No renewals were attempted

Please fill out the fields below so we can help you better.

My domain is: https://www.kastery.com/

I ran this command: sudo certbot renew

It produced this output: No renewals were attempted.

My web server is (include version): Node.js, Express.js, nginx reverse proxy

The operating system my web server runs on is (include version): Ubuntu 17.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I moved the base folder “/etc/letsencrypt” to the path “/home/userxxxx/letsencrypt”. I don’t know about the failure.

My log:
2017-08-28 21:23:43,408:DEBUG:certbot.main:certbot version: 0.14.2
2017-08-28 21:23:43,408:DEBUG:certbot.main:Arguments: []
2017-08-28 21:23:43,408:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-08-28 21:23:43,422:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fc3d9b18190> and installer <certbot.cli._Default object at 0x7fc3d9b18190>
2017-08-28 21:23:43,440:DEBUG:certbot.log:Root logging level set at 20
2017-08-28 21:23:43,441:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-08-28 21:23:43,442:DEBUG:certbot.renewal:no renewal failures

Can you help me?

I don’t think moving the base Let’s Encrypt directory is supported by Certbot… That’s a really important set of files, and there are a lot of very sensitive symlinks set up there. You might have to start over and let Certbot rebuild that.

Yeah, certbot just isn’t finding where you moved its directory to.

If you move this directory you have to tell certbot where it is every time you run it, e.g.

sudo certbot --config-dir /home/userxxxx/letsencrypt renew

OK, thanks. Now I moved the letsencrypt directory to /etc/letsencrypt, and I got the next error.

I use the command: sudo certbot renew --dry-run

My error:

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kastery.com
http-01 challenge for www.kastery.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/kastery.com.conf produced an unexpected error: Failed authorization procedure. kastery.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kastery.com/.well-known/acme-challenge/Nlzr53IKzCd0394pQl3kkJQlUtrOwFCII7mQduRnlrE: “<link rel=“preload” href=”/_next/1377841f-dfc8-4e89-81ea-166d1f3f2b0b/page/.well-known/acme-challenge", www.kastery.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.kastery.com/.well-known/acme-challenge/aYLChAer7TCYFBwhXmctTmhEb9SSnIV3v_JOUEhZD-8: “<link rel=“preload” href=”/_next/1377841f-dfc8-4e89-81ea-166d1f3f2b0b/page/.well-known/acme-challenge". Skipping.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/kastery.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Can you help me? My knowledge of systems is limited.

So http-01 verification works by placing a file in your web serving directory and then asking the Let’s Encrypt servers if they can see it. But instead of getting this file back, they are getting something from your node server instead.

You’ll need to make sure nginx serves static files from that directory, or make sure your node server is serving static files instead. You can see what certbot thinks is your current webroot by examining /etc/letsencrypt/renewal/kastery.com.conf and if you need to change it you can do so by rerunning the command you ran to issue in the first place, but with the right directory.

Alternatively, you could switch to tls-sni-01 verification, which works at a higher level and won’t be bothered by the proxy. You can switch by issuing a command like:

sudo certbot certonly --nginx -d kastery.com -d www.kastery.com --renew-hook 'systemctl reload nginx'

That will issue your certificate but not permanently affect your nginx configuration, since you appear to already have SSL enabled. You may not have had the renew-hook option set before but that would take care of reloading your certificate on renewal so you don’t have to.
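Added example (not part of the original thread, and not Certbot's own code): a Python sketch of the check described in the reply above. It reads the webroot recorded in a renewal file and classifies the body returned for an http-01 challenge URL. The sample renewal file and the /var/www/html webroot are constructed assumptions; the function names are hypothetical.

```python
import re

# Constructed sample in the layout certbot writes to
# /etc/letsencrypt/renewal/<name>.conf; the webroot path is an assumption.
SAMPLE_CONF = """\
version = 0.14.2
fullchain = /etc/letsencrypt/live/kastery.com/fullchain.pem

[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
kastery.com = /var/www/html
www.kastery.com = /var/www/html
"""

def parse_renewal_conf(text):
    """Return (authenticator, {domain: webroot}) from a renewal conf."""
    section, authenticator, webroots = None, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[+([^\[\]]+)\]+", line)
        if header:  # "[renewalparams]" or nested "[[webroot_map]]"
            section = header.group(1)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "renewalparams" and key == "authenticator":
            authenticator = value
        elif section == "webroot_map":
            webroots[key] = value
    return authenticator, webroots

def challenge_file(webroot, token):
    """File that must be served verbatim at /.well-known/acme-challenge/<token>."""
    return f"{webroot.rstrip('/')}/.well-known/acme-challenge/{token}"

def classify_response(token, body):
    """Classify what the validation server received for an http-01 fetch."""
    text = body.strip()
    # Expected body: "<token>.<base64url SHA-256 thumbprint of the account key>"
    if re.fullmatch(re.escape(token) + r"\.[A-Za-z0-9_-]{43}", text):
        return "key-authorization"
    if text.startswith("<"):  # markup: the proxy handed the request to the app
        return "html-from-application"
    return "unexpected-body"

if __name__ == "__main__":
    print(parse_renewal_conf(SAMPLE_CONF))
```

An "html-from-application" result for a token whose file exists under the recorded webroot means the request never reached that directory, which matches the `<link rel="preload" ...` body in the error output above.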

@Patches Thank you very much.
I used this command: sudo certbot certonly --nginx -d kastery.com -d www.kastery.com --renew-hook 'systemctl reload nginx'

It works!

Can I push this command, sudo certbot certonly --nginx -d kastery.com -d www.kastery.com --renew-hook 'systemctl reload nginx', to crontab -e?

I’m glad you got it working! :grin:

You do not need to specify the --renew-hook option with certbot renew if you specified it when issuing the certificate. Certbot saved that option to the renewal configuration file I mentioned earlier, and it will recall it on subsequent invocations.

If you installed certbot from Ubuntu via apt-get or synaptic, you shouldn’t have to create a cronjob at all. It usually installs a cronjob or systemd timer for you.

OK, so it means I don’t use a cronjob; there is already an automatic renewal cronjob? I installed via apt-get.

Yes. You can check by running systemctl status certbot.timer

Thank you very much.
