Error renewing certificates while --dry-run succeeds

Output of certbot certificates is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: lavaleriana.net
    Domains: *.lavaleriana.net *.bb-stilltech.nl *.scotspine.nl bb-stilltech.nl lavaleriana.net scotspine.nl
    Expiry Date: 2020-10-11 10:09:38+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/lavaleriana.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lavaleriana.net/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

hmm...
Please show:
ls -la /etc/letsencrypt/live/

total 16
drwx------ 3 root root 4096 Oct  9 10:41 .
drwxr-xr-x 9 root root 4096 Oct 12 19:36 ..
-rw-r--r-- 1 root root  740 Nov 11  2019 README
lrwxrwxrwx 1 root root   42 Oct 11 14:50 lavaleriana.net -> /etc/letsencrypt/live/lavaleriana.net-0002
drwxr-xr-x 2 root root 4096 Jul 13 13:09 lavaleriana.net-0002

That seems kind of weird...
Please show:
ls -la /etc/letsencrypt/live/lavaleriana.net-0002/

total 12
drwxr-xr-x 2 root root 4096 Jul 13 13:09 .
drwx------ 3 root root 4096 Oct  9 10:41 ..
-rw-r--r-- 1 root root  692 Jul 13 13:04 README
lrwxrwxrwx 1 root root   44 Oct 11 14:50 cert.pem -> ../../archive/lavaleriana.net-0002/cert2.pem
lrwxrwxrwx 1 root root   45 Oct 11 14:50 chain.pem -> ../../archive/lavaleriana.net-0002/chain2.pem
lrwxrwxrwx 1 root root   49 Oct 11 14:50 fullchain.pem -> ../../archive/lavaleriana.net-0002/fullchain2.pem
lrwxrwxrwx 1 root root   47 Oct 11 14:50 privkey.pem -> ../../archive/lavaleriana.net-0002/privkey2.pem

And yet:

Freshly issued certs ? ? ?

Your links are messing up the process.
I don't know how it got like that but we need to fix them or this will continue.

Try:
certbot update_symlinks

Just curious...
Please show:
ls -la /etc/letsencrypt/live/lavaleriana.net/
And
cat /etc/letsencrypt/renewal/lavaleriana.net.conf

Saving debug log to /var/log/letsencrypt/letsencrypt.log

/var/log/letsencrypt/letsencrypt.log:

2020-10-12 19:49:26,602:DEBUG:certbot.main:certbot version: 0.40.1
2020-10-12 19:49:26,605:DEBUG:certbot.main:Arguments: []
2020-10-12 19:49:26,606:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-10-12 19:49:26,619:DEBUG:certbot.log:Root logging level set at 20
2020-10-12 19:49:26,620:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

Should I try renewing again?

Not yet - one second

Please show:
ls -la /etc/letsencrypt/live/lavaleriana.net-0002/
ls -la /etc/letsencrypt/live/lavaleriana.net/
and
cat /etc/letsencrypt/renewal/lavaleriana.net.conf

root@omega-r2:~# ls -la /etc/letsencrypt/live/lavaleriana.net-0002/
total 12
drwxr-xr-x 2 root root 4096 Oct 12 19:49 .
drwx------ 3 root root 4096 Oct  9 10:41 ..
-rw-r--r-- 1 root root  692 Jul 13 13:04 README
lrwxrwxrwx 1 root root   39 Oct 12 19:49 cert.pem -> ../../archive/lavaleriana.net/cert2.pem
lrwxrwxrwx 1 root root   40 Oct 12 19:49 chain.pem -> ../../archive/lavaleriana.net/chain2.pem
lrwxrwxrwx 1 root root   44 Oct 12 19:49 fullchain.pem -> ../../archive/lavaleriana.net/fullchain2.pem
lrwxrwxrwx 1 root root   42 Oct 12 19:49 privkey.pem -> ../../archive/lavaleriana.net/privkey2.pem
root@omega-r2:~# ls -la /etc/letsencrypt/live/lavaleriana.net/
total 12
drwxr-xr-x 2 root root 4096 Oct 12 19:49 .
drwx------ 3 root root 4096 Oct  9 10:41 ..
-rw-r--r-- 1 root root  692 Jul 13 13:04 README
lrwxrwxrwx 1 root root   39 Oct 12 19:49 cert.pem -> ../../archive/lavaleriana.net/cert2.pem
lrwxrwxrwx 1 root root   40 Oct 12 19:49 chain.pem -> ../../archive/lavaleriana.net/chain2.pem
lrwxrwxrwx 1 root root   44 Oct 12 19:49 fullchain.pem -> ../../archive/lavaleriana.net/fullchain2.pem
lrwxrwxrwx 1 root root   42 Oct 12 19:49 privkey.pem -> ../../archive/lavaleriana.net/privkey2.pem
root@omega-r2:~# cat /etc/letsencrypt/renewal/lavaleriana.net.conf
# renew_before_expiry = 30 days
version = 0.40.1
archive_dir = /etc/letsencrypt/archive/lavaleriana.net
cert = /etc/letsencrypt/live/lavaleriana.net/cert.pem
privkey = /etc/letsencrypt/live/lavaleriana.net/privkey.pem
chain = /etc/letsencrypt/live/lavaleriana.net/chain.pem
fullchain = /etc/letsencrypt/live/lavaleriana.net/fullchain.pem

# Options used in the renewal process
[renewalparams]
dns_cloudflare_credentials = /root/.secrets/cloudflare.ini
authenticator = dns-cloudflare
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
account = ac1a5331297eafb85c42af82970f1136
post_hook = /usr/sbin/service apache2 reload

That seems like it should work.

I wonder if you have multiple versions of certbot installed...?
Please show:
certbot --version
which certbot
find / -name certbot

root@omega-r2:~# certbot --version
certbot 0.40.1
root@omega-r2:~# which certbot
/usr/local/bin/certbot
root@omega-r2:~# find / -xdev -name certbot
/etc/cron.d/certbot
/etc/logrotate.d/certbot
/snap/bin/certbot
/snap/certbot
/root/snap/certbot
/var/snap/certbot
/usr/local/lib/python3.5/dist-packages/certbot
/usr/local/bin/certbot
/usr/lib/python2.7/dist-packages/certbot
/usr/lib/python3/dist-packages/certbot
/usr/bin/certbot

Please show:
/snap/bin/certbot --version
/usr/bin/certbot --version

root@omega-r2:~# /snap/bin/certbot --version
certbot 1.9.0
root@omega-r2:~# /usr/bin/certbot --version
certbot 1.9.0

Then the snap is the one you should be using.
[1.9.0 is much higher than 0.40.1]
You can remove the other one from apt.
sudo apt remove certbot
Then show:
which certbot

root@omega-r2:~# which certbot
/usr/local/bin/certbot
root@omega-r2:~# /usr/local/bin/certbot --version
certbot 0.40.1

and also show:
ls -l /lib/systemd/system/certbot*

root@omega-r2:~# sudo apt remove certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'certbot' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  libicu64 linux-image-4.9.0-11-amd64 linux-image-4.9.0-9-amd64 python3-acme python3-augeas python3-certbot python3-configargparse python3-configobj python3-future python3-josepy python3-mock
  python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339 python3-tz python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 5 not upgraded.

Should I just rm /usr/local/bin/certbot?

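As an added example (not from the thread and not certbot's own code), this shell function automates the check the helpers were doing by hand with ls and cat: that live/NAME is a real directory rather than a symlink to another lineage, and that the four paths named in the renewal config resolve into its archive_dir. The function names and finding labels are made up for illustration, and it assumes GNU readlink -f.

```shell
#!/bin/sh
# Added example: audit one certbot lineage for the symlink mismatch in this thread.
# Usage: audit_lineage CONFIG_DIR NAME   (CONFIG_DIR is normally /etc/letsencrypt)
# Prints one line per finding; returns 0 if consistent, 1 otherwise.

# Read "key = value" from a renewal .conf file (first match only).
conf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

audit_lineage() {
    cfg=$1 name=$2 problems=0
    conf="$cfg/renewal/$name.conf"
    [ -f "$conf" ] || { echo "MISSING renewal config: $conf"; return 1; }

    archive=$(conf_value "$conf" archive_dir)
    archive_real=$(readlink -f "$archive") || archive_real=""

    # live/NAME is normally a real directory; in the thread it was itself a
    # symlink to live/NAME-0002.
    if [ -L "$cfg/live/$name" ]; then
        echo "LIVE-DIR-IS-SYMLINK: $cfg/live/$name -> $(readlink "$cfg/live/$name")"
        problems=$((problems + 1))
    fi

    # Each of the four config paths must be a symlink into archive_dir.
    for kind in cert privkey chain fullchain; do
        link=$(conf_value "$conf" "$kind")
        if [ ! -L "$link" ]; then
            echo "NOT-A-SYMLINK: $kind = $link"
            problems=$((problems + 1)); continue
        fi
        target=$(readlink -f "$link") || target=""
        if [ ! -e "$target" ]; then
            echo "DANGLING: $link -> $(readlink "$link")"
            problems=$((problems + 1))
        elif [ "$(dirname "$target")" != "$archive_real" ]; then
            echo "WRONG-ARCHIVE: $link resolves to $target, expected under $archive"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
```

Run it as root against /etc/letsencrypt with the certificate name from certbot certificates; any output means the live links and the renewal config disagree.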