Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: *.clearpath.site
I ran this command: sudo certbot renew -v
It produced this output:
```
sudo certbot renew -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/clearpath.site-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-linode, Installer apache
Renewing an existing certificate for clearpath.site and *.clearpath.site
Performing the following challenges:
dns-01 challenge for clearpath.site
dns-01 challenge for clearpath.site
Unsafe permissions on credentials configuration file: /home/david/.secrets/certbot/linode.ini
Cleaning up challenges
Encountered exception during recovery: ValueError: invalid literal for int() with base 10: '[]'
Failed to renew certificate clearpath.site-0001 with error: invalid literal for int() with base 10: '[]'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/clearpath.site.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/clearpath.site.conf is broken.
The error was: expected /etc/letsencrypt/live/clearpath.site/cert.pem to be a symlink
Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/clearpath.site-0001/fullchain.pem (failure)
Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/clearpath.site.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 1 parse failure(s)
```
My web server is (include version): Apache
The operating system my web server runs on is (include version): Ubuntu 20.10
My hosting provider, if applicable, is: Linode
The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): certbot 1.17.0
1 Like
Welcome Back to the Let's Encrypt Community, David
Let's get to the bottom of this.
What are the outputs of:
```
sudo certbot certificates
sudo ls -lRa /etc/letsencrypt
sudo apachectl -S
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled
```
Please put 3 backticks above and below each output, like this:
```
output
```
2 Likes
Thanks for the fast response!
```
sudo certbot certifictaes
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/clearpath.site.conf produced an unexpected error: expected /etc/letsencrypt/live/clearpath.site/cert.pem to be a symlink. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: clearpath.site-0001
Serial Number: 3f6ef929eaf84da10e31b2b3abcc4fd5dd8
Key Type: RSA
Domains: clearpath.site *.clearpath.site
Expiry Date: 2021-07-06 19:45:16+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/clearpath.site-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/clearpath.site-0001/privkey.pem
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/clearpath.site.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
```
sudo apachectl -S
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 173.230.154.79. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 clearpath.site (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 clearpath.site (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
```
```
sudo ls -lRa /etc/apache2/sites-available
/etc/apache2/sites-available:
total 20
drwxr-xr-x 2 root root 4096 Jun 22 06:46 .
drwxr-xr-x 8 root root 4096 Jul 6 21:56 ..
-rw-r--r-- 1 root root 2601 Apr 7 20:48 000-default-le-ssl.conf
-rw-r--r-- 1 root root 1666 Apr 7 20:54 000-default.conf
-rw-r--r-- 1 root root 2549 Apr 7 20:51 000-default.conf.save
```
```
sudo ls -lRa /etc/apache2/sites-enabled
/etc/apache2/sites-enabled:
total 8
drwxr-xr-x 2 root root 4096 Jun 5 15:44 .
drwxr-xr-x 8 root root 4096 Jul 6 21:56 ..
lrwxrwxrwx 1 root root 52 Jun 5 15:44 000-default-le-ssl.conf -> /etc/apache2/sites-available/000-default-le-ssl.conf
lrwxrwxrwx 1 root root 35 Jun 5 15:44 000-default.conf -> ../sites-available/000-default.conf
```
I skipped the `sudo ls -lRa /etc/letsencrypt` as it was causing my terminal to freak out when I tried to copy it. Please lmk if it is necessary still.
1 Like
Thanks for those.
I do need the last bit.
This should be easier:
```
sudo ls -lRa /etc/letsencrypt > output.txt
```
Then just upload `output.txt` with the button in your next post.
2 Likes
rg305
July 6, 2021, 11:06pm
6
Someone has a really smart computer... [one that knows what you meant and did that instead]
OR
There has been a little bit of manual reconstruction.
1 Like
One moment. Processing...
1 Like
I have an international meeting right now. Back as soon as I can. I see the problems and am fairly confident we can sort this without much trouble.
1 Like
In the meantime, what are the outputs of:
```
sudo cat /etc/apache2/sites-available/000-default.conf
sudo cat /etc/apache2/sites-available/000-default-le-ssl.conf
sudo cat /etc/apache2/sites-available/000-default.conf.save
sudo cat /etc/letsencrypt/renewal/clearpath.site.conf
sudo cat /etc/letsencrypt/renewal/clearpath.site-0001.conf
```
2 Likes
rg305
July 6, 2021, 11:40pm
11
In the (meaningless) meantime...
Can we have a look at these two files?:
```
/etc/letsencrypt/renewal:
total 16
drwxr-xr-x 2 root root 4096 Jun 5 15:44 .
drwxr-xr-x 9 root root 4096 Jul 6 22:13 ..
-rw-r--r-- 1 root root 660 Apr 7 20:45 clearpath.site-0001.conf
-rw-r--r-- 1 root root 581 Apr 7 20:14 clearpath.site.conf
```
2 Likes
```
sudo cat /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
ServerName clearpath.site
ServerAlias *.clearpath.site
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine On
RewriteRule ^\.well-known\/acme-challenge\/ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
```
```
sudo cat /etc/apache2/sites-available/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName clearpath.site
ServerAlias www.clearpath.site
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /static /home/david/clearpath_project/static
DocumentRoot /home/david/clearpath_project
<Directory /home/david/clearpath_project/static>
Require all granted
</Directory>
Alias /media /home/david/clearpath_project/media
<Directory /home/david/clearpath_project/media>
Require all granted
</Directory>
<Directory /home/david/clearpath_project/config>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIScriptAlias / /home/david/clearpath_project/config/wsgi.py
WSGIDaemonProcess clearpath python-path=/home/david/clearpath_project python-home=/home/david/clearpath_project/venv
WSGIProcessGroup clearpath
WSGIPassAuthorization On
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/clearpath.site-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/clearpath.site-0001/privkey.pem
</VirtualHost>
</IfModule>
```
```
sudo cat /etc/apache2/sites-available/000-default.conf.save
<VirtualHost *:80>
ServerName clearpath.site
ServerAlias *.clearpath.site
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /static /home/david/clearpath_project/static
DocumentRoot /home/david/clearpath_project
<Directory /home/david/clearpath_project/static>
Require all granted
</Directory>
Alias /media /home/david/clearpath_project/media
<Directory /home/david/clearpath_project/media>
Require all granted
</Directory>
<Directory /home/david/clearpath_project/config>
<Files wsgi.py>
Require all granted
</Files>
</Directory>
WSGIScriptAlias / /home/david/clearpath_project/config/wsgi.py
# WSGIDaemonProcess clearpath python-path=/home/david/clearpath_project python-home=/home/david/clearpath_project/venv
WSGIProcessGroup clearpath
WSGIPassAuthorization On
RewriteEngine on
RewriteCond %{SERVER_NAME} =clearpath.site [OR]
RewriteCond %{SERVER_NAME} =www.clearpath.site
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```
```
sudo cat /etc/letsencrypt/renewal/clearpath.site.conf
# renew_before_expiry = 30 days
version = 0.36.0
archive_dir = /etc/letsencrypt/archive/clearpath.site
cert = /etc/letsencrypt/live/clearpath.site/cert.pem
privkey = /etc/letsencrypt/live/clearpath.site/privkey.pem
chain = /etc/letsencrypt/live/clearpath.site/chain.pem
fullchain = /etc/letsencrypt/live/clearpath.site/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 0db7788607bca1bcf498638309c036ed
authenticator = dns-linode
installer = apache
dns_linode_credentials = /home/david/linode.ini
server = https://acme-v02.api.letsencrypt.org/directory
```
```
sudo cat /etc/letsencrypt/renewal/clearpath.site-0001.conf
# renew_before_expiry = 30 days
version = 1.14.0
archive_dir = /etc/letsencrypt/archive/clearpath.site-0001
cert = /etc/letsencrypt/live/clearpath.site-0001/cert.pem
privkey = /etc/letsencrypt/live/clearpath.site-0001/privkey.pem
chain = /etc/letsencrypt/live/clearpath.site-0001/chain.pem
fullchain = /etc/letsencrypt/live/clearpath.site-0001/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 0db7788607bca1bcf498638309c036ed
authenticator = dns-linode
installer = apache
dns_linode_propagation_seconds = 120
dns_linode_credentials = /home/david/.secrets/certbot/linode.ini
server = https://acme-v02.api.letsencrypt.org/directory
```
1 Like
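The two failures in this thread's output (a `live/` entry that is not a symlink, and the credentials-permissions warning) can be checked per renewal config as sketched below. This is an added example, not part of the thread and not Certbot's own code: the function names are hypothetical, the key names are the ones in the posted `.conf` files, and treating any group or other permission bit as unsafe is this example's own threshold rather than Certbot's exact test.

```shell
#!/bin/sh
# Added example: audit certbot renewal configs for non-symlink live/ files
# and for a DNS credentials file that other users can access.

# Print the value of "key = value" from a renewal config (first match only).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Succeed only if group and other have no permission bits on the file.
# Characters 5-10 of the ls mode string are the group and other triplets.
private_mode() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Print one finding per line; print nothing when the config looks healthy.
audit_renewal_conf() {
    conf=$1
    for key in cert privkey chain fullchain; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            echo "$key: missing from $conf"
        elif [ ! -L "$path" ]; then
            echo "$key: $path is not a symlink"
        elif [ ! -e "$path" ]; then
            echo "$key: $path is a dangling symlink"
        fi
    done
    creds=$(conf_value "$conf" dns_linode_credentials)
    if [ -n "$creds" ]; then
        if [ ! -f "$creds" ]; then
            echo "credentials: $creds does not exist"
        elif ! private_mode "$creds"; then
            echo "credentials: $creds is accessible to group/other (chmod 600)"
        fi
    fi
}

# Usage (as root): sh audit.sh /etc/letsencrypt/renewal/*.conf
for conf in "$@"; do
    audit_renewal_conf "$conf"
done
```
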
Fwiw I have some old notes from the installation process I initially went through:
```
certbot \
--dns-linode \
--dns-linode-credentials ~/linode.ini \
-i apache \
-d clearpath.site \
-d *.clearpath.site
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-linode, Installer apache
Obtaining a new certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
No vhost exists with servername or alias for domain *.clearpath.site. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.
No vhost selected
IMPORTANT NOTES:
- Unable to install the certificate
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/clearpath.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/clearpath.site/privkey.pem
Your cert will expire on 2020-03-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
```
```
david@clearpath:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: clearpath.site
Domains: clearpath.site *.clearpath.site
Expiry Date: 2020-03-17 19:43:26+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/clearpath.site/fullchain.pem
Private Key Path: /etc/letsencrypt/live/clearpath.site/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```
```
david@clearpath:~$ sudo certbot --reinstall -d clearpath.site -d *.clearpath.site
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/apache2/sites-available/000-default-le-ssl.conf
Addresses: *:443
Names: clearpath.site, *.clearpath.site
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://clearpath.site and
https://*.clearpath.site
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=clearpath.site
https://www.ssllabs.com/ssltest/analyze.html?d=*.clearpath.site
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/clearpath.site/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/clearpath.site/privkey.pem
Your cert will expire on 2020-03-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
1 Like
IIRC I had to comment out the WSGI lines in the conf files before installing the cert. Is this correct?
1 Like
Yeah, so the reinstall didn't actually work because now I have SSL on the main domain but every subdomain gives me an Ubuntu error page.
1 Like
rg305
July 7, 2021, 1:29am
18
Probably due to lack of wildcard support (in the web server configuration):
[that "www" should probably be "*" (an asterisk)]
1 Like
I take it back. Now my main domain is 403 forbidden and the subdomains are all Ubuntu Apache error pages. Man, I think I messed this up..
1 Like
So this is what I have done... I added a new linode API key to the linode.ini file and tried to reinstall it.
The error I get is:
```
sudo certbot --reinstall -d clearpath.site -d *.clearpath.sitee logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Saving debug log to /var/log/letsencrypt/letsencrypt.loge/000-default-le-ssl.conf
Certificate not yet due for renewal
Deploying certificate
Successfully deployed certificate for clearpath.site to /etc/apache2/sites-enabled/000-default-le-ssl.conf
Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/apache2/sites-enabled/000-default-le-ssl.conf
Addresses: *:443
Names: www.clearpath.site, clearpath.site
HTTPS: Yes
2: File: /etc/apache2/sites-enabled/000-default.conf
Addresses: *:80
Names: *.clearpath.site, clearpath.site
HTTPS: No
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-available/000-default-le-ssl.conf because they have the potential to create redirection loops.
Could not install certificate
An unexpected error occurred:
augeas.AugeasValueError: Augeas.set() failed: Too many matches for path expression
```
What should I do from here?
1 Like
rg305
July 7, 2021, 1:34am
21
Break out of that (`c` to cancel) and modify the file:
Change the line:
To:
```
ServerAlias *.clearpath.site
```
[then restart Apache and rerun certbot]
and let's reconfirm which files are being used with:
```
sudo apachectl -S
```
3 Likes