Renew error hosed my hosts

My domain is: queer2queerfest.com (and a few others are involved, see below)

I ran this command: certbot renew

It produced this output: one challenge failed

My web server is (include version): apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.4.3 LTS

My hosting provider, if applicable, is: self, Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.18.0

I originally let certbot automatically issue certs for all sites on my server. It didn't renew them automatically the last time, so I tried to run renew manually. I believe I used certbot renew.

It threw an error for one domain, jackwoodjohnson.com, after which all domains pointed to the first (alphabetically) site, almostmarriedmovie.com

Not really knowing what I was doing, I deleted all certs I could find and a2dissite'd all domains and recreated my virtual hosts and then used certbot -d {domain} --force-renew one-by-one to get them all working again.

Except now one site, queer2queerfest.com, still resolves to the almostmarriedmovie.com directory no matter what I try.

2 Likes

Hi @measuretwice, welcome to the LE community forum :slight_smile:

Let's see what we can do to straighten this all out...
First: Let's have a look at the output of:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes

Hmm, looks like there's no virtual host for queer2queerfest.com. I know just enough to be dangerous. What would you suggest?

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server almostmarriedmovie.com (/etc/apache2/sites-enabled/almostmarriedmovie.com-le-ssl.conf:2)
         port 443 namevhost almostmarriedmovie.com (/etc/apache2/sites-enabled/almostmarriedmovie.com-le-ssl.conf:2)
                 alias www.almostmarriedmovie.com
         port 443 namevhost alphazette.com (/etc/apache2/sites-enabled/alphazette.com-le-ssl.conf:2)
                 alias www.alphazette.com
         port 443 namevhost buildaschedule.com (/etc/apache2/sites-enabled/buildaschedule.com-le-ssl.conf:2)
                 alias www.buildaschedule.com
         port 443 namevhost fornightmares.com (/etc/apache2/sites-enabled/fornightmares.com-le-ssl.conf:2)
                 alias www.fornightmares.com
         port 443 namevhost jackwoodjohnson.com (/etc/apache2/sites-enabled/jackwoodjohnson.com-le-ssl.conf:2)
                 alias www.jackwoodjohnson.com
         port 443 namevhost lisalafayette.com (/etc/apache2/sites-enabled/lisalafayette.com-le-ssl.conf:2)
                 alias www.lisalafayette.com
         port 443 namevhost lmnop.world (/etc/apache2/sites-enabled/lmnop.world-le-ssl.conf:2)
                 alias www.lmnop.world
         port 443 namevhost strangemail.net (/etc/apache2/sites-enabled/strangemail.net-le-ssl.conf:2)
                 alias www.strangemail.net
         port 443 namevhost strangermornings.com (/etc/apache2/sites-enabled/strangermornings.com-le-ssl.conf:2)
                 alias www.thesoulgatherer.com
         port 443 namevhost theaquariummovie.com (/etc/apache2/sites-enabled/theaquariummovie.com-le-ssl.conf:2)
                 alias www.theaquariummovie.com
         port 443 namevhost thebabysitterfromhell.com (/etc/apache2/sites-enabled/thebabysitterfromhell.com-le-ssl.conf:2)
                 alias www.thebabysitterfromhell.com
         port 443 namevhost theintrovertedfilmmaker.com (/etc/apache2/sites-enabled/theintrovertedfilmmaker.com-le-ssl.conf:2)
                 alias www.theintrovertedfilmmaker.com
         port 443 namevhost theintrovertedfilmmakers.com (/etc/apache2/sites-enabled/theintrovertedfilmmakers.com-le-ssl.conf:2)
                 alias www.theintrovertedfilmmakers.com
         port 443 namevhost themodernbow.com (/etc/apache2/sites-enabled/themodernbow.com-le-ssl.conf:2)
                 alias www.themodernbow.com
         port 443 namevhost thesoulgatherer.com (/etc/apache2/sites-enabled/thesoulgatherer.com-le-ssl.conf:2)
                 alias www.thesoulgatherer.com
*:80                   is a NameVirtualHost
         default server 128.199.9.96 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 128.199.9.96 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost almostmarriedmovie.com (/etc/apache2/sites-enabled/almostmarriedmovie.com.conf:1)
                 alias www.almostmarriedmovie.com
         port 80 namevhost alphazette.com (/etc/apache2/sites-enabled/alphazette.com.conf:1)
                 alias www.alphazette.com
         port 80 namevhost buildaschedule.com (/etc/apache2/sites-enabled/buildaschedule.com.conf:1)
                 alias www.buildaschedule.com
         port 80 namevhost fornightmares.com (/etc/apache2/sites-enabled/fornightmares.com.conf:1)
                 alias www.fornightmares.com
         port 80 namevhost jackwoodjohnson.com (/etc/apache2/sites-enabled/jackwoodjohnson.com.conf:1)
                 alias www.jackwoodjohnson.com
         port 80 namevhost lisalafayette.com (/etc/apache2/sites-enabled/lisalafayette.com.conf:1)
                 alias www.lisalafayette.com
         port 80 namevhost lmnop.world (/etc/apache2/sites-enabled/lmnop.world.conf:1)
                 alias www.lmnop.world
         port 80 namevhost queer2queerfest.com (/etc/apache2/sites-enabled/queer2queerfest.com.conf:1)
                 alias www.queer2queerfest.com
         port 80 namevhost strangemail.net (/etc/apache2/sites-enabled/strangemail.net.conf:1)
                 alias www.strangemail.net
         port 80 namevhost strangermornings.com (/etc/apache2/sites-enabled/strangermornings.com.conf:1)
                 alias www.thesoulgatherer.com
         port 80 namevhost theaquariummovie.com (/etc/apache2/sites-enabled/theaquariummovie.com.conf:1)
                 alias www.theaquariummovie.com
         port 80 namevhost thebabysitterfromhell.com (/etc/apache2/sites-enabled/thebabysitterfromhell.com.conf:1)
                 alias www.thebabysitterfromhell.com
         port 80 namevhost theintrovertedfilmmaker.com (/etc/apache2/sites-enabled/theintrovertedfilmmaker.com.conf:1)
                 alias www.theintrovertedfilmmaker.com
         port 80 namevhost theintrovertedfilmmakers.com (/etc/apache2/sites-enabled/theintrovertedfilmmakers.com.conf:1)
                 alias www.theintrovertedfilmmakers.com
         port 80 namevhost themodernbow.com (/etc/apache2/sites-enabled/themodernbow.com.conf:1)
                 alias www.themodernbow.com
         port 80 namevhost thesoulgatherer.com (/etc/apache2/sites-enabled/thesoulgatherer.com.conf:1)
                 alias www.thesoulgatherer.com
3 Likes

I checked a few of those domains, and at least one other one is also misconfigured.

I don't know if Certbot messed up the config, or if you are just dealing with the technical debt of required server maintenance after too much time/changes.

I hate saying this, but in your situation, I would do a full audit of your system:

  1. Create a spreadsheet, with each row being a domain
  2. Audit and cleanup your setup with these rows:
    • Configuration file exists in /sites-available
    • Configuration file valid and expected
    • website directory exists and where expected (re Configuration file)
    • Configuration file symlinked into /sites-enabled
  3. Go through each row or column, and check for errors and correctness.

It will probably take you 2-3 hours of busywork, but it's the least stressful and fastest way to get you closer to a working solution.

4 Likes

I'm good with first and fourth bullet points, and think I can figure out the second. What is site director?

2 Likes

I tried validating all the names in DNS.
Here are my findings:

Non-existent domains:

www.alphazette.com
www.jackwoodjohnson.com
www.lmnop.world
www.queer2queerfest.com
www.theaquariummovie.com
www.thebabysitterfromhell.com

Otherwise, all remaining names resolved to the same IP.

4 Likes
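The audit proposed a few posts up (config file present in sites-available, valid, document root present, linked into sites-enabled) together with the DNS check in the post just above, as an added example that is not from this thread. It is a hypothetical Python script, not a Certbot or Apache tool: it parses each vhost file with simple regexes, checks the four audit rows, resolves every ServerName/ServerAlias, and lists names that no enabled vhost claims, because Apache serves those from the default (first-loaded) vhost, which is exactly the "everything points at almostmarriedmovie.com" symptom in the first post. The `build_sample_tree()` tree, the `SAMPLE_DNS` table and the `*.example` names are constructed so it runs offline; point `audit_apache()` at /etc/apache2 with the default live resolver to use it on a real host.

```python
import os
import re
import socket
import tempfile
from dataclasses import dataclass, field

# Hypothetical audit helper (not from the thread): one report per vhost file.
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.M)
DOCROOT_RE = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.M)


@dataclass
class VHostReport:
    conf: str                  # file name under sites-available
    enabled: bool              # symlinked (or copied) into sites-enabled
    names: list                # ServerName + ServerAlias values, port stripped
    docroots: list             # DocumentRoot values found in the file
    problems: list = field(default_factory=list)


def resolve_a(name):
    """Live resolver: IPv4 addresses for name, empty set when it does not resolve."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def audit_apache(apache_dir, expected_ip=None, resolver=resolve_a):
    """Check every *.conf in sites-available against the four audit rows."""
    avail = os.path.join(apache_dir, "sites-available")
    enabled = os.path.join(apache_dir, "sites-enabled")
    # Real paths of everything in sites-enabled, so a symlink compares equal to its target.
    enabled_real = {os.path.realpath(os.path.join(enabled, e)) for e in os.listdir(enabled)}
    reports = []
    for entry in sorted(os.listdir(avail)):
        if not entry.endswith(".conf"):
            continue
        path = os.path.join(avail, entry)
        with open(path) as fh:
            text = fh.read()
        names = [n.split(":")[0] for m in NAME_RE.finditer(text) for n in m.group(1).split()]
        docroots = DOCROOT_RE.findall(text)
        rep = VHostReport(entry, os.path.realpath(path) in enabled_real, names, docroots)
        if not names:
            rep.problems.append("no ServerName/ServerAlias")
        if not docroots:
            rep.problems.append("no DocumentRoot")
        for d in docroots:
            if not os.path.isdir(d):
                rep.problems.append(f"DocumentRoot missing: {d}")
        if not rep.enabled:
            rep.problems.append("not linked into sites-enabled")
        for n in names:
            ips = resolver(n)
            if not ips:
                rep.problems.append(f"{n}: does not resolve")
            elif expected_ip and expected_ip not in ips:
                rep.problems.append(f"{n}: resolves to {sorted(ips)}, not {expected_ip}")
        reports.append(rep)
    return reports


def unserved_names(reports, wanted):
    """Names in `wanted` that no enabled vhost claims; Apache hands those to the default vhost."""
    served = {n for r in reports if r.enabled for n in r.names}
    return sorted(set(wanted) - served)


def build_sample_tree():
    """Constructed sample: a throwaway apache2-style tree in a temp directory."""
    root = tempfile.mkdtemp(prefix="apache-audit-")
    avail = os.path.join(root, "sites-available")
    enabled = os.path.join(root, "sites-enabled")
    os.makedirs(avail)
    os.makedirs(enabled)
    good_root = os.path.join(root, "www", "a.example")
    os.makedirs(good_root)
    confs = {
        "a.example.conf": f'ServerName a.example\nServerAlias www.a.example\nDocumentRoot "{good_root}"\n',
        # enabled, but its DocumentRoot was never created
        "b.example.conf": f"ServerName b.example:80\nDocumentRoot {root}/www/b.example\n",
        # written, but never a2ensite'd
        "c.example.conf": f'ServerName c.example\nDocumentRoot "{good_root}"\n',
    }
    for name, body in confs.items():
        with open(os.path.join(avail, name), "w") as fh:
            fh.write(body)
    for name in ("a.example.conf", "b.example.conf"):
        os.symlink(os.path.join(avail, name), os.path.join(enabled, name))
    return root


# Constructed resolver table; www.a.example has no record, like the missing www names above.
SAMPLE_DNS = {"a.example": {"192.0.2.10"}, "b.example": {"192.0.2.10"}, "c.example": {"198.51.100.7"}}


def sample_resolver(name):
    return SAMPLE_DNS.get(name, set())


if __name__ == "__main__":
    root = build_sample_tree()
    reports = audit_apache(root, expected_ip="192.0.2.10", resolver=sample_resolver)
    for r in reports:
        print(r.conf, "OK" if not r.problems else "; ".join(r.problems))
    print("unserved:", unserved_names(reports, ["a.example", "c.example", "d.example"]))
```

The regexes deliberately ignore `Include`, `Define` and nested `<VirtualHost>` blocks, so treat the output as the spreadsheet's first pass and keep `apachectl -t -D DUMP_VHOSTS` as the authoritative view of what Apache actually loaded.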

Interesting, those are all registered through namecheap.com, and all the others are through GoDaddy.

2 Likes

Well then someone needs to login to namecheap and add all the missing www CNAMEs.
Not to say that will fix the problem you mentioned in your topic.
But it will fix this problem.

4 Likes

Gotcha. On it.

4 Likes

Sorry, typo. I corrected it to be "Website directory". Just make sure the document roots or whatever directories are mentioned in the configuration file exist, and are pointing at what you want them to.

I make a practice to audit this stuff at least once every year or two. Configurations, files and deployments often get out of sync without you realizing it.

4 Likes

Got it, thanks so much.

4 Likes

Between adding CNAME records, manually adding queer2queerfest.com-le-ssl.conf, and disabling/re-enabling the site, I seem to have gotten it sorted out.

Thanks so much for your help, gentlemen. I appreciate you.

5 Likes

Welcome to the Let's Encrypt Community, Ben :slightly_smiling_face:

Though you may have made a series of mostly-preventable, somewhat-common mistakes, I stopped by to commend you for your humility, vigilance, cooperation, responsiveness, amicability, and, above all, gratefulness.

:yellow_heart:

I personally believe that some of your technical approaches could still use some work, but that's not everything.

3 Likes
