Homebrew certbot renew fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: farces.com

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/moriarty.farces.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for farces.com
http-01 challenge for moriarty.farces.com
http-01 challenge for www.farces.com
Cleaning up challenges
Attempting to renew cert (moriarty.farces.com) from /etc/letsencrypt/renewal/moriarty.farces.com.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/moriarty.farces.com/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/moriarty.farces.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): Homebrew Apache 2.4.41

The operating system my web server runs on is (include version): macOS Catalina 10.15.2

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0


Is there a virtual host listening on port 80?


Thanks for the quick response.

In httpd.conf are the following lines:

Listen 80

# Virtual hosts
Include /usr/local/etc/httpd/extra/httpd-vhosts.conf

In httpd-vhosts.conf is the following section:

<VirtualHost *:80>
    ServerAdmin mfraase@farces.com
    DocumentRoot "/usr/local/var/www"
    ServerName moriarty.farces.com
    ServerAlias www.farces.com
    ServerAlias farces.com
    ErrorLog "/usr/local/var/log/httpd/error_log"
    CustomLog "/usr/local/var/log/httpd/access_log" common
</VirtualHost>


Hello? My cert expires 11 January 2020. Anyone have any other ideas?

Out of desperation, I thought hey! I wonder what will happen if I try to generate a new cert. No luck, and here’s the transcript of my ssh session:

mfraase@further ~ % ssh www.farces.com
Password:
Last login: Sat Dec 28 19:25:33 2019 from 23.25.155.113
mfraase@moriarty ~ % sudo certbot certonly --rsa-key-size 4096
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator apache, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): moriarty.farces.com, www.farces.com, farces.com
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for farces.com
http-01 challenge for moriarty.farces.com
http-01 challenge for www.farces.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
mfraase@moriarty ~ %

Am I missing something? Because all three challenges were successful, doesn’t that indicate that the virtual hosts listening on port 80 are there and were found by certbot?

For what it’s worth, sudo certbot renew has worked flawlessly – through certbot 0.37.1 – until certbot 1.0.0 was released.

Am I missing something else? If it worked on certbot 0.37.1 and broke on certbot 1.0.0, is that not a bug? If not a bug, it dang sure is causing a lot of problems as evidenced by a simple Google search: “add a virtual host for port 80” returning a full page of certbot-specific problems.

Out of even more desperation, I added the following to the “Main” section of my httpd.conf file:

<VirtualHost *:80>
    ServerAdmin mfraase@farces.com
    DocumentRoot "/usr/local/var/www"
    ServerName moriarty.farces.com
    ServerAlias www.farces.com
    ServerAlias farces.com
    ErrorLog "/usr/local/var/log/httpd/error_log"
    CustomLog "/usr/local/var/log/httpd/access_log" common
</VirtualHost>

And commented out the Virtual hosts Include line:

# Virtual hosts
#Include /usr/local/etc/httpd/extra/httpd-vhosts.conf

That didn’t work either. Beginning to pull remaining hair out in 3… 2… 1.

Hi @mfraase

I'm not familiar with macOS.

If your vHost doesn’t work: Is there something like

apachectl -S

Thanks for your reply.

macOS is built upon BSD, so its underpinnings are UNIX. So as not to disturb these underpinnings, homebrew installs everything in a /usr/local/... directory structure.

Where this gets to be not much fun at all is when you want to replace some native macOS services (like Apache) with homebrew services. In the specific case of Apache, the native macOS Apache must first be disabled like so:

sudo apachectl stop
sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist 2>/dev/null

Only then can homebrew Apache be installed like so:

brew install httpd
sudo brew services start httpd

Unfortunately, when it comes to reporting directory structures, apachectl reports the native macOS structures, not the homebrew structures. The end result is that a command like apachectl -S reports the native macOS information, not the homebrew equivalents:

apachectl -S
VirtualHost configuration:
ServerRoot: "/usr"
Main DocumentRoot: "/Library/WebServer/Documents"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex default: dir="/private/var/run/" mechanism=default 
Mutex mpm-accept: using_defaults
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="_www" id=70 not_used
Group: name="_www" id=70 not_used

The homebrew document root, for example, is /usr/local/var/www.

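The post above makes a point worth turning into a repeatable check: on a Mac with Homebrew Apache, a bare apachectl -S describes Apple's bundled httpd, so it says nothing about whether the Homebrew build actually has a port 80 virtual host for the names Certbot is validating. The script below is an added example, not something posted in this thread or shipped by Certbot or Homebrew. It assumes (labelled in the code) that Homebrew links its Apache as /usr/local/bin/httpd and reads /usr/local/etc/httpd/httpd.conf, the directory the thread's own Include line points into; both can be overridden with environment variables. It runs the Homebrew binary directly with -t -D DUMP_VHOSTS (the same dump apachectl -S produces) and parses the result for a port 80 ServerName or ServerAlias. The sample dumps at the bottom are constructed for illustration, file:line numbers included.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Homebrew (Intel macOS)
# links Apache as /usr/local/bin/httpd and uses /usr/local/etc/httpd/httpd.conf.
BREW_HTTPD="${BREW_HTTPD:-/usr/local/bin/httpd}"
BREW_CONF="${BREW_CONF:-/usr/local/etc/httpd/httpd.conf}"

# Show which apachectl a bare command resolves to, i.e. whose config a
# plain "apachectl -S" is describing (on macOS usually Apple's /usr/sbin one).
which_apachectl() {
    command -v apachectl || echo "apachectl not in PATH"
}

# Dump the vhost table of the Homebrew build from its own config.
# -t only parses the config; DUMP_VHOSTS is what apachectl -S defines.
brew_vhost_dump() {
    "$BREW_HTTPD" -t -D DUMP_VHOSTS -f "$BREW_CONF" 2>&1
}

# has_port80_vhost NAME  (dump on stdin): succeed if NAME is the ServerName
# or a ServerAlias of a VirtualHost bound to port 80. Handles both shapes
# httpd -S prints: a single "*:80  name (file:line)" line, and the
# "*:80 is a NameVirtualHost" block with "port 80 namevhost"/"alias" lines.
has_port80_vhost() {
    awk -v want="$1" '
        # "*:80 ..." or "10.0.0.5:80 ..." opens a new port section
        $1 ~ /:[0-9]+$/ {
            port = $1; sub(/.*:/, "", port)
            if (port == "80" && $2 == want) found = 1
            next
        }
        $1 == "port" && $2 == "80" && $3 == "namevhost" && $4 == want { found = 1 }
        port == "80" && $1 == "default" && $2 == "server" && $3 == want { found = 1 }
        port == "80" && $1 == "alias" && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: the Homebrew vhost from the thread, name-based form.
SAMPLE_BREW='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server moriarty.farces.com (/usr/local/etc/httpd/extra/httpd-vhosts.conf:23)
         port 80 namevhost moriarty.farces.com (/usr/local/etc/httpd/extra/httpd-vhosts.conf:23)
                 alias www.farces.com
                 alias farces.com
ServerRoot: "/usr/local/opt/httpd"'

# Constructed sample: one vhost per port, single-line form.
SAMPLE_SINGLE='VirtualHost configuration:
*:80                   moriarty.farces.com (/usr/local/etc/httpd/extra/httpd-vhosts.conf:23)
*:443                  moriarty.farces.com (/usr/local/etc/httpd/extra/httpd-ssl.conf:121)'

# Constructed sample: only an HTTPS vhost, nothing on port 80.
SAMPLE_TLS_ONLY='VirtualHost configuration:
*:443                  moriarty.farces.com (/usr/local/etc/httpd/extra/httpd-ssl.conf:121)'

# Constructed sample: the empty table Apple's apachectl -S printed in the thread.
SAMPLE_APPLE='VirtualHost configuration:
ServerRoot: "/usr"
Main DocumentRoot: "/Library/WebServer/Documents"
Define: DUMP_VHOSTS'

# Live usage on the Mac itself:
#   which_apachectl
#   brew_vhost_dump | has_port80_vhost moriarty.farces.com && echo "port 80 vhost found"
```

Run the live check once per name Certbot is asked to validate (moriarty.farces.com, www.farces.com and farces.com in this thread); a non-zero exit for any of them means the Homebrew httpd that is actually serving the box has no port 80 virtual host for that name, regardless of what Apple's apachectl reports.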

I reinstalled Homebrew Apache (brew reinstall httpd) and was able to renew my certbot certificate.

