Help Renewing Wildcard Cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.clearpath.site

I ran this command: sudo certbot renew -v

It produced this output:

 sudo certbot renew -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/clearpath.site-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-linode, Installer apache
Renewing an existing certificate for clearpath.site and *.clearpath.site
Performing the following challenges:
dns-01 challenge for clearpath.site
dns-01 challenge for clearpath.site
Unsafe permissions on credentials configuration file: /home/david/.secrets/certbot/linode.ini
Cleaning up challenges
Encountered exception during recovery: ValueError: invalid literal for int() with base 10: '[]'
Failed to renew certificate clearpath.site-0001 with error: invalid literal for int() with base 10: '[]'

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/clearpath.site.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewal configuration file /etc/letsencrypt/renewal/clearpath.site.conf is broken.
The error was: expected /etc/letsencrypt/live/clearpath.site/cert.pem to be a symlink
Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/clearpath.site-0001/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/clearpath.site.conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 1 parse failure(s)

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 20.10

My hosting provider, if applicable, is: Linode

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.17.0

1 Like

Welcome Back to the Let's Encrypt Community, David :slightly_smiling_face:

Let's get to the bottom of this. :gloves:

What are the outputs of:

sudo certbot certificates
sudo ls -lRa /etc/letsencrypt
sudo apachectl -S
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled

Please put 3 backticks above and below each output, like this:

```
output
```

2 Likes

Thanks for the fast response!

sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/clearpath.site.conf produced an unexpected error: expected /etc/letsencrypt/live/clearpath.site/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: clearpath.site-0001
    Serial Number: 3f6ef929eaf84da10e31b2b3abcc4fd5dd8
    Key Type: RSA
    Domains: clearpath.site *.clearpath.site
    Expiry Date: 2021-07-06 19:45:16+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/clearpath.site-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/clearpath.site-0001/privkey.pem

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/clearpath.site.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
sudo apachectl -S

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 173.230.154.79. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  clearpath.site (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   clearpath.site (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

sudo ls -lRa /etc/apache2/sites-available

/etc/apache2/sites-available:
total 20
drwxr-xr-x 2 root root 4096 Jun 22 06:46 .
drwxr-xr-x 8 root root 4096 Jul  6 21:56 ..
-rw-r--r-- 1 root root 2601 Apr  7 20:48 000-default-le-ssl.conf
-rw-r--r-- 1 root root 1666 Apr  7 20:54 000-default.conf
-rw-r--r-- 1 root root 2549 Apr  7 20:51 000-default.conf.save

sudo ls -lRa /etc/apache2/sites-enabled

/etc/apache2/sites-enabled:
total 8
drwxr-xr-x 2 root root 4096 Jun  5 15:44 .
drwxr-xr-x 8 root root 4096 Jul  6 21:56 ..
lrwxrwxrwx 1 root root   52 Jun  5 15:44 000-default-le-ssl.conf -> /etc/apache2/sites-available/000-default-le-ssl.conf
lrwxrwxrwx 1 root root   35 Jun  5 15:44 000-default.conf -> ../sites-available/000-default.conf

I skipped the sudo ls -lRa /etc/letsencrypt as it was causing my terminal to freak out when I tried to copy it. Please let me know if it is still necessary.

1 Like

Thanks for those. :slightly_smiling_face:

I do need the last bit.

This should be easier:

sudo ls -lRa /etc/letsencrypt > output.txt

Then just upload output.txt with the button in your next post.

2 Likes

Sweet. Here we go!

output.txt (23.1 KB)

1 Like

Someone has a really smart computer... [one that knows what you meant and did that instead]
OR
There has been a little bit of manual reconstruction.

1 Like

This is also concerning:

1 Like

One moment. Processing... :grin:

1 Like

I have an international meeting right now. Back as soon as I can. I see the problems and am fairly confident we can sort this without much trouble.

1 Like

In the meantime, what are the outputs of:

sudo cat /etc/apache2/sites-available/000-default.conf
sudo cat /etc/apache2/sites-available/000-default-le-ssl.conf
sudo cat /etc/apache2/sites-available/000-default.conf.save
sudo cat /etc/letsencrypt/renewal/clearpath.site.conf
sudo cat /etc/letsencrypt/renewal/clearpath.site-0001.conf
2 Likes

In the (meaningless) meantime...
Can we have a look at these two files?:

/etc/letsencrypt/renewal:
total 16
drwxr-xr-x 2 root root 4096 Jun  5 15:44 .
drwxr-xr-x 9 root root 4096 Jul  6 22:13 ..
-rw-r--r-- 1 root root  660 Apr  7 20:45 clearpath.site-0001.conf
-rw-r--r-- 1 root root  581 Apr  7 20:14 clearpath.site.conf
2 Likes
sudo cat /etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>

        ServerName clearpath.site
        ServerAlias *.clearpath.site

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine On
RewriteRule ^\.well-known\/acme-challenge\/ - [L]
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
sudo cat /etc/apache2/sites-available/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerName clearpath.site
        ServerAlias www.clearpath.site

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Alias /static /home/david/clearpath_project/static

        DocumentRoot /home/david/clearpath_project

        <Directory /home/david/clearpath_project/static>
                Require all granted
        </Directory>

        Alias /media /home/david/clearpath_project/media
        <Directory /home/david/clearpath_project/media>
                Require all granted
        </Directory>

        <Directory /home/david/clearpath_project/config>
                <Files wsgi.py>
                        Require all granted
                </Files>
        </Directory>

        WSGIScriptAlias / /home/david/clearpath_project/config/wsgi.py
        WSGIDaemonProcess clearpath python-path=/home/david/clearpath_project python-home=/home/david/clearpath_project/venv
        WSGIProcessGroup clearpath
        WSGIPassAuthorization On



Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/clearpath.site-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/clearpath.site-0001/privkey.pem
</VirtualHost>
</IfModule>
sudo cat /etc/apache2/sites-available/000-default.conf.save
<VirtualHost *:80>

        ServerName clearpath.site
        ServerAlias *.clearpath.site

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        Alias /static /home/david/clearpath_project/static

        DocumentRoot /home/david/clearpath_project

        <Directory /home/david/clearpath_project/static>
                Require all granted
        </Directory>

        Alias /media /home/david/clearpath_project/media
        <Directory /home/david/clearpath_project/media>
                Require all granted
        </Directory>

        <Directory /home/david/clearpath_project/config>
                <Files wsgi.py>
                        Require all granted
                </Files>
        </Directory>

        WSGIScriptAlias / /home/david/clearpath_project/config/wsgi.py
       # WSGIDaemonProcess clearpath python-path=/home/david/clearpath_project python-home=/home/david/clearpath_project/venv
        WSGIProcessGroup clearpath
        WSGIPassAuthorization On

RewriteEngine on
RewriteCond %{SERVER_NAME} =clearpath.site [OR]
RewriteCond %{SERVER_NAME} =www.clearpath.site
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

sudo cat /etc/letsencrypt/renewal/clearpath.site.conf
# renew_before_expiry = 30 days
version = 0.36.0
archive_dir = /etc/letsencrypt/archive/clearpath.site
cert = /etc/letsencrypt/live/clearpath.site/cert.pem
privkey = /etc/letsencrypt/live/clearpath.site/privkey.pem
chain = /etc/letsencrypt/live/clearpath.site/chain.pem
fullchain = /etc/letsencrypt/live/clearpath.site/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0db7788607bca1bcf498638309c036ed
authenticator = dns-linode
installer = apache
dns_linode_credentials = /home/david/linode.ini
server = https://acme-v02.api.letsencrypt.org/directory
sudo cat /etc/letsencrypt/renewal/clearpath.site-0001.conf
# renew_before_expiry = 30 days
version = 1.14.0
archive_dir = /etc/letsencrypt/archive/clearpath.site-0001
cert = /etc/letsencrypt/live/clearpath.site-0001/cert.pem
privkey = /etc/letsencrypt/live/clearpath.site-0001/privkey.pem
chain = /etc/letsencrypt/live/clearpath.site-0001/chain.pem
fullchain = /etc/letsencrypt/live/clearpath.site-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0db7788607bca1bcf498638309c036ed
authenticator = dns-linode
installer = apache
dns_linode_propagation_seconds = 120
dns_linode_credentials = /home/david/.secrets/certbot/linode.ini
server = https://acme-v02.api.letsencrypt.org/directory
1 Like

Fwiw I have some old notes from the installation process I initially went through:

certbot \
  --dns-linode \
  --dns-linode-credentials ~/linode.ini \
  -i apache \
  -d clearpath.site \
  -d *.clearpath.site

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-linode, Installer apache
Obtaining a new certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
No vhost exists with servername or alias for domain *.clearpath.site. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config.
No vhost selected

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/clearpath.site/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/clearpath.site/privkey.pem
   Your cert will expire on 2020-03-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

david@clearpath:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: clearpath.site
    Domains: clearpath.site *.clearpath.site
    Expiry Date: 2020-03-17 19:43:26+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/clearpath.site/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/clearpath.site/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
david@clearpath:~$ sudo certbot --reinstall -d clearpath.site -d *.clearpath.site
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal
Keeping the existing certificate
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf

Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/apache2/sites-available/000-default-le-ssl.conf
Addresses: *:443
Names: clearpath.site, *.clearpath.site
HTTPS: Yes
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://clearpath.site and
https://*.clearpath.site

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=clearpath.site
https://www.ssllabs.com/ssltest/analyze.html?d=*.clearpath.site
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/clearpath.site/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/clearpath.site/privkey.pem
   Your cert will expire on 2020-03-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
1 Like

IIRC I had to comment out the WSGI lines in the conf files before installing the cert. Is this correct?

1 Like

Yeah, so the reinstall didn't actually work because now I have SSL on the main domain but every subdomain gives me an Ubuntu error page.

1 Like

Noticeable differences:

1 Like

Probably due to lack of wildcard support (in the web server configuration):

[that "www" should probably be "*" (an asterisk)]

1 Like

I take it back. Now my main domain is 403 forbidden and the subdomains are all Ubuntu Apache error pages. Man, I think I messed this up...

1 Like

So this is what I have done... I added a new linode API key to the linode.ini file and tried to reinstall it.

The error I get is:

sudo certbot --reinstall -d clearpath.site -d *.clearpath.site
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
Deploying certificate
Successfully deployed certificate for clearpath.site to /etc/apache2/sites-enabled/000-default-le-ssl.conf

Which VirtualHosts would you like to install the wildcard certificate for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: File: /etc/apache2/sites-enabled/000-default-le-ssl.conf
Addresses: *:443
Names: www.clearpath.site, clearpath.site
HTTPS: Yes

2: File: /etc/apache2/sites-enabled/000-default.conf
Addresses: *:80
Names: *.clearpath.site, clearpath.site
HTTPS: No
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 
Some rewrite rules copied from /etc/apache2/sites-enabled/000-default.conf were disabled in the vhost for your HTTPS site located at /etc/apache2/sites-available/000-default-le-ssl.conf because they have the potential to create redirection loops.
Could not install certificate
An unexpected error occurred:
augeas.AugeasValueError: Augeas.set() failed: Too many matches for path expression

What should I do from here?

1 Like

Break out of that (c to cancel) and modify the file:

Change the line:

To:
ServerAlias *.clearpath.site

[then restart Apache and rerun certbot]

and let's reconfirm which files are being used with:
sudo apachectl -S

3 Likes
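The three things that went wrong in this thread (a credentials file with loose permissions, a live/ lineage whose PEMs are plain files instead of symlinks into archive/, and an SSL vhost whose ServerAlias is www.clearpath.site rather than *.clearpath.site) can each be checked before rerunning certbot. The script below is an added example, not certbot's or Apache's own code; it assumes the thread's domain and lineage names and runs its checks against a constructed sample tree so it needs no root and touches nothing under /etc.

```shell
#!/bin/sh
# Added example, not certbot's or Apache's own code. Three checks for the
# three failure modes in this thread, exercised against a constructed sample
# tree. Domain, lineage names and layout follow the thread; contents are dummies.

# 1. Credentials file: no group/other permission bits (certbot's
#    "Unsafe permissions on credentials configuration file" warning).
check_cred_perms() {
  perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
  [ "$perms" = "------" ]
}

# 2. Each PEM under live/<lineage>/ must be a non-dangling symlink into
#    archive/ (the "expected .../cert.pem to be a symlink" parse failure).
check_live_symlinks() {
  for f in cert.pem privkey.pem chain.pem fullchain.pem; do
    { [ -L "$1/$f" ] && [ -e "$1/$f" ]; } || return 1
  done
  return 0
}

# 3. The vhost must carry a ServerAlias for *.<domain>; with only
#    www.<domain> the apache installer finds no vhost for the wildcard.
check_wildcard_alias() {
  grep -E '^[[:space:]]*ServerAlias[[:space:]]' "$1" | grep -qF "*.$2"
}

# Constructed sample tree: one healthy lineage, one with plain files in
# live/, a 600 and a 644 credentials file, a www-only and a wildcard vhost.
make_sample_tree() {
  root=$1; dom=clearpath.site
  mkdir -p "$root/archive/$dom-0001" "$root/live/$dom-0001" "$root/live/$dom" \
           "$root/secrets" "$root/sites"
  for f in cert privkey chain fullchain; do
    echo "dummy $f" > "$root/archive/$dom-0001/${f}1.pem"
    ln -s "../../archive/$dom-0001/${f}1.pem" "$root/live/$dom-0001/$f.pem"
    echo "dummy $f" > "$root/live/$dom/$f.pem"   # broken lineage: not a symlink
  done
  printf 'dns_linode_key = PLACEHOLDER_KEY\n' > "$root/secrets/linode.ini"
  cp "$root/secrets/linode.ini" "$root/secrets/linode-loose.ini"
  chmod 600 "$root/secrets/linode.ini"; chmod 644 "$root/secrets/linode-loose.ini"
  printf '<VirtualHost *:443>\n  ServerName %s\n  ServerAlias www.%s\n</VirtualHost>\n' \
    "$dom" "$dom" > "$root/sites/www.conf"
  printf '<VirtualHost *:443>\n  ServerName %s\n  ServerAlias *.%s\n</VirtualHost>\n' \
    "$dom" "$dom" > "$root/sites/wildcard.conf"
}

# Run the checks over the sample tree and report; on a real host point them
# at /etc/letsencrypt/live/<lineage>, the credentials file and the vhost file.
report() { "$@" && echo "OK   $*" || echo "FAIL $*"; }
demo=$(mktemp -d); make_sample_tree "$demo"
report check_cred_perms "$demo/secrets/linode.ini"
report check_cred_perms "$demo/secrets/linode-loose.ini"
report check_live_symlinks "$demo/live/clearpath.site-0001"
report check_live_symlinks "$demo/live/clearpath.site"
report check_wildcard_alias "$demo/sites/wildcard.conf" clearpath.site
report check_wildcard_alias "$demo/sites/www.conf" clearpath.site
rm -rf "$demo"
```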