Failure in renewal of certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.drallas.eu

I ran this command: sudo certbot --apache (and also sudo certbot renew)

It produced this output:
Attempting to renew cert (drallas.eu) from /etc/letsencrypt/renewal/drallas.eu.conf produced an unexpected error: Failed authorization procedure. drallas.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://drallas.eu/.well-known/acme-challenge/vXvlRf5xDSDASeG6WYQQnZXewGw_q5gCDdhnUqXZQgU [192.95.25.65]: "\n\n403 Forbidden\n\n\nForbidden\n\n\n<p", www.drallas.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.drallas.eu/.well-known/acme-challenge/zSnjQiYfOOs2_YtjRaOn_OyrHrKcydrfjszEiXMWe7I [192.95.25.65]: "\n\n403 Forbidden\n\n\nForbidden\n\n\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/drallas.eu/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/drallas.eu/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache

The operating system my web server runs on is (include version): Debian 9 (recently upgraded from Debian 7)

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Final remark: all renewals I did before upgrading the server to Debian 9 went OK, using certbot-auto. After the upgrade, I (re-)installed certbot with "sudo apt-get install certbot python-certbot-apache -t stretch-backports". This is the first renewal I'm doing since the upgrade and the (re-)installation of certbot.

Thanks for your help
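The error above is the CA reporting what it saw when it fetched the challenge URL: an HTTP 403 instead of the token. The script below is an added example (not code from the original post, nor from Certbot) that reproduces that validation step locally so the path can be tested before a renewal is attempted. It writes a token file under the webroot, serves the webroot from a throwaway local server, and fetches http://host/.well-known/acme-challenge/token the way the ACME server does. The token, the key-authorization string and the local server are all constructed for the demo; the "deny_well_known" switch is a stand-in for a vhost whose access rules block the challenge directory, which is the failure mode in the report. A real run would point base_url at the public vhost instead.

```python
"""Preflight for an HTTP-01 challenge path.

Added example; not code from the original post or from Certbot. It does what
the ACME server does during validation: an unauthenticated GET to
http://<host>/.well-known/acme-challenge/<token>, expecting HTTP 200 with the
key authorization as the body. A 403 like the one in the report means the web
server refused the path before any token file was consulted, so Certbot's
Apache plugin cannot succeed no matter what it writes there.

The webroot, token and local server below are constructed for the demo; a real
run would point base_url at the public vhost (e.g. http://www.drallas.eu).
"""
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"
TOKEN = "preflight-token-example"   # constructed; real tokens are issued by the CA


def write_token(webroot, token, key_authorization):
    """Create the token file where an ACME client's webroot/apache plugin puts it."""
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, token)
    with open(full, "w") as fh:
        fh.write(key_authorization)
    return full


def check_challenge(base_url, token, expected, timeout=5.0):
    """Fetch the challenge URL the way a CA would; return (ok, detail)."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight (added example)"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # The report's case: Apache answered 403 before looking for the file.
        return False, f"HTTP {err.code} from {url}"
    except (urllib.error.URLError, OSError) as err:
        return False, f"could not reach {url}: {err}"
    if body.strip() == expected:
        return True, f"200 OK with the expected key authorization from {url}"
    return False, f"200 OK but unexpected body from {url}: {body[:60]!r}"


class _WebrootHandler(http.server.SimpleHTTPRequestHandler):
    """Serves the webroot. With deny_well_known=True it answers 403 for
    /.well-known/, a constructed stand-in for a vhost whose access rules
    block the challenge directory."""
    deny_well_known = False

    def do_GET(self):
        if self.deny_well_known and self.path.startswith("/.well-known/"):
            self.send_error(403, "Forbidden")
            return
        super().do_GET()

    def log_message(self, *args):   # keep the demo quiet
        pass


def serve_webroot(webroot, deny_well_known=False):
    """Start a throwaway server on 127.0.0.1:<ephemeral>; return (server, base_url)."""
    handler = type("Handler", (_WebrootHandler,), {"deny_well_known": deny_well_known})
    server = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), functools.partial(handler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"http://{host}:{port}"


def run_preflight(deny_well_known=False):
    """End to end: write the token, serve the webroot, fetch it like the CA."""
    with tempfile.TemporaryDirectory() as webroot:
        key_authorization = f"{TOKEN}.constructed-account-key-thumbprint"
        write_token(webroot, TOKEN, key_authorization)
        server, base_url = serve_webroot(webroot, deny_well_known)
        try:
            return check_challenge(base_url, TOKEN, key_authorization)
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for broken in (True, False):
        ok, detail = run_preflight(deny_well_known=broken)
        print("blocked vhost" if broken else "open vhost", "->", "PASS" if ok else "FAIL", detail)
```

Against a real server, call write_token with Apache's DocumentRoot and check_challenge with the public base URL; if that GET already returns 403, the fix is in the Apache access rules for the challenge directory, not in the ACME client.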

I think what might have happened is that in the upgrade from Wheezy to Stretch, one of the distro default ssl.conf vhosts might have been restored to your Apache configuration.

This results in vhost duplication, which causes issues with versions of Certbot <0.31, where it was fixed. Unfortunately Stretch is stuck at 0.28, which doesn’t have the fix.

To confirm this, could you run:

apachectl -t -D DUMP_VHOSTS

You could also:

  • Continue to use certbot-auto, which should just work because it’s always the latest version (currently 0.40.1)
  • Upgrade to Buster, which is on 0.31 and would also work
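The reply asks for `apachectl -t -D DUMP_VHOSTS` output to check for a duplicated vhost. The script below is an added example, not code from the thread or from Certbot, that automates that check: it parses the dump, records every vhost block as (port, ServerName, file:line), and reports any (port, ServerName) pair that is defined in more than one place, which is what a restored distro default SSL vhost sitting next to the Certbot-generated one would look like. Both sample dumps are constructed for the demo; the clean one mirrors the shape of the output posted later in the thread, and the duplicated one is the situation the reply suspected (the file name default-ssl.conf in it is an assumption).

```python
"""Detect duplicated Apache virtual hosts from `apachectl -t -D DUMP_VHOSTS`.

Added example; not code from the thread or from Certbot. It automates the check
the reply asks for: the same ServerName bound to the same port from two config
locations. The sample dumps are constructed; the clean one mirrors the shape of
the output posted in the thread, the duplicated one is the suspected situation.
"""
import re
import subprocess
from collections import defaultdict

# Section line: "*:443   example.com (/etc/apache2/sites-enabled/x.conf:2)"
# or "*:80   is a NameVirtualHost" when several name-based vhosts share a port.
_ADDR = re.compile(r"^(?P<addr>\S+):(?P<port>\d+)\s+(?P<rest>.*)$")
# A vhost entry, either listed directly after the address or indented as
# "default server NAME (FILE:LINE)" / "port N namevhost NAME (FILE:LINE)".
_VHOST = re.compile(
    r"^(?:default server|port\s+\d+\s+namevhost)?\s*(?P<name>\S+)\s+\((?P<file>.+?):(?P<line>\d+)\)$"
)


def parse_dump_vhosts(text):
    """Return (port, servername, file, line) tuples, one per distinct vhost block."""
    seen = set()
    entries = []
    port = None
    for raw in text.splitlines():
        m = _ADDR.match(raw)
        if m:                       # a new address:port section starts
            port = int(m.group("port"))
            body = m.group("rest")
        elif raw[:1].isspace():     # indented entry under the current section
            body = raw
        else:
            continue                # "VirtualHost configuration:", "Syntax OK", ...
        v = _VHOST.match(body.strip())
        if not v or port is None:
            continue
        key = (port, v.group("name"), v.group("file"), int(v.group("line")))
        if key not in seen:         # "default server" repeats the first namevhost block
            seen.add(key)
            entries.append(key)
    return entries


def find_duplicate_vhosts(entries):
    """Group by (port, ServerName); keep only names defined from more than one place."""
    groups = defaultdict(list)
    for port, name, file, line in entries:
        groups[(port, name)].append(f"{file}:{line}")
    return {k: v for k, v in groups.items() if len(v) > 1}


def check_live_apache():
    """Run the real command (needs Apache installed and normally root)."""
    out = subprocess.run(["apachectl", "-t", "-D", "DUMP_VHOSTS"],
                         capture_output=True, text=True, check=False)
    return find_duplicate_vhosts(parse_dump_vhosts(out.stdout + out.stderr))


# Constructed: the shape of what the thread's server reported (no duplication).
CLEAN_DUMP = """\
VirtualHost configuration:
*:80                   drallas.eu (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  drallas.eu (/etc/apache2/sites-enabled/default-le-ssl.conf:2)
"""

# Constructed: the suspected situation, a distro default-ssl.conf (assumed name)
# re-enabled next to the Certbot-generated vhost, both claiming drallas.eu:443.
DUPLICATED_DUMP = """\
VirtualHost configuration:
*:80                   drallas.eu (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server drallas.eu (/etc/apache2/sites-enabled/default-le-ssl.conf:2)
         port 443 namevhost drallas.eu (/etc/apache2/sites-enabled/default-le-ssl.conf:2)
                 alias www.drallas.eu
         port 443 namevhost drallas.eu (/etc/apache2/sites-enabled/default-ssl.conf:2)
"""

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_DUMP), ("duplicated", DUPLICATED_DUMP)):
        dupes = find_duplicate_vhosts(parse_dump_vhosts(dump))
        print(label, "->", dupes or "no duplicate vhosts")
```

On the affected machine, `check_live_apache()` gives the same answer for the running configuration; an empty result, as in this thread, means the vhost-duplication hypothesis does not explain the 403.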

Hi,
Either with sudo or not, I always get "command not found":

apacheclt -t -D DUMP_VHOSTS
-bash: apacheclt: command not found

I will reinstall certbot-auto to try your first solution…

Sorry, that was a typo. It’s meant to be apachectl.

Here is the output
sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 drallas.eu (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 drallas.eu (/etc/apache2/sites-enabled/default-le-ssl.conf:2)

Even after reinstalling certbot-auto, here is what I get:

/usr/local/bin/certbot-auto --help
Error: couldn't get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 10, in <module>
    import josepy as jose
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/josepy/__init__.py", line 44, in <module>
    from josepy.interfaces import JSONDeSerializable
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/josepy/interfaces.py", line 8, in <module>
    from josepy import errors, util
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/josepy/util.py", line 4, in <module>
    import OpenSSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/OpenSSL/crypto.py", line 1, in <module>
    import datetime
ImportError: No module named datetime

That's a bizarre error. Is /opt/eff.org/certbot left over from Wheezy? Could you remove it and try running certbot-auto again to regenerate it?

sudo rm -rf /opt/eff.org/certbot
sudo certbot-auto renew --dry-run

That actually looks just fine, assuming it’s the full output. It’s not dupe vhosts like I thought.

Still running the renew --dry-run …
For 15 minutes it has been stuck at this stage:
Creating virtual environment…
Installing Python packages…

Same error message as initially after running:

```
sudo certbot-auto renew --dry-run
```