Renewal broken - no virtual host on port 80

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: moodle.ngberger.com

I ran this command: certbot renew

It produced this output:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for moodle.ngberger.com
Enabled Apache rewrite module
Cleaning up challenges
Attempting to renew cert (moodle.ngberger.com) from /etc/letsencrypt/renewal/moodle.ngberger.com.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/moodle.ngberger.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/moodle.ngberger.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.4.LTS 5.4.0-104

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ssl

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 moodle.ngberger.com (/etc/apache2/sites-enabled/moodle.ngberger.com-le-ssl.conf:2)

If I add a .conf file in sites-enabled, as suggested last time I had this problem on my other server (thread "Automatic renewal broken after ubuntu upgrade to 20.4. No virtual hosts on port 80?"), Apache fails and the site goes down.
The file I tried said:
<VirtualHost *:80>
ServerName moodle.ngberger.com
ServerAlias moodle.ngberger.com
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =moodle.ngberger.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Please help me fix this. My certificate expires on March 26th and I don't want students to find the site does not work.
Norbert

1 Like
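As an added example, not part of the thread, a small Python pre-flight check that reads `apachectl -t -D DUMP_VHOSTS` output and reports which of ports 80 and 443 have no virtual host naming the domain (port 80 being what the apache authenticator's http-01 challenge needs). Both listings are constructed: the first mirrors the output quoted above, the second imitates the name-based form Apache prints once several vhosts share a port.

```python
import re

# Constructed sample, modelled on the `apachectl -t -D DUMP_VHOSTS` output in
# the first post: the only vhost for the domain listens on *:443.
DUMP_SINGLE = """\
VirtualHost configuration:
*:443                  moodle.ngberger.com (/etc/apache2/sites-enabled/moodle.ngberger.com-le-ssl.conf:2)
"""

# Constructed sample of the name-based listing Apache prints once a port has
# several vhosts (the picture after a *:80 vhost for the domain is added).
DUMP_NAMEVHOST = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server localhost (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost localhost (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost moodle.ngberger.com (/etc/apache2/sites-enabled/moodle.ngberger.com.conf:1)
                 alias www.moodle.ngberger.com
*:443                  moodle.ngberger.com (/etc/apache2/sites-enabled/moodle.ngberger.com-le-ssl.conf:2)
"""

_SINGLE = re.compile(r"^\S+:(?P<port>\d+)\s+(?P<name>[^\s(]+)\s+\(")
_NAMEVHOST = re.compile(r"^\s+port (?P<port>\d+) namevhost (?P<name>\S+)\s+\(")
_ALIAS = re.compile(r"^\s+alias (?P<name>\S+)")

def parse_dump_vhosts(text):
    """Return {port: {server names and aliases}} from DUMP_VHOSTS output."""
    listeners = {}
    current = None  # port of the vhost that a following 'alias' line belongs to
    for line in text.splitlines():
        m = _SINGLE.match(line) or _NAMEVHOST.match(line)
        if m:
            current = int(m["port"])
            listeners.setdefault(current, set()).add(m["name"])
            continue
        m = _ALIAS.match(line)
        if m and current is not None:
            listeners[current].add(m["name"])
    return listeners

def missing_ports(domain, dump_text, wanted=(80, 443)):
    """Ports in `wanted` that have no vhost naming `domain`. Port 80 is what
    certbot's apache authenticator needs for http-01; 443 is what the browser
    needs once the certificate is installed."""
    listeners = parse_dump_vhosts(dump_text)
    return [p for p in wanted if domain not in listeners.get(p, set())]

if __name__ == "__main__":
    for label, dump in (("before", DUMP_SINGLE), ("after", DUMP_NAMEVHOST)):
        print(label, "missing vhost on port(s):", missing_ports("moodle.ngberger.com", dump) or "none")
```

On a live host, pipe the real command into `parse_dump_vhosts` instead of the constructed strings; a non-empty result for port 80 is exactly the condition behind the renewal error above.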

You need the port 80 virtual host. Figuring out why Apache fails when you add it, would be a good next step.

You can add the virtual host and do a config test without reloading Apache:

sudo apachectl configtest

If that reports errors, you'll need to fix them. Or post what the error message is here and we can help you.

3 Likes

Thanks for offering to help. When I put the file into sites-enabled and test I get the following error message:
root@moodlengbergercom:/etc/apache2/sites-enabled# sudo apachectl configtest
AH00526: Syntax error on line 31 of /etc/apache2/sites-enabled/moodle.ngberger.com-le-ssl.conf:
Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.

The file reads as follows:
<VirtualHost *:80>
ServerName moodle.ngberger.com
ServerAlias moodle.ngberger.com
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =moodle.ngberger.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

What's the problem? Thanks for helping.
Norbert

1 Like

Is mod_rewrite enabled? Try running a2enmod rewrite

2 Likes

Ok. Have enabled mod_rewrite and copied the second conf file into sites-enabled.
Renewal succeeded. Many thanks! Brilliant.
:smiley:
Norbert

1 Like

Second conf file removed before, as now the conf file is recognised as a virtual host on port 80.
Cheers again

1 Like

Oops. Now there is no secure connection. Need to explore.

The browser shows me this:
An error occurred during a connection to moodle.ngberger.com. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.

You probably need a virtualhost on port 443 to serve the website.

Certbot will probably make one if you run certbot install

1 Like

Phew! Don't know what I would have done without your advice! Thanks.

2 Likes

Checking on the expiry date of the certificate, I still get "certificate expires in a few days". Checking, I get:
root@moodlengbergercom:/etc/apache2/sites-enabled# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/moodle.ngberger.com.conf


Cert not yet due for renewal


The following certs are not due for renewal yet:
/etc/letsencrypt/live/moodle.ngberger.com/fullchain.pem expires on 2022-06-15 (skipped)
No renewals were attempted.

So how do I replace the old with the skipped one?

It looks like it works:

~ $ openssl s_client -quiet -connect moodle.ngberger.com:443
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = moodle.ngberger.com
verify return:1
~ $
1 Like

Show me the lines in the Apache config where the certificates get referenced (SSLCertificateFile and SSLCertificateKeyFile directives, if I recall correctly).

Also show me the output of certbot certificates

1 Like

Okay, I have become quite confused by the two different certificates: The ssl certificate is recognised by the browser. I misunderstood the message above. I had better stop now.

Yes. Everything seems okay now. Thanks

1 Like

Indeed, you served a certificate that expires on June 15th.

---
Certificate chain
 0 s:CN = moodle.ngberger.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Mar 17 06:30:41 2022 GMT; NotAfter: Jun 15 06:30:40 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
1 Like
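As an added example, not from the thread, a Python helper that parses an `openssl s_client` chain listing like the one above and reports how many days the served leaf certificate has left, which is the check that settles "does the browser see the renewed certificate or the old one". The sample listing is constructed in the shape of the output quoted above, with the validity dates the page shows.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of the `openssl s_client` chain listing
# quoted above; the validity dates are the ones the page shows.
CHAIN_SAMPLE = """\
---
Certificate chain
 0 s:CN = moodle.ngberger.com
   i:C = US, O = Let's Encrypt, CN = R3
   v:NotBefore: Mar 17 06:30:41 2022 GMT; NotAfter: Jun 15 06:30:40 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
"""

_SUBJECT = re.compile(r"^\s*(?P<depth>\d+) s:(?P<subject>.*)$")
_VALIDITY = re.compile(r"NotBefore: (?P<nb>.+?) GMT; NotAfter: (?P<na>.+?) GMT")

def parse_gmt(text):
    """Parse an openssl validity timestamp such as 'Sep  4 00:00:00 2020'."""
    text = " ".join(text.split())  # openssl pads single-digit days with a space
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_chain(text):
    """Return [(depth, subject, not_before, not_after)] for each chain entry."""
    entries, depth, subject = [], None, None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            depth, subject = int(m["depth"]), m["subject"].strip()
            continue
        m = _VALIDITY.search(line)
        if m and subject is not None:
            entries.append((depth, subject, parse_gmt(m["nb"]), parse_gmt(m["na"])))
    return entries

def days_until_served_expiry(text, now=None):
    """Whole days until the served leaf (depth 0) expires; negative if it already
    has. `now` may be a datetime or an openssl-style GMT string; default is the
    current time. Certbot renews when under 30 days remain, so a value well above
    30 after a successful `certbot renew` is the expected picture."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_gmt(now)
    leaf = next(e for e in parse_chain(text) if e[0] == 0)
    return (leaf[3] - now).days
```

Feed it the real output of `openssl s_client -connect moodle.ngberger.com:443 </dev/null` to compare what the server serves against what `certbot certificates` reports on disk.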

Thanks. I am amazed what you can retrieve from your logs. So I guess the problem is now solved. Many thanks to you all.
Norbert

1 Like

It's not logs, it's just openssl s_client asking your server directly. :wink:

1 Like

Ah. Yes. Openssl can apparently do many things I am not aware of. Feeling sheepish. Should learn some more. If only I had the time! Best wishes.

It's a big and very complex (this is not good when talking encryption -- see why libressl was launched) piece of software.

I suppose not even its developers know all of its options. Most people only know the subcommands and options they need.

1 Like