Issue with auto renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: baw.prod.ultramain.systems

I ran this command: No command ran; I was expecting it to auto renew. When I run certbot renew it works fine, but when it tries to do it automatically I get the ERROR:certbot._internal.renewal:Failed to renew certificate baw.prod.ultramain.systems with error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order

It produced this output:

HTTP 500
Content-Length: 112
Cache-Control: public, max-age=0, no-cache
Server: nginx
Connection: keep-alive
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Boulder-Requester: 11651561
Date: Mon, 26 Apr 2021 18:11:49 GMT
Content-Type: application/problem+json
Replay-Nonce: 0004tn9OcyPdA23ztDQmnCoUav-__7XvSOklxi4ceUnQGvg

{ "type": "urn:ietf:params:acme:error:serverInternal", "detail": "Error finalizing order", "status": 500 }

2021-04-26 18:11:49,080:ERROR:certbot._internal.renewal:Failed to renew certificate baw.prod.ultramain.systems with error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order
2021-04-26 18:11:49,095:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 471, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1235, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 124, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 331, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 390, in obtain_certificate
cert, chain = self.obtain_certificate_from_csr(csr, orderr)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 292, in obtain_certificate_from_csr
fetch_alternative_chains=get_alt_chains)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 925, in finalize_order
return self.client.finalize_order(orderr, deadline, fetch_alternative_chains)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 752, in finalize_order
self._post(orderr.body.finalize, wrapped_csr)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 97, in _post
return self.net.post(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1201, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1214, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/lib/python2.7/site-packages/acme/client.py", line 1072, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order

2021-04-26 18:11:49,095:DEBUG:certbot.display.util:Notifying user:


2021-04-26 18:11:49,095:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2021-04-26 18:11:49,095:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/baw.prod.ultramain.systems/fullchain.pem (failure)
2021-04-26 18:11:49,095:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-04-26 18:11:49,097:INFO:certbot.compat.misc:Running post-hook command: systemctl restart nginx
2021-04-26 18:11:49,277:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/bin/certbot", line 9, in <module>
load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1318, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 497, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
2021-04-26 18:11:49,278:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

My web server is (include version): Nginx 1.20.0

The operating system my web server runs on is (include version): Linux baw-prod-primary 4.14.232-176.381.amzn2.x86_64 #1 SMP Wed May 19 00:31:54 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

1 Like

Internal errors are usually due to some kind of hiccup in Let's Encrypt's systems. I'm not seeing any recent disturbance, so maybe you were just unlucky.

Could you try again and see if it works this time?

Also: is your server really having April 26 as the current date? Or are you showing us a very old log?

2 Likes

Hi Osiris,

So that is actually the only error that I found in my logs, but our cert was set to expire in 5 days from now and it never auto renewed. When I went back into the logs that is the only error that I could find, but the dates lined up since the cert only lasts for 90 days. Once I ran the command certbot renew manually, I did not have any issues getting a new cert, but if I don't run the command, certbot will not renew on its own for some reason.

1 Like

Depending on how you've installed certbot, there might or might not have been a cronjob or systemd timer installed. Usually, one would run certbot renew twice a day through such a cronjob or systemd timer.

2 Likes
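The check the reply above points to, as an added example that is not part of the thread: a POSIX shell script that looks for a cron entry or systemd timer invoking `certbot renew` and flags a certificate that is already inside the renewal window. The cron locations searched and the 30-day threshold are assumptions; the certificate path is the one from the log earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: is anything scheduled to run
# `certbot renew`, and is the certificate already inside the renewal window?

# Print non-comment lines that run "certbot ... renew" in the given cron files
# or directories. Returns 0 if at least one such entry exists, 1 otherwise.
find_certbot_cron() {
    found=1
    for path in "$@"; do
        [ -e "$path" ] || continue
        # -r: recurse into cron.d-style dirs, -s: skip unreadable files quietly,
        # -H: always print the file name so the entry can be located.
        if grep -rsHE '^[[:space:]]*([^#[:space:]].*)?certbot.*renew' "$path"; then
            found=0
        fi
    done
    return "$found"
}

# Print systemd timers whose unit name mentions certbot. Returns non-zero if
# there are none or this host has no systemctl.
find_certbot_timer() {
    command -v systemctl >/dev/null 2>&1 || return 1
    systemctl list-timers --all --no-legend 2>/dev/null | grep -i certbot
}

# Returns 0 if certificate $1 stays valid for more than $2 days (default 30,
# an assumed threshold matching certbot's default renewal window).
cert_has_days_left() {
    openssl x509 -noout -in "$1" -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

report_renewal_schedule() {
    # Certificate path taken from the log in the thread; override with $1.
    cert=${1:-/etc/letsencrypt/live/baw.prod.ultramain.systems/fullchain.pem}
    scheduled=no
    find_certbot_timer && scheduled=yes
    # Cron locations below are assumptions about a typical Linux layout.
    find_certbot_cron /etc/crontab /etc/cron.d /etc/cron.daily /var/spool/cron \
        && scheduled=yes
    echo "scheduled renewal found: $scheduled"
    if [ -r "$cert" ] && ! cert_has_days_left "$cert" 30; then
        echo "WARNING: $cert is inside the 30-day renewal window"
    fi
    [ "$scheduled" = yes ]
}

report_renewal_schedule "$@" || echo "nothing here runs 'certbot renew'" >&2
```

Run it as root so that per-user crontabs under `/var/spool/cron` are readable; a commented-out cron line is deliberately not counted as a schedule.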

@Osiris I plan to uninstall my current version of certbot 1.11.0 and update to the latest version and see if that helps.

1 Like