Missing webroot path renewing an existing certificate

Hi,

I ran this command:

certbot certificates

Found the following certs:
Certificate Name: casaroca.org
Serial Number: *****************************
Key Type: RSA
Domains: casaroca.org www.casaroca.org
Expiry Date: 2021-12-12 17:45:21+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/casaroca.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/casaroca.org/privkey.pem

certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/casaroca.org.conf


Renewing an existing certificate for casaroca.org and www.casaroca.org
Failed to renew certificate casaroca.org with error: Missing command line flag or config entry for this setting:
Input the webroot for casaroca.org:

1 Like

Welcome to the community @jchavezpe

You did not provide many details but it looks like the webroot_path might be missing from your renewal config file here:

/etc/letsencrypt/renewal/casaroca.org.conf

Someone earlier today had a similar problem. If that solution does not help you please post again but with the answers to the other questions in the form you were shown so we can give better advice.

Also show the contents of your renewal conf file. Thanks

===========================

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

My version of certbot is (from certbot --version):

4 Likes

Thanks Mike,

Server GCP
root@instance-1:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster

I don't know what can be happening from the ssh console
root@instance-1:~# /etc/letsencrypt/renewal/casaroca.org.conf
-bash: /etc/letsencrypt/renewal/casaroca.org.conf: Permission denied

2 Likes

Try:

cat /etc/letsencrypt/renewal/casaroca.org.conf

Ideally use 3 backticks before for nice format like this

```
output
```

3 Likes

```
root@instance-1:~# cat /etc/letsencrypt/renewal/casaroca.org.conf
# renew_before_expiry = 30 days
version = 1.19.0
archive_dir = /etc/letsencrypt/archive/casaroca.org
cert = /etc/letsencrypt/live/casaroca.org/cert.pem
privkey = /etc/letsencrypt/live/casaroca.org/privkey.pem
chain = /etc/letsencrypt/live/casaroca.org/chain.pem
fullchain = /etc/letsencrypt/live/casaroca.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 336d9efba695cd78826556d6dac6ef51
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
root@instance-1:~#
```

1 Like

And what is this version?

As you can see in your renewal conf file it is missing the webroot path similar to the other thread I referenced. I am logging out for the night but please show your certbot version and someone can help you if you cannot see how to repair your renewal conf.

2 Likes
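
A check for the condition diagnosed above, as an added example that is not part of the original thread: it scans certbot renewal configs for `authenticator = webroot` with no recorded webroot directory. The function names and sample files are constructed for illustration; `webroot_path` and `[[webroot_map]]` are the entries certbot writes when a webroot was supplied.

```bash
# Added example: flag certbot renewal configs that select the webroot
# authenticator but record no webroot directory. Prints each *.conf in DIR
# (default /etc/letsencrypt/renewal) lacking both a non-empty webroot_path
# and a [[webroot_map]] entry. Commented-out lines are ignored.
find_broken_webroot_confs() {
    local dir="${1:-/etc/letsencrypt/renewal}" f
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if awk '
            /^[ \t]*#/                   { next }               # comment line
            /^[ \t]*\[\[webroot_map\]\]/ { in_map = 1; next }   # per-domain map
            /^[ \t]*\[/                  { in_map = 0; next }   # other section
            in_map && /=[ \t]*[^ \t]/    { has_root = 1; next } # domain = dir
            /^[ \t]*authenticator[ \t]*=[ \t]*webroot[ \t]*$/ { webroot = 1 }
            /^[ \t]*webroot_path[ \t]*=[ \t]*[^ \t,]/         { has_root = 1 }
            END { exit !(webroot && !has_root) }
        ' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample configs (placeholder values) in a temporary directory.
make_sample_confs() {
    local d; d=$(mktemp -d)
    cat > "$d/broken.example.conf" <<'EOF'
# renew_before_expiry = 30 days
[renewalparams]
account = PLACEHOLDER
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
EOF
    cat > "$d/good.example.conf" <<'EOF'
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
example.org = /var/www/html
EOF
    printf '%s\n' "$d"
}

# Demo on the samples; prints the file name of each broken config.
demo() {
    local d; d=$(make_sample_confs)
    find_broken_webroot_confs "$d" | sed 's|.*/||'
    rm -rf "$d"
}
demo
```

After correcting a flagged file, `certbot renew --dry-run` exercises the renewal without replacing the live certificate.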

root@instance-1:~# certbot --version
certbot 1.22.0

1 Like

It says "webroot", but no webroot is given.
Which may indicate a bug in the version of certbot used when the cert was issued.
Since the renewal.conf file is already suffering from that effect, it needs to be corrected.
Try finding the issuing command in the history, with:
history | grep -i certbot | grep -i webroot

1 Like

root@instance-1:~# history | grep -i certbot | grep -i webroot
501 history | grep -i certbot | grep -i webroot

Try:
grep -ERi 'servername|serveralias|root' /etc/apache2/sites-enabled/

1 Like

```
root@instance-1:~# grep -ERi 'servername|serveralias|root' /etc/apache2/sites-enabled/
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     #ServerName www.example.com
/etc/apache2/sites-enabled/000-default-le-ssl.conf:     DocumentRoot /var/www/html
/etc/apache2/sites-enabled/000-default-le-ssl.conf:ServerName casaroca.site
/etc/apache2/sites-enabled/000-default-le-ssl.conf:ServerAlias www.casaroca.site
/etc/apache2/sites-enabled/000-default.conf:    # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-enabled/000-default.conf:    # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-enabled/000-default.conf:    #ServerName www.example.com
/etc/apache2/sites-enabled/000-default.conf:    DocumentRoot /var/www/html
```

Please show the output of:
certbot certificates

1 Like

```
root@instance-1:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: casaroca.org
    Serial Number: 406e9083ab4ebd0**9238651aac**99cf87
    Key Type: RSA
    Domains: casaroca.org www.casaroca.org
    Expiry Date: 2021-12-12 17:45:21+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/casaroca.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/casaroca.org/privkey.pem
  Certificate Name: casaroca.site
    Serial Number: 48f2f843498293fea3854ea0a23844469ea
    Key Type: RSA
    Domains: casaroca.site www.casaroca.site
    Expiry Date: 2021-09-21 03:33:49+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/casaroca.site/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/casaroca.site/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

One last piece...
Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS

1 Like

```
root@instance-1:~# sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443  casaroca.site (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80   casaroca.site (/etc/apache2/sites-enabled/000-default.conf:1)
AH00180: WARNING: MaxRequestWorkers of 544 exceeds ServerLimit value of 256 servers, decreasing MaxRequestWorkers
 to 256. To increase, please see the ServerLimit directive.
```

I don't see a vhost that covers the ".org" name ? ? ?
Does casaroca.site and casaroca.org serve the same content/site/folder ?

1 Like

Same content.

OK, let's see which cert (path) is being used:
grep privkey /etc/apache2/sites-enabled/000-default-le-ssl.conf

1 Like

root@instance-1:~# grep privkey /etc/apache2/sites-enabled/000-default-le-ssl.conf
SSLCertificateKeyFile /etc/letsencrypt/live/casaroca.site/privkey.pem

THIS IS A ONE TIME FIX - DO NOT DO THIS TO RENEW

Ok, do all three without restarting Apache/LiteSpeed:

1:

```
certbot delete --cert-name casaroca.org
```

2:

```
certbot delete --cert-name casaroca.site
```

3:

```
certbot certonly \
 --cert-name casaroca.site \
 --webroot -w /var/www/html \
 -d "casaroca.org,www.casaroca.org,casaroca.site,www.casaroca.site" \
 --force-renewal
```

1 Like