Expired certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: speedtest.ciabrasnet.com.br:8080

I ran this command: letsencrypt renew

It produced this output:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (speedtest.ciabrasnet.com.br) from /etc/letsencrypt/renewal/speedtest.ciabrasnet.com.br.conf produced an unexpected error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Validations for new domains are disabled in the V1 API (End of Life Plan for ACMEv1). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/speedtest.ciabrasnet.com.br/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/speedtest.ciabrasnet.com.br/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
root@SpeedOokla:~# ^C
root@SpeedOokla:~# ^C
root@SpeedOokla:~# letsencrypt renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/speedtest.ciabrasnet.com.br.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Attempting to renew cert (speedtest.ciabrasnet.com.br) from /etc/letsencrypt/renewal/speedtest.ciabrasnet.com.br.conf produced an unexpected error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Validations for new domains are disabled in the V1 API (End of Life Plan for ACMEv1). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/speedtest.ciabrasnet.com.br/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/speedtest.ciabrasnet.com.br/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): Linux SpeedOokla 4.4.0-131-generic #157-Ubuntu SMP Thu Jul 12 15:51:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: speedtest

I can login to a root shell on my machine: yes

2 Likes

Your acme client is outdated as it is using V1 and not V2.

2 Likes

Hi @mateus

please read your error message.

You have all the required information to fix that problem.

3 Likes

@JuergenAuer
Didn’t know you were responding. Got there 2 seconds before you. :wink:

2 Likes

I’m a bit of a layman on the subject, I updated the version and used the command again:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for speedtest.ciabrasnet.com.br
Cleaning up challenges
Attempting to renew cert (speedtest.ciabrasnet.com.br) from /etc/letsencrypt/renewal/speedtest.ciabrasnet.com.br.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/speedtest.ciabrasnet.com.br/fullchain.pem (failure)

2 Likes

Olá @mateus,

When you use --standalone to obtain the certificate, it assumes that there is no existing web server running on the same system. But here, Apache is running. Apache uses port 80, so Certbot can’t use it this way to prove your control over the domain name.

One option is to switch from --standalone to a different method, like --apache (for example sudo certbot certonly --apache -d speedtest.ciabrasnet.com.br), which will use Certbot’s Apache integration instead of trying to take over port 80 for itself.

Another option is to stop Apache temporarily during the renewal process, like sudo service apache2 stop or something similar. This has the disadvantage that you can’t get automated unattended renewals this way, although if it works, you can automate the process by using Certbot’s --pre-hook and --post-hook options, like

certbot certonly --standalone -d speedtest.ciabrasnet.com.br --pre-hook "service apache2 stop" --post-hook "service apache2 start"

If that succeeds, then it will probably work unattended (noninteractively, without human intervention) on subsequent renewals, since Certbot saves the most recent set of options used when requesting a certificate and uses them again during renewals.

2 Likes

first option
root@SpeedOokla:~# sudo certbot certonly --apache -d speedtest.ciabrasnet.com.br
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for speedtest.ciabrasnet.com.br
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 191.253.24.20. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using [‘apache2ctl’, ‘graceful’]
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 191.253.24.20. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using [‘apache2ctl’, ‘graceful’]
Encountered exception during recovery:
Traceback (most recent call last):
File “/usr/lib/python2.7/dist-packages/certbot/error_handler.py”, line 108, in _call_registered
self.funcs-1
File “/usr/lib/python2.7/dist-packages/certbot/auth_handler.py”, line 310, in _cleanup_challenges
self.auth.cleanup(achalls)
File “/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py”, line 2132, in cleanup
self.restart()
File “/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py”, line 1995, in restart
self._reload()
File “/usr/lib/python2.7/dist-packages/certbot_apache/configurator.py”, line 2023, in _reload
raise errors.MisconfigurationError(error)
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 191.253.24.20. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

AH00558: apache2: Could not reliably determine the server’s fully qualified domain name, using 191.253.24.20. Set the ‘ServerName’ directive globally to suppress this message
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

second option
root@SpeedOokla:~# sudo service apache2 stop
root@SpeedOokla:~# ertbot certonly --standalone -d speedtest.ciabrasnet.com.br --pre-hook “service apache2 stop” --post-hook “service apache2 start”
ertbot: comando não encontrado
root@SpeedOokla:~# sudo service apache2 stop
root@SpeedOokla:~# certbot certonly --standalone -d speedtest.ciabrasnet.com.br --pre-hook “service apache2 stop” --post-hook “service apache2 start”
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Running pre-hook command: service apache2 stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for speedtest.ciabrasnet.com.br
Cleaning up challenges
Running post-hook command: service apache2 start
Problem binding to port 80: Could not bind to IPv4 or IPv6.

1 Like

Do you use more than one version of Apache on this server, or also use some other web server? Is there some other process listening on port 80?

1 Like

This server only has the Ookla speed test and the certificate installed, but I will have other servers running here.

root@SpeedOokla:~# apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2019-10-08T13:31:25

root@SpeedOokla:~# sudo netstat -tlpn | grep 80
tcp 0 0 0.0.0.0:8080 0.0.0.0:* OUÇA 1 698/OoklaServer
tcp 0 0 0.0.0.0:80 0.0.0.0:* OUÇA 2 849/nginx -g daemo
tcp6 0 0 :::80 :::* OUÇA 2 849/nginx -g daemo

1 Like

OK, that explains some of the problem here.

Certbot needs to use port 80 in order to obtain the certificate.

If you use certbot --standalone, Certbot needs to use port 80 itself. (It’s not OK to have Apache or nginx using it while Certbot is running.)

If you use certbot --apache, Certbot needs Apache to be able to use port 80. (In that case, it’s not OK to have nginx using it while Certbot is running.)

If you use certbot --nginx, Certbot needs nginx to be able to use port 80. (In that case, it’s not OK to have Apache using it while Certbot is running.)

Does that make sense?

2 Likes
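
The port 80 rules from the reply above, as an added example that is not part of the original thread: it reads `netstat -tlpn` output and prints the Certbot authenticator flag that matches whatever is listening on port 80. The function names and the sample lines are constructed for illustration, with the sample modelled on the output posted earlier.

```shell
#!/bin/sh
# Added example (not from the thread): pick the Certbot authenticator that
# matches whatever currently holds TCP port 80.

# Constructed sample, modelled on the `netstat -tlpn` output in the thread.
sample_netstat() {
cat <<'EOF'
tcp   0  0 0.0.0.0:8080  0.0.0.0:*  LISTEN  1698/OoklaServer
tcp   0  0 0.0.0.0:80    0.0.0.0:*  LISTEN  2849/nginx -g daemo
tcp6  0  0 :::80         :::*       LISTEN  2849/nginx -g daemo
EOF
}

# Print the program listening on port 80 (empty if none). Reads netstat -tlpn
# lines on stdin. The match is anchored on ":80" at the end of the local
# address, so 8080 is ignored (a plain `grep 80` matches both), and the state
# column is not inspected because it is localised ("OUÇA" in the thread).
port80_owner() {
    awk '$4 ~ /:80$/ {
        n = split($7, part, "/")          # "2849/nginx" -> part[2] = "nginx"
        print (n == 2 && part[2] != "" ? part[2] : "unknown")
        exit
    }'
}

# Map the owner to the authenticator flag that can complete http-01.
certbot_authenticator() {
    owner=$(port80_owner)
    case "$owner" in
        "")            echo "--standalone" ;;    # port free: Certbot binds it itself
        nginx)         echo "--nginx" ;;
        apache2|httpd) echo "--apache" ;;
        *)             echo "conflict:$owner" ;; # something else must release port 80
    esac
}

sample_netstat | certbot_authenticator
```

On a live host, feed it `netstat -tlpn` run as root; without root the PID/Program column is `-` and the result is `conflict:unknown`.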
