Renew Error cert

Hello
www.caloro.ch will expire in the next few days. certbot renew and letsencrypt renew are also not running fine.

If I check the log:
2020-11-07 16:24:06,960:WARNING:certbot.renewal:Attempting to renew cert (caloro.ch) from
/etc/letsencrypt/renewal/caloro.ch.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.. Skipping.

2020-11-07 16:24:06,962:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1168, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 305, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 132, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2280, in perform
http_response = http_doer.perform()
File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 72, in perform
self._mod_config()
File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 99, in _mod_config
for vh in self._relevant_vhosts():
File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 136, in _relevant_vhosts
" {0}.".format(http01_port))
certbot.errors.PluginError: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

2020-11-07 16:24:06,967:INFO:certbot.renewal:Cert not yet due for renewal
2020-11-07 16:24:06,968:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2020-11-07 16:24:06,968:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-11-07 16:24:06,969:ERROR:certbot.renewal: /etc/letsencrypt/live/caloro.ch/fullchain.pem (failure)
2020-11-07 16:24:06,969:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/letsencrypt", line 11, in
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

But I have only 443 running.
apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server mta-sts. (/etc/apache2/sites-enabled/mta-sts-ssl.conf:3)
port 443 namevhost mta-sts. (/etc/apache2/sites-enabled/mta-sts-ssl.conf:3)
port 443 namevhost webalizer.caloro.ch (/etc/apache2/sites-enabled/webalizer-ssl.conf:3)
port 443 namevhost www.caloro.ch (/etc/apache2/sites-enabled/wordpress-ssl.conf:3)

Please, how can I update this cert!!
Thanks

OK, I only need to enable 000-default.conf, then certbot renew will run without problem.

But if running only with port 443, why do I need 80? Is this only for recertification?
Thanks for possible help!

Yes, if using HTTP challenges (which is the typical case it seems), you need to keep port 80 open.


Port 80 only needs to do that one thing: Complete the LE challenge.
And it can do it in several secure ways:

  1. redirect ALL connections to HTTPS
  2. handle the acme-challenge requests in HTTP and redirect ALL other connections to HTTPS
  3. handle the acme-challenge requests in HTTP and return 404 for all other requests
  4. use a completely different web server service to provide this HTTP function only
  5. use a completely separate server to provide this dedicated web server service
  6. use a reverse proxy to reach the real (HTTPS) web server (only for acme-challenge requests)

I could go on, but I think you should have a good idea of options that can be run all the time and yet be secure enough to let you sleep at night.

READERS: Get involved and participate: If you read something you like, then click to like it.
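As an added example (not from any post in this thread), here is a minimal Apache 2.4 port-80 VirtualHost implementing option 2 above for the thread's domains: it answers ACME HTTP-01 challenge requests in plain HTTP and sends every other request to HTTPS. The certbot Apache plugin seen in the traceback only needs a port-80 vhost whose ServerName matches; the Alias block is an assumption that additionally lets the same vhost serve challenges from a fixed webroot (/var/www/acme, an assumed path) for certbot --webroot.

```apache
# Added example, not the original poster's 000-default.conf.
# Assumed webroot for challenge files: /var/www/acme (create it, owned by root, no other content).
<VirtualHost *:80>
    ServerName www.caloro.ch
    ServerAlias caloro.ch webalizer.caloro.ch

    # Serve ACME HTTP-01 tokens in plain HTTP from a dedicated, otherwise empty directory.
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/
    <Directory /var/www/acme/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Everything that is not a challenge request gets a permanent redirect to HTTPS,
    # keeping host and path so bookmarks still work.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Port 80 carries nothing but the challenge: point the document root at the
    # same empty directory so no site content is ever exposed over HTTP.
    DocumentRoot /var/www/acme
    ErrorLog ${APACHE_LOG_DIR}/acme-http-error.log
    CustomLog ${APACHE_LOG_DIR}/acme-http-access.log combined
</VirtualHost>
```

After enabling it, apachectl -t -D DUMP_VHOSTS should list a port 80 namevhost for www.caloro.ch next to the 443 entries, which is exactly what the renewal error above was missing.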