAX9ddP-uCI3Yh6PY7_i3KFT9bAL6y3Oy9XExTYiH2Jq9tFkfBB7mmCCHdOV-2O-uBqXbk_aX45VegDjjOEQS1NiVS7QrsL19l8DhPe4TIFc2aGgS_YcucxzRNEXHno5xbJDoTzTuPRcyPG8qpA7eG_REPUH0JpX2QWRiXYXb0HrLeN3gJxoJQrrzARqWT8G8dc8eDzXYZwfJwxvhw57Stmu1plAZoBe2sSnR0D6Sqz5KT5H965rquNJ5tjSRQnhkop9Ts_auH499otDIOshTdtS65xkfWXG2n1F7wAsyVpYounCkw"
}
2017-08-20 19:05:24,707:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1009
2017-08-20 19:05:24,709:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1009
Boulder-Request-Id: Bk_6eqJFNM6KOMYcE9GTAsQHEcPb79eBAEsXBuQCEv0
Boulder-Requester: 2494552
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/cl9HWW1Dr5uCW6zgefynpIHlInibsxw8YYKgKfIoOa4
Replay-Nonce: eCWF4j9-YtwVw98hysE9pQgA9dd2Z4iTC2zG_MEcf1U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 20 Aug 2017 19:05:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Aug 2017 19:05:24 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "m3dev.dev1.chavdi.com"
},
"status": "pending",
"expires": "2017-08-27T19:05:24.545723952Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cl9HWW1Dr5uCW6zgefynpIHlInibsxw8YYKgKfIoOa4/1797310255",
"token": "i2BsrbEn6u4O5ZzlPj_iMIVkWAN-vXGEy32DCvZf1zE"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cl9HWW1Dr5uCW6zgefynpIHlInibsxw8YYKgKfIoOa4/1797310256",
"token": "oRPJAEZchHehPkTsiAtSPOqKoSbNeXfuMC7xKokUo5A"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/cl9HWW1Dr5uCW6zgefynpIHlInibsxw8YYKgKfIoOa4/1797310257",
"token": "IKRczPPn1If4QzO6DDcsWMh410nvmKHXKf41Qe6QC28"
}
],
"combinations": [
[
2
],
[
1
],
[
0
]
]
}
2017-08-20 19:05:24,709:DEBUG:acme.client:Storing nonce: eCWF4j9-YtwVw98hysE9pQgA9dd2Z4iTC2zG_MEcf1U
2017-08-20 19:05:24,712:DEBUG:acme.client:JWS payload:
{
"identifier": {
"type": "dns",
"value": "swadev.dev1.chavdi.com"
},
"resource": "new-authz"
}
2017-08-20 19:05:24,721:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "wqRQsfcAcVnCWiXQ5DrduY4JrS69JCX3neg05vP6k4jnNodNq0gKOY1mxEV10dH4qBpibMbfjfnKDLYpUE435c6qhZ2nRzyEtqAvkdgGvSinVjCr9q1g4vR5B2ucy3VF72xnSYvsVYqvTQYRVxQWIUnM9P-2M68CBqhvkVpNsYKV4WqxABn34VtN18WVg9QWzMjeNn-LRF4YN8NbiMDVU76qDg7qtaQnm___WRZtbZZdypNLOyhOkQaGyWGG9VwRMqpspK0ZmPQTSpGBKYeOfoZes6Shy_BZh2qDiTMzKL6lNM5SFKr8tou6RKjdpxCsqs1ORu8pVlDWbmh8H7NBiQ"
}
},
"protected": "eyJub25jZSI6ICJlQ1dGNGo5LVl0d1Z3OThoeXNFOXBRZ0E5ZGQyWjRpVEMyekdfTUVjZjFVIn0",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAic3dhZGV2LmRldjEuY2hhdmRpLmNvbSIKICB9LCAKICAicmVzb3VyY2UiOiAibmV3LWF1dGh6Igp9",
"signature": "uNbh4iQA2jy7Dtk_8i4BB_ndu8g2tPQXZO-gSuCQKTH2svTopKQGOBx5KDqh1okubbJYK_80sq2awDhLSPviHkLUiVoFMrVp-_fMXUmkzMHq5VovBN0oWQ_o18L9NSV1MNFVw9k79exJyLY5g2kb1mR0Ua-WBPDHOh2TuYcE5D_8245oQTCqiXNKI6DHbSvqaWvBEDShJbCGvDfXN5-GnLOYmcxExosa0TdsYzrEh1Q1r5TfjhGf_Q9AusYA-5Kbt8gorFjVkZFUhLV6Akfjgh75x681utbYcXhM25kyIvxrdQdFwxQB2Swit3RuqNnMhGiUqK2ob21LYjAaqoIZNQ"
}
2017-08-20 19:05:25,129:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1010
2017-08-20 19:05:25,132:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1010
Boulder-Request-Id: g_jzFvSqlfu2qoP_6HYFOpPrIKeCJDdcv0QYuuRphUs
Boulder-Requester: 2494552
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/Qc-Q-5vmNOvx5KPo9VQPLLsvP42PtXi50vpzzTOMbus
Replay-Nonce: tTwOO-vP2ktq1tqJXHBphCMtGDXtfMfZqU2f56LpLes
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 20 Aug 2017 19:05:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Aug 2017 19:05:25 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "swadev.dev1.chavdi.com"
},
"status": "pending",
"expires": "2017-08-27T19:05:24.977680519Z",
"challenges": [
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Qc-Q-5vmNOvx5KPo9VQPLLsvP42PtXi50vpzzTOMbus/1797310285",
"token": "ntAZmJ9hiavfDT7LQzwIz9rxKzcig8jaPkzZqdW2yJg"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Qc-Q-5vmNOvx5KPo9VQPLLsvP42PtXi50vpzzTOMbus/1797310286",
"token": "Tm3mBH9YrXUDphaIAg5evK7yoAXu4wrfbscSkBb1URw"
},
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Qc-Q-5vmNOvx5KPo9VQPLLsvP42PtXi50vpzzTOMbus/1797310287",
"token": "3mHfqbmluQ3KKAdrD_GI-tsRQbEF0EkBE-ZdvV2jksE"
}
],
"combinations": [
[
2
],
[
0
],
[
1
]
]
}
2017-08-20 19:05:25,132:DEBUG:acme.client:Storing nonce: tTwOO-vP2ktq1tqJXHBphCMtGDXtfMfZqU2f56LpLes
2017-08-20 19:05:25,135:DEBUG:acme.client:JWS payload:
{
"identifier": {
"type": "dns",
"value": "tmr2dev.dev1.chavdi.com"
},
"resource": "new-authz"
}
2017-08-20 19:05:25,144:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"header": {
"alg": "RS256",
"jwk": {
"e": "AQAB",
"kty": "RSA",
"n": "wqRQsfcAcVnCWiXQ5DrduY4JrS69JCX3neg05vP6k4jnNodNq0gKOY1mxEV10dH4qBpibMbfjfnKDLYpUE435c6qhZ2nRzyEtqAvkdgGvSinVjCr9q1g4vR5B2ucy3VF72xnSYvsVYqvTQYRVxQWIUnM9P-2M68CBqhvkVpNsYKV4WqxABn34VtN18WVg9QWzMjeNn-LRF4YN8NbiMDVU76qDg7qtaQnm___WRZtbZZdypNLOyhOkQaGyWGG9VwRMqpspK0ZmPQTSpGBKYeOfoZes6Shy_BZh2qDiTMzKL6lNM5SFKr8tou6RKjdpxCsqs1ORu8pVlDWbmh8H7NBiQ"
}
},
"protected": "eyJub25jZSI6ICJ0VHdPTy12UDJrdHExdHFKWEhCcGhDTXRHRFh0Zk1mWnFVMmY1NkxwTGVzIn0",
"payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAidG1yMmRldi5kZXYxLmNoYXZkaS5jb20iCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ",
"signature": "BBa9XKmJvVDMO0aO77ncoXlhdZHfzhGEtpMngpd8t1mNkvsaKGH_vrOy8ILtUoU7IE4SNHP_YN4aNFKbUPST_HH5Vzd9i23RRRNv2x4RfU649UAMFey38sy3oZselFxPNgSeXHZCESTbpO7of8qTUa28fwi2wO8r3FoBvlrtcZm3cqVe3JYfgLjHizA6ogAXKWUlXHAnh378qCv2yTvwhCUv4ixmjvlSYzXu-kWw7Z1NqUZdWWkbjrfnP0GdpTWRApFQM5O368Dvlq_N1bjwOyrhEI--F6Boz3fNdcBKM3i3n6izVJlfLyc5HsEUuE6tFoXMTCKQ49Ib_Z8_GnzJ4Q"
}
2017-08-20 19:05:25,495:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1011
2017-08-20 19:05:25,497:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1011
Boulder-Request-Id: 2za2K1U1v7Vhr06Ge5J_CEkequlKYQuiGxjocugTqWU
Boulder-Requester: 2494552
Link: https://acme-v01.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/Y-9a6WspPziad7gpiA4z24ol3tbRNKaQ8L0Hal1fPKY
Replay-Nonce: TxySEIwEx9gN6K9heSDKYUztemQ70wn4lMCWr6nBsl4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 20 Aug 2017 19:05:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 20 Aug 2017 19:05:25 GMT
Connection: keep-alive
{
"identifier": {
"type": "dns",
"value": "tmr2dev.dev1.chavdi.com"
},
"status": "pending",
"expires": "2017-08-27T19:05:25.347327997Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Y-9a6WspPziad7gpiA4z24ol3tbRNKaQ8L0Hal1fPKY/1797310348",
"token": "FhMDMCBLsPpvBhjhxtRlwYUDQ9YMswuJ2twSKVpbfCs"
},
{
"type": "tls-sni-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Y-9a6WspPziad7gpiA4z24ol3tbRNKaQ8L0Hal1fPKY/1797310349",
"token": "fu6m3k30iEFZDyh-0f34XlertdsEHg2aNp9djJXtATo"
},
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Y-9a6WspPziad7gpiA4z24ol3tbRNKaQ8L0Hal1fPKY/1797310350",
"token": "CU53h6cJPsCK0AlxBxuZYPQ3HrUS7qXSpdXCVNz3eeY"
}
],
"combinations": [
[
1
],
[
2
],
[
0
]
]
}
2017-08-20 19:05:25,498:DEBUG:acme.client:Storing nonce: TxySEIwEx9gN6K9heSDKYUztemQ70wn4lMCWr6nBsl4
2017-08-20 19:05:25,499:INFO:certbot.auth_handler:Performing the following challenges:
2017-08-20 19:05:25,500:INFO:certbot.auth_handler:tls-sni-01 challenge for m3dev.dev1.chavdi.com
2017-08-20 19:05:25,500:INFO:certbot.auth_handler:tls-sni-01 challenge for swadev.dev1.chavdi.com
2017-08-20 19:05:25,500:INFO:certbot.auth_handler:tls-sni-01 challenge for tmr2dev.dev1.chavdi.com
2017-08-20 19:05:25,502:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 115, in _solve_challenges
resp = self.auth.perform(self.achalls)
File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 211, in perform
return [self._try_perform_single(achall) for achall in achalls]
File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 218, in _try_perform_single
_handle_perform_error(error)
File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 271, in _handle_perform_error
raise errors.PluginError(msg)
PluginError: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
2017-08-20 19:05:25,502:DEBUG:certbot.error_handler:Calling registered functions
2017-08-20 19:05:25,502:INFO:certbot.auth_handler:Cleaning up challenges
2017-08-20 19:05:25,506:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/m3dev.dev1.chavdi.com.conf produced an unexpected error: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.. Skipping.
2017-08-20 19:05:25,508:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 418, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 640, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 77, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 313, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 74, in get_authorizations
resp = self._solve_challenges()
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 115, in _solve_challenges
resp = self.auth.perform(self.achalls)
File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 211, in perform
return [self._try_perform_single(achall) for achall in achalls]
File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 218, in _try_perform_single
_handle_perform_error(error)
File "/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.py", line 271, in _handle_perform_error
raise errors.PluginError(msg)
PluginError: Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
2017-08-20 19:05:25,511:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.14.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 742, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 692, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 435, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 4 renew failure(s), 0 parse failure(s)

This was the last log which does not include pending authorizations error, so hopefully has the reason, why it failed.

6

Yep! It looks like it does have the reason.

Do you remember using --standalone or choosing the standalone authenticator from a menu when you originally got your certificate? Do you know why you made that choice?

7

@bmw, it looks like this is a somewhat straightforward way of leaking pending authzs—the exception caused by trying to bind a port that’s already in use left the authz pending when it exited. Do you think that would still be true in the current Certbot?

8

Yes, very much I manually stopped nginx and did the renewal by issuing "certbot certonly --standalone" and restarted the nginx. As the old version from Ubuntu did not have nginx plugin then.

9

@mobifilia, I’ve understood why you’re getting this error but I would like to know if there’s something about your configuration that led you to intentionally use --standalone. It looks to me like --standalone is not the correct authentication method for your environment.

At the same time, there seems to be a bug in Certbot that causes the much less helpful error about pending authorizations under this circumstance, instead of consistently giving a comparatively easier-to-diagnose error about the port-binding conflict.

10

As the old version of certbot from Ubuntu did not have nginx plugin then.
I upgraded to ppa after that.

11

OK, so I think we're zeroing in on why this is happening (so it's great that you could post the log here!).

  • certbot renew is running by itself repeatedly every day because of the cron.d task that was created by the OS package
  • It doesn't know that it has to do the service nginx stop and service nginx restart that you did manually, and so it doesn't do them
  • As a result, it runs into a conflict trying to use port 443, which is already in use by nginx
  • Due to a Certbot bug, it then crashes in a way that leaves some server-side resources still tied up
  • After this has happened several times, the server complains that the client is making an unreasonable use of server resources and is not allowed to request certificates anymore

One solution to this would be to edit the renewal configuration file in /etc/letsencrypt/renewal and add

pre-hook = "service nginx stop"
post-hook = "service nginx start"

in the [renewalparams] section. That would probably make the port conflict go away and make the renewal succeed. (If I remember correctly, it would not actually stop and then restart nginx every day, only on infrequent occasions when it decides that it's time to renew the certificate for you.)

Unfortunately, the "pending authorizations" problem will probably prevent you from making any new renewal attempts for about a week unless we can tell the server to clear them.

A user on this forum did create a tool for trying to do this:

The idea is that you can find the authz URLs in the logs (in particular the logs like the second one you posted that show a crash due to a port conflict, rather than the logs that just say "too many currently pending authorizations") and then acmecancel them using a private key in /etc/letsencrypt/accounts. This would then remove the restriction on making new attempts sooner.

12

@schoen One more thing, I have earlier revoked superseded certificates. But the renewal still has them. And probably attempting renewal of those too. How to stop this?
As this will help reduce unnecessary requests.

13

I was hesitating to use "certbot delete".
Now I have deleted all the unwanted certificates as they were revoked earlier and superseded by the one I'm trying to renew.

I have added the pre and post hooks as given by you.

I did try using that by installing go-lang.
The acmecancel works only with ECDSA P256 keys, but my certbot installation has created RSA keys.

Could you suggest anything more which I can try to remove “pending authorizations” restrictions?

Thanks for all the help you have extended.

14

I guess we need to modify acmecancel so that it understands other key types, or else wait what I think is about a week for the pending authorizations to time out.

15

Yes, current versions of Certbot would have this same behavior. We could potentially add code to try and deactivate pending authorizations before we crash.

16

I think that would be helpful to quite a few people.

17

I have exactly same issue, had a crontab entry that was using letsencrypt renew, but was not stopping nginx first, hence failing. Now won’t renew: I have just added the nginx plugin for certbot, so hopefuly won’t be an issue again, bur still have to get rid of current requests…here is snip from letsencrypt.log

Content-Type: application/problem+json
Content-Length: 144
Boulder-Request-Id: 0MArl3otVSvBZyBJWWMb67Add1ZGIFEG6m21A3589Cg
Boulder-Requester: 6934496
Replay-Nonce: 8SQgbHhS6rbq9e7C_66IYxMpMvZaIy1zAH8gCW3Ngl0
Expires: Wed, 23 Aug 2017 08:54:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 23 Aug 2017 08:54:51 GMT
Connection: close

{
“type”: “urn:acme:error:rateLimited”,
“detail”: “Error creating new authz :: too many currently pending
authorizations”,
“status”: 429
}
2017-08-23 08:54:51,379:DEBUG:acme.client:Storing nonce: 8SQgbHhS6rb
q9e7C_66IYxMpMvZaIy1zAH8gCW3Ngl0
2017-08-23 08:54:51,380:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.17.0’, ‘console_scripts’, ‘certbot’
)()
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 753,
in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 606,
in run
certname, lineage)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 82,
in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certn
ame)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 35
7, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 31
8, in obtain_certificate
self.config.allow_subset_of_names)
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, l
ine 66, in get_authorizations
self.authzr[domain] = self.acme.request_domain_challenges(domain
)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 212,
in request_domain_challenges
typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 191,
in request_challenges
response = self.net.post(self.directory.new_authz, new_authz)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 682,
in post
return self._post_once(*args, **kwargs)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 695,
in _post_once
return self._check_response(response, content_type=content_type)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 582,
in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:rateLimited :: There were too many requests of
a given type :: Error creating new authz :: too many currently pend
ing authorizations

Am I using the right keys, so Can I use the github project to cancel these requests ?

18

The error starts on log.83 file, where the port binding to 443 fails. i must have changed my renewal process about tis time.

Pretty sure using RSA certs, so acmecancel is not an option, so guess I have to wait a week, which is annoying as cert has expired.

2017-07-20 23:50:17,849:DEBUG:acme.client:Sending GET request to htt
ps://acme-v01.api.letsencrypt.org/directory.
2017-07-20 23:50:17,852:DEBUG:requests.packages.urllib3.connectionpo
ol:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-07-20 23:50:18,113:DEBUG:requests.packages.urllib3.connectionpo
ol:https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1
” 200 352
2017-07-20 23:50:18,115:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: ABHBwDlUMCkRVmx3xwmnehwdnneXYKmU3tVUjM2w_iM
/
…skipping
2017-07-20 23:50:18,118:DEBUG:acme.client:Requesting fresh nonce
2017-07-20 23:50:18,118:DEBUG:acme.client:Sending HEAD request to ht
tps://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-07-20 23:50:18,311:DEBUG:requests.packages.urllib3.connectionpo
ol:https://acme-v01.api.letsencrypt.org:443 “HEAD /acme/new-authz HT
TP/1.1” 405 0
2017-07-20 23:50:18,313:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: CiOs6YT3CUTAD0ts_AYnFVPVJl8Gy2wHywzcfKKaDIQ
/
…skipping
sK4Hgld35O_cnR4EN3VHd96_ffyGjJX2SBxFNy6sEziDNXxGvxrLaIm5nud2lnfQbUX3
Pq1tMOTk5giqoYTyKA"
}
2017-07-20 23:50:18,537:DEBUG:requests.packages.urllib3.connectionpo
ol:https://acme-v01.api.letsencrypt.org:443 “POST /acme/new-authz HT
TP/1.1” 201 1007
2017-07-20 23:50:18,539:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1007
Boulder-Request-Id: 9ZZoCZAygxzZvDjAAyolkxrB3K-36FzeROTArC_LyzE
Boulder-Requester: 6934496
/
…skipping
File “/usr/lib/python2.7/dist-packages/certbot/plugins/standalone.
py”, line 271, in _handle_perform_error
raise errors.PluginError(msg)
PluginError: Could not bind TCP port 443 because it is already in us
e by another process on this system (such as a web server). Please s
top the program in question and then try again.

2017-07-20 23:50:18,546:DEBUG:certbot.error_handler:Calling register
ed functions
2017-07-20 23:50:18,546:INFO:certbot.auth_handler:Cleaning up challe
nges
2017-07-20 23:50:18,546:WARNING:certbot.renewal:Attempting to renew
c

root@crowthorne:~/go# cd /var/log/letsencrypt/
root@crowthorne:/var/log/letsencrypt# pwd
/var/log/letsencrypt
root@crowthorne:/var/log/letsencrypt# ls -lt
total 8632
-rw-r–r-- 1 root root 10261 Aug 23 09:54 letsencrypt.log
-rw-r–r-- 1 root root 10234 Aug 23 09:49 letsencrypt.log.1
-rw-r–r-- 1 root root 695 Aug 23 09:46 letsencrypt.log.2
-rw-r–r-- 1 root root 695 Aug 23 09:45 letsencrypt.log.3
-rw-r–r-- 1 root root 672 Aug 23 09:44 letsencrypt.log.4
-rw-r–r-- 1 root root 672 Aug 23 09:41 letsencrypt.log.5
-rw-r–r-- 1 root root 8626 Aug 23 05:15 letsencrypt.log.6
-rw-r–r-- 1 root root 8626 Aug 23 05:14 letsencrypt.log.7
-rw-r–r-- 1 root root 8626 Aug 23 04:59 letsencrypt.log.8
-rw-r–r-- 1 root root 23665 Aug 23 04:59 letsencrypt.log.9
-rw-r–r-- 1 root root 88851 Aug 23 00:47 letsencrypt.log.10
-rw-r–r-- 1 root root 23665 Aug 22 17:58 letsencrypt.log.11
-rw-r–r-- 1 root root 88901 Aug 22 17:57 letsencrypt.log.12
-rw-r–r-- 1 root root 88859 Aug 22 12:17 letsencrypt.log.13
-rw-r–r-- 1 root root 84717 Aug 22 00:48 letsencrypt.log.14
-rw-r–r-- 1 root root 84717 Aug 21 12:44 letsencrypt.log.15
-rw-r–r-- 1 root root 84760 Aug 21 02:30 letsencrypt.log.16
-rw-r–r-- 1 root root 70912 Aug 21 00:09 letsencrypt.log.17
-rw-r–r-- 1 root root 84714 Aug 20 12:57 letsencrypt.log.18
-rw-r–r-- 1 root root 84717 Aug 20 00:02 letsencrypt.log.19
-rw-r–r-- 1 root root 84716 Aug 19 12:12 letsencrypt.log.20
-rw-r–r-- 1 root root 84716 Aug 19 00:14 letsencrypt.log.21
-rw-r–r-- 1 root root 84711 Aug 18 12:22 letsencrypt.log.22
-rw-r–r-- 1 root root 84716 Aug 18 00:49 letsencrypt.log.23
-rw-r–r-- 1 root root 84715 Aug 17 12:41 letsencrypt.log.24
-rw-r–r-- 1 root root 84715 Aug 17 00:53 letsencrypt.log.25
-rw-r–r-- 1 root root 84716 Aug 16 12:36 letsencrypt.log.26
-rw-r–r-- 1 root root 84718 Aug 16 00:35 letsencrypt.log.27
-rw-r–r-- 1 root root 84718 Aug 15 12:46 letsencrypt.log.28
-rw-r–r-- 1 root root 84716 Aug 15 00:47 letsencrypt.log.29
-rw-r–r-- 1 root root 84716 Aug 14 12:14 letsencrypt.log.30
-rw-r–r-- 1 root root 84758 Aug 14 02:30 letsencrypt.log.31
-rw-r–r-- 1 root root 84718 Aug 14 00:43 letsencrypt.log.32
-rw-r–r-- 1 root root 84715 Aug 13 12:03 letsencrypt.log.33
-rw-r–r-- 1 root root 70917 Aug 13 00:32 letsencrypt.log.34
-rw-r–r-- 1 root root 84715 Aug 12 12:06 letsencrypt.log.35
-rw-r–r-- 1 root root 84716 Aug 12 00:21 letsencrypt.log.36
-rw-r–r-- 1 root root 84715 Aug 11 12:01 letsencrypt.log.37
-rw-r–r-- 1 root root 84717 Aug 11 00:56 letsencrypt.log.38
-rw-r–r-- 1 root root 84716 Aug 10 12:38 letsencrypt.log.39
-rw-r–r-- 1 root root 84713 Aug 10 00:09 letsencrypt.log.40
-rw-r–r-- 1 root root 84717 Aug 9 12:49 letsencrypt.log.41
-rw-r–r-- 1 root root 84713 Aug 9 00:51 letsencrypt.log.42
-rw-r–r-- 1 root root 84718 Aug 8 12:45 letsencrypt.log.43
-rw-r–r-- 1 root root 84718 Aug 8 00:35 letsencrypt.log.44
-rw-r–r-- 1 root root 84717 Aug 7 12:48 letsencrypt.log.45
-rw-r–r-- 1 root root 84760 Aug 7 02:30 letsencrypt.log.46
-rw-r–r-- 1 root root 84714 Aug 7 00:51 letsencrypt.log.47
-rw-r–r-- 1 root root 84717 Aug 6 12:02 letsencrypt.log.48
-rw-r–r-- 1 root root 84716 Aug 6 00:50 letsencrypt.log.49
-rw-r–r-- 1 root root 84716 Aug 5 12:00 letsencrypt.log.50
-rw-r–r-- 1 root root 14475 Aug 5 00:54 letsencrypt.log.51
-rw-r–r-- 1 root root 84715 Aug 4 12:08 letsencrypt.log.52
-rw-r–r-- 1 root root 84714 Aug 4 00:28 letsencrypt.log.53
-rw-r–r-- 1 root root 84500 Aug 3 12:57 letsencrypt.log.54
-rw-r–r-- 1 root root 84500 Aug 3 00:35 letsencrypt.log.55
-rw-r–r-- 1 root root 84501 Aug 2 12:33 letsencrypt.log.56
-rw-r–r-- 1 root root 84500 Aug 2 00:32 letsencrypt.log.57
-rw-r–r-- 1 root root 84500 Aug 1 12:12 letsencrypt.log.58
-rw-r–r-- 1 root root 84499 Aug 1 00:41 letsencrypt.log.59
-rw-r–r-- 1 root root 84500 Jul 31 12:58 letsencrypt.log.60
-rw-r–r-- 1 root root 84543 Jul 31 02:30 letsencrypt.log.61
-rw-r–r-- 1 root root 70696 Jul 31 00:02 letsencrypt.log.62
-rw-r–r-- 1 root root 84501 Jul 30 12:41 letsencrypt.log.63
-rw-r–r-- 1 root root 84501 Jul 30 00:53 letsencrypt.log.64
-rw-r–r-- 1 root root 84501 Jul 29 12:49 letsencrypt.log.65
-rw-r–r-- 1 root root 84498 Jul 29 00:25 letsencrypt.log.66
-rw-r–r-- 1 root root 84717 Jul 28 12:13 letsencrypt.log.67
-rw-r–r-- 1 root root 84717 Jul 28 00:36 letsencrypt.log.68
-rw-r–r-- 1 root root 84500 Jul 27 12:40 letsencrypt.log.69
-rw-r–r-- 1 root root 84496 Jul 27 00:50 letsencrypt.log.70
-rw-r–r-- 1 root root 84501 Jul 26 12:42 letsencrypt.log.71
-rw-r–r-- 1 root root 84498 Jul 26 00:48 letsencrypt.log.72
-rw-r–r-- 1 root root 84502 Jul 25 12:21 letsencrypt.log.73
-rw-r–r-- 1 root root 84500 Jul 25 00:55 letsencrypt.log.74
-rw-r–r-- 1 root root 84501 Jul 24 12:04 letsencrypt.log.75
-rw-r–r-- 1 root root 84543 Jul 24 02:30 letsencrypt.log.76
-rw-r–r-- 1 root root 84498 Jul 24 00:54 letsencrypt.log.77
-rw-r–r-- 1 root root 84494 Jul 23 12:24 letsencrypt.log.78
-rw-r–r-- 1 root root 57330 Jul 23 00:28 letsencrypt.log.79
-rw-r–r-- 1 root root 84500 Jul 22 12:49 letsencrypt.log.80
-rw-r–r-- 1 root root 84500 Jul 22 00:43 letsencrypt.log.81
-rw-r–r-- 1 root root 84499 Jul 21 12:04 letsencrypt.log.82
-rw-r–r-- 1 root root 84496 Jul 21 00:50 letsencrypt.log.83
-rw-r–r-- 1 root root 5554 Jul 20 12:04 letsencrypt.log.84
-rw-r–r-- 1 root root 5554 Jul 20 00:39 letsencrypt.log.85
-rw-r–r-- 1 root root 5554 Jul 19 12:30 letsencrypt.log.86
-rw-r–r-- 1 root root 5554 Jul 19 00:35 letsencrypt.log.87
-rw-r–r-- 1 root root 5554 Jul 18 12:42 letsencrypt.log.88
-rw-r–r-- 1 root root 5554 Jul 18 00:12 letsencrypt.log.89
-rw-r–r-- 1 root root 5554 Jul 17 12:08 letsencrypt.log.90
-rw-r–r-- 1 root root 5593 Jul 17 02:30 letsencrypt.log.91
-rw-r–r-- 1 root root 5554 Jul 17 00:51 letsencrypt.log.92
-rw-r–r-- 1 root root 37986 Jul 16 16:33 letsencrypt.log.93
-rw-r–r-- 1 root root 5554 Jul 16 12:51 letsencrypt.log.94
-rw-r–r-- 1 root root 5554 Jul 16 00:15 letsencrypt.log.95
-rw-r–r-- 1 root root 28953 Jul 15 23:20 letsencrypt.log.96
-rw-r–r-- 1 root root 20165 Jul 15 23:19 letsencrypt.log.97
-rw-r–r-- 1 root root 15521 Jul 15 23:19 letsencrypt.log.98
-rw-r–r-- 1 root root 5480 Jul 15 12:45 letsencrypt.log.99
-rw-r–r-- 1 root root 5480 Jul 15 00:27 letsencrypt.log.100
-rw-r–r-- 1 root root 5480 Jul 14 12:14 letsencrypt.log.101

19

@schoen

Fortunately our certificates were renewed today by manually running

certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

From log I found out that it was still having port conflict errors in spite of adding below lines verbatim in /etc/letsencrypt/renewal in the [renewalparams] section.

I was wondering why would port conflict happen with both hooks present.
But after successful renewal I found following in /etc/letsencrypt/renewal file.

post_hook = systemctl start nginx
pre_hook = systemctl stop nginx

The difference is "" around hook string not present.

Just gave this as someone else having same issue will get benefited.

20

I wondered about this at the time that I gave you that advice, but I did a different test that suggested to me that it doesn't matter. I'm actually quite confused about why it would make a difference, but I'll remember to suggest the latter form in the future. Thanks for letting me know, and sorry for the apparently mistaken advice!