Error while auto-renewing with certbot-auto

There are many threads with this same error, which basically makes the website unusable as the certificate is now out of date.

My specific situation is that while trying Let's Encrypt and certbot, I had created a test domain for thearcofluzerne.org. Our real domain is thearcofluzernecounty.org. Now we do not need that older domain. How can I tell the certbot script to NOT include that old domain? I’ve removed it from the conf file.

Error message while renewing:

> Unable to clean up challenge directory /home/thearc/.well-known/acme-challenge
> Attempting to renew cert from /etc/letsencrypt/renewal/thearcofluzernecounty.org.conf produced an unexpected error: Failed authorization procedure. thearcofluzerne.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://thearcofluzerne.org/.well-known/acme-challenge/VGVNSv6zPP1oT7MxjJ-ZSjWVNFKLX09NapLcgSXAUnA: "<!DOCTYPE html>...". Skipping.

The text inside my file thearcofluzernecounty.org.conf is as follows:

# renew_before_expiry = 30 days
version = 0.11.1
archive_dir = /etc/letsencrypt/archive/thearcofluzernecounty.org
cert = /etc/letsencrypt/live/thearcofluzernecounty.org/cert.pem
privkey = /etc/letsencrypt/live/thearcofluzernecounty.org/privkey.pem
chain = /etc/letsencrypt/live/thearcofluzernecounty.org/chain.pem
fullchain = /etc/letsencrypt/live/thearcofluzernecounty.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = 51ab0aa536a6ad6568546ed62976de99
post_hook = service nginx reload
[[webroot_map]]
thearcofluzernecounty.org = /home/thearc

The directory /home/thearc (root folder) has 755 chmod-ed .well-known/acme-challenge/ directories. But this doesn’t work, because the cert is outdated now? It shows me the usual Chrome error message as you can see for yourself:

https://thearcofluzernecounty.org/.well-known/acme-challenge/test.htm

How can I renew this cert? The certbot-auto is fairly useless.

Hi @NearlyNormal,

As you saw, certbot-auto renew tries to get a new cert which is substantially identical to the previous cert. If you no longer control or are simply no longer using one of the domains in the previous cert, that will be an error—the exact error that you encountered.

To change the contents of an existing cert, including which domain names it applies to, you should run certbot certonly with the appropriate details. This replaces the existing cert with one with the new properties that you specify.

In this case you could run

certbot-auto certonly --force-renewal --cert-name thearcofluzernecounty.org -d thearcofluzernecounty.org

The --cert-name option is used here to specify which particular certificate you want to modify. This is mandatory when removing names from an existing cert.

If you wanted other domains to be in the certificate, you could add additional -d options at the end of this command to include them too (for example, perhaps -d www.thearcofluzernecounty.org to include the www form, if you want). In this case, not specifying -d thearcofluzerne.org (the old domain) will result in its being excluded from the new cert.

After you have done this successfully once, future uses of certbot-auto renew would no longer attempt to renew for the old domain that is no longer mentioned in your cert.

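The point of the reply above is that `renew` replays the names already in the certificate, not the names in the renewal conf, so deleting a domain from `[[webroot_map]]` only leaves that domain without a webroot to serve its challenge from. The following is an added example (not certbot's code, not from anyone in this thread) of a pre-renewal check that reads the conf's webroot map, reads the DNS names from the subjectAltName block that `openssl x509 -in cert.pem -noout -text` prints, reports SANs with no mapping, and builds the `certonly --cert-name` command that reissues with only the domains you still control. Both inputs are constructed inline; the SAN listing assumes the certificate still carries the retired test domain.

```python
"""Pre-renewal check: which SANs in a certbot-managed cert have no webroot
mapping in its renewal conf? Added example, not certbot's own code."""
import re

# Constructed: the relevant parts of the renewal conf shown in the thread.
RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.11.1
cert = /etc/letsencrypt/live/thearcofluzernecounty.org/cert.pem

[renewalparams]
authenticator = webroot
[[webroot_map]]
thearcofluzernecounty.org = /home/thearc
"""

# Constructed: the subjectAltName block as `openssl x509 -noout -text` prints
# it, assuming the cert still contains the retired test domain.
SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:thearcofluzernecounty.org, DNS:thearcofluzerne.org
"""

def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] section only."""
    webroots, in_map = {}, False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # any section header ends the map
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            webroots[key] = value
    return webroots

def parse_sans(openssl_output):
    """Extract the DNS names from openssl's subjectAltName listing."""
    return re.findall(r"DNS:([A-Za-z0-9.-]+)", openssl_output)

def unmapped_sans(conf_text, openssl_output):
    """SANs that renew would re-request but has no webroot to prove."""
    mapped = parse_webroot_map(conf_text)
    return [d for d in parse_sans(openssl_output) if d not in mapped]

def certonly_command(cert_name, keep_domains):
    """Build the certonly invocation that reissues with only keep_domains."""
    return " ".join(["certbot-auto", "certonly", "--force-renewal",
                     "--cert-name", cert_name] + [f"-d {d}" for d in keep_domains])
```

Running `unmapped_sans` over the real conf and cert before a renewal tells you which name will fail the http-01 challenge, and `certonly_command` with the mapped domains is the fix the reply describes.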

Thank you for sharing this. It should be more easily accessible in the documentation. I was trying to find out how to remove a domain name from the scripts that Letsencrypt uses.

I tried the command you helpfully shared. Doesn’t work. Here’s the output:

[root@uzi ~]# /root/certbot-auto certonly --force-renewal --cert-name thearcofluzernecounty.org -d thearcofluzernecounty.org

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 3
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.

I chose option #3 above, because I don’t use Apache, and I’m not sure what a temporary web server is. We are on Nginx.

The log file, if it helps, is:

2017-05-19 11:04:32,097:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-05-19 11:04:32,107:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-05-19 11:05:17,216:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 742, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 666, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 389, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 230, in __init__
    acme = acme_from_config_key(config, self.account.key)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 44, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 71, in __init__
    self.net.get(directory).json())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 646, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 619, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/adapters.py", line 499, in send
    raise ReadTimeout(e, request=request)
ReadTimeout: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)

What now? While I wait for all these technicalities to be resolved, our website is down.

Looks like that domain is down.

curl https://acme-v01.api.letsencrypt.org -I
HTTP/1.1 504 Gateway Time-out
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 175
Expires: Fri, 19 May 2017 11:14:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 19 May 2017 11:14:48 GMT
Connection: keep-alive

It’s stupid. What’s the point of a “free” service if the service to manage certificates is down, which takes our whole website down and makes it inaccessible? Highly unprofessional.

This error is a result of an ongoing service disruption. Please follow status.letsencrypt.org for more information. We should have all of the remaining issues resolved shortly.

