Help renewing cert

beehaw · July 9, 2023, 12:46am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

askbiblescholars.com

I ran this command:

I cannot recall the specific command but it failed.

It produced this output:

N/A

My web server is (include version):

Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-152-generic x86_64)

The operating system my web server runs on is (include version):

Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-152-generic x86_64)

My hosting provider, if applicable, is:

Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0

schoen · July 9, 2023, 1:43am

Hi @beehaw,

Could you please try the renewal again and note down what the command was and what it said when it failed? There are many different errors possible, and the specific error message will help us to give you advice about what to do about it.

beehaw · July 9, 2023, 1:55am

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/askbiblescholars.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for askbiblescholars.com
Cleaning up challenges
Attempting to renew cert (askbiblescholars.com) from /etc/letsencrypt/renewal/askbiblescholars.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.

Processing /etc/letsencrypt/renewal/www.askbiblescholars.com.conf

Attempting to parse the version 2.6.0 renewal configuration file found at /etc/letsencrypt/renewal/www.askbiblescholars.com.conf with version 0.40.0 of Certbot. This might not work.
Cert not yet due for renewal
Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer nginx.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/askbiblescholars.com/fullchain.pem (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/www.askbiblescholars.com/fullchain.pem expires on 2023-09-19 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/askbiblescholars.com/fullchain.pem (failure)

rg305 · July 9, 2023, 2:35am

It seems that during your last renewal/issuance certbot was running in standalone mode.
This is not the preferred method when there is a working web service.
That said, you could probably stop your web server and renew the cert and then restart the web server.
Again, that is not an ideal renewal process.
If you can take the time to figure out how to use the web server OR use --webroot through the web server, you may be able to automate this in a manner that won't stop your web site [while renewing].

Osiris · July 9, 2023, 8:18am

That's not what is meant by that question. This question meant the actual software used to serve the website, e.g. Apache/nginx/Caddy/whatever.

beehaw · July 9, 2023, 12:41pm

I stopped the web server and tried again only to get the following (Again):

root@askbiblescholars:/# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/askbiblescholars.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for askbiblescholars.com
Cleaning up challenges
Attempting to renew cert (askbiblescholars.com) from /etc/letsencrypt/renewal/askbiblescholars.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.

Processing /etc/letsencrypt/renewal/www.askbiblescholars.com.conf

Attempting to parse the version 2.6.0 renewal configuration file found at /etc/letsencrypt/renewal/www.askbiblescholars.com.conf with version 0.40.0 of Certbot. This might not work.
Cert not yet due for renewal
Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer nginx.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/askbiblescholars.com/fullchain.pem (failure)

The following certs are not due for renewal yet:
/etc/letsencrypt/live/www.askbiblescholars.com/fullchain.pem expires on 2023-09-19 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/askbiblescholars.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

Osiris · July 9, 2023, 12:47pm

Which is?

Well, apparently something is still listening on port 80. You could use e.g. sudo netstat -nap | grep 80 to find out which process.

This is weird. So currently you're using Certbot 0.40.0, a very old version, but somewhere in the past you've also used Certbot 2.6.0, one of the most recent versions? Did you install Certbot using multiple methods? E.g. apt and snap perhaps? Is there currently just a single Certbot installed or multiple?

Looks like you have two separate certificates for the same domain. Can you please show the output of sudo certbot certificates ?

beehaw · July 9, 2023, 1:29pm

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 2.6.0 renewal configuration file found at /etc/letsencrypt/renewal/www.askbiblescholars.com.conf with version 0.40.0 of Certbot. This might not work.

Found the following certs:
Certificate Name: askbiblescholars.com
Domains: askbiblescholars.com
Expiry Date: 2023-07-14 17:01:00+00:00 (VALID: 5 days)
Certificate Path: /etc/letsencrypt/live/askbiblescholars.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/askbiblescholars.com/privkey.pem
Certificate Name: www.askbiblescholars.com
Domains: www.askbiblescholars.com
Expiry Date: 2023-09-19 18:58:58+00:00 (VALID: 72 days)
Certificate Path: /etc/letsencrypt/live/www.askbiblescholars.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.askbiblescholars.com/privkey.pem

MikeMcQ · July 9, 2023, 1:58pm

The goal is to use nginx to get/renew your certs. And, your root name askbiblescholars.com should give the same results as your www subdomain.

Getting to that takes several steps. I see your root domain responding poorly to various routine requests. So, let's fix that first. Can you upload the file from this command? If not, please post entire (long) output here with 3 backticks before and after the output.

sudo nginx -T >upload.txt

If you must paste it like this
```
output from command
```

beehaw · July 9, 2023, 2:55pm

A colleague of mine was able to get this fixed for me. Thanks to everyone ITT for your time and attention!

system · August 8, 2023, 2:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL Renew Issue Help	15	663	January 19, 2023
Certificate renewal issues Help	4	1054	December 15, 2022
Error renewing certificate Help	11	469	June 26, 2022
Unable to renew Help	8	1045	March 14, 2021
Attempting to renew cert Help	2	811	November 21, 2020

Help renewing cert

Related topics