Renew failure error: Missing command line flag

domain https://gbcblog.com/

plain vanilla certbot renew process.

Name Based Hosting, > 500 domains per ip address

Important note: I set up procedures to request certs in batches of 35 or so. Ran it 3 times a day.
I was using the apache installer, until it failed after 250 domains or so, then I switched to this
certbot certonly -n --webroot -w /var/www/html --agree-tos -d ' . $ourhost . ' -d ' . $ourhostwww;

I have had my 500+ certificates renew successfully; this is one of the few exceptions and one of the only ones I have no clue as to what is wrong. The only thing I can think of is to try and revoke and re-request a cert. Please advise.

I do not see anything wrong with either the command or the apache files. I do not know if there is something I should be looking for in the letsencrypt file.

I included the apache conf files. I looked for the webroot,
I see
ServerName gbcblog.com
ServerAlias www.gbcblog.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
  1. letsencrypt log

  2. apache conf files

2019-10-17 09:07:16,662:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2019-10-17 09:07:16,662:WARNING:certbot.renewal:Attempting to renew cert (gbcblog.com) from /etc/letsencrypt/renewal/gbcblog.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for gbcblog.com:
Choices: ['Enter a new webroot', '/var/www/html']

(You can set this with the --webroot-path flag). Skipping.
2019-10-17 09:07:16,663:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 81, in perform
self._set_webroots(achalls)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 99, in _set_webroots
known_webroots)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 115, in _prompt_for_webroot
webroot = self._prompt_with_webroot_list(domain, known_webroots)
File "/usr/lib/python3/dist-packages/certbot/plugins/webroot.py", line 132, in _prompt_with_webroot_list
cli_flag=path_flag, force_interactive=True)
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 507, in menu
self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Select the webroot for gbcblog.com:
Choices: ['Enter a new webroot', '/var/www/html']

(You can set this with the --webroot-path flag)

gbcblog-le-ssl.conf

ServerName gbcblog.com
ServerAlias www.gbcblog.com

ServerAdmin webmaster@localhost
**DocumentRoot /var/www/html**

<Directory />
	Options FollowSymLinks
	AllowOverride None
</Directory>
<Directory /var/www/html>
	Options Indexes FollowSymLinks MultiViews
	AllowOverride All
	Order allow,deny
	allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
	AllowOverride None
	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
	Order allow,deny
	Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/gbcblog.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gbcblog.com/privkey.pem

gbcblog.conf

ServerName gbcblog.com
ServerAlias www.gbcblog.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

<Directory />
	Options FollowSymLinks
	AllowOverride None
</Directory>
<Directory /var/www/html>
	Options Indexes FollowSymLinks MultiViews
	AllowOverride All
	Order allow,deny
	allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
	AllowOverride None
	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
	Order allow,deny
	Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [NC,END,NE,R=permanent]

Certbot stores the configuration details needed by “certbot renew” in files in /etc/letsencrypt/renewal/. There was a bug in certain versions of Certbot that can lead to the web root being left out under certain circumstances, breaking future renewals.

So now you have to fix it.

“sudo certbot renew --cert-name gbcblog.com -w /var/www/html” might work.

If not, you could rerun the “certbot certonly ...” command you used to create the certificate originally.

You can also edit /etc/letsencrypt/renewal/gbcblog.com.conf in a text editor.

See the /etc/letsencrypt/renewal/ files listed below after the —

When I compare 1) to 2) I see that

if I delete the line

webroot_path = /var/www/html,

and add the lines

gbcblog.com = /var/www/html
www.gbcblog.com = /var/www/html

Do you think I would be okay?

I err on the side of caution with security and certificate type things. Most of the time I would just push the buttons and see what happens. I take my responsibilities seriously about complying with the terms of service and wishes of Letsencrypt.


Thanks. I am going to show 3 examples and bold some items for review. First is the error conf
/etc/letsencrypt/renewal/gbcblog.com.conf

# renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/gbcblog.com
cert = /etc/letsencrypt/live/gbcblog.com/cert.pem
privkey = /etc/letsencrypt/live/gbcblog.com/privkey.pem
chain = /etc/letsencrypt/live/gbcblog.com/chain.pem
fullchain = /etc/letsencrypt/live/gbcblog.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 51759ba3dccb8494b190da63f954a1f3
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
www.gbcblog.com = /var/www/html

  2. a good example

# renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/adelphiachiropracticblog.com
cert = /etc/letsencrypt/live/adelphiachiropracticblog.com/cert.pem
privkey = /etc/letsencrypt/live/adelphiachiropracticblog.com/privkey.pem
chain = /etc/letsencrypt/live/adelphiachiropracticblog.com/chain.pem
fullchain = /etc/letsencrypt/live/adelphiachiropracticblog.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 51759ba3dccb8494b190da63f954a1f3
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
adelphiachiropracticblog.com = /var/www/html
www.adelphiachiropracticblog.com = /var/www/html

  3. another good example

# renew_before_expiry = 30 days

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/georgetownfamilychiropracticblog.com
cert = /etc/letsencrypt/live/georgetownfamilychiropracticblog.com/cert.pem
privkey = /etc/letsencrypt/live/georgetownfamilychiropracticblog.com/privkey.pem
chain = /etc/letsencrypt/live/georgetownfamilychiropracticblog.com/chain.pem
fullchain = /etc/letsencrypt/live/georgetownfamilychiropracticblog.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 51759ba3dccb8494b190da63f954a1f3
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
georgetownfamilychiropracticblog.com = /var/www/html
www.georgetownfamilychiropracticblog.com = /var/www/html

You don’t need to delete the webroot_path setting, but if you add the gbcblog.com = ... line, it should work. :smile:

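The fix above is a one-line edit, but with 500+ lineages the same gap can sit in other renewal confs until their renewal fails. The following is an added example (not from this thread and not certbot's own code) that audits a conf in the layout shown above for domains missing from `[[webroot_map]]` and appends them; it assumes the caller supplies the domains the certificate covers (for example from `certbot certificates`), since the conf itself does not list them.

```python
# Added example: check a certbot renewal conf for domains that have no
# [[webroot_map]] entry, which is what makes "certbot renew" prompt and fail.

# Constructed sample mirroring the broken conf in the thread (account id is a placeholder).
BROKEN_CONF = """\
version = 0.31.0
privkey = /etc/letsencrypt/live/gbcblog.com/privkey.pem
fullchain = /etc/letsencrypt/live/gbcblog.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
www.gbcblog.com = /var/www/html
"""

def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] section."""
    mapping, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # any section header starts or ends the map
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            mapping[key.strip()] = value.strip()
    return mapping

def missing_webroot_domains(conf_text, domains):
    """Domains certbot would have to prompt a webroot for (the error in the thread)."""
    known = parse_webroot_map(conf_text)
    return [d for d in domains if d not in known]

def add_webroot_entries(conf_text, domains, webroot):
    """Insert `domain = webroot` at the end of [[webroot_map]] for each missing domain.
    webroot_path is left untouched, as the reply above says deleting it is unnecessary."""
    new = [f"{d} = {webroot}" for d in missing_webroot_domains(conf_text, domains)]
    if not new:
        return conf_text
    lines = conf_text.rstrip("\n").splitlines()
    if "[[webroot_map]]" not in lines:   # no map at all: create it as the last section
        lines.append("[[webroot_map]]")
    end = lines.index("[[webroot_map]]") + 1
    while end < len(lines) and not lines[end].lstrip().startswith("["):
        end += 1                         # walk to the next section header or EOF
    lines[end:end] = new
    return "\n".join(lines) + "\n"
```

Run it over every file in /etc/letsencrypt/renewal/ with the domain list for each lineage, and write the result back only after diffing it against the original.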

Mr nmordoff found the solution. I wanted to post about what we might have done wrong. After we fixed the file in /etc/letsencrypt/renewal/, we got this error:

Domain: www.gbcblog.com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for www.gbcblog.com
2019-10-17 17:17:56,164:DEBUG:certbot.error_handler:Encountered exception:

We had the CNAME record as GBCBlog.com.
We changed it to gbcblog.com, and it worked.
