Novice User Choking on renew

I renewed and it first failed, saying that the vhost was not able to get out on 80 to renew, so it failed. I updated certbot and renewed, and it renewed successfully. Unfortunately, when I navigate to the URL, the certs state that they expired yesterday, and it does not see the new ones. When I run renew again it says they are current. I am completely lost. Any advice is much appreciated. Thank you.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.racewurx.com

I ran this command:
certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/racewurx.com.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/www.racewurx.com.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/racewurx.com/fullchain.pem expires on 2020-04-26 (skipped)
/etc/letsencrypt/live/www.racewurx.com/fullchain.pem expires on 2020-04-26 (skipped)
No renewals were attempted.

My web server is (include version):
Server version: Apache/2.2.24 (Unix)
Server built: Aug 24 2013 21:10:43

The operating system my web server runs on is (include version):
OSX 10.9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Latest as of today

2 Likes

Hi @spamtasticus,

If you originally obtained these certificates without using --apache, or using certonly, then Certbot may not have installed them in your Apache configuration for you. In that case, Certbot wouldn’t know to restart or reload Apache after renewing the certificate; your new certificates may be present on your hard drive, but Apache may not have noticed that they’re there. You might have to do an Apache restart or reload manually after your renewal succeeds, or tell Certbot how to do it with a --deploy-hook option.

2 Likes
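A deploy hook of the kind described above, as an added example that is not from this thread or from Certbot itself. It relies on the RENEWED_LINEAGE variable that Certbot exports to --deploy-hook scripts; the APACHECTL override is an assumption of this example so the function can be exercised without a live Apache.

```shell
#!/bin/sh
# Added example: reload Apache only after a successful renewal has left a
# complete lineage on disk and the configuration still passes configtest.
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/racewurx.com) for
# --deploy-hook scripts. APACHECTL is an assumed override for testing.
set -u

APACHECTL="${APACHECTL:-apachectl}"

# deploy_hook <lineage-dir>
# Returns 0 when cert and key are present and Apache was reloaded,
# 1 when the lineage is incomplete, 2 when configtest failed (no reload).
deploy_hook() {
    lineage="$1"
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$lineage/$f" ]; then
            echo "deploy-hook: missing $lineage/$f, not reloading" >&2
            return 1
        fi
    done
    # Never reload into a broken config: a failed configtest leaves the
    # running server (still serving the old cert) up instead of taking it down.
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        echo "deploy-hook: apachectl configtest failed, not reloading" >&2
        return 2
    fi
    # graceful finishes in-flight requests and re-reads the certificate files.
    "$APACHECTL" graceful
}

# Entry point when Certbot runs this script as the deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook "$RENEWED_LINEAGE"
fi
```

Save it somewhere executable and pass it with `certbot renew --deploy-hook /path/to/reload-apache.sh`; Certbot only runs the hook for lineages that were actually renewed.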

Thanks schoen. I am not familiar with --deploy-hook but will look that up.

I actually reinstalled apache because I believed I pooched it and decided to run:

administrators-Mac-mini:~ administrator$ sudo certbot --apache
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): racewurx.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for racewurx.com
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
administrators-Mac-mini:~ administrator$

Trying to add the virtual host is when I destroyed it last time. Any tips? Thank you.

How did you configure this Apache server to use your Let’s Encrypt certificate? Did you manually edit the Apache server configuration?

1 Like

When you use certbot --apache, Certbot assumes that you have an existing Apache virtual host for your domain that listens on port 80 (unencrypted HTTP). It will use that as part of its proof that you control your domain name, and then will also create a new port 443 virtual host (for HTTPS) with the new certificate, based on the existing port 80 virtual host. The idea of this is that Certbot is starting with a working HTTP site and creating a new HTTPS site based on the existing HTTP site.

If you only have a default Apache configuration (without a specific virtual host for your domain), this method will probably not work to configure your site automatically. In this case you would have to skip using Certbot’s Apache integration (i.e., not use --apache), or else first set up a new HTTP virtual host that works the way you want for the specific site that you’re trying to configure.

2 Likes

I’m sure you are correct. I have tried teaching myself how to set up the vhost but seem to be getting something wrong. I have gone through a few different tutorials but can’t seem to get it going well. For example, do I have to use the include command and use a separate doc, or can I just configure it in the config doc itself? I especially don’t understand what the documentroot is, or where it is for that matter. Is that where the cert docs are stored? I’m not sure where certbot created them. Can you recommend a good tutorial? Thank you so much for your help.

1 Like

Ok. I guess it’s the directory to my index. Trying that now.

1 Like

This happened:

administrators-Mac-mini:~ administrator$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: dummy-host.example.com
2: www.dummy-host.example.com
3: racewurx.com
4: www.racewurx.com

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 3 4
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/racewurx.com.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
Created an SSL vhost at /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf
Deploying Certificate to VirtualHost /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf
Enabling site /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf by adding Include to root configuration
Deploying Certificate to VirtualHost /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf
Error while running apachectl configtest.

Warning: DocumentRoot [/usr/docs/dummy-host.example.com] does not exist
Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
This version of openssl does not support configuring compression within sections.

Rolling back to previous server configuration…
Error while running apachectl configtest.

Warning: DocumentRoot [/usr/docs/dummy-host.example.com] does not exist
Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:
This version of openssl does not support configuring compression within sections.

IMPORTANT NOTES:

  • We were unable to install your certificate, however, we
    successfully restored your server to its prior configuration.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/racewurx.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/racewurx.com/privkey.pem
    Your cert will expire on 2020-04-26. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”
administrators-Mac-mini:~ administrator$
1 Like

Line 13 of the config is SSL Compression OFF

1 Like

I tried turning it to ON but same result. Should I remove the line altogether?

1 Like

Commenting out the line Worked!

2 Likes

Interestingly, I believe this change was just made upstream in Certbot but hasn’t been part of a release yet.

As your change matches up with an official change in Certbot, I think that is the recommended solution. I do wonder if the error you encountered means you’re running especially old software. It seems like macOS 10.9 has been unsupported since 2017, so you might have a better experience in some ways (or get more security updates from Apple) by upgrading to a newer operating system release.
