Not able to renew or delete expired cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sarvagram.com

I ran this command: certbot renew --force-renewal -d sarvagram.com

It produced this output: Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.22.0

I ran this command: certbot certonly -d sarvagram.com
(selected apache for ACME CA)

It produced this output: Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: sarvagram.com
Type: unauthorized
Detail: Invalid response from http://sarvagram.com/.well-known/acme-challenge/P8yHlG3fP0kFAea9uH0K0TsKdivg_z6uuhFr6RFQwSE [170.249.236.20]: "<html lang="en-US"><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"


I ran this command: sudo certbot delete --cert-name sarvagram.com

It produced this output: No certificate found with name sarvagram.com (expected /etc/letsencrypt/renewal/sarvagram.com.conf).

I am neither able to delete the expired cert nor able to renew it.

What can I do to renew the cert?

Suraj

Your server is pretty old.

What's the output of certbot certificates?


NB: you have issued two certificates today. DON'T SPAM COMMANDS, you will get ratelimited.

2 Likes

Welcome @surajmundada

You have a wide variety of certs. See here

I see that you renewed a new wildcard cert today. Did you resolve your problem?

The format of your renew command was wrong. Usually you just do this to renew all certs that are due to expire:

certbot renew

To renew just one cert you use the --cert-name X option and not the -d option. The X is the name of the cert which you see using:

certbot certificates

And, please avoid using --force-renewal. It does not fix problems with renewing - it only forces renewing before they are due and can cause problems with rate limiting.

2 Likes

What? Only the person controlling the domain can successfully run commands

2 Likes

Successfully, yes. There are some host-based rate limits. And if you spam --force-renewal you get rate limited pretty quickly in either case (too many certs or too many failed validations).

2 Likes

What do you mean by spam a command? Using personal slang does not translate well especially on a forum where English is not first language for many.

3 Likes

"Run it carelessly several times in a row"

3 Likes

Run:
certbot renew

This is wrong in several ways:

Never use --force-renewal to request a renewal.
The names on the cert are: sarvagram.com AND www.sarvagram.com
Trying to renew a cert via only one of the two names isn't renewing any existing cert at all.

Yeah, you need to see what certs you have and which names they cover:
So, show the output of:
certbot certificates

Also, there was a wildcard cert issued today:
crt.sh | 6045529568
But it doesn't cover the apex domain "sarvagram.com".
[make sure it is being used correctly]

1 Like

Dear all, Thanks for your reverts.

Will be careful not to use force renewal.

certbot certificates command returns "No Certificates found" message

As mentioned, I got a new certificate *.sarvagram.com but it shows nowhere in any folder inside /etc/letsencrypt

I have sarvagram.com folder in /etc/letsencrypt/live with 4 pem files. And /etc/letsencrypt/renewal has a file "sarvagram.com" created on 25 Jan 2022. Other folders have no other certificates.

What can I do next to activate *.sarvagram.com?

Please note that my certificate sarvagram.com had already expired before I ran renew or any other command.

Also, I am not sure how earlier sarvagram.com certificate worked properly for all webapps with subdomains like pm.sarvagram.com, reports.sarvagram.com etc. For cert to work with subdomains, won't I need wildcard certificate?

Regards,
Suraj

2 Likes

Please show the entire output of:
certbot certificates

1 Like

Console output -

root@ip-172-31-46-121:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certificates found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

letsencrypt.log contents -

2022-01-26 13:02:58,301:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-01-26 13:02:58,742:DEBUG:certbot._internal.main:certbot version: 1.22.0
2022-01-26 13:02:58,742:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1670/bin/certbot
2022-01-26 13:02:58,742:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2022-01-26 13:02:58,743:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-01-26 13:02:58,760:DEBUG:certbot._internal.log:Root logging level set at 30
2022-01-26 13:02:58,762:DEBUG:certbot._internal.display.obj:Notifying user: No certificates found.

Did you run "certbot delete" or remove files, or directories, from within the /etc/letsencrypt/ folder at any point?

1 Like

I did not try removing any files manually

I had used " sudo certbot delete --cert-name sarvagram.com"

OK. I suppose that was the only cert you had then.
How many times did you run "certbot delete"?

1 Like

I don't remember now ... maybe twice

OK.
Well, it seems that one of those did the job and it deleted your cert.
I won't bother asking why you thought you needed to do that.
Let's try and get you a new cert.
Please show the output of:
apachectl -t -D DUMP_VHOSTS

1 Like
root@ip-172-31-46-121:/etc/letsencrypt# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server jenkins.sarvagram.com (/etc/apache2/sites-enabled/jenkins.conf:1)
         port 80 namevhost jenkins.sarvagram.com (/etc/apache2/sites-enabled/jenkins.conf:1)
         port 80 namevhost pm.sarvagram.com (/etc/apache2/sites-enabled/openproject.conf:3)
         port 80 namevhost repo.sarvagram.com (/etc/apache2/sites-enabled/repo.conf:1)
         port 80 namevhost ldap.sarvagram.com (/etc/apache2/sites-enabled/update-password.conf:1)
         port 80 namevhost dummy.sarvagram.com (/etc/apache2/sites-enabled/zzz_dummy.conf:1)
*:443                  is a NameVirtualHost
         default server jenkins.sarvagram.com (/etc/apache2/sites-enabled/jenkins.conf:8)
         port 443 namevhost jenkins.sarvagram.com (/etc/apache2/sites-enabled/jenkins.conf:8)
         port 443 namevhost pm.sarvagram.com (/etc/apache2/sites-enabled/openproject.conf:9)
         port 443 namevhost repo.sarvagram.com (/etc/apache2/sites-enabled/repo.conf:15)
         port 443 namevhost ldap.sarvagram.com (/etc/apache2/sites-enabled/update-password.conf:6)
         port 443 namevhost dummy.sarvagram.com (/etc/apache2/sites-enabled/zzz_dummy.conf:6)

How are those files able to encrypt anything?
Please show one of those files.

1 Like
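To see which of those vhost names a given certificate actually covers, here is an added example (not code from this thread or from Certbot) that parses the port-443 part of the apachectl DUMP_VHOSTS output above, embedded inline as a constructed sample, and applies the usual one-label wildcard rule: *.sarvagram.com covers pm.sarvagram.com but not the apex sarvagram.com, and a cert for only sarvagram.com and www.sarvagram.com covers none of the subdomain vhosts.

```python
import re

# Constructed sample: the port-443 block of the apachectl -t -D DUMP_VHOSTS
# output quoted in this thread (the "default server" line carries no name).
DUMP_VHOSTS = """\
*:443                  is a NameVirtualHost
         default server jenkins.sarvagram.com (/etc/apache2/sites-enabled/jenkins.conf:8)
         port 443 namevhost jenkins.sarvagram.com (/etc/apache2/sites-enabled/jenkins.conf:8)
         port 443 namevhost pm.sarvagram.com (/etc/apache2/sites-enabled/openproject.conf:9)
         port 443 namevhost repo.sarvagram.com (/etc/apache2/sites-enabled/repo.conf:15)
         port 443 namevhost ldap.sarvagram.com (/etc/apache2/sites-enabled/update-password.conf:6)
         port 443 namevhost dummy.sarvagram.com (/etc/apache2/sites-enabled/zzz_dummy.conf:6)
"""

# Names on the two certs discussed in the thread.
OLD_CERT_NAMES = {"sarvagram.com", "www.sarvagram.com"}
WILDCARD_CERT_NAMES = {"*.sarvagram.com"}

VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \(")

def tls_vhost_names(dump):
    """Return the ServerName of every port-443 name-based vhost, in order."""
    names = []
    for line in dump.splitlines():
        m = VHOST_RE.match(line)
        if m and m.group(1) == "443":
            names.append(m.group(2).lower())
    return names

def name_matches(cert_name, host):
    """Hostname matching as browsers apply it (RFC 6125): a wildcard stands for
    exactly one leftmost label, so *.example.com covers www.example.com but
    neither the apex example.com nor the deeper a.b.example.com."""
    cert_name, host = cert_name.lower(), host.lower()
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost

def uncovered(cert_names, hosts):
    """Hosts that would get a browser name-mismatch error with this cert."""
    return [h for h in hosts if not any(name_matches(c, h) for c in cert_names)]

if __name__ == "__main__":
    hosts = tls_vhost_names(DUMP_VHOSTS)
    print("old cert leaves uncovered:", uncovered(OLD_CERT_NAMES, hosts))
    print("wildcard leaves uncovered:", uncovered(WILDCARD_CERT_NAMES, hosts + ["sarvagram.com"]))
```

Run it against the real output of apachectl -t -D DUMP_VHOSTS and the names from certbot certificates to see which vhosts still need a cert that lists them (or a wildcard plus a separate apex entry).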

"/etc/apache2/sites-enabled/repo.conf"

<VirtualHost *:80>
  ServerName repo.sarvagram.com

  Redirect permanent / http://repo.sarvagram.com/

  ProxyRequests off

  RewriteEngine On
  RewriteRule "^/1$" "/" [R,L]
  ProxyPass "/" "http://127.0.0.1:$$$$$/" retry=0
  ProxyPassReverse "/" "http://127.0.0.1:$$$$$/"

</VirtualHost>

<VirtualHost *:443>
  ServerName repo.sarvagram.com

  SSLEngine on

  ProxyRequests off

  RewriteEngine On
  RewriteRule "^/1$" "/" [R,L]
  ProxyPass "/" "http://127.0.0.1:$$$$$/" retry=0
  ProxyPassReverse "/" "http://127.0.0.1:$$$$$/"

  SSLCertificateFile      /etc/letsencrypt/live/sarvagram.com/cert.pem
  SSLCertificateKeyFile   /etc/letsencrypt/live/sarvagram.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/sarvagram.com/fullchain.pem
</VirtualHost>

I have replaced the actual port numbers with $$$$$

Please show the output of:
ls -lR /etc/letsencrypt/live/

1 Like