Help with Certbot renewal & plugins


#1

I am getting this error

Does renewal mean I have to plug all the info back in again?

Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot-auto certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.
root@vorman:~/lets#


#2

Did you try that already?


#3

What command gives that error?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#4

I am trying to renew my cert; it expires Dec 25.


#5

What command did you use to get the current certificate?

What happens if you run “certbot-auto renew”?


#6

Domain: vorman.mooo.com
Type: unauthorized
Detail: Invalid response from
http://vorman.mooo.com/.well-known/acme-challenge/d6eX_XETMOkG_Ggc2Y3dj-CesUIUW1ooS7W2Fn06VV4:
"<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html
PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN”\n
http://www.”

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.


#7

Can you show the renewal file?
It might be at:
/etc/letsencrypt/renewal/{your.domain}.conf


#8

File: vorman.mooo.com.conf

# renew_before_expiry = 30 days

version = 0.27.1
archive_dir = /etc/letsencrypt/archive/vorman.mooo.com
cert = /etc/letsencrypt/live/vorman.mooo.com/cert.pem
privkey = /etc/letsencrypt/live/vorman.mooo.com/privkey.pem
chain = /etc/letsencrypt/live/vorman.mooo.com/chain.pem
fullchain = /etc/letsencrypt/live/vorman.mooo.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = webroot
account = removed
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
vorman.mooo.com = /var/www/html


#9

Have you made any changes to the vhost config?
Like moved the document root or how it handles the acme-challenge requests.

Can you show the vhost config?


#10

Hi @Soydepr

we need the complete log from

/var/log/letsencrypt/letsencrypt.log

so we can read the complete error message.

But: Checked your domain via https://check-your-website.server-daten.de/?q=vorman.mooo.com

Host T IP-Address
vorman.mooo.com A 148.75.65.185
www.vorman.mooo.com No such host is known
ns1.afraid.org

You use afraid.org as nameserver.

Do you know that everyone can create subdomains of your domain?

There are 2833 active Letsencrypt certificates (created in the last 90 days) with your domain name:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:true;domain:mooo.com;issuer_uid:4428624498008853827&lu=cert_search

So you may hit the 50 certificates / per week / per domain - limit.


#11

I am not creating but renewing.

In renewal, do you have to answer all the same questions as when you created it?

File: letsencrypt.log

2018-12-06 17:08:47,354:DEBUG:certbot.main:certbot version: 0.29.1
2018-12-06 17:08:47,357:DEBUG:certbot.main:Arguments:
2018-12-06 17:08:47,357:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,Plu$
2018-12-06 17:08:47,444:DEBUG:certbot.log:Root logging level set at 20
2018-12-06 17:08:47,447:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-12-06 17:08:47,665:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default obje$
2018-12-06 17:08:47,864:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 20$
2018-12-06 17:08:47,865:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2018-12-06 17:08:47,866:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-12-06 17:08:47,893:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x75b131f0>
Prep: True
2018-12-06 17:08:47,897:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Au$
2018-12-06 17:08:47,898:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer $
2018-12-06 17:08:47,910:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration$
2018-12-06 17:08:47,915:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/dire$


#12

Your log is incomplete. There is no error.

Please use another platform (like pastebin etc.) or split your log in parts.


#13

In this case I believe mooo.com is a domain owned by the operator of afraid.org and @Soydepr is using a subdomain as intended. However, you are quite right about the risk of hitting the rate limits, as mooo.com is not on the public suffix list.


#14

https://pastebin.com/2SXwKiUS


#15

Please show the vhost config file.


#16

I don’t have a vhost file, only one domain here, and I use the root document to point to the server.


#17

Ok, then please show the config file.


#18

Thanks.

Ok, you use the webroot and Letsencrypt can’t validate the file, because your server sends a 404.

So there are two options:

  • Your webroot is wrong
  • There are additional redirects

So create a file in /var/www/html/.well-known/acme-challenge (file name 1234) and try to load this file via

http://vorman.mooo.com/.well-known/acme-challenge/1234


#19

Please clarify: what goes in the file 1234, and what do you mean by load?


#20

Create a simple text file, write the word “Hello” in this text file.

To load / check, use your browser:

http://vorman.mooo.com/.well-known/acme-challenge/1234
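
Added example, not part of the thread and not Certbot code: the manual check from posts #18 and #20 as a script. It reads the `[[webroot_map]]` section of a renewal file, writes a random probe file into the challenge directory, and fetches it over HTTP. The function names are hypothetical, and `SAMPLE_CONF` is an excerpt of the renewal file posted in #8.

```python
import os
import secrets
import urllib.error
import urllib.request

# Excerpt of the renewal file posted earlier in this thread.
SAMPLE_CONF = """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
vorman.mooo.com = /var/www/html
"""

def read_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] section."""
    mapping, in_map = {}, False
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line and not line.startswith("#"):
            domain, path = (part.strip() for part in line.split("=", 1))
            mapping[domain] = path
    return mapping

def probe_webroot(webroot, base_url, timeout=10):
    """Write a random probe file, fetch it over HTTP, return (ok, detail)."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    name, body = "probe-" + secrets.token_hex(8), secrets.token_hex(16)
    path = os.path.join(challenge_dir, name)
    with open(path, "w") as handle:
        handle.write(body)
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + name
    try:
        # urlopen follows redirects; final_url shows where the request ended up.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            got, final_url = resp.read().decode("utf-8", "replace"), resp.geturl()
        if got.strip() == body:
            return True, "served from " + final_url
        return False, "wrong body from " + final_url + " (rewrite or other docroot)"
    except urllib.error.HTTPError as err:
        return False, "HTTP %d: server did not serve the file written to %s" % (err.code, webroot)
    except (urllib.error.URLError, OSError) as err:
        return False, "request failed: %s" % err
    finally:
        os.remove(path)  # the probe file is always cleaned up
```

On the server, run it with write access to the webroot, for example `probe_webroot("/var/www/html", "http://vorman.mooo.com")`. An HTTP 404 result matches the first option in post #18 (wrong webroot); a wrong body or an unexpected final URL points to a redirect or rewrite.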