Impossible to renew certificate with certbot 0.10.2-1

Hi everyone,

We just got an expired certificate for domain www.komodal.co.

I have access to the server (only sudo user not root).
Server is Ubuntu 17.07
Certbot version 0.10.2-1

Whatever command I try to renew the certificate, it will use ACMEv1 API and so I got the error: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fd384d92bd0>: Failed to establish a new connection: [Errno -2] Name or service not known',))

When trying to update Certbot, it says 0.10.2-1 is the latest version...

Trying to force --server https://acme-v02.api.letsencrypt.org/directory

Gives me this :

```
sudo certbot -d komodal.co --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/XXXXXXX.com.conf with version 0.10.2 of Certbot. This might not work.
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/XXXXXXXX.com.conf with version 0.10.2 of Certbot. This might not work.
Attempting to parse the version 1.9.0 renewal configuration file found at /etc/letsencrypt/renewal/XXXXXXXX.com.conf with version 0.10.2 of Certbot. This might not work.
Obtaining a new certificate
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /acme/new-authz (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ff3b6c590>: Failed to establish a new connection: [Errno -2] Name or service not known',))
Please see the logfiles in /var/log/letsencrypt for more details.
```

So it looks like it's using ACMEv2 at the beginning, then 'obtaining a new certificate' and then tries to connect again to the old API...

Can you help me figure out how to create a new certificate for my website?

I just can add that I'm in the process of moving the website komodal.co to our own server soon.

The person who used to manage this server kind of left without giving us any info or process for the server etc... so I won't risk to update Ubuntu for ex. on this server.

Hope you can help me !

My domain is: komodal.co

I ran this command:

It produced this output:

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 17.07

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): sudo user, not root

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): nope

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.10.2-1

What what whaaaaat?

6 Likes

Hi Osiris... Yes I know I would have had a reaction like this...

It's complicated, but the biiiip who left the company without giving us root access or procedure or anything still has access to the server and managed somehow to renew 1 domain this morning. Even if all domains are down, he just did this one because that's the last domain he got to maintain.

So my guess is that it's possible to renew the other domains, even on this old Ubuntu and old certbot... but I guess I don't want to ask the biiiiip for help and would like to manage it on my own.

Is there a way to bypass certbot and do things manually?

Thanks for your help... I'm the one who needs to deal with that...

2 Likes

Two things:

  • The warning "Attempting to parse the version 1.9.0 renewal configuration file (…) with version 0.10.2 of Certbot. This might not work." suggests there might be a version 1.9.0 of Certbot laying around. You could have a look if you have multiple instances of Certbot installed somehow;
  • It might be possible to renew the now non-renewing certificates by changing some configuration files from the ACMEv1 URL to the ACMEv2 URL. However, from the part of the output you're showing currently, I find it difficult to tell where that would be. You could do a `grep -R acme-v01 /etc/letsencrypt/` to see where configuration files are still referring to the old API and perhaps change it to the v02 URL?

That said, if I were you I'd spin up an up to date version of a server parallel to the old one, install all the necessary applications on that one, transfer over all the configuration files and other required files, test if everything works and just trash that ancient server from Biblical times to /dev/null.

Not sure if this is something to be proud of, but I think this is probably the oldest instance of server software/Certbot version we've seen here on the Community :stuck_out_tongue: Although I understand it's not your fault with personnel changes and stuff like that.

6 Likes
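The `grep -R acme-v01 /etc/letsencrypt/` check suggested in the reply above, extended into an added example (not code from the thread or from Certbot): it reports only active `server =` settings in `*.conf` and `*.ini` files and rewrites them to the v02 URL while keeping a backup. The sample tree, its file names and the `example` domains are constructed; on a real host, point the functions at a copy of `/etc/letsencrypt` first.

```shell
#!/bin/sh
# Added example: find and rewrite ACMEv1 "server =" settings in a Certbot config tree.
V1_RE='acme-v01\.api\.letsencrypt\.org'
V2_URL='https://acme-v02.api.letsencrypt.org/directory'

# Print "file:line" for each active server setting that still names the ACMEv1 host.
# Only *.conf and *.ini are read, so .bak copies and account data are skipped,
# and commented-out lines do not match the anchored pattern.
find_v1_server_lines() {
    find "$1" -type f \( -name '*.conf' -o -name '*.ini' \) \
        -exec grep -nHE "^[[:space:]]*server[[:space:]]*=.*${V1_RE}" {} + 2>/dev/null \
        | cut -d: -f1,2
}

# Point those settings at ACMEv2, leaving every other line untouched.
# Each changed file keeps its original next to it as <name>.bak.
rewrite_to_v2() {
    find_v1_server_lines "$1" | cut -d: -f1 | sort -u | while IFS= read -r f; do
        cp -p "$f" "$f.bak"
        sed -E "s#^([[:space:]]*server[[:space:]]*=[[:space:]]*)https://${V1_RE}/directory#\\1${V2_URL}#" \
            "$f.bak" > "$f"
    done
}

# Constructed sample tree (hypothetical domains), standing in for /etc/letsencrypt.
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/renewal"
    printf '%s\n' '[renewalparams]' 'authenticator = apache' \
        'server = https://acme-v01.api.letsencrypt.org/directory' > "$d/renewal/old.example.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = apache' \
        'server = https://acme-v02.api.letsencrypt.org/directory' > "$d/renewal/new.example.conf"
    printf '%s\n' '# server = https://acme-v01.api.letsencrypt.org/directory' > "$d/cli.ini"
    echo "$d"
}

tree=$(make_sample_tree)
echo "before:"; find_v1_server_lines "$tree"
rewrite_to_v2 "$tree"
echo "after:";  find_v1_server_lines "$tree"
rm -rf "$tree"
```

Changing the URL only helps if the Certbot that reads these files can speak ACMEv2; in the log above, the v01 `new-authz` request was made even though `--server` was already set to the v02 directory.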
