Renew does not work on Debian Trixie

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domains are: performance.izzop.com, consult.izzop.com, galerie.izzop.com, ...

I ran this command:
certbot --standalone renew

It produced this output: the output is too long (170 KB), so I have extracted the end:

2025-01-13 15:42:45,244:DEBUG:acme.client:Storing nonce: 5VsalEMJ3arn6L9D-sFP1SWDWQJyzWRJkuGIY-FqznoY9qUDFz0
2025-01-13 15:42:45,245:INFO:certbot._internal.auth_handler:Challenge failed for domain performance6.jppozzi.dyndns.org
2025-01-13 15:42:45,245:INFO:certbot._internal.auth_handler:http-01 challenge for performance6.jppozzi.dyndns.org
2025-01-13 15:42:45,245:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: performance6.jppozzi.dyndns.org
  Type:   unauthorized
  Detail: 176.187.84.182: Invalid response from https://performance6.jppozzi.dyndns.org/.well-known/acme-challenge/6iKOg35diTyM8rvagvtu3dzO_i1gu75DvMF75dMoC50: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2025-01-13 15:42:45,245:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-01-13 15:42:45,245:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-01-13 15:42:45,245:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-01-13 15:42:45,245:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80...
2025-01-13 15:42:45,462:ERROR:certbot._internal.renewal:Failed to renew certificate performance6.jppozzi.dyndns.org with error: Some challenges have failed.
2025-01-13 15:42:45,462:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1550, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-01-13 15:42:45,463:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-01-13 15:42:45,463:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2025-01-13 15:42:45,463:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/consult.izzop.com/fullchain.pem (failure)
  /etc/letsencrypt/live/consult.jppozzi.dyndns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/galerie.izzop.com/fullchain.pem (failure)
  /etc/letsencrypt/live/galerie.jppozzi.dyndns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/jppozzi.dyndns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/performance.izzop.com/fullchain.pem (failure)
  /etc/letsencrypt/live/performance.jppozzi.dyndns.org/fullchain.pem (failure)
  /etc/letsencrypt/live/performance6.izzop.com/fullchain.pem (failure)
  /etc/letsencrypt/live/performance6.jppozzi.dyndns.org/fullchain.pem (failure)
2025-01-13 15:42:45,463:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-01-13 15:42:45,463:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.11.0', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1642, in renew
    renewed_domains, failed_domains = renewal.handle_renewal_request(config)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 9 renew failure(s), 0 parse failure(s)
2025-01-13 15:42:45,463:ERROR:certbot._internal.log:9 renew failure(s), 0 parse failure(s)
-----------------------------------------------------------------------------------------------------

My web server is (include version): --standalone

The operating system my web server runs on is (include version): Debian Trixie

My hosting provider, if applicable, is: self hosted in a VM

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): none

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0

Regards

JP P

The --standalone option requires exclusive use of port 80. Did you stop your Apache server before running that?

I say Apache because that is what is replying to HTTP requests right now.

Have you considered using the --webroot or --apache option instead of --standalone now that you have Apache running?


Hello,

Apache and haproxy were not running and port 80 was free. It is not the first time I have renewed my certs, but it is the first time with Debian Trixie.

I have followed the process I have been using for some years.

It could be a problem with Trixie.

Regards

JP P

I doubt it. The error was a '404' which means something replied to the Let's Encrypt server with that. The --standalone option would never reply with that code. There is likely something else running on that port then.

What does this show before you try running --standalone?

sudo ss -pant | grep -i listen | grep ':80' | grep -v grep

And, would you show the Certbot command again? It got lost in your original post.

Did you upgrade your o/s in place? Or is it a new virtual server? If the latter does your DNS still point to the right IP?


Hello,

I ran the command :

sudo ss -pant | grep -i listen | grep ':80'
LISTEN 0 4096 192.168.2.80:80 0.0.0.0:* users:(("haproxy",pid=130192,fd=10))

Only "haproxy" uses port 80, but I stop it before launching the certbot command:
certbot --standalone renew
Hope this is OK for you.
Regards
JP P

I asked to see the output of the ss command just before you ran Certbot.

That is an unusual way to run the renew command. What does this show

sudo certbot certificates

Hello,
The result of "certbot certificates" is rather long; here it is truncated after the first cert listed:

Then what is the output of:

sudo certbot certificates --cert-name performance6.jppozzi.dyndns.org

Hello,

Output is:
certbot certificates --cert-name performance6.jppozzi.dyndns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
/usr/lib/python3/dist-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
if not response_ocsp.this_update:
/usr/lib/python3/dist-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
if response_ocsp.this_update > now + timedelta(minutes=5):
/usr/lib/python3/dist-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):

Regards
JP P

Found the following matching certs:
Certificate Name: performance6.jppozzi.dyndns.org
Serial Number: 43e14c6cb04b9c5b4a9f6a809f2de9696bf
Key Type: RSA
Domains: performance6.jppozzi.dyndns.org
Expiry Date: 2025-01-29 15:02:58+00:00 (VALID: 14 days)
Certificate Path: /etc/letsencrypt/live/performance6.jppozzi.dyndns.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/performance6.jppozzi.dyndns.org/privkey.pem

Now please show contents of the renewal config profile:

/etc/letsencrypt/renewal/performance6.jppozzi.dyndns.org.conf

Hello,

cat /etc/letsencrypt/renewal/performance6.jppozzi.dyndns.org.conf

# renew_before_expiry = 30 days
version = 2.1.0
archive_dir = /etc/letsencrypt/archive/performance6.jppozzi.dyndns.org
cert = /etc/letsencrypt/live/performance6.jppozzi.dyndns.org/cert.pem
privkey = /etc/letsencrypt/live/performance6.jppozzi.dyndns.org/privkey.pem
chain = /etc/letsencrypt/live/performance6.jppozzi.dyndns.org/chain.pem
fullchain = /etc/letsencrypt/live/performance6.jppozzi.dyndns.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 6b86e312c316ab1b30e13b12f9f96fad
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

Regards
JP P

PS: I am going to bed, it is 23:51 here.
Returning tomorrow morning ...


Okay, let's walk through this carefully to identify the root cause.

We'll just work on the performance subdomain and likely same issue for all.

Your Certbot renewal config for that confirms --standalone. So, let's test that:

  1. Stop haproxy as it uses port 80

  2. Show output of this:

sudo ss -pant | grep -i listen | grep ':80' | grep -v grep

Need to make certain port 80 is available. Maybe haproxy stop works differently now. Or perhaps some monitoring system notices it is stopped and restarts it. If nothing shows for port 80, go to the next step. Otherwise we have found the reason.

  3. Show output of this (will not affect existing production certs):

sudo certbot renew --dry-run --cert-name performance6.jppozzi.dyndns.org

  4. If that fails for any reason, upload:

/var/log/letsencrypt/letsencrypt.log

You will need to copy it to a .txt file to upload to this forum.

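The port-80 check in the checklist above, written as a small script. This is an added example, not code posted in the thread: it parses the same `ss -pant` output the thread relies on, but matches the port against the local-address column only, so a listener on :8080 is not mistaken for one on :80 (a plain `grep ':80'` would report both). The sample `ss` output is constructed here; only the haproxy line mirrors what was posted.

```shell
#!/bin/sh
# Added example (not from the thread): check that TCP port 80 is really free
# before running `certbot --standalone`, using `ss -pant` output as input.

# Print the process name of every LISTEN socket bound to port $1.
# Reads ss output from stdin: `sudo ss -pant | listeners_on_port 80`.
listeners_on_port() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")   # column 4 is Local Address:Port; IPv6 has several ":"
            if (a[n] != p) next     # exact port match, so :8080 does not count as :80
            if (match($0, /users:\(\("[^"]*"/)) {
                # strip the leading users:((" (9 chars) and the trailing quote
                print substr($0, RSTART + 9, RLENGTH - 10)
            } else {
                print "unknown (run ss as root to see process names)"
            }
        }'
}

# Succeed (exit 0) only when nothing listens on port $1, i.e. standalone can bind it.
port_is_free() {
    [ -z "$(listeners_on_port "$1")" ]
}

# Constructed sample of `ss -pant` output: the haproxy line mirrors the one
# posted in the thread; the :8080, :443 and ESTAB lines are decoys.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port  Process
LISTEN 0      4096   192.168.2.80:80    0.0.0.0:*          users:(("haproxy",pid=130192,fd=10))
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*          users:(("python3",pid=4242,fd=3))
LISTEN 0      511    [::]:443           [::]:*             users:(("apache2",pid=999,fd=4))
ESTAB  0      0      192.168.2.80:22    192.168.2.5:51234  users:(("sshd",pid=77,fd=5))'

# Demonstration on the sample (replace the printf with `sudo ss -pant` for live use).
printf '%s\n' "$SAMPLE_SS" | listeners_on_port 80          # prints: haproxy
if printf '%s\n' "$SAMPLE_SS" | port_is_free 80; then
    echo "port 80 is free: safe to run certbot renew --dry-run"
else
    echo "port 80 is busy: stop the listener above before using --standalone"
fi
```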

Hello,

sudo ss -pant | grep -i listen | grep ':80' | grep -v grep
returns nothing

certbot renew --dry-run --cert-name performance6.jppozzi.dyndns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/performance6.jppozzi.dyndns.org.conf


/usr/lib/python3/dist-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
if not response_ocsp.this_update:
/usr/lib/python3/dist-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
if response_ocsp.this_update > now + timedelta(minutes=5):
/usr/lib/python3/dist-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):
Account registered.
Simulating renewal of an existing certificate for performance6.jppozzi.dyndns.org


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/performance6.jppozzi.dyndns.org/fullchain.pem (success)


As I have had an update on the internet bridge/firewall system, I hope that was the culprit rather than the upgrade from Bookworm to Trixie.

I will try the complete renewal, and if it works, I will try to understand why the firewall has done weird things ...

Regards and thanks for your kindness.

JP P


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.