Renewal of certificate fails


#1

Hello there, the renewal for my certificate is due but I am getting an error trying to renew my certificate.
This is the command I used: /opt/letsencrypt/letsencrypt-auto renew --renew-by-default
And this is the output I get:

Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt renew --renew-by-default
Processing /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf
2016-03-29 09:21:39,604:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf produced an unexpected error: Unexpected response Content-Type: text/html. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/einfach-leichter-kurse.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My logfile gives me this info:

2016-03-29 07:21:37,236:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-03-29 07:21:37,236:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-03-29 07:21:37,237:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.2
2016-03-29 07:21:37,237:DEBUG:letsencrypt.cli:Arguments: ['--renew-by-default']
2016-03-29 07:21:37,237:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-03-29 07:21:37,251:DEBUG:letsencrypt.cli:Requested authenticator  and installer 
2016-03-29 07:21:37,251:DEBUG:letsencrypt.cli:Default Detector is Namespace(account='', agree_dev_preview=None, apache='', apache_challenge_location='/etc/apache2', apache_ctl=None, apache_dismod='a2dismod', apache_enmod='a2enmod', apache_handle_modules=True, apache_handle_sites=True, apache_init_script=None, apache_le_vhost_ext='-le-ssl.conf', apache_server_root='/etc/apache2', apache_vhost_root='/etc/apache2/sites-available', authenticator='', break_my_certs='', cert_path='/etc/letsencrypt', chain_path=None, checkpoints=0, config_dir='', config_file=None, configurator='', csr='', debug='', domains=[], dry_run='', duplicate='', email='london@adduce.de', expand='', fullchain_path=None, func=<function renew at 0x2cf3e60>, hsts=False, http01_port=0, ifaces='', init='', installer='', key_path='/etc/letsencrypt', logs_dir='', manual='', manual_public_ip_logging_ok=False, manual_test_mode=False, nginx='', no_self_upgrade='', no_verify_ssl=False, noninteractive_mode='', os_packages_only='', prepare='', redirect=None, register_unsafely_without_email='', reinstall='', renew_by_default=True, rsa_key_size=4096, server='https://acme-v01.api.letsencrypt.org/', staging='', standalone='', standalone_supported_challenges='tls-sni-01,http-01', store_false_vars={'--no-hsts': True, '--no-uir': True, <letsencrypt.cli.HelpfulArgumentParser object at 0x2e58150>: True, '--no-redirect': True}, strict_permissions='', text_mode=True, tls_sni_01_port=0, tos=True, uir=None, user_agent=None, verb='renew', verbose_count=0, version='', webroot='', webroot_map={}, webroot_path=[], work_dir='')
2016-03-29 07:21:37,253:INFO:letsencrypt.cli:Auto-renewal forced with --force-renewal...
2016-03-29 07:21:37,257:DEBUG:letsencrypt.cli:Requested authenticator standalone and installer none
2016-03-29 07:21:37,257:DEBUG:letsencrypt.display.ops:No candidate plugin
2016-03-29 07:21:37,443:DEBUG:letsencrypt.display.ops:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = letsencrypt.plugins.standalone:Authenticator
Initialized: <letsencrypt.plugins.standalone.Authenticator object at 0x2e69f50>
Prep: True
2016-03-29 07:21:37,444:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.standalone.Authenticator object at 0x2e69f50> and installer None
2016-03-29 07:21:37,444:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory5/regr.json'
2016-03-29 07:21:37,444:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory9/regr.json'
2016-03-29 07:21:37,445:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/regr.json'
2016-03-29 07:21:37,445:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory5/regr.json'
2016-03-29 07:21:37,445:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory9/regr.json'
2016-03-29 07:21:37,445:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/regr.json'
2016-03-29 07:21:39,349:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/. args: (), kwargs: {}
2016-03-29 07:21:39,357:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-03-29 07:21:39,600:DEBUG:requests.packages.urllib3.connectionpool:"GET / HTTP/1.1" 200 866
2016-03-29 07:21:39,603:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '866', 'Expires': 'Tue, 29 Mar 2016 07:21:40 GMT', 'Content-Encoding': 'gzip', 'Accept-Ranges': 'bytes', 'Strict-Transport-Security': 'max-age=604800', 'Vary': 'Accept-Encoding', 'Server': 'nginx', 'Last-Modified': 'Tue, 13 Oct 2015 15:42:36 GMT', 'Connection': 'keep-alive', 'ETag': '"561d266c-87f"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 29 Mar 2016 07:21:40 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'text/html'}. Content: '<!DOCTYPE html>\n\n<html lang="en">\n<head>\n  <meta charset="utf-8">\n  <meta http-equiv="X-UA-Compatible" content="IE=edge">\n  <meta name="viewport" content=\n  "width=device-width, initial-scale=1">\n\n  <title>Boulder: The Let\'s Encrypt CA</title>\n  <link href=\n  "//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css"\n  rel="stylesheet" type="text/css">\n  <link href=\n  "//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css"\n  rel="stylesheet" type="text/css">\n</head>\n\n<body>\n  <div class="container-fluid">\n    <div class="row">\n      <div class="col-xs-6 text-right">\n        <p style="font-size: 90px;">\n        <i class="fa fa-barcode"></i></p>\n      </div>\n\n      <div class="col-xs-6 text-left">\n        <h1>Boulder<br>\n        <small>The Let\'s Encrypt CA</small></h1>\n      </div>\n    </div>\n\n    <div class="row">\n      <div class="col-xs-8 col-xs-offset-2 text-center">\n        <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>\n        <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. 
See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>\n        <p>If you\'re trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v01.api.letsencrypt.org/directory"><tt>https://acme-v01.api.letsencrypt.org/directory</a></tt>.</p>\n      </div>\n    </div>\n    <div class="row">\n      <div class="col-xs-4 col-xs-offset-2 text-center">\n        <p><a href="https://letsencrypt.status.io" title="Twitter">\n          <i class="fa fa-area-chart"></i>\n          Service Status (letsencrypt.status.io)\n        </a></p>\n      </div>\n      <div class="col-xs-4 text-center">\n        <p><a href="https://twitter.com/letsencrypt" title="Twitter">\n          <i class="fa fa-twitter"></i>\n          Check with us on Twitter\n        </a></p>\n      </div>\n    </div> <!-- row -->\n  </div>\n\n\n</body>\n</html>\n'
2016-03-29 07:21:39,603:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '866', 'Expires': 'Tue, 29 Mar 2016 07:21:40 GMT', 'Content-Encoding': 'gzip', 'Accept-Ranges': 'bytes', 'Strict-Transport-Security': 'max-age=604800', 'Vary': 'Accept-Encoding', 'Server': 'nginx', 'Last-Modified': 'Tue, 13 Oct 2015 15:42:36 GMT', 'Connection': 'keep-alive', 'ETag': '"561d266c-87f"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 29 Mar 2016 07:21:40 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'text/html'}): '<!DOCTYPE html>\n\n<html lang="en">\n<head>\n  <meta charset="utf-8">\n  <meta http-equiv="X-UA-Compatible" content="IE=edge">\n  <meta name="viewport" content=\n  "width=device-width, initial-scale=1">\n\n  <title>Boulder: The Let\'s Encrypt CA</title>\n  <link href=\n  "//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css"\n  rel="stylesheet" type="text/css">\n  <link href=\n  "//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css"\n  rel="stylesheet" type="text/css">\n</head>\n\n<body>\n  <div class="container-fluid">\n    <div class="row">\n      <div class="col-xs-6 text-right">\n        <p style="font-size: 90px;">\n        <i class="fa fa-barcode"></i></p>\n      </div>\n\n      <div class="col-xs-6 text-left">\n        <h1>Boulder<br>\n        <small>The Let\'s Encrypt CA</small></h1>\n      </div>\n    </div>\n\n    <div class="row">\n      <div class="col-xs-8 col-xs-offset-2 text-center">\n        <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>\n        <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. 
See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>\n        <p>If you\'re trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v01.api.letsencrypt.org/directory"><tt>https://acme-v01.api.letsencrypt.org/directory</a></tt>.</p>\n      </div>\n    </div>\n    <div class="row">\n      <div class="col-xs-4 col-xs-offset-2 text-center">\n        <p><a href="https://letsencrypt.status.io" title="Twitter">\n          <i class="fa fa-area-chart"></i>\n          Service Status (letsencrypt.status.io)\n        </a></p>\n      </div>\n      <div class="col-xs-4 text-center">\n        <p><a href="https://twitter.com/letsencrypt" title="Twitter">\n          <i class="fa fa-twitter"></i>\n          Check with us on Twitter\n        </a></p>\n      </div>\n    </div> <!-- row -->\n  </div>\n\n\n</body>\n</html>\n'
2016-03-29 07:21:39,604:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf produced an unexpected error: Unexpected response Content-Type: text/html. Skipping.
2016-03-29 07:21:39,605:DEBUG:letsencrypt.cli:Traceback was:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1024, in renew
    obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 690, in obtain_cert
    le_client = _init_le_client(config, authenticator, installer)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 207, in _init_le_client
    acc, acme = _determine_account(config)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 192, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 116, in register
    acme = acme_from_config_key(config, key)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 41, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 63, in __init__
    self.net.get(directory).json())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 627, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 583, in _check_response
    'Unexpected response Content-Type: {0}'.format(response_ct))
ClientError: Unexpected response Content-Type: text/html

2016-03-29 07:21:39,605:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.4.2', 'console_scripts', 'letsencrypt')()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1993, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1041, in renew
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

#2

The server URL specified in /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf is not correct. It’s currently set to:

server = https://acme-v01.api.letsencrypt.org/

It should be:

server = https://acme-v01.api.letsencrypt.org/directory

#3

Thank you, now this error is gone. Actually, the server URL was correct in /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf; the server URL specified in /etc/letsencrypt/cli.ini was set to https://acme-v01.api.letsencrypt.org/

Well, but now a different error came up.
CLI output:

Checking for new version...

Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt renew --renew-by-default
Processing /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf
2016-03-29 09:37:23,472:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf produced an unexpected error: max() arg is an empty sequence. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/einfach-leichter-kurse.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Logfile:

2016-03-29 07:37:23,472:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf produced an unexpected error: max() arg is an empty sequence. Skipping.
2016-03-29 07:37:23,473:DEBUG:letsencrypt.cli:Traceback was:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1024, in renew
    obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 707, in obtain_cert
    _, action = _auth_from_domains(le_client, config, domains, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 465, in _auth_from_domains
    lineage.latest_common_version(), OpenSSL.crypto.dump_certificate(
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/storage.py", line 456, in latest_common_version
    return max(n for n in versions[0] if all(n in v for v in versions[1:]))
ValueError: max() arg is an empty sequence

2016-03-29 07:37:23,473:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.4.2', 'console_scripts', 'letsencrypt')()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1993, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1041, in renew
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

Actually, the log output is much longer, but it seems it contains my key.


#4

Did you manually modify or move any files in /etc/letsencrypt/live or /etc/letsencrypt/archive?

Could you paste a list of all file names in /etc/letsencrypt/archive/einfach-leichter-kurse.de/?


#5

No, I didn’t move or modify any files in these folders.

ll /etc/letsencrypt/archive/einfach-leichter-kurse.de/
total 16
-rw-r--r-- 1 root root 2293 Feb 11 08:37 cert.pem
-rw-r--r-- 1 root root 1675 Feb 11 08:37 chain.pem
-rw-r--r-- 1 root root 3968 Feb 11 08:37 fullchain.pem
-rw-r--r-- 1 root root 3268 Feb 11 08:37 privkey.pem
ll /etc/letsencrypt/live/einfach-leichter-kurse.de/
total 0
lrwxrwxrwx 1 root root 48 Feb 11 09:21 cert.pem -> ../../archive/einfach-leichter-kurse.de/cert.pem
lrwxrwxrwx 1 root root 49 Feb 11 09:21 chain.pem -> ../../archive/einfach-leichter-kurse.de/chain.pem
lrwxrwxrwx 1 root root 53 Feb 11 09:21 fullchain.pem -> ../../archive/einfach-leichter-kurse.de/fullchain.pem
lrwxrwxrwx 1 root root 51 Feb 11 09:21 privkey.pem -> ../../archive/einfach-leichter-kurse.de/privkey.pem

#6

Files in /etc/letsencrypt/archive are named cert1.pem, chain1.pem, fullchain1.pem and privkey1.pem by default. When the client renews a certificate, it increases a counter and creates chain<n>.pem, etc. I’m pretty sure the client is throwing that error because it expects the files to be organized like that.

I would recommend renaming the files to ...1.pem and then trying again.
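
As an added example (not part of the thread and not the client's own code), this Python sketch audits an archive directory for the numbered naming described in post #6 and reports when no version number is common to all four files, which is the condition behind `max() arg is an empty sequence`. The function names and the constructed sample directory are assumptions; it also flags private key files readable by group or others, as `privkey.pem` is in the listing in post #5.

```python
import os
import re
import stat
import tempfile

KINDS = ("cert", "chain", "fullchain", "privkey")
NUMBERED = re.compile(r"^(cert|chain|fullchain|privkey)(\d+)\.pem$")


def audit_archive(archive_dir):
    """Inspect one lineage's archive directory and return a report dict."""
    versions = {kind: set() for kind in KINDS}
    unnumbered, exposed_keys = [], []
    for name in sorted(os.listdir(archive_dir)):
        match = NUMBERED.match(name)
        if match:
            versions[match.group(1)].add(int(match.group(2)))
        elif name in [kind + ".pem" for kind in KINDS]:
            unnumbered.append(name)  # the layout shown in post #5
        if name.startswith("privkey"):
            mode = stat.S_IMODE(os.stat(os.path.join(archive_dir, name)).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                exposed_keys.append((name, oct(mode)))
    # Versions present for all four kinds; an empty set is the case where the
    # max() in the traceback has nothing to choose from.
    common = set.intersection(*versions.values())
    return {
        "latest_common_version": max(common) if common else None,
        "unnumbered": unnumbered,
        "exposed_keys": exposed_keys,
    }


def rename_plan(report):
    """Renames suggested in post #6 (cert.pem -> cert1.pem, ...); nothing is moved."""
    if report["latest_common_version"] is not None:
        return []
    return [(name, name[:-len(".pem")] + "1.pem") for name in report["unnumbered"]]


def build_sample(names, key_mode=0o644):
    """Create a constructed archive directory with placeholder files."""
    path = tempfile.mkdtemp(prefix="archive-")
    for name in names:
        full = os.path.join(path, name)
        with open(full, "w") as handle:
            handle.write("constructed placeholder, not real PEM data\n")
        os.chmod(full, key_mode if name.startswith("privkey") else 0o644)
    return path


if __name__ == "__main__":
    sample = build_sample(["cert.pem", "chain.pem", "fullchain.pem", "privkey.pem"])
    report = audit_archive(sample)
    print(report)
    for old, new in rename_plan(report):
        print("rename %s -> %s" % (old, new))
```

The live/ symlinks in post #5 point at the unnumbered names, so a rename in archive/ leaves them dangling until they are repointed.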


#7

Hello @London,

Just two things:

1.- AFAIK, the renew option has been working since letsencrypt 0.4.0, so to renew a domain your certificate needs to have been created with version 0.4.0 or above. I mean, if you issued your certs using letsencrypt < 0.4.0, then you need to issue your certs as usual, and next time renew should work.

2.- You already issued a certificate for einfach-l[...]r-kurse.de less than an hour ago:

CRT ID    DOMAIN (CN)                    VALID FROM              VALID TO                EXPIRES IN  SANs
15823972  www.ge[...]-k[...]le.de        2016-Mar-29 08:37 CEST  2016-Jun-27 08:37 CEST  89 days     einfach-l[...]r-kurse.de
                                                                                                     ge[...]-k[...]le.de
                                                                                                     www.einfach-[...]-kurse.de
                                                                                                     www.ge[...]-k[...]le.de

Cheers,
sahsanu

