Renew command running impossibly slow

certbot renew has been running incredibly slow for me, and I suspect it has something to do with parsing large Apache configs, similar to an issue I encountered when issuing the certificates in the first place.

My certs are issued by http challenges, which work wonderfully, thanks to --webroot:

certbot --webroot --webroot-path /var/www/vhosts/domain.com/html certonly -d domain.com -d www.domain.com

But, when renewing with certbot renew via a cron job, it seems like I run into a similar issue that’s making it impossible to renew.

Can anyone tell what the problem might be? I looked for options for the renew command, but didn’t see any. It seems as though I need something similar to --webroot for renew in order to automate renewals.

Config:

  • Certbot 0.31.0
  • CentOS 7
  • Apache 2.4.6

Log:

2019-06-03 00:04:11,395:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2019-06-30 19:13:42 UTC.
2019-06-03 00:04:11,396:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2019-06-03 00:04:11,396:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-06-03 00:04:12,890:DEBUG:certbot_apache.configurator:Apache version is 2.4.6
2019-06-03 00:19:26,448:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7f111c8ee990>
Prep: True
2019-06-03 00:19:26,449:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7f111c8ee990>
Prep: True
2019-06-03 00:19:26,450:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_centos.CentOSConfigurator object at 0x7f111c8ee990> and installer <certbot_apache.override_centos.CentOSConfigurator object at 0x7f111c8ee990>
2019-06-03 00:19:26,450:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2019-06-03 00:19:26,455:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/51249897', new_authzr_uri=None, terms_of_service=None), STRING, Meta(creation_host=u'localhost.localdomain', creation_dt=datetime.datetime(2019, 2, 10, 22, 39, 49, tzinfo=<UTC>)))>
2019-06-03 00:19:26,456:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-06-03 00:19:26,457:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-06-03 00:19:26,543:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2019-06-03 00:19:26,544:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
expires: Mon, 03 Jun 2019 05:19:26 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Mon, 03 Jun 2019 05:19:26 GMT
x-frame-options: DENY
content-type: application/json

{
  "BJ4sO-wNVq0": "https://community.letsencrypt.org/t/STRING/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2019-06-03 00:19:26,545:INFO:certbot.main:Renewing an existing certificate
2019-06-03 00:19:26,769:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/4225_key-certbot.pem
2019-06-03 00:19:26,895:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/4225_csr-certbot.pem
2019-06-03 00:19:26,896:DEBUG:acme.client:Requesting fresh nonce
2019-06-03 00:19:26,896:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2019-06-03 00:19:26,956:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-nonce HTTP/1.1" 200 0
2019-06-03 00:19:26,957:DEBUG:acme.client:Received response:
HTTP 200
content-length: 0
expires: Mon, 03 Jun 2019 05:19:26 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Mon, 03 Jun 2019 05:19:26 GMT
x-frame-options: DENY
replay-nonce: STRING


2019-06-03 00:19:26,957:DEBUG:acme.client:Storing nonce: STRING
2019-06-03 00:19:26,958:DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns", 
      "value": "domain.com"
    }, 
    {
      "type": "dns", 
      "value": "www.domain.com"
    }
  ]
}
2019-06-03 00:19:26,960:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "[STRING]", 
  "payload": "[STRING]", 
  "signature": "[STRING]"
}
2019-06-03 00:19:27,058:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 540
2019-06-03 00:19:27,059:DEBUG:acme.client:Received response:
HTTP 201
content-length: 540
expires: Mon, 03 Jun 2019 05:19:27 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/51249897/501550674
pragma: no-cache
boulder-requester: 51249897
date: Mon, 03 Jun 2019 05:19:27 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: [STRING]

{
  "status": "pending",
  "expires": "2019-06-10T05:19:26.999941028Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "domain.com"
    },
    {
      "type": "dns",
      "value": "www.domain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/[STRING]",
    "https://acme-v02.api.letsencrypt.org/acme/authz/[STRING]"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/51249897/501550674"
}
2019-06-03 00:19:27,059:DEBUG:acme.client:Storing nonce: [STRING]
2019-06-03 00:19:27,060:DEBUG:acme.client:JWS payload:

2019-06-03 00:19:27,064:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/[STRING]:
{
  "protected": "[STRING]", 
  "payload": "", 
  "signature": "[STRING]"
}
2019-06-03 00:19:27,144:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz/[STRING] HTTP/1.1" 200 908
2019-06-03 00:19:27,146:DEBUG:acme.client:Received response:
HTTP 200
content-length: 908
expires: Mon, 03 Jun 2019 05:19:27 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
boulder-requester: 51249897
date: Mon, 03 Jun 2019 05:19:27 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: [STRING]

{
  "identifier": {
    "type": "dns",
    "value": "domain.com"
  },
  "status": "pending",
  "expires": "2019-06-10T05:19:26Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/[STRING]",
      "token": "[STRING]"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/[STRING]",
      "token": "[STRING]"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/[STRING]",
      "token": "[STRING]"
    }
  ]
}
2019-06-03 00:19:27,146:DEBUG:acme.client:Storing nonce: [STRING]
2019-06-03 00:19:27,147:DEBUG:acme.client:JWS payload:

2019-06-03 00:19:27,150:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/[STRING]:
{
  "protected": "[STRING]", 
  "payload": "", 
  "signature": "[STRING]"
}
2019-06-03 00:19:27,216:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz/[STRING] HTTP/1.1" 200 912
2019-06-03 00:19:27,217:DEBUG:acme.client:Received response:
HTTP 200
content-length: 912
expires: Mon, 03 Jun 2019 05:19:27 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
boulder-requester: 51249897
date: Mon, 03 Jun 2019 05:19:27 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: [STRING]

{
  "identifier": {
    "type": "dns",
    "value": "www.domain.com"
  },
  "status": "pending",
  "expires": "2019-06-10T05:19:26Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/[STRING]",
      "token": "[STRING]"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/[STRING]",
      "token": "[STRING]"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/[STRING]/[STRING]",
      "token": "[STRING]"
    }
  ]
}
2019-06-03 00:19:27,218:DEBUG:acme.client:Storing nonce: [STRING]
2019-06-03 00:19:27,219:INFO:certbot.auth_handler:Performing the following challenges:
2019-06-03 00:19:27,219:INFO:certbot.auth_handler:http-01 challenge for domain.com
2019-06-03 00:19:27,219:INFO:certbot.auth_handler:http-01 challenge for www.domain.com
2019-06-03 00:23:14,275:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: domain.com in: /etc/httpd/vhosts.d/domain.com-ssl.conf
2019-06-03 00:23:14,277:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: domain.com in: /etc/httpd/vhosts.d/domain.com.conf
2019-06-03 00:23:14,279:DEBUG:certbot_apache.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2019-06-03 00:23:14,280:DEBUG:certbot_apache.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
2019-06-03 00:23:14,662:DEBUG:certbot.reverter:Creating backup of /etc/httpd/vhosts.d/domain.com.conf
2019-06-03 00:23:14,665:DEBUG:certbot.reverter:Creating backup of /etc/httpd/vhosts.d/domain.com-ssl.conf
2019-06-03 00:23:38,999:INFO:certbot.auth_handler:Waiting for verification...
2019-06-03 00:23:39,001:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "[STRING]", 
  "type": "http-01", 
  "resource": "challenge"
}
2019-06-03 00:23:39,006:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/[STRING]:
{
  "protected": "[STRING]", 
  "payload": "[STRING]", 
  "signature": "[STRING]"
}
2019-06-03 00:23:39,082:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/STRING/16615105476 HTTP/1.1" 200 224
2019-06-03 00:23:39,083:DEBUG:acme.client:Received response:
HTTP 200
content-length: 224
expires: Mon, 03 Jun 2019 05:23:39 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/STRING>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105476
pragma: no-cache
boulder-requester: 51249897
date: Mon, 03 Jun 2019 05:23:39 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: STRING

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105476",
  "token": "STRING"
}
2019-06-03 00:23:39,084:DEBUG:acme.client:Storing nonce: STRING
2019-06-03 00:23:39,085:DEBUG:acme.client:JWS payload:
{
  "keyAuthorization": "STRING.STRING", 
  "type": "http-01", 
  "resource": "challenge"
}
2019-06-03 00:23:39,088:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105482:
{
  "protected": "STRING", 
  "payload": "STRING", 
  "signature": "STRING"
}
2019-06-03 00:23:39,264:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/STRING/16615105482 HTTP/1.1" 200 224
2019-06-03 00:23:39,265:DEBUG:acme.client:Received response:
HTTP 200
content-length: 224
expires: Mon, 03 Jun 2019 05:23:39 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz/STRING>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105482
pragma: no-cache
boulder-requester: 51249897
date: Mon, 03 Jun 2019 05:23:39 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: STRING

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105482",
  "token": "STRING"
}
2019-06-03 00:23:39,265:DEBUG:acme.client:Storing nonce: STRING
2019-06-03 00:23:42,269:DEBUG:acme.client:JWS payload:

2019-06-03 00:23:42,272:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/STRING:
{
  "protected": "STRING", 
  "payload": "", 
  "signature": "STRING"
}
2019-06-03 00:23:42,347:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz/STRING HTTP/1.1" 200 1574
2019-06-03 00:23:42,348:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1574
expires: Mon, 03 Jun 2019 05:23:42 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
boulder-requester: 51249897
date: Mon, 03 Jun 2019 05:23:42 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: STRING

{
  "identifier": {
    "type": "dns",
    "value": "domain.com"
  },
  "status": "valid",
  "expires": "2019-07-03T05:23:41Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105474",
      "token": "STRING"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105475",
      "token": "STRING"
    },
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105476",
      "token": "STRING",
      "validationRecord": [
        {
          "url": "http://domain.com/.well-known/acme-challenge/STRING",
          "hostname": "domain.com",
          "port": "80",
          "addressesResolved": [
            "000.00.000.00"
          ],
          "addressUsed": "000.00.000.00"
        },
        {
          "url": "http://www.domain.com/.well-known/acme-challenge/STRING",
          "hostname": "www.domain.com",
          "port": "80",
          "addressesResolved": [
            "111.11.111.11"
          ],
          "addressUsed": "111.11.111.11"
        }
      ]
    }
  ]
}
2019-06-03 00:23:42,349:DEBUG:acme.client:Storing nonce: STRING
2019-06-03 00:23:42,352:DEBUG:acme.client:JWS payload:

2019-06-03 00:23:42,354:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz/STRING:
{
  "protected": "STRING", 
  "payload": "", 
  "signature": "STRING"
}
2019-06-03 00:23:42,426:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/authz/STRING HTTP/1.1" 200 1267
2019-06-03 00:23:42,427:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1267
expires: Mon, 03 Jun 2019 05:23:42 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
boulder-requester: 51249897
date: Mon, 03 Jun 2019 05:23:42 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: STRING

{
  "identifier": {
    "type": "dns",
    "value": "www.domain.com"
  },
  "status": "valid",
  "expires": "2019-07-03T05:23:39Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105478",
      "token": "STRING"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105480",
      "token": "STRING"
    },
    {
      "type": "http-01",
      "status": "valid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/STRING/16615105482",
      "token": "STRING",
      "validationRecord": [
        {
          "url": "http://www.domain.com/.well-known/acme-challenge/STRING",
          "hostname": "www.domain.com",
          "port": "80",
          "addressesResolved": [
            "111.11.111.11"
          ],
          "addressUsed": "111.11.111.11"
        }
      ]
    }
  ]
}
2019-06-03 00:23:42,427:DEBUG:acme.client:Storing nonce: STRING
2019-06-03 00:23:42,428:DEBUG:certbot.error_handler:Calling registered functions
2019-06-03 00:23:42,429:INFO:certbot.auth_handler:Cleaning up challenges
2019-06-03 00:27:35,084:DEBUG:certbot.client:CSR: CSR(file='/etc/letsencrypt/csr/4225_csr-certbot.pem', data='-----BEGIN CERTIFICATE REQUEST-----\STRING\STRING+G+LzA9Kxs5zSHqFVh\STRING/zplcaZmxEMx03XD67Oruq+NwSmtDl\nWwlN9hyNc+STRING/QpNQjfEloVO3Reb17K\nvK+/STRING/9DojXHziK7GZ64gKk0FIqQk3hQml1\nTATcq+STRING/UVfsWGI3l6hhM0iO8mKqOSl\nv8DkLYftUprvwzOpyykCAwEAAaA+STRING\STRING\nBQADggEBACx0SLekKaNgofUKK2fI/STRING\nLPUi5lRPubg+9pT0EYEzX8tHYwMD2VnUos/AOFsMmsbKUWJi/PaO3lBhs2lPKfYf\STRING\STRING//FjubvHB\nqcBRfp/STRING\nJ0q7KgTUVl1fEWyr+yN2o+XAu6f7B4g=\n-----END CERTIFICATE REQUEST-----\n', form='pem')
2019-06-03 00:27:35,086:DEBUG:acme.client:JWS payload:
{
  "resource": "new-cert", 
  "csr": "STRING"
}
2019-06-03 00:27:35,089:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/finalize/51249897/501550674:
{
  "protected": "STRING", 
  "payload": "STRING", 
  "signature": "STRING"
}
2019-06-03 00:27:35,900:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/finalize/51249897/501550674 HTTP/1.1" 200 632
2019-06-03 00:27:35,902:DEBUG:acme.client:Received response:
HTTP 200
content-length: 632
expires: Mon, 03 Jun 2019 05:27:35 GMT
cache-control: max-age=0, no-cache, no-store
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/51249897/501550674
pragma: no-cache
boulder-requester: 51249897
date: Mon, 03 Jun 2019 05:27:35 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: STRING

{
  "status": "valid",
  "expires": "2019-06-10T05:19:26Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "domain.com"
    },
    {
      "type": "dns",
      "value": "www.domain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/STRING",
    "https://acme-v02.api.letsencrypt.org/acme/authz/STRING"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/51249897/501550674",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/STRING"
}
2019-06-03 00:27:35,902:DEBUG:acme.client:Storing nonce: STRING
2019-06-03 00:27:36,903:DEBUG:acme.client:JWS payload:

2019-06-03 00:27:36,907:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/order/51249897/501550674:
{
  "protected": "STRING", 
  "payload": "", 
  "signature": "STRING"
}
2019-06-03 00:27:36,974:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/order/51249897/501550674 HTTP/1.1" 200 632
2019-06-03 00:27:36,975:DEBUG:acme.client:Received response:
HTTP 200
content-length: 632
expires: Mon, 03 Jun 2019 05:27:36 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Mon, 03 Jun 2019 05:27:36 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: STRING

{
  "status": "valid",
  "expires": "2019-06-10T05:19:26Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "domain.com"
    },
    {
      "type": "dns",
      "value": "www.domain.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/STRING",
    "https://acme-v02.api.letsencrypt.org/acme/authz/STRING"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/51249897/501550674",
  "certificate": "https://acme-v02.api.letsencrypt.org/acme/cert/STRING"
}
2019-06-03 00:27:36,975:DEBUG:acme.client:Storing nonce: STRING
2019-06-03 00:27:36,976:DEBUG:acme.client:JWS payload:

2019-06-03 00:27:36,979:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/cert/STRING:
{
  "protected": "STRING", 
  "payload": "", 
  "signature": "STRING"
}
2019-06-03 00:27:37,040:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/cert/STRING HTTP/1.1" 415 168
2019-06-03 00:27:37,045:DEBUG:acme.client:Received response:
HTTP 415
content-length: 168
expires: Mon, 03 Jun 2019 05:27:37 GMT
server: nginx
connection: close
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Mon, 03 Jun 2019 05:27:37 GMT
content-type: application/problem+json
replay-nonce: STRING

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Invalid Content-Type header on POST. Content-Type must be \"application/jose+json\"",
  "status": 415
}
2019-06-03 00:27:37,047:DEBUG:acme.client:Error during a POST-as-GET request, your ACME CA may not support it:
urn:ietf:params:acme:error:malformed :: The request message was malformed :: Invalid Content-Type header on POST. Content-Type must be "application/jose+json"
2019-06-03 00:27:37,047:DEBUG:acme.client:Retrying request with GET.
2019-06-03 00:27:37,047:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/cert/STRING.
2019-06-03 00:27:37,048:INFO:requests.packages.urllib3.connectionpool:Resetting dropped connection: acme-v02.api.letsencrypt.org
2019-06-03 00:27:37,147:DEBUG:requests.packages.urllib3.connectionpool:"GET /acme/cert/STRING HTTP/1.1" 200 3579
2019-06-03 00:27:37,148:DEBUG:acme.client:Received response:
HTTP 200
content-length: 3579
expires: Mon, 03 Jun 2019 05:27:37 GMT
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Mon, 03 Jun 2019 05:27:37 GMT
x-frame-options: DENY
content-type: application/pem-certificate-chain

-----BEGIN CERTIFICATE-----
STRING
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
STRING
-----END CERTIFICATE-----

2019-06-03 00:27:37,154:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/domain.com/privkey2.pem.
2019-06-03 00:27:37,154:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/domain.com/cert2.pem.
2019-06-03 00:27:37,155:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/domain.com/chain2.pem.
2019-06-03 00:27:37,155:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/domain.com/fullchain2.pem.
2019-06-03 00:27:37,645:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/domain.com.conf.new.
2019-06-03 00:27:37,650:DEBUG:certbot.plugins.storage:Plugin storage file /etc/letsencrypt/.pluginstorage.json was empty, no values loaded
2019-06-03 00:27:40,387:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2019-06-03 00:27:40,391:DEBUG:certbot.plugins.selection:Selecting plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7f111c8ee990>
Prep: True

Hi @rreess

The apache plugin is used there, not webroot. What's the content of the config file in

/etc/letsencrypt/renewal

What's the content of your cron job? Your cron job should only use certbot renew, so the last saved definition is used. If this is webroot, then webroot is used.

Ahh, I see what you mean! Some domains’ .conf files in /etc/letsencrypt/renewal are set to authenticator = apache and others are authenticator = webroot.

Which makes sense, because the first few hundred certificates I issued used the Apache plugin before I switched to --webroot.

It looks as though I could manually edit these .conf files to switch from ordering the apache plugin to using webroot… Thoughts?

Yes, you can edit these renew files manually.

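An added example, not part of the original thread or of certbot itself: a read-only audit that reports which authenticator each saved renewal file will make certbot renew use, so lineages still set to apache can be found before any hand editing. The sample directory, its example-*.test lineages and the function names are constructed for illustration.

```shell
#!/bin/sh
# Audit certbot renewal configs (read-only; nothing is modified).

# Print the authenticator saved in the [renewalparams] section of one file,
# or "unset" when the key is absent. Commented-out lines are ignored, and a
# [[webroot_map]] subsection does not end the section.
renewal_authenticator() {
    awk '
        /^[ \t]*\[renewalparams\][ \t]*$/ { in_params = 1; next }
        /^[ \t]*\[[^[]/ { in_params = 0 }   # another top-level section
        in_params && /^[ \t]*authenticator[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            found = $0
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Print "<lineage> <authenticator>" for every *.conf in the directory.
audit_renewal_dir() {
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        printf '%s %s\n' "$(basename "$conf" .conf)" \
            "$(renewal_authenticator "$conf")"
    done
}

# Print the lineages whose saved authenticator differs from $1,
# e.g. everything that would not renew through webroot.
lineages_not_using() {
    audit_renewal_dir "$2" | awk -v want="$1" '$2 != want { print $1 }'
}

# Constructed sample input: three minimal renewal files in a temp directory.
make_sample_renewal_dir() {
    d=$(mktemp -d)
    cat > "$d/example-a.test.conf" <<'EOF'
version = 0.31.0
[renewalparams]
authenticator = apache
installer = apache
EOF
    cat > "$d/example-b.test.conf" <<'EOF'
version = 0.31.0
[renewalparams]
authenticator = webroot
webroot_path = /var/www/vhosts/example-b.test/html,
[[webroot_map]]
example-b.test = /var/www/vhosts/example-b.test/html
EOF
    cat > "$d/example-c.test.conf" <<'EOF'
# authenticator = webroot   (commented out, must be ignored)
[renewalparams]
installer = apache
authenticator   =   apache
EOF
    printf '%s\n' "$d"
}

# Demo on the constructed directory; on a real host pass
# /etc/letsencrypt/renewal to audit_renewal_dir instead.
sample=$(make_sample_renewal_dir)
audit_renewal_dir "$sample"
echo "not webroot: $(lineages_not_using webroot "$sample" | tr '\n' ' ')"
rm -rf "$sample"
```

Back up a renewal file before changing its authenticator line, and confirm the result with certbot renew --dry-run.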