Fullchain.pem failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.a-wizard.com.au
I ran this command:
sudo certbot renew --force-renew -v
It produced this output:
The following renewals failed:
/etc/letsencrypt/live/a-wizard.com.au/fullchain.pem (failure)
My web server is (include version):
Ubuntu 22.04.5
The operating system my web server runs on is (include version):
Ubuntu 22.04.5
My hosting provider, if applicable, is:
Self
I can login to a root shell on my machine (yes or no, or I don't know):
I can
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

  1. need fuller log,
  2. --force-renew just asks for a new certificate even if you already have a valid one; the server won't get kinder and give you a new certificate even if you use that, more likely you'll hit the rate limit.
1 Like

This is the full log after the certificate. I hope that helps.
2025-05-21 09:29:06,419:DEBUG:acme.client:Storing nonce: yVRbjWxmG3ukBV8Z_G-CMxVngP8hKqJRjwNyHPDjOdcCkW1MefI
2025-05-21 09:29:06,422:DEBUG:certbot._internal.storage:Writing new private key to /etc/letsencrypt/archive/mail.a-wizard.au/privkey11.pem.
2025-05-21 09:29:06,422:DEBUG:certbot._internal.storage:Writing certificate to /etc/letsencrypt/archive/mail.a-wizard.au/cert11.pem.
2025-05-21 09:29:06,422:DEBUG:certbot._internal.storage:Writing chain to /etc/letsencrypt/archive/mail.a-wizard.au/chain11.pem.
2025-05-21 09:29:06,423:DEBUG:certbot._internal.storage:Writing full chain to /etc/letsencrypt/archive/mail.a-wizard.au/fullchain11.pem.
2025-05-21 09:29:06,424:DEBUG:certbot._internal.storage:Writing new config /etc/letsencrypt/renewal/mail.a-wizard.auBkp.conf.new.
2025-05-21 09:29:06,425:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no values loaded
2025-05-21 09:29:06,425:DEBUG:certbot._internal.display.obj:Notifying user: Reloading apache server after certificate renewal
2025-05-21 09:29:06,524:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2025-05-21 09:29:06,525:DEBUG:certbot._internal.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f13e05ca830>
Prep: True
2025-05-21 09:29:06,525:DEBUG:certbot._internal.display.obj:Notifying user:


2025-05-21 09:29:06,525:DEBUG:certbot._internal.display.obj:Notifying user: The following renewals succeeded:
2025-05-21 09:29:06,525:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/a-wizard.au-0001/fullchain.pem (success)
/etc/letsencrypt/live/a-wizard.au-0002/fullchain.pem (success)
/etc/letsencrypt/live/a-wizard.au-0003/fullchain.pem (success)
/etc/letsencrypt/live/a-wizard.au/fullchain.pem (success)
/etc/letsencrypt/live/a-wizard.com.au-0001/fullchain.pem (success)
/etc/letsencrypt/live/mail.a-wizard.au/fullchain.pem (success)

2025-05-21 09:29:06,525:ERROR:certbot._internal.renewal:The following renewals failed:
2025-05-21 09:29:06,525:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/a-wizard.com.au/fullchain.pem (failure)
2025-05-21 09:29:06,525:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-05-21 09:29:06,526:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1460, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 500, in handle_renewal_request
    raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2025-05-21 09:29:06,526:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

you already have /a-wizard.com.au-0001 but old config /a-wizard.com.au has invalid config:
just delete that with certbot delete and con't make webserver cert in live/a-wizard.com.au-0001

So to clarify, I should delete a-wizard.com.au using certbot delete. But how do I ensure a-wizard.com.au-0001 will then be used?

Is the correct syntax for the deletion:
sudo certbot delete a-wizard.com.au
I don't want to stuff anything else up.

sudo certbot delete --cert-name a-wizard.com.au
You for some reason have a lot of single-domain certificates (and two for a-wizard.au).
You can just remove the non-postfixed one with that command and configure the servers to point to any of the new certs in the dir, and don't use --force-renew.

you have a lot of duplicate certificates

After running sudo certbot delete --cert-name a-wizard.com.au I now don't seem to have any certificate for A-Wizard.com.au. I still have the one for A-Wizard.au
Should I request a new certificate for A-Wizard.com.au?

What happened to /live/a-wizard.com.au-0001?

I think it was deleted by running the certbot delete command.

better run certbot --apache to get a new one then

I did that and it returned:
Deploying certificate

Error in checking parameter list: AH00526: Syntax error on line 44 of /etc/apache2/sites-enabled/a-wizard.au-le-ssl.conf:

Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
I removed some sites-enabled that seem to be invalid.
I now have a certificate for www-a-wizard.com.au so I will see how that goes.
Do you know why I have all those other certificates and if I need them? Can I delete them all?

sudo a2enmod rewrite && sudo service apache2 restart

not sure if certbot rolled back or it kept config

Well thanks SO much for your help. It is really appreciated. I'll see how I go with it now. Have a good day.

Hello again. It seems that something is still wrong with the certificate implementation. I can connect to my site with HTTP but not with HTTPS. Do you have any idea of what might be missing?

You should visit the Apache config for each vhost to listen on SSL at port 443 too.

1 Like

Looks like your port 443 might be closed: SSL Checker

Check your VirtualHosts with this. See if the one for port 443 got setup by Certbot

sudo apache2ctl -t -D DUMP_VHOSTS
1 Like

Hi Mike,
apache2ctl returned:

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server static-n49-176-232-64.meb2.vic.optusnet.com.au (/etc/apache2/sites-enabled/010-ssl.conf:1)
         port 443 namevhost static-n49-176-232-64.meb2.vic.optusnet.com.au (/etc/apache2/sites-enabled/010-ssl.conf:1)
         port 443 namevhost static-n49-176-232-64.meb2.vic.optusnet.com.au (/etc/apache2/sites-enabled/default-ssl.conf:1)
*:80                   is a NameVirtualHost
         default server a-wizard.au (/etc/apache2/sites-enabled/a-wizard.au.conf:1)
         port 80 namevhost a-wizard.au (/etc/apache2/sites-enabled/a-wizard.au.conf:1)
         port 80 namevhost a-wizard.com.au (/etc/apache2/sites-enabled/a-wizard.com.au.conf:1)
         port 80 namevhost a-wizard.com.au (/etc/apache2/sites-enabled/postfixadmin.conf:1)
         port 80 namevhost a-wizard.au (/etc/apache2/sites-enabled/roundcube.conf:1)

Which I think is OK.
I tried SSL Checker and it says 443 is closed, but I checked the router, it is there and I disabled UFW but it still says it is closed.

No, there are some problems but I am signing off for the day.

In port 80 configs you have the same domain name and port in two different config files. Only one will ever work.

In this section you do not have a VirtualHost for either of your "a-wizard" domains. Both would get processed by the default server which is probably not what you want.

The IP addresses in the DNS are the same so something should reply to HTTPS (port 443) so you need to check more of your comms config to make sure that happens.

Do you have a router? Do you have port forwarding or NAT setup correctly for port 443?

2 Likes
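
As an added example (not part of any post in this thread, and not Certbot or Apache project code): a small Python check that reads the apache2ctl -t -D DUMP_VHOSTS listing posted above and reports the two problems the last reply describes, the same name and port defined in more than one file, and names that have a port 80 vhost but no port 443 vhost. The function names are made up for illustration, and only the name-based listing format shown in the thread is handled.

```python
import re
from collections import defaultdict

# Listing copied from the apache2ctl output posted earlier in the thread.
SAMPLE = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server static-n49-176-232-64.meb2.vic.optusnet.com.au (/etc/apache2/sites-enabled/010-ssl.conf:1)
         port 443 namevhost static-n49-176-232-64.meb2.vic.optusnet.com.au (/etc/apache2/sites-enabled/010-ssl.conf:1)
         port 443 namevhost static-n49-176-232-64.meb2.vic.optusnet.com.au (/etc/apache2/sites-enabled/default-ssl.conf:1)
*:80                   is a NameVirtualHost
         default server a-wizard.au (/etc/apache2/sites-enabled/a-wizard.au.conf:1)
         port 80 namevhost a-wizard.au (/etc/apache2/sites-enabled/a-wizard.au.conf:1)
         port 80 namevhost a-wizard.com.au (/etc/apache2/sites-enabled/a-wizard.com.au.conf:1)
         port 80 namevhost a-wizard.com.au (/etc/apache2/sites-enabled/postfixadmin.conf:1)
         port 80 namevhost a-wizard.au (/etc/apache2/sites-enabled/roundcube.conf:1)
"""

# Only "port N namevhost NAME (file:line)" rows are counted; the
# "default server" row repeats the first namevhost and is skipped.
VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+):(\d+)\)\s*$")


def parse_vhosts(dump):
    """Map (port, server_name) -> list of 'file:line' definitions."""
    vhosts = defaultdict(list)
    for line in dump.splitlines():
        m = VHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            vhosts[(int(port), name.lower())].append(f"{path}:{lineno}")
    return dict(vhosts)


def duplicates(vhosts):
    """Name/port pairs defined more than once; Apache serves only the first."""
    return {key: files for key, files in vhosts.items() if len(files) > 1}


def missing_https(vhosts, http_port=80, https_port=443):
    """Names with an HTTP vhost but no HTTPS vhost (they hit the 443 default)."""
    http = {name for port, name in vhosts if port == http_port}
    https = {name for port, name in vhosts if port == https_port}
    return sorted(http - https)


if __name__ == "__main__":
    found = parse_vhosts(SAMPLE)
    for (port, name), files in sorted(duplicates(found).items()):
        print(f"duplicate {name}:{port} -> {', '.join(files)}")
    for name in missing_https(found):
        print(f"no port 443 vhost for {name}")
```

On the server itself, pass the text printed by sudo apache2ctl -t -D DUMP_VHOSTS to parse_vhosts in place of SAMPLE.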