LetsEncrypt SSL renewal - cannot renew cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: puric.hr

I ran this command: sudo certbot renew --dry-run

It produced this output:

My web server is (include version): - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/shop.puric.hr.conf


Simulating renewal of an existing certificate for shop.puric.hr and testshop.puric.hr

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: testshop.puric.hr
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for testshop.puric.hr - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testshop.puric.hr - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate shop.puric.hr with error: Some challenges have failed.

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: local server + dnsmadeeasy.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Hi @igulan, and welcome to the LE community forum :slight_smile:

I see the same problem:
8.8.8.8 can't find testshop.puric.hr: Non-existent domain

The instructions are pretty clear:

Who controls the DNS records for this domain?
Has something changed since your last renewal?

3 Likes

OK, I think I see "the problem":
shop.puric.hr resolves to an IP.
testshop.puric.hr does NOT resolve to an IP.

Do you need to remove the "testshop" name from the current cert?

3 Likes

Thank you guys

testshop.puric.hr is not important to me, that domain is not being published.
shop.puric.hr is important, it can resolve, but can't be renewed by certbot.

I tried to remove the testshop cert from the server, but now I have total failure:

Error while running apachectl configtest.

[Mon Jun 19 09:45:15.691700 2023] [so:warn] [pid 2140] AH01574: module wsgi_module is already loaded, skipping
[Mon Jun 19 09:45:15.698094 2023] [so:warn] [pid 2140] AH01574: module php7_module is already loaded, skipping
AH00526: Syntax error on line 34 of /etc/httpd/conf/httpd-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/testshop.puric.hr/cert.pem' does not exist or is empty

Failed to renew certificate shop.puric.hr with error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apachectl configtest.\n\n[Mon Jun 19 09:45:15.691700 2023] [so:warn] [pid 2140] AH01574: module wsgi_module is already loaded, skipping\n[Mon Jun 19 09:45:15.698094 2023] [so:warn] [pid 2140] AH01574: module php7_module is already loaded, skipping\nAH00526: Syntax error on line 34 of /etc/httpd/conf/httpd-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/testshop.puric.hr/cert.pem' does not exist or is empty\n")


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/shop.puric.hr/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

1 Like

What shows?:
certbot certificates

2 Likes

Found the following certs:
Certificate Name: shop.puric.hr
Serial Number: 3a2bbf647911e585d5c0665ca20a6ec6ab9
Key Type: RSA
Domains: shop.puric.hr testshop.puric.hr
Expiry Date: 2023-06-17 16:41:56+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/shop.puric.hr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/shop.puric.hr/privkey.pem

This is the only managed cert [and it contains both names]:

This cert no longer exists and should not be used in your Apache config:

Please show:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

Yes, should I delete that cert then and create a new one?

This command shows following:
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
[Mon Jun 19 10:13:15.141200 2023] [so:warn] [pid 2940] AH01574: module wsgi_module is already loaded, skipping
[Mon Jun 19 10:13:15.146083 2023] [so:warn] [pid 2940] AH01574: module php7_module is already loaded, skipping
AH00526: Syntax error on line 34 of /etc/httpd/conf/httpd-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/testshop.puric.hr/cert.pem' does not exist or is empty

After I deleted testshop.puric.hr from the httpd configuration, I now have the following output, which is OK:

VirtualHost configuration:
*:443 is a NameVirtualHost
default server shop.puric.hr (/etc/httpd/conf/httpd-le-ssl.conf:2)
port 443 namevhost shop.puric.hr (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias shop.puric.hr
port 443 namevhost testshop.puric.hr (/etc/httpd/conf/httpd-le-ssl.conf:22)
alias testshop.puric.hr

You don't need this ServerName in this file anymore [or remove entire server block]:

What happened to the HTTP vhost config file for shop.puric.hr ?

2 Likes

This is also confusing:

Why is the alias the same as the name?
Let's have a look at that file.

2 Likes

http is online,

*:80 is a NameVirtualHost
port 80 namevhost shop.puric.hr (/etc/httpd/conf/httpd.conf:407)

Should I delete existing certificate and create a new one?
sudo certbot delete --cert-name shop.puric.hr

And then create new one using ACME?

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName shop.puric.hr
        ServerAlias shop.puric.hr
        ServerAdmin 
        <Directory /var/www/shop.puric.hr/public>
            AllowOverride All
        </Directory>
        ErrorLog logs/shop.puric.hr-error_log
        CustomLog logs/shop.puric.hr-access_log common

        SSLCertificateFile /etc/letsencrypt/live/shop.puric.hr/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/shop.puric.hr/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/shop.puric.hr/chain.pem
        DocumentRoot /var/www/shop.puric.hr/public
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName testshop.puric.hr
        ServerAlias testshop.puric.hr
        ServerAdmin 
        DocumentRoot /var/www/testshop.puric.hr/public
        <Directory "/var/www/testshop.puric.hr/public">
            AllowOverride All
        </Directory>
        ErrorLog logs/testshop.puric.hr-error_log
        CustomLog logs/testshop.puric.hr-access_log common

</VirtualHost>
</IfModule>

No.

2 Likes

Remove ServerAlias [duplicate name]:

Remove this unused section:

3 Likes

Let's review this file:

3 Likes

Last part of file:

Include /etc/httpd/conf/httpd-le-ssl.conf
<VirtualHost *:80>  # this is line 407
    DocumentRoot "/var/www/shop.puric.hr/public"
    ServerName shop.puric.hr
    <Directory "/var/www/shop.puric.hr/public">
        allow from all
        Options None
        Require all granted
    </Directory>
</VirtualHost>

Try:
certbot renew --allow-subset-of-names

4 Likes
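A pre-flight check for the two failure modes in this thread (a name in the certificate that no longer resolves, and an SSLCertificate*File directive still pointing at a lineage certbot does not manage), written as an added example that is not from the thread or from Certbot. The sample `certbot certificates` output and vhost block are constructed after the ones posted above, and the DNS resolver is injectable so the logic can be exercised offline.

```python
import re
import socket

# The three mod_ssl directives that can point into /etc/letsencrypt/live/<lineage>/.
LIVE_RE = re.compile(
    r"^\s*SSLCertificate(?:Key|Chain)?File\s+(/etc/letsencrypt/live/([^/\s]+)/\S+)",
    re.MULTILINE,
)

def parse_certbot_certificates(text):
    """Map each lineage in `certbot certificates` output to its list of domains."""
    lineages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = []
        elif line.startswith("Domains:") and current is not None:
            lineages[current] = line.split(":", 1)[1].split()
    return lineages

def resolves(name):
    """True if the name has any A/AAAA answer; NXDOMAIN here means the CA's lookup fails too."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def unresolvable_names(lineages, resolver=resolves):
    """Per lineage, the names that would fail authorization (candidates for --allow-subset-of-names)."""
    return {lin: [d for d in doms if not resolver(d)] for lin, doms in lineages.items()}

def stale_cert_paths(apache_conf, lineages):
    """SSLCertificate*File paths whose lineage certbot no longer manages (the AH00526 error above)."""
    return [path for path, lin in LIVE_RE.findall(apache_conf) if lin not in lineages]

# Constructed sample modelled on the `certbot certificates` output posted in the thread.
CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: shop.puric.hr
    Domains: shop.puric.hr testshop.puric.hr
"""
# Constructed sample of a leftover httpd-le-ssl.conf block like the one the thread removed.
APACHE_CONF = """\
<VirtualHost *:443>
    SSLCertificateFile /etc/letsencrypt/live/testshop.puric.hr/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/testshop.puric.hr/privkey.pem
</VirtualHost>
"""
```

On a real host, feed `subprocess.check_output(["certbot", "certificates"])` and the contents of httpd-le-ssl.conf to these functions; an empty result from both means `certbot renew` should not hit either error.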

It works. You're a genius. Thank you very much!

2 Likes

Please show:
certbot certificates

2 Likes