Error renewing certificates while --dry-run succeeds

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lavaleriana.net, bb-stilltech.nl, scotspine.nl

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lavaleriana.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Attempting to renew cert (lavaleriana.net) from /etc/letsencrypt/renewal/lavaleriana.net.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f0b6b697198>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',)). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian 9.13

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.1

Hi there,

I hope someone can point me in the right direction. My certificates have expired by now and I am trying to get this situation resolved. The error message above appears if I try to renew my certificates, and if I try again it will respond with this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lavaleriana.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Attempting to renew cert (lavaleriana.net) from /etc/letsencrypt/renewal/lavaleriana.net.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.bb-stilltech.nl,*.lavaleriana.net,*.scotspine.nl,bb-stilltech.nl,lavaleriana.net,scotspine.nl: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /usr/sbin/service apache2 reload
1 renew failure(s), 0 parse failure(s)

Running the renew command with --dry-run, produces no errors at all as you can see below:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lavaleriana.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for bb-stilltech.nl
dns-01 challenge for lavaleriana.net
dns-01 challenge for scotspine.nl
dns-01 challenge for bb-stilltech.nl
dns-01 challenge for lavaleriana.net
dns-01 challenge for scotspine.nl
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/lavaleriana.net/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/lavaleriana.net/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /usr/sbin/service apache2 reload

I am at a loss here. I could really use some help with this.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I don't know if there's anything in your control that can be done here. Let me have someone of authority look this over. They might not be around right now, so please be patient.

@lestaff

Any ideas here?

1 Like

I can perfectly resolve the URL, might be a local DNS issue with the staging server cached, but not production.

2 Likes

@nrbrt

This, on the other hand...

That means you've created too many duplicate certificates.

Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don’t anymore. Exceeding the Duplicate Certificate limit is reported with the error message "too many certificates already issued for exact set of domains".

A certificate is considered a renewal (or a duplicate) of an earlier certificate if it contains the exact same set of hostnames, ignoring capitalization and ordering of hostnames. For instance, if you requested a certificate for the names [ www.example.com , example.com ], you could request four more certificates for [ www.example.com , example.com ] during the week. If you changed the set of hostnames by adding [ blog.example.com ], you would be able to request additional certificates.

Renewal handling ignores the public key and extensions requested. A certificate issuance can be considered a renewal even if you are using a new key.

2 Likes
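An added example (not from this thread, Certbot, or Let's Encrypt) of the rule quoted above: it counts issuances for one exact hostname set, ignoring capitalization and ordering, and reports whether a sixth request in the week would be refused. The record fields are modeled on crt.sh JSON rows as an assumption, the sample rows are constructed, and the retry estimate assumes a sliding 7-day window measured from `not_before`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5            # "Duplicate Certificate limit of 5 per week"
WINDOW = timedelta(days=7)

BASE = "*.example.com\nexample.com\n*.example.net\nexample.net"
# Constructed sample rows (not real issuance data). Field names are an
# assumption modeled on crt.sh JSON: newline-separated names, ISO timestamp.
SAMPLE = [
    {"serial_number": "0a01", "not_before": "2020-10-06T00:00:00", "name_value": BASE},
    # Same serial again: a precertificate and its final certificate are
    # logged separately, so this row must not be counted twice.
    {"serial_number": "0A01", "not_before": "2020-10-06T00:00:00", "name_value": BASE},
    # Different order and capitalization, still the same hostname set.
    {"serial_number": "0a02", "not_before": "2020-10-07T12:00:00",
     "name_value": "EXAMPLE.NET\n*.example.net\nexample.com\n*.Example.com"},
    {"serial_number": "0a03", "not_before": "2020-10-08T00:00:00", "name_value": BASE},
    {"serial_number": "0a04", "not_before": "2020-10-09T12:00:00", "name_value": BASE},
    {"serial_number": "0a05", "not_before": "2020-10-11T00:00:00", "name_value": BASE},
    # Same set, but older than one week: outside the window.
    {"serial_number": "0a06", "not_before": "2020-10-01T00:00:00", "name_value": BASE},
    # One extra hostname makes this a different set with its own counter.
    {"serial_number": "0a07", "not_before": "2020-10-10T00:00:00",
     "name_value": BASE + "\nblog.example.com"},
]


def name_set_key(names):
    """Normalize a hostname list: case-insensitive, order-insensitive."""
    return frozenset(n.strip().lower() for n in names if n.strip())


def issuances_by_name_set(records, now):
    """Map each exact hostname set to its issuance times within the window."""
    seen_serials = set()
    issued = defaultdict(list)
    for rec in records:
        serial = rec["serial_number"].lower()
        if serial in seen_serials:
            continue  # precertificate/certificate pair, already counted
        seen_serials.add(serial)
        issued_at = datetime.strptime(rec["not_before"], "%Y-%m-%dT%H:%M:%S")
        if now - WINDOW <= issued_at <= now:
            issued[name_set_key(rec["name_value"].split("\n"))].append(issued_at)
    return issued


def check_renewal(records, wanted_names, now):
    """Return (count_in_window, blocked, estimated_retry_time_or_None)."""
    times = sorted(issuances_by_name_set(records, now).get(name_set_key(wanted_names), []))
    blocked = len(times) >= DUPLICATE_LIMIT
    # Assumption: sliding window. A slot frees up when the fifth-newest
    # issuance becomes older than seven days.
    retry_after = times[-DUPLICATE_LIMIT] + WINDOW if blocked else None
    return len(times), blocked, retry_after


if __name__ == "__main__":
    now = datetime(2020, 10, 12, 5, 48)
    wanted = ["example.net", "*.example.net", "example.com", "*.example.com"]
    print(check_renewal(SAMPLE, wanted, now))
    print(check_renewal(SAMPLE, wanted + ["blog.example.com"], now))
```

Because `--dry-run` talks to the staging environment, a successful dry run says nothing about how many production certificates already exist for the same hostname set; that count has to come from Certificate Transparency data or local issuance records.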

I concur, especially with hitting the rate limit afterwards. OP said not happening on staging server though. Related to 2vf?

2 Likes

Dual IP stack......?

Yes, I saw the rate limit being hit, but I do not know why. Cron runs the certbot every 12 hours. This morning when I tried again to renew, after clearing the cache of my local dns servers, it came at the first try with this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lavaleriana.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Attempting to renew cert (lavaleriana.net) from /etc/letsencrypt/renewal/lavaleriana.net.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.bb-stilltech.nl,*.lavaleriana.net,*.scotspine.nl,bb-stilltech.nl,lavaleriana.net,scotspine.nl: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /usr/sbin/service apache2 reload
1 renew failure(s), 0 parse failure(s)

That was at the first try, so I do not understand the rate limit error.
My letsencrypt log showed this:

2020-10-12 05:48:01,848:DEBUG:certbot.main:certbot version: 0.40.1
2020-10-12 05:48:01,851:DEBUG:certbot.main:Arguments: []
2020-10-12 05:48:01,852:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-10-12 05:48:01,868:DEBUG:certbot.log:Root logging level set at 20
2020-10-12 05:48:01,870:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-10-12 05:48:01,897:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f235ffceef0> and installer <certbot.cli._Default object at 0x7f235ffceef0>
2020-10-12 05:48:01,918:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2020-10-11 10:09:38 UTC.
2020-10-12 05:48:01,918:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2020-10-12 05:48:01,919:DEBUG:certbot.plugins.selection:Requested authenticator dns-cloudflare and installer None
2020-10-12 05:48:01,922:DEBUG:certbot.plugins.selection:Single candidate plugin: * dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
Interfaces: IAuthenticator, IPlugin
Entry point: dns-cloudflare = certbot_dns_cloudflare.dns_cloudflare:Authenticator
Initialized: <certbot_dns_cloudflare.dns_cloudflare.Authenticator object at 0x7f235ffc3b70>
Prep: True
2020-10-12 05:48:01,924:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_dns_cloudflare.dns_cloudflare.Authenticator object at 0x7f235ffc3b70> and installer None
2020-10-12 05:48:01,924:INFO:certbot.plugins.selection:Plugins selected: Authenticator dns-cloudflare, Installer None
2020-10-12 05:48:01,932:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', body=Registration(status=None, only_return_existing=None, terms_of_service_agreed=None
, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f235ffdf9e8>)>), contact=('mailto:norbertk@lavaleriana.net',), external_account_binding=None, agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-Augu
st-1-2016.pdf'), new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', uri='https://acme-v01.api.letsencrypt.org/acme/reg/5792365'), ac1a5331297eafb85c42af82970f1136, Meta(creation_host='omega-r2.lavaleriana.net', creation_dt=datetime.datetime(
2016, 11, 2, 14, 9, 34, tzinfo=<UTC>)))>
2020-10-12 05:48:01,935:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-10-12 05:48:01,963:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2020-10-12 05:48:02,622:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-10-12 05:48:02,623:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 12 Oct 2020 03:48:01 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "lpz4nhxhUKU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-10-12 05:48:02,624:INFO:certbot.main:Renewing an existing certificate
2020-10-12 05:48:02,714:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0115_key-certbot.pem
2020-10-12 05:48:02,719:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0115_csr-certbot.pem
2020-10-12 05:48:02,720:DEBUG:acme.client:Requesting fresh nonce
2020-10-12 05:48:02,720:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-10-12 05:48:02,869:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-10-12 05:48:02,870:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 12 Oct 2020 03:48:02 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004ow4nXpBTZN4L5BP26RX2DsG544U78KeG6pcT7YVEujg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2020-10-12 05:48:02,870:DEBUG:acme.client:Storing nonce: 0004ow4nXpBTZN4L5BP26RX2DsG544U78KeG6pcT7YVEujg
2020-10-12 05:48:02,871:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "value": "*.lavaleriana.net",\n      "type": "dns"\n    },\n    {\n      "value": "*.bb-stilltech.nl",\n      "type": "dns"\n    },\n    {\n      "value": "*.scotspine.nl",\n      "type": "dns"\n    },\n    {\n      "value": "bb-stilltech.nl",\n      "type": "dns"\n    },\n    {\n      "value": "lavaleriana.net",\n      "type": "dns"\n    },\n    {\n      "value": "scotspine.nl",\n      "type": "dns"\n    }\n  ]\n}'
2020-10-12 05:48:02,887:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2020-10-12 05:48:03,049:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 429 320
2020-10-12 05:48:03,050:DEBUG:acme.client:Received response:
HTTP 429
Server: nginx
Date: Mon, 12 Oct 2020 03:48:02 GMT
Content-Type: application/problem+json
Content-Length: 320
Connection: keep-alive
Boulder-Requester: 5792365
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002fx3JcFi-Lo6pHnNdopK2hpp5McUuEDgrzEewlcH0v6M

{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates already issued for exact set of domains: *.bb-stilltech.nl,*.lavaleriana.net,*.scotspine.nl,bb-stilltech.nl,lavaleriana.net,scotspine.nl: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
2020-10-12 05:48:03,051:WARNING:certbot.renewal:Attempting to renew cert (lavaleriana.net) from /etc/letsencrypt/renewal/lavaleriana.net.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.bb-stilltech.nl,*.lavaleriana.net,*.scotspine.nl,bb-stilltech.nl,lavaleriana.net,scotspine.nl: see https://letsencrypt.org/docs/rate-limits/. Skipping.
2020-10-12 05:48:03,055:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/certbot/renewal.py", line 449, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 1208, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/lib/python3.5/dist-packages/certbot/renewal.py", line 307, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/local/lib/python3.5/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/lib/python3.5/dist-packages/certbot/client.py", line 381, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 884, in new_order
    return self.client.new_order(csr_pem)
  File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 671, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 1195, in post
    return self._post_once(*args, **kwargs)
  File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 1209, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/local/lib/python3.5/dist-packages/acme/client.py", line 1064, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: *.bb-stilltech.nl,*.lavaleriana.net,*.scotspine.nl,bb-stilltech.nl,lavaleriana.net,scotspine.nl: see https://letsencrypt.org/docs/rate-limits/

2020-10-12 05:48:03,055:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-10-12 05:48:03,056:ERROR:certbot.renewal:  /etc/letsencrypt/live/lavaleriana.net/fullchain.pem (failure)
2020-10-12 05:48:03,056:INFO:certbot.hooks:Running post-hook command: /usr/sbin/service apache2 reload
2020-10-12 05:48:03,310:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.5/dist-packages/certbot/main.py", line 1287, in renew
    renewal.handle_renewal_request(config)
  File "/usr/local/lib/python3.5/dist-packages/certbot/renewal.py", line 474, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

If you can install snapd, I would remove the existing certbot and install it again from snapd.


This is one of the first things I tried when I tried resolving the renewal issue I am having. I uninstalled the existing certbot, installed snapd and used snapd to install certbot and the cloudflare plugin. Unfortunately, it did not solve the problem. Also, --dry-run works without any errors.

1 Like

Then it should work equally without the --dry-run.
Can you show both complete commands used?
[the one that passed with --dry-run and the one that failed]

1 Like

And you need to be aware of the rate limits imposed on the production system.
They are much lower than the ones on staging - always use staging to test (first).

I just do this:
certbot renew (fails)
and this:
certbot renew --dry-run (succeeds)

My cron does this every 12 hours. I have disabled this now, just to be sure. It failed this morning at the first try at 05:48 while the last cron run attempt was at 0:00. That should not trigger a rate limit.

OK can you show the logs for the failure?

Twice a day is not enough to hit a rate limit.

I have posted this above

If this:

Then you will have to wait an hour before trying again.

It does not make any difference how long I wait. It always fails with this error message. Even when I have not made any attempt for multiple hours.

Check for a job running under systemd.

Should that not also produce a log entry in /var/log/letsencrypt/letsencrypt.log?
Because that shows only the scheduled cron attempts every 12 hours and my manual attempts.

(re)Reviewing the errors shown previously (above), it seems that there are multiple error types.
One says:

And that can easily be confirmed with: https://crt.sh/?q=scotspine.nl

Please show the output of:
certbot certificates