Renew failing - apparently only on one domain. Version problem?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.thecoachmasternetwork.com

I ran this command: certbot renew

It produced this output:
root@ianhobson:~# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/coachmaster.co.uk-0001.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/coachmaster.co.uk.conf


Attempting to parse the version 1.22.0 renewal configuration file found at /etc/letsencrypt/renewal/coachmaster.co.uk.conf with version 0.40.0 of Certbot. This might not work.
Cert not yet due for renewal
Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer nginx.


Processing /etc/letsencrypt/renewal/thecoachmasternetwork.com.conf


Attempting to parse the version 1.22.0 renewal configuration file found at /etc/letsencrypt/renewal/thecoachmasternetwork.com.conf with version 0.40.0 of Certbot. This might not work.
Cert not yet due for renewal
Could not choose appropriate plugin for updaters: Could not select or initialize the requested installer nginx.


The following certs are not due for renewal yet:
/etc/letsencrypt/live/coachmaster.co.uk-0001/fullchain.pem expires on 2022-05-16 (skipped)
/etc/letsencrypt/live/coachmaster.co.uk/fullchain.pem expires on 2022-04-28 (skipped)
/etc/letsencrypt/live/thecoachmasternetwork.com/fullchain.pem expires on 2022-04-29 (skipped)
No renewals were attempted.


root@ianhobson:~#

My web server is (include version): Nginx - 1.20.1 with extra modules compiled in

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Background.
This morning I got the Let's Encrypt certificate expiration notice for domain "www.thecoachmasternetwork.com" saying it will expire tomorrow.

The machine was rebuilt from 18:04 recently, and I may have made an error in the conversion or setting up.

Help! I'm out of my depth.
Ian

Two things:

  • Please show the output of the command: sudo certbot certificates
  • It seems at least one of your certificates was issued by Certbot version 1.22.0 (fairly recent), but for some reason the Certbot version currently running is an ancient version, 0.40.0? How is that possible?
2 Likes
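
The warning in the output above comes from the version recorded in each renewal configuration file. As an added example (not part of the original posts, and not Certbot's own code), this shell sketch lists the renewal configs written by a newer Certbot than the one installed. It assumes each file carries a `version = X.Y.Z` line and that GNU `sort -V` is available; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag renewal configs written by a newer Certbot than the installed one.

# version_lt A B: succeeds when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# conf_version FILE: print the value of the "version = ..." line of a renewal config.
conf_version() {
    sed -n 's/^version[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# newer_confs DIR INSTALLED: print "<file> <version>" for every config in DIR
# whose recorded version is newer than INSTALLED.
newer_confs() {
    for nc_conf in "$1"/*.conf; do
        [ -e "$nc_conf" ] || continue
        nc_ver=$(conf_version "$nc_conf")
        [ -n "$nc_ver" ] || continue
        if version_lt "$2" "$nc_ver"; then
            printf '%s %s\n' "$(basename "$nc_conf")" "$nc_ver"
        fi
    done
}

# make_sample DIR: write constructed renewal configs (file names taken from the
# output in the thread, contents invented for the demonstration).
make_sample() {
    printf 'version = 0.40.0\n[renewalparams]\ninstaller = nginx\n' \
        > "$1/coachmaster.co.uk-0001.conf"
    printf 'version = 1.22.0\n[renewalparams]\ninstaller = nginx\n' \
        > "$1/coachmaster.co.uk.conf"
    printf 'version = 1.22.0\n[renewalparams]\ninstaller = nginx\n' \
        > "$1/thecoachmasternetwork.com.conf"
}

sample=$(mktemp -d)
make_sample "$sample"
newer_confs "$sample" 0.40.0

# Real use (reads only, changes nothing):
#   newer_confs /etc/letsencrypt/renewal "$(certbot --version 2>&1 | awk '{print $2}')"
```

Any file it lists was last written by a newer Certbot than the one currently running, which is the situation the "This might not work" warning describes.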

It's possible because certbot was installed on the previous server, and I tried to move things over.
Suspect I need to remove and reinstall, but I don't know which configs to remove and which to keep.

Either all of them or none of them.

1 Like

Was your previous server also using the same nginx? Because it seems Certbot doesn't like your current nginx version.. Something different in that regard?

Also note that the certificate with Certificate Name: thecoachmasternetwork.com is redundant with regard to the certificate with Certificate Name: coachmaster.co.uk

The same goes for the certificate with Certificate Name: coachmaster.co.uk-0001, but that seems to be the only certificate working, probably issued freshly on the new server?

2 Likes

The previous server was using nginx, but some of the modules were older. I tend to update it and recompile every few months. The new server was built with a new compilation of nginx - but same modules and libraries.
I don't understand how the certificates for thecoachmasternetwork.com and coachmaster.co.uk can be linked. They are two separate web sites.
The coachmaster.co.uk-001 certificate was the result of a mistake I made about a year ago. I don't know how to correct it.

It appears I have a mismatch of new & old, and snap and "apt" installed certbots. So....
I am preparing the following work to remove certbot and start afresh. Could some expert please cast their eyes over it, and see if I have missed something or risk damaging something else.

Edit all HTTPS sites to switch to port 80 and remove mention of letsencrypt
And certificates, and restart nginx 

$ sudo apt  remove certbot 
$ sudo apt remove python3-certbot
$ sudo snap remove certbot

Remove  these files and directories that remain, and all contents 
   /etc/letsencrypt
   /var/log/letsencrypt
   /var/lib/letsencrypt
   /usr/bin/letsencrypt
   /etc/cron.d/certbot 
   /etc/logrotate.d/certbot 
   /var/snap/certbot 
   /root/snap/certbot
   /snap/certbot
   /snap/bin/certbot 
   /usr/bin/certbot
   /usr/lib/python3/dist-packages/certbot 
   /usr/share/doc
   /etc/systemd/system/timers.target.wants/certbot/timer
   /var/lib/systemd/deb-systemd-helper-enable/timer.target.wants/certbot.timer
   /usr/lib/systemd/system/certbot.timer

Reboot server
Install and set up again...
   $ sudo snap install core; sudo snap refresh core
   $ sudo snap install --classic certbot
   $ sudo ln -s /snap/bin/certbot /usr/bin/certbot
   $ sudo certbot --nginx
   $ sudo certbot renew --dry-run

Check that sites that should have been updated are now on https, 
and the others have not been updated and remain on http ports 80, 8080 and 8088. 

A certificate can contain many different hostnames. As long as both sites resolve to the same IP address, it's quite easy (no issue at all) to incorporate all the hostnames in a single certificate.

Removing that directory isn't necessary. Actually, I would recommend to keep it at all times.

4 Likes

Thanks everyone - esp Osiris. All sorted.

Final info - to get rid of the coachmaster.co.uk-0001 certificate, I have to remove the .conf file and the directories with its name under various directories under /etc/letsencrypt .

3 Likes

You can use this:

sudo certbot delete --cert-name coachmaster.co.uk-0001
4 Likes

Indeed, please don't manually change things in the /etc/letsencrypt/ directory.

4 Likes
