Renewal hangs, never times out

My domain is: program.youimpact.com

certbot renew --dry-run --verbose

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/program.youimpact.com.conf


Certificate is due for renewal, auto-renewing...

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

nginx -v
nginx version: nginx/1.22.1

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.2.0

I need to know if the active DNS Connectivity Issue could be related to why my SSL auto-renewal process is failing today. My website certificate expired today and the process to renew hangs indefinitely when attempting to auto-renew.

certbot renew --dry-run --verbose
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/program.youimpact.com.conf


Certificate is due for renewal, auto-renewing...

/var/log/letsencrypt/letsencrypt.log

2025-03-01 11:04:04,880:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2025-03-01 11:04:04,981:DEBUG:certbot._internal.main:certbot version: 3.2.0
2025-03-01 11:04:04,981:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/4412/bin/certbot
2025-03-01 11:04:04,981:DEBUG:certbot._internal.main:Arguments: ['--dry-run', '--verbose', '--preconfigured-renewal']
2025-03-01 11:04:04,981:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-03-01 11:04:05,018:DEBUG:certbot._internal.log:Root logging level set at 20
2025-03-01 11:04:05,020:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/program.youimpact.com.conf
2025-03-01 11:04:05,021:DEBUG:certbot.configuration:Var server=https://acme-staging-v02.api.letsencrypt.org/directory (set by user).
2025-03-01 11:04:05,021:DEBUG:certbot.configuration:Var account=None (set by user).
2025-03-01 11:04:05,021:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-03-01 11:04:05,021:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-03-01 11:04:05,031:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2025-03-01 09:29:28 UTC.
2025-03-01 11:04:05,031:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2025-03-01 11:04:05,031:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2025-03-01 11:07:30,513:ERROR:certbot._internal.log:Exiting due to user request.

Hosting provider is Linode
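The debug log above is the most useful evidence in this kind of report: the run logs plugin selection at 11:04:05 and then nothing until the operator interrupts it at 11:07:30, so the hang sits after "Requested authenticator nginx and installer nginx". The following triage script is an added example, not from the thread or from Certbot itself. It parses Certbot's `timestamp:LEVEL:logger:message` log format, reports the last step recorded and the largest gap between consecutive entries; the sample lines are constructed, modelled on the log in this post.

```python
"""Locate where a Certbot run stalled from its debug log.

Added example, not from the thread: parses lines in the format
`YYYY-MM-DD HH:MM:SS,mmm:LEVEL:logger:message` that Certbot writes to
/var/log/letsencrypt/letsencrypt.log, then reports the last step recorded
and the largest time gap between consecutive entries (the hang sits right
after the entry before that gap).
"""
import re
import sys
from datetime import datetime

LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3}):(\w+):([\w.]+):(.*)$"
)

# Constructed sample, modelled on the log posted in the thread: the run
# selects the nginx plugin, then nothing is logged for about 3.5 minutes
# until the operator interrupts it.
SAMPLE_LOG = """\
2025-03-01 11:04:04,981:DEBUG:certbot._internal.main:certbot version: 3.2.0
2025-03-01 11:04:05,021:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2025-03-01 11:04:05,031:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2025-03-01 09:29:28 UTC.
2025-03-01 11:04:05,031:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2025-03-01 11:04:05,031:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2025-03-01 11:07:30,513:ERROR:certbot._internal.log:Exiting due to user request.
"""


def parse_log(text):
    """Return [(timestamp, level, logger, message)] for each well-formed line."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # tracebacks and continuation lines carry no timestamp
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(microsecond=int(m.group(2)) * 1000)
        entries.append((ts, m.group(3), m.group(4), m.group(5)))
    return entries


def find_stall(entries, threshold_s=30.0):
    """Largest gap of at least threshold_s seconds between consecutive entries.

    Returns (gap_seconds, entry_before, entry_after) or None."""
    worst = None
    for prev, cur in zip(entries, entries[1:]):
        gap = (cur[0] - prev[0]).total_seconds()
        if gap >= threshold_s and (worst is None or gap > worst[0]):
            worst = (gap, prev, cur)
    return worst


def diagnose(text, threshold_s=30.0):
    """Summarise a run: number of entries, last logged step, and any stall."""
    entries = parse_log(text)
    if not entries:
        return {"entries": 0, "last_step": None, "stall": None}
    stall = find_stall(entries, threshold_s)
    return {
        "entries": len(entries),
        # when the log simply ends (a hang still in progress) the last step
        # is the best evidence; a gap before "Exiting due to user request"
        # pinpoints it for an interrupted run
        "last_step": entries[-1][3],
        "stall": None if stall is None else (round(stall[0], 3), stall[1][3]),
    }


if __name__ == "__main__":
    # usage: python3 certbot_log_triage.py < /var/log/letsencrypt/letsencrypt.log
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(diagnose(text))
```

On the sample this reports a 205.482 s gap after the plugin-selection entry, which is the same place the second log later in this thread simply stops.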

Hello @clifmo, welcome to the Let's Encrypt community. :slightly_smiling_face:

Presently a very recent certificate is being served

I assume you have resolved the issue(s). :question:

2 Likes

Yes I resolved it manually however the auto renew issue persists.

1 Like

Hi @clifmo,

Please show the output of grep certbot /etc/crontab

1 Like

The output of that command is blank. Here's the command that's stuck running.

ps -ef | grep "certb"

root 850427 1 0 Mar01 ? 00:00:00 /var/lib/snapd/snap/certbot/4412/bin/python3 -s /snap/certbot/4412/bin/certbot -q renew

1 Like

Kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.

1 Like

The -q option after certbot silences output; can you remove it and let cron run again?

2 Likes

It's not in Cron at all. It's a systemd service running a snap command certbot.renew. Regardless, it's not the job that's the issue; renew does not work when I trigger it manually in exactly the same way, and I provided the full output in OP for certbot renew --dry-run --verbose

[Unit]
# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
Requires=var-lib-snapd-snap-certbot-4412.mount
Wants=network.target
After=var-lib-snapd-snap-certbot-4412.mount network.target snapd.apparmor.service
X-Snappy=yes

[Service]
EnvironmentFile=-/etc/environment
ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew
SyslogIdentifier=certbot.renew
Restart=no
WorkingDirectory=/var/snap/certbot/4412
TimeoutStopSec=30
Type=oneshot

I have this exact same issue, with a very similar setup to yours (nginx 1.2x, certbot 3.2.0, etc), where renewal just hangs, but never errors/times out.

How did you resolve your problem manually?

Would you show the contents of this file?

Also, please answer this question:

The operating system my web server runs on is (include version):

I doubt any DNS issue would cause a log like you show. But can you describe more about this "DNS Connectivity" issue?

2 Likes

Re: DNS issue - that was copy/pasta from a support ticket with my hosting provider. They had a DNS-level incident active but it didn't apply to this box.

cat /etc/os-release

NAME="CentOS Stream"
VERSION="9"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="9"
PLATFORM_ID="platform:el9"
PRETTY_NAME="CentOS Stream 9"
ANSI_COLOR="0;31"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:centos:centos:9"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 9"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"

cat /etc/letsencrypt/renewal/program.youimpact.com.conf

# renew_before_expiry = 30 days
version = 3.2.0
archive_dir = /etc/letsencrypt/archive/program.youimpact.com
cert = /etc/letsencrypt/live/program.youimpact.com/cert.pem
privkey = /etc/letsencrypt/live/program.youimpact.com/privkey.pem
chain = /etc/letsencrypt/live/program.youimpact.com/chain.pem
fullchain = /etc/letsencrypt/live/program.youimpact.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = XXXXXXXXXXXXXXXXXX
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

Ah, I see what you meant by resolving this "manually". This renewal profile now cannot be used with the auto "renew" command because it requires manual interaction.

Let's try a test to see if we can get something working.

Please show output of this. It is only a test and will not interfere with your nginx config or production certs.

sudo certbot certonly --dry-run --nginx -d program.youimpact.com
3 Likes
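The point in the reply above is that a renewal profile carrying `authenticator = manual` (and no auth hook) can never be completed by an unattended `certbot renew`, whatever the cron or systemd timer does. As an added example, not from the thread or from Certbot itself, here is a pre-flight check that parses the INI-style files under /etc/letsencrypt/renewal/ and flags that condition, plus profiles still pointed at the staging CA (the staging URL appeared in the OP's first log). The sample profile is constructed, modelled on the one posted above; the `manual_auth_hook` key name is the one Certbot records for the matching CLI option.

```python
"""Pre-flight check of Certbot renewal profiles.

Added example, not from the thread or from Certbot itself. It parses the
INI-style files under /etc/letsencrypt/renewal/ and flags profiles that
`certbot renew` cannot complete unattended (authenticator = manual without
an auth hook), plus profiles still pointed at the staging CA.
"""
import configparser
import sys
from pathlib import Path

STAGING_HOST = "acme-staging-v02.api.letsencrypt.org"

# Constructed sample, modelled on the profile posted in the thread.
SAMPLE_MANUAL = """\
# renew_before_expiry = 30 days
version = 3.2.0
archive_dir = /etc/letsencrypt/archive/example.test
cert = /etc/letsencrypt/live/example.test/cert.pem
privkey = /etc/letsencrypt/live/example.test/privkey.pem
chain = /etc/letsencrypt/live/example.test/chain.pem
fullchain = /etc/letsencrypt/live/example.test/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = manual
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
"""


def parse_renewal_conf(text):
    """Certbot keeps the certificate paths above the first section header,
    which configparser rejects, so a synthetic [paths] section is prepended."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[paths]\n" + text)
    return cp


def check_profile(text):
    """Return a list of human-readable findings; an empty list means the
    profile looks renewable unattended."""
    cp = parse_renewal_conf(text)
    if not cp.has_section("renewalparams"):
        return ["no [renewalparams] section; profile is unusable for renewal"]
    params = cp["renewalparams"]
    findings = []
    if params.get("authenticator", "") == "manual" and not params.get("manual_auth_hook"):
        findings.append(
            "authenticator = manual without manual_auth_hook: the challenge must "
            "be placed interactively, so 'certbot renew' cannot complete it unattended"
        )
    if STAGING_HOST in params.get("server", ""):
        findings.append("server is the staging CA: renewed certificates will not be publicly trusted")
    for key in ("cert", "privkey", "chain", "fullchain"):
        if not cp.has_option("paths", key):
            findings.append(f"missing '{key}' path in profile header")
    return findings


def scan_dir(directory="/etc/letsencrypt/renewal"):
    """Map profile filename -> findings for every *.conf in the directory."""
    return {p.name: check_profile(p.read_text())
            for p in sorted(Path(directory).glob("*.conf"))}


if __name__ == "__main__":
    # usage: sudo python3 check_renewal_profiles.py [/etc/letsencrypt/renewal]
    if len(sys.argv) > 1:
        for name, findings in scan_dir(sys.argv[1]).items():
            print(name, "->", findings or "ok")
    else:
        print(check_profile(SAMPLE_MANUAL))
```

Run it against the real directory after any manual `certonly` run: a manual profile is the thing to look for whenever a timer-driven renew never succeeds but nothing in the log says why.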

Here's the output. It's hanging just as reported.

sudo certbot certonly --dry-run --nginx -d program.youimpact.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

cat /var/log/letsencrypt/letsencrypt.log

2025-03-05 22:50:47,902:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2025-03-05 22:50:48,017:DEBUG:certbot._internal.main:certbot version: 3.2.0
2025-03-05 22:50:48,017:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/4412/bin/certbot
2025-03-05 22:50:48,017:DEBUG:certbot._internal.main:Arguments: ['--dry-run', '--nginx', '-d', 'program.youimpact.com', '--preconfigured-renewal']
2025-03-05 22:50:48,017:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-03-05 22:50:48,077:DEBUG:certbot._internal.log:Root logging level set at 30
2025-03-05 22:50:48,079:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx

1 Like

We'll have to poke around to see why. This is an unusual problem.

Would you show the entire (long) output of this? An upper case T is essential.

sudo nginx -T

Better would be to upload this upload.txt file

sudo nginx -T >upload.txt
3 Likes

upload.txt (12.8 KB)

At the top of this config file:
/etc/nginx/conf.d/program.youimpact.com.conf

You have the below server block. You should remove it. You already have one with this server_name that has proper "listen" statements for port 80. This one looks like a mashup of something for port 80 and port 443, yet has no active listen statements for either.

The default with no listens includes port 80 and could well be causing confusion about which server block is correct (this or the later correct one). It may not be causing the hang but it isn't productive. After you remove these lines restart (not just reload) nginx and retry the --dry-run command I showed earlier.

server {
    if ($host = program.youimpact.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name program.youimpact.com;

    rewrite ^ https://program.youimpact.com$request_uri? permanent;

#    listen [::]:443 ssl; # managed by Certbot
#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/program.youimpact.com/fullchain.pem; # managed by Certbot
#    ssl_certificate_key /etc/letsencrypt/live/program.youimpact.com/privkey.pem; # managed by Certbot
#    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
#    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
3 Likes
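The block quoted above is easy to miss by eye because its listen lines are still there, only commented out. As an added example, not from the thread or from nginx or Certbot, here is a small audit script that reads `nginx -T` output (or any nginx config text), strips comments first so a commented-out `listen` does not count, and reports every server block that has no active listen directive, together with the server_name values it would compete for. The sample config is constructed, modelled on the block quoted above plus the two real port-80 and port-443 servers the reply mentions.

```python
"""Audit nginx server blocks for missing `listen` directives.

Added example, not from the thread: feed it `nginx -T` output. Comments are
dropped first, so a commented-out `listen` does not count as active, which
is exactly the situation in the block quoted in the thread.
"""
import re
import sys

# Constructed sample modelled on the thread: block 1 has only commented-out
# listen lines; blocks 2 and 3 are the real port-80 and port-443 servers.
SAMPLE_NGINX = """\
server {
    if ($host = example.test) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name example.test;
    rewrite ^ https://example.test$request_uri? permanent;
#    listen 443 ssl; # managed by Certbot
#    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
}
server {
    listen 80;
    listen [::]:80;
    server_name example.test;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem;
}
"""


def strip_comments(text):
    """Drop '#' to end of line. A '#' inside a quoted string would also be
    cut; this simple scanner does not track quotes."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def find_server_blocks(text):
    """Return the body text of every `server { ... }` block, honouring nesting."""
    text = strip_comments(text)
    bodies = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        bodies.append(text[m.end():i - 1])
    return bodies


def top_level_directives(body):
    """Split a block body into its own directives; nested blocks (if,
    location) are skipped, since listen/server_name must sit at top level."""
    out, buf, depth = [], [], 0
    for ch in body:
        if ch == "{":
            if depth == 0:
                buf = []  # discard the header of the nested block
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            if ch == ";":
                stmt = "".join(buf).split()
                if stmt:
                    out.append(stmt)
                buf = []
            else:
                buf.append(ch)
    return out


def summarize_servers(text):
    """One dict per server block: its server_name values and active listens."""
    summary = []
    for body in find_server_blocks(text):
        stmts = top_level_directives(body)
        summary.append({
            "names": [n for s in stmts if s[0] == "server_name" for n in s[1:]],
            "listens": [" ".join(s[1:]) for s in stmts if s[0] == "listen"],
        })
    return summary


def blocks_without_listen(text):
    """1-based indices of server blocks with no active listen directive. Such
    a block silently defaults to port 80 (when nginx runs as root) and
    competes with the real port-80 server for the same names."""
    return [i for i, s in enumerate(summarize_servers(text), 1) if not s["listens"]]


if __name__ == "__main__":
    # usage: sudo nginx -T | python3 audit_nginx_listen.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NGINX
    for i, s in enumerate(summarize_servers(text), 1):
        flag = "" if s["listens"] else "  <-- no active listen"
        print(f"server #{i}: names={s['names']} listens={s['listens']}{flag}")
```

Because `nginx -T` prints every included file with `# configuration file ...:` markers, the comment stripping also removes those, so the whole dump can be piped in unchanged.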

From "Certbot hangs on auto and manual renewal, but never errors out - #5 by casestry": the OP there fixed the same problem by disabling OCSP stapling, which you have too. Can you try that?

3 Likes

I am not convinced that removing stapling lines in that other thread was the full and complete answer. I have stapling enabled in my own nginx server and renew fine with Certbot --nginx and same Certbot snap v3.2 as these two threads.

Also, while this thread's nginx config has the two stapling lines in the port 443 server block, the nginx server never sends an OCSP stapled response :slight_smile: Their nginx error log probably says something about that.

That said, since Let's Encrypt will soon be dropping OCSP URL from their certs they could remove stapling lines anyway. I just don't think it will help.

If removing the faulty server block I described does not fix the hang I plan to suggest --webroot rather than --nginx. And, in two variations one w/out --deploy-hook and one with it.

3 Likes

Thanks Mike. I removed the block. No difference.

If removing the faulty server block I described does not fix the hang I plan to suggest --webroot rather than --nginx. And, in two variations one w/out --deploy-hook and one with it.

--webroot seemed to work. I'm not sure I follow you on the exact command you're suggesting. Ideally I'd get this back to auto renewal. Thanks again for the help.

sudo certbot certonly --dry-run --webroot -d program.youimpact.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.


An RSA certificate named program.youimpact.com already exists. Do you want to
update its key type to ECDSA?


1 Like