Not getting PEM files when requesting new certificate

Help
1

I’m trying to get new certificate for new domain, but I’m not getting the PEM files in the /etc/letsencrypt/live folder:

cert.pem
chain.pem
fullchain.pem
privkey.pem

I created the /etc/letsencrypt/live/avvau.com folder but I’m still not getting the PEM files.

My domain is: avvau.com

I ran this command:
/opt/letsencrypt/letsencrypt-auto certonly --config /etc/letsencrypt/cli.ini -w /var/www/avvau.com/public_html -d avvau.com -d www.avvau.com

It produced this output:
Updating letsencrypt and virtual environment dependencies…

My web server is (include version):
Apache/2.2.22 (Ubuntu)

The operating system my web server runs on is (include version):
Linux 12.04.4 LTS, Precise Pangolin

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot: command not found
cerbot-auto: command not found

2

Hi @curt

if you use letsencrypt-auto, you should update to certbot. That's a too old version.

Same with your Ubuntu.

Ubuntu 12.04 LTS reached its regular End of Life on April 28, 2017.

What's the error message?

3

@JuergenAuer

Thanks for your reply.
How do I update to certbot?

I’d rather not update Ubuntu right now because it will make me do a lot of work, such as updating MySQL, PHP, my programs, etc.
I have other domains running fine with Letsencrypt certificates, so if I can get by with 12.04, I’d like to do that for now.

I did not get any error message. After showing the following, it showed the terminal prompt:

Updating letsencrypt and virtual environment dependencies…

4

Checked your website (via https://check-your-website.server-daten.de/?q=avvau.com ) you have redirects http -> https and you use Cloudflare.

But Cloudflare requires a working certificate.

Instead, https creates (Cloudflare) errors.

Error 526 Ray ID: 4c668ee148a0d113 • 2019-04-12 16:25:46 UTC Invalid SSL certificate You Browser Working Berlin Cloudflare Working avvau.com Host Error What happened? The origin web server does not have a valid SSL certificate. What can I do? If you're a visitor of this website: Please try again in a few minutes. If you're the owner of this website: The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server. Additional troubleshooting information here. Cloudflare Ray ID: 4c668ee148a0d113 • Your IP : 2a01:238:301b::1229 • Performance & security by Cloudflare

So disable Cloudflare (or disable the redirect http -> https), create a certificate, then enable Cloudflare again.

Perhaps it may work if you disable only the redirect http -> https. If Cloudflare sends the request to your server, then your http port should answer.

5

@JuergenAuer
In Cloudflare:

  • Under Crytpo, I turned SSL to Off.
  • Under DNS, for the A and CNAME records, I clicked the orange clouds to turn them to gray, so that traffic will bypass Cloudflare.

I tried creating the certificates again, and I’m still not getting PEM files and no error message.

Should I change the nameservers to point to my hosting company instead of Cloudflare?

6

I don't understand why there is no output.

What says

/var/log/letsencrypt/letsencrypt.log

I'm not firm with that old letsencrypt-client. Perhaps that client supports only tls-sni-01 validation, that's not longer supported. Or did you create other certificates with the same command?

What says

letsencrypt-auto --version

That may be the next step. But without a log of your client it's terrible.

7

@JuergenAuer
From the last lines of /var/log/letsencrypt/letsencrypt.log, it showed this:

2019-03-02 04:59:51,090:ERROR:certbot.renewal:The following certs could not be renewed:
2019-03-02 04:59:51,091:ERROR:certbot.renewal:  /etc/letsencrypt/live/testdomain.com/fullchain.pem (failure)
2019-03-02 04:59:51,092:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

I have created other certificates with the same command, but I did that a couple of years ago.

I ran:

/opt/letsencrypt/letsencrypt-auto --version

It showed the same thing as when I tried to create a certificate. It showed:

Updating letsencrypt and virtual environment dependencies...

After half a minute, it showed the terminal prompt.

Let me know if I should change the nameservers to point to my hosting company instead of Cloudflare.

8

Then your installation is corrupt.

With a not working installation, it's impossible to create a new certificate.

Installing certbot-auto may not work, but you can try it.

Perhaps select another client.

9

@JuergenAuer
I already have a couple of domains with Letsencrypt certificates on my server, since a few years ago. They work fine and have been auto-renewing every month or so, for the past few years. If they still work, I do not understand why I am not able to create a new certificate with the same installation.

Should I try changing the nameservers to point to my hosting company instead of to Cloudflare, and then try creating certificates again?

10

@JuergenAuer
I first started using Letsencrypt in January 2016. At that time, I followed directions at https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

As you can see, it says to execute:

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
$ sudo certbot --apache -d example.com -d www.example.com

Today, I ran and got the following:

$ sudo certbot --config /etc/letsencrypt/cli.ini -w /var/www/avvau.com/public_html -d avvau.com -d www.avvau.com
certbot: command not found
$ sudo /opt/letsencrypt/certbot --config /etc/letsencrypt/cli.ini -w /var/www/avvau.com/public_html -d avvau.com -d www.avvau.com
-bash: /opt/letsencrypt/certbot: No such file or directory

I confirmed that certbot does not exist in /opt/letsencrypt, but certbot-auto does

I tried running the following and got:

$ sudo /opt/letsencrypt/certbot-auto certonly --config /etc/letsencrypt/cli.ini -w /var/www/avvau.com/public_html -d avvau.com -d www.avvau.com
Bootstrapping dependencies for Debian-based OSes... (you can skip this with --no-bootstrap)
Hit http://archive.ubuntu.com precise Release.gpg                                                                   
Hit http://archive.ubuntu.com precise-updates Release.gpg                                                           
Hit http://archive.ubuntu.com precise-backports Release.gpg                                                         
Hit http://archive.ubuntu.com precise Release                                                                       
Hit http://archive.ubuntu.com precise-updates Release           
Hit http://archive.ubuntu.com precise-backports Release                                                      
Hit http://archive.ubuntu.com precise/main Sources                                                           
Hit http://archive.ubuntu.com precise/restricted Sources                              
Hit http://archive.ubuntu.com precise/universe Sources                                
Hit http://archive.ubuntu.com precise/multiverse Sources                              
Hit http://archive.ubuntu.com precise/main amd64 Packages                             
Hit http://archive.ubuntu.com precise/restricted amd64 Packages                       
Hit http://archive.ubuntu.com precise/universe amd64 Packages                         
Hit http://archive.ubuntu.com precise/multiverse amd64 Packages                       
Hit http://archive.ubuntu.com precise/main i386 Packages                              
Hit http://archive.ubuntu.com precise/restricted i386 Packages                        
Hit http://archive.ubuntu.com precise/universe i386 Packages                                             
Hit http://archive.ubuntu.com precise/multiverse i386 Packages                                           
Hit http://archive.ubuntu.com precise/main TranslationIndex                                              
Hit http://archive.ubuntu.com precise/multiverse TranslationIndex                                        
Hit http://archive.ubuntu.com precise/restricted TranslationIndex                                        
Hit http://archive.ubuntu.com precise/universe TranslationIndex                                          
Hit http://archive.ubuntu.com precise-updates/main Sources                                               
Hit http://archive.ubuntu.com precise-updates/restricted Sources                                         
Hit http://archive.ubuntu.com precise-updates/universe Sources                                           
Hit http://archive.ubuntu.com precise-updates/multiverse Sources                                         
Hit http://archive.ubuntu.com precise-updates/main amd64 Packages                                        
Hit http://archive.ubuntu.com precise-updates/restricted amd64 Packages                                  
Hit http://archive.ubuntu.com precise-updates/universe amd64 Packages                                    
Hit http://archive.ubuntu.com precise-updates/multiverse amd64 Packages                                  
Hit http://archive.ubuntu.com precise-updates/main i386 Packages                                         
Hit http://archive.ubuntu.com precise-updates/restricted i386 Packages                                   
Hit http://archive.ubuntu.com precise-updates/universe i386 Packages                                     
Hit http://archive.ubuntu.com precise-updates/multiverse i386 Packages                                   
Hit http://archive.ubuntu.com precise-updates/main TranslationIndex                                      
Hit http://archive.ubuntu.com precise-updates/multiverse TranslationIndex                                
Hit http://archive.ubuntu.com precise-updates/restricted TranslationIndex                                
Hit http://archive.ubuntu.com precise-updates/universe TranslationIndex            
Hit http://archive.ubuntu.com precise-backports/main Sources                       
Hit http://archive.ubuntu.com precise-backports/restricted Sources                 
Hit http://archive.ubuntu.com precise-backports/universe Sources                   
Hit http://archive.ubuntu.com precise-backports/multiverse Sources                 
Hit http://archive.ubuntu.com precise-backports/main amd64 Packages                                      
Hit http://archive.ubuntu.com precise-backports/restricted amd64 Packages                                
Hit http://archive.ubuntu.com precise-backports/universe amd64 Packages                                  
Hit http://archive.ubuntu.com precise-backports/multiverse amd64 Packages                                
Hit http://archive.ubuntu.com precise-backports/main i386 Packages                                       
Hit http://archive.ubuntu.com precise-backports/restricted i386 Packages           
Hit http://archive.ubuntu.com precise-backports/universe i386 Packages             
Hit http://archive.ubuntu.com precise-backports/multiverse i386 Packages                                 
Hit http://archive.ubuntu.com precise-backports/main TranslationIndex                                    
Hit http://archive.ubuntu.com precise-backports/multiverse TranslationIndex                              
Hit http://archive.ubuntu.com precise-backports/restricted TranslationIndex                              
Hit http://archive.ubuntu.com precise-backports/universe TranslationIndex                                
Hit http://archive.ubuntu.com precise/main Translation-en                                                
Hit http://archive.ubuntu.com precise/multiverse Translation-en                                          
Hit http://archive.ubuntu.com precise/restricted Translation-en                                          
Hit http://archive.ubuntu.com precise/universe Translation-en                                            
Hit http://archive.ubuntu.com precise-updates/main Translation-en                                        
Hit http://archive.ubuntu.com precise-updates/multiverse Translation-en                                  
Hit http://archive.ubuntu.com precise-updates/restricted Translation-en                                  
Hit http://archive.ubuntu.com precise-updates/universe Translation-en                                    
Hit http://archive.ubuntu.com precise-backports/main Translation-en                                      
Hit http://archive.ubuntu.com precise-backports/multiverse Translation-en              
Hit http://archive.ubuntu.com precise-backports/restricted Translation-en              
Hit http://archive.ubuntu.com precise-backports/universe Translation-en                
Hit http://security.ubuntu.com precise-security Release.gpg                                                         
Hit http://security.ubuntu.com precise-security Release          
Hit http://security.ubuntu.com precise-security/main Sources
Hit http://security.ubuntu.com precise-security/restricted Sources
Hit http://security.ubuntu.com precise-security/universe Sources
Hit http://security.ubuntu.com precise-security/multiverse Sources
Hit http://security.ubuntu.com precise-security/main amd64 Packages
Hit http://security.ubuntu.com precise-security/restricted amd64 Packages
Hit http://security.ubuntu.com precise-security/universe amd64 Packages
Hit http://security.ubuntu.com precise-security/multiverse amd64 Packages
Hit http://security.ubuntu.com precise-security/main i386 Packages
Hit http://security.ubuntu.com precise-security/restricted i386 Packages
Hit http://security.ubuntu.com precise-security/universe i386 Packages
Hit http://security.ubuntu.com precise-security/multiverse i386 Packages
Hit http://security.ubuntu.com precise-security/main TranslationIndex
Hit http://security.ubuntu.com precise-security/multiverse TranslationIndex
Hit http://security.ubuntu.com precise-security/restricted TranslationIndex
Hit http://security.ubuntu.com precise-security/universe TranslationIndex
Hit http://security.ubuntu.com precise-security/main Translation-en
Hit http://security.ubuntu.com precise-security/multiverse Translation-en
Hit http://security.ubuntu.com precise-security/restricted Translation-en
Hit http://security.ubuntu.com precise-security/universe Translation-en
Reading package lists... Done 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
augeas-lenses is already the newest version.
augeas-lenses set to manually installed.
gcc is already the newest version.
libaugeas0 is already the newest version.
libffi-dev is already the newest version.
python-virtualenv is already the newest version.
ca-certificates is already the newest version.
libssl-dev is already the newest version.
openssl is already the newest version.
python is already the newest version.
python-dev is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 49 not upgraded.
Upgrading certbot-auto 0.32.0 to 0.33.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
/opt/eff.org/certbot/venv/bin/python: No module named pip.__main__; 'pip' is a package and cannot be directly executed
Traceback (most recent call last):
  File "/tmp/tmp.WjK4JFYugS/pipstrap.py", line 177, in <module>
    sys.exit(main())
  File "/tmp/tmp.WjK4JFYugS/pipstrap.py", line 149, in main
    pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version'])
  File "/usr/lib/python2.7/subprocess.py", line 544, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['/opt/eff.org/certbot/venv/bin/python', '-m', 'pip', '--version']' returned non-zero exit status 1

From:

It says to install Certbot and run:

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo /path/to/certbot-auto --apache

I didn’t install Cerbot as it suggested, but I ran the following:

$ sudo /path/to/certbot-auto --apache

I got the same long list of return messages as you see above. There is still nothing in /etc/letsencrypt/live/avvau.com

A few questions:

11

Recent versions of certbot-auto are incompatible with the ancient version of pip in Ubuntu 12.04.

See this thread (which mostly discusses Debian 7, which is also EOL, but it's the same issue):

You can work around that issue, but you should upgrade to a newer OS.

12

@mnordhoff
As suggested by user gery at PIP error with certbot-auto , I made the following changes to certbot-auto:

pip_version = StrictVersion(check_output([python, '-m', 'pip', '--version'])
by
pip_version = StrictVersion(check_output(['pip', '--version'])

and
command = [python, '-m', 'pip', 'install', '--no-index', '--no-deps', '-U']
by
command = ['pip', 'install', '--no-index', '--no-deps', '-U']

Then I ran the following:

$ /opt/letsencrypt/certbot-auto certonly --config /etc/letsencrypt/cli.ini -w /var/www/avvau.com/public_html -d avvau.com -d www.avvau.com

It gave the following response:

/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
  utils.PersistentlyDeprecated2018,
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for avvau.com
http-01 challenge for www.avvau.com
Using the webroot path /var/www/avvau.com/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/avvau.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/avvau.com-0001/privkey.pem
   Your cert will expire on 2019-07-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

So, it worked. Thanks for your help!

13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.