Error when expanding existing certificate

When expanding an existing certificate I get an error, but the update seems to work.
What does the error mean? Do I need to change any of the parameters?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: aocspiegel.nl

I ran this command: certbot-auto certonly --manual --preferred-challenges dns --manual-cleanup-hook /opt/etc/certbot-distribute -d aocspiegel.nl -d www.aocspiegel.nl etc… and -d newsub.aocspiegel.nl

It produced this output:

Before continuing, verify the record is deployed.
(This must be set up in addition to the previous challenges; do not remove,
replace, or undo the previous challenge tasks yet. Note that you might be
asked to create multiple distinct TXT records with the same name. This is
permitted by DNS standards.)


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Encountered exception during recovery:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/error_handler.py", line 124, in _call_registered
self.funcs-1
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 220, in _cleanup_challenges
self.auth.cleanup(achalls)
File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/plugins/manual.py", line 177, in cleanup
env = self.env.pop(achall)
KeyError: KeyAuthorizationAnnotatedChallenge(challb=ChallengeBody(chall=DNS01(token='kT\x16{\x8b\xd7H+9Q\xe8*\xd06\xad\xf9\xd13\x01I\xb0d\xf2uh\6\xb7\x01M\xad\xc2'), status=Status(pending), uri=u'https://acme-v02.api.letsencrypt.org/acme/challenge/FILSxvbJ33yvTr3ihtoqI3gjdrDx1s15JTk7Gjn2cM0/18186297857', validated=None, _url=u'https://acme-v02.api.letsencrypt.org/acme/challenge/FILSxvbJ33yvTr3ihtoqI3gjdrDx1s15JTk7Gjn2cM0/18186297857', error=None), domain=u'newsub.aocspiegel.nl', account_key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x7f6872f5e7d0>)>))

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/vospiegel.nl/fullchain.pem

My web server is (include version): apache httpd 2.4.39

The operating system my web server runs on is (include version): CentOS7 7.6.1810

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.36.0

Hi @digidoc

there is no real problem.

You have created a new certificate

and you use it ( https://check-your-website.server-daten.de/?q=aocspiegel.nl ):

CN=aocspiegel.nl (11518)
  12.07.2019
  10.10.2019
  expires in 90 days
  aocspiegel.nl, app.aocspiegel.nl, develop.aocspiegel.nl,
  login.aocspiegel.nl, logon.aocspiegel.nl, preview.aocspiegel.nl,
  respondent.aocspiegel.nl, stress0.aocspiegel.nl,
  stress1.aocspiegel.nl, stress2.aocspiegel.nl,
  stress3.aocspiegel.nl, stress4.aocspiegel.nl,
  stress5.aocspiegel.nl, stress6.aocspiegel.nl,
  stress7.aocspiegel.nl, stress8.aocspiegel.nl,
  stress9.aocspiegel.nl, www.aocspiegel.nl - 18 entries

But the cleanup script didn’t work, so your TXT entries are online.


But that’s not critical.

Perhaps there is an updated cleanup script you should use.

More important: You don’t have redirects http -> https:

Domainname                                Http-Status  redirect  Sec.   G
http://aocspiegel.nl/       193.26.9.191  200                    0.080  H
http://www.aocspiegel.nl/   193.26.9.191  200                    0.064  H
https://aocspiegel.nl/      193.26.9.191  200                    0.784  B
https://www.aocspiegel.nl/  193.26.9.191  200                    0.350  B

So http users are insecure.

Whether or not it’s causing you problems, it still sounds like a bug in Certbot.

If you have the time, would you mind reporting it on GitHub?

Edit: cc @schoen :smiley_cat:

Oh wauw, that quick! :slight_smile:
ok, thx 4 feedback, what cleanup script are you referring to?
these are the entries from my zone file, strange the top level gets repeated in the report.
_acme-challenge.app IN TXT "
_acme-challenge.develop IN TXT "
_acme-challenge IN TXT "
_acme-challenge.login IN TXT "
_acme-challenge.logon IN TXT "
_acme-challenge.preview IN TXT "
_acme-challenge.respondent IN TXT "
_acme-challenge.www IN TXT "
_acme-challenge.stress0 IN TXT "
_acme-challenge.stress1 IN TXT "
_acme-challenge.stress2 IN TXT "
_acme-challenge.stress3 IN TXT "
_acme-challenge.stress4 IN TXT "
_acme-challenge.stress5 IN TXT "
_acme-challenge.stress6 IN TXT "
_acme-challenge.stress7 IN TXT "
_acme-challenge.stress8 IN TXT "
_acme-challenge.stress9 IN TXT "
the redirect is temp switched off for some testing…
also “danke” for the nice domain tester, i am gonna use that more! :slight_smile:
i will log the issue on github.
regards,
Hoyte