Renewal of certificate fails

London · March 29, 2016, 7:28am

Hello there, the renewal for my certificate is due but I am getting an error trying to renew my certificate.
This is the command I used: /opt/letsencrypt/letsencrypt-auto renew --renew-by-default
And this is the output I get

Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt renew --renew-by-default
Processing /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf
2016-03-29 09:21:39,604:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf produced an unexpected error: Unexpected response Content-Type: text/html. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/einfach-leichter-kurse.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

my logfile gives me this info

2016-03-29 07:21:37,236:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-03-29 07:21:37,236:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-03-29 07:21:37,237:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.2
2016-03-29 07:21:37,237:DEBUG:letsencrypt.cli:Arguments: ['--renew-by-default']
2016-03-29 07:21:37,237:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-03-29 07:21:37,251:DEBUG:letsencrypt.cli:Requested authenticator  and installer 
2016-03-29 07:21:37,251:DEBUG:letsencrypt.cli:Default Detector is Namespace(account='', agree_dev_preview=None, apache='', apache_challenge_location='/etc/apache2', apache_ctl=None, apache_dismod='a2dismod', apache_enmod='a2enmod', apache_handle_modules=True, apache_handle_sites=True, apache_init_script=None, apache_le_vhost_ext='-le-ssl.conf', apache_server_root='/etc/apache2', apache_vhost_root='/etc/apache2/sites-available', authenticator='', break_my_certs='', cert_path='/etc/letsencrypt', chain_path=None, checkpoints=0, config_dir='', config_file=None, configurator='', csr='', debug='', domains=[], dry_run='', duplicate='', email='london@adduce.de', expand='', fullchain_path=None, func=<function renew at 0x2cf3e60>, hsts=False, http01_port=0, ifaces='', init='', installer='', key_path='/etc/letsencrypt', logs_dir='', manual='', manual_public_ip_logging_ok=False, manual_test_mode=False, nginx='', no_self_upgrade='', no_verify_ssl=False, noninteractive_mode='', os_packages_only='', prepare='', redirect=None, register_unsafely_without_email='', reinstall='', renew_by_default=True, rsa_key_size=4096, server='https://acme-v01.api.letsencrypt.org/', staging='', standalone='', standalone_supported_challenges='tls-sni-01,http-01', store_false_vars={'--no-hsts': True, '--no-uir': True, <letsencrypt.cli.HelpfulArgumentParser object at 0x2e58150>: True, '--no-redirect': True}, strict_permissions='', text_mode=True, tls_sni_01_port=0, tos=True, uir=None, user_agent=None, verb='renew', verbose_count=0, version='', webroot='', webroot_map={}, webroot_path=[], work_dir='')
2016-03-29 07:21:37,253:INFO:letsencrypt.cli:Auto-renewal forced with --force-renewal...
2016-03-29 07:21:37,257:DEBUG:letsencrypt.cli:Requested authenticator standalone and installer none
2016-03-29 07:21:37,257:DEBUG:letsencrypt.display.ops:No candidate plugin
2016-03-29 07:21:37,443:DEBUG:letsencrypt.display.ops:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = letsencrypt.plugins.standalone:Authenticator
Initialized: <letsencrypt.plugins.standalone.Authenticator object at 0x2e69f50>
Prep: True
2016-03-29 07:21:37,444:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.standalone.Authenticator object at 0x2e69f50> and installer None
2016-03-29 07:21:37,444:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory5/regr.json'
2016-03-29 07:21:37,444:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory9/regr.json'
2016-03-29 07:21:37,445:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/regr.json'
2016-03-29 07:21:37,445:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory5/regr.json'
2016-03-29 07:21:37,445:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory9/regr.json'
2016-03-29 07:21:37,445:DEBUG:letsencrypt.account:Account loading problem
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 160, in find_all
    accounts.append(self.load(account_id))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/account.py", line 179, in load
    raise errors.AccountStorageError(error)
AccountStorageError: [Errno 2] No such file or directory: '/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/regr.json'
2016-03-29 07:21:39,349:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/. args: (), kwargs: {}
2016-03-29 07:21:39,357:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-03-29 07:21:39,600:DEBUG:requests.packages.urllib3.connectionpool:"GET / HTTP/1.1" 200 866
2016-03-29 07:21:39,603:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '866', 'Expires': 'Tue, 29 Mar 2016 07:21:40 GMT', 'Content-Encoding': 'gzip', 'Accept-Ranges': 'bytes', 'Strict-Transport-Security': 'max-age=604800', 'Vary': 'Accept-Encoding', 'Server': 'nginx', 'Last-Modified': 'Tue, 13 Oct 2015 15:42:36 GMT', 'Connection': 'keep-alive', 'ETag': '"561d266c-87f"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 29 Mar 2016 07:21:40 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'text/html'}. Content: '<!DOCTYPE html>\n\n<html lang="en">\n<head>\n  <meta charset="utf-8">\n  <meta http-equiv="X-UA-Compatible" content="IE=edge">\n  <meta name="viewport" content=\n  "width=device-width, initial-scale=1">\n\n  <title>Boulder: The Let\'s Encrypt CA</title>\n  <link href=\n  "//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css"\n  rel="stylesheet" type="text/css">\n  <link href=\n  "//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css"\n  rel="stylesheet" type="text/css">\n</head>\n\n<body>\n  <div class="container-fluid">\n    <div class="row">\n      <div class="col-xs-6 text-right">\n        <p style="font-size: 90px;">\n        <i class="fa fa-barcode"></i></p>\n      </div>\n\n      <div class="col-xs-6 text-left">\n        <h1>Boulder<br>\n        <small>The Let\'s Encrypt CA</small></h1>\n      </div>\n    </div>\n\n    <div class="row">\n      <div class="col-xs-8 col-xs-offset-2 text-center">\n        <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>\n        <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>\n        <p>If you\'re trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v01.api.letsencrypt.org/directory"><tt>https://acme-v01.api.letsencrypt.org/directory</a></tt>.</p>\n      </div>\n    </div>\n    <div class="row">\n      <div class="col-xs-4 col-xs-offset-2 text-center">\n        <p><a href="https://letsencrypt.status.io" title="Twitter">\n          <i class="fa fa-area-chart"></i>\n          Service Status (letsencrypt.status.io)\n        </a></p>\n      </div>\n      <div class="col-xs-4 text-center">\n        <p><a href="https://twitter.com/letsencrypt" title="Twitter">\n          <i class="fa fa-twitter"></i>\n          Check with us on Twitter\n        </a></p>\n      </div>\n    </div> <!-- row -->\n  </div>\n\n\n</body>\n</html>\n'
2016-03-29 07:21:39,603:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '866', 'Expires': 'Tue, 29 Mar 2016 07:21:40 GMT', 'Content-Encoding': 'gzip', 'Accept-Ranges': 'bytes', 'Strict-Transport-Security': 'max-age=604800', 'Vary': 'Accept-Encoding', 'Server': 'nginx', 'Last-Modified': 'Tue, 13 Oct 2015 15:42:36 GMT', 'Connection': 'keep-alive', 'ETag': '"561d266c-87f"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 29 Mar 2016 07:21:40 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'text/html'}): '<!DOCTYPE html>\n\n<html lang="en">\n<head>\n  <meta charset="utf-8">\n  <meta http-equiv="X-UA-Compatible" content="IE=edge">\n  <meta name="viewport" content=\n  "width=device-width, initial-scale=1">\n\n  <title>Boulder: The Let\'s Encrypt CA</title>\n  <link href=\n  "//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css"\n  rel="stylesheet" type="text/css">\n  <link href=\n  "//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css"\n  rel="stylesheet" type="text/css">\n</head>\n\n<body>\n  <div class="container-fluid">\n    <div class="row">\n      <div class="col-xs-6 text-right">\n        <p style="font-size: 90px;">\n        <i class="fa fa-barcode"></i></p>\n      </div>\n\n      <div class="col-xs-6 text-left">\n        <h1>Boulder<br>\n        <small>The Let\'s Encrypt CA</small></h1>\n      </div>\n    </div>\n\n    <div class="row">\n      <div class="col-xs-8 col-xs-offset-2 text-center">\n        <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>\n        <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>\n        <p>If you\'re trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v01.api.letsencrypt.org/directory"><tt>https://acme-v01.api.letsencrypt.org/directory</a></tt>.</p>\n      </div>\n    </div>\n    <div class="row">\n      <div class="col-xs-4 col-xs-offset-2 text-center">\n        <p><a href="https://letsencrypt.status.io" title="Twitter">\n          <i class="fa fa-area-chart"></i>\n          Service Status (letsencrypt.status.io)\n        </a></p>\n      </div>\n      <div class="col-xs-4 text-center">\n        <p><a href="https://twitter.com/letsencrypt" title="Twitter">\n          <i class="fa fa-twitter"></i>\n          Check with us on Twitter\n        </a></p>\n      </div>\n    </div> <!-- row -->\n  </div>\n\n\n</body>\n</html>\n'
2016-03-29 07:21:39,604:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf produced an unexpected error: Unexpected response Content-Type: text/html. Skipping.
2016-03-29 07:21:39,605:DEBUG:letsencrypt.cli:Traceback was:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1024, in renew
    obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 690, in obtain_cert
    le_client = _init_le_client(config, authenticator, installer)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 207, in _init_le_client
    acc, acme = _determine_account(config)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 192, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 116, in register
    acme = acme_from_config_key(config, key)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 41, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 63, in __init__
    self.net.get(directory).json())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 627, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 583, in _check_response
    'Unexpected response Content-Type: {0}'.format(response_ct))
ClientError: Unexpected response Content-Type: text/html

2016-03-29 07:21:39,605:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.4.2', 'console_scripts', 'letsencrypt')()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1993, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1041, in renew
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

pfg · March 29, 2016, 7:34am

The server URL specified in /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf is not correct. It's currently set to:

server = https://acme-v01.api.letsencrypt.org/

it should be:

server = https://acme-v01.api.letsencrypt.org/directory

London · March 29, 2016, 7:52am

Thank you, now this error is gone. Actually the server URL was correct in the /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf, the server URL specified in /etc/letsencrypt/cli.ini was set to https://acme-v01.api.letsencrypt.org/

Well but now a different error came up.
CLI output

Checking for new version...

Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt renew --renew-by-default
Processing /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf
2016-03-29 09:37:23,472:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf produced an unexpected error: max() arg is an empty sequence. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/einfach-leichter-kurse.de/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

logfile

2016-03-29 07:37:23,472:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/einfach-leichter-kurse.de.conf produced an unexpected error: max() arg is an empty sequence. Skipping.
2016-03-29 07:37:23,473:DEBUG:letsencrypt.cli:Traceback was:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1024, in renew
    obtain_cert(lineage_config, plugins, renewal_candidate)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 707, in obtain_cert
    _, action = _auth_from_domains(le_client, config, domains, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 465, in _auth_from_domains
    lineage.latest_common_version(), OpenSSL.crypto.dump_certificate(
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/storage.py", line 456, in latest_common_version
    return max(n for n in versions[0] if all(n in v for v in versions[1:]))
ValueError: max() arg is an empty sequence

2016-03-29 07:37:23,473:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.4.2', 'console_scripts', 'letsencrypt')()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1993, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1041, in renew
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

actually the log output is much longer, but it seems it contains my key

pfg · March 29, 2016, 8:01am

Did you manually modify or move any files in /etc/letsencrypt/live or /etc/letsencrypt/archive?

Could you paste a list of all file names in /etc/letsencrypt/archive/einfach-leichter-kurse.de/?

London · March 29, 2016, 8:11am

No, I didn’t move or modify any files in these folders

ll /etc/letsencrypt/archive/einfach-leichter-kurse.de/
total 16
-rw-r--r-- 1 root root 2293 Feb 11 08:37 cert.pem
-rw-r--r-- 1 root root 1675 Feb 11 08:37 chain.pem
-rw-r--r-- 1 root root 3968 Feb 11 08:37 fullchain.pem
-rw-r--r-- 1 root root 3268 Feb 11 08:37 privkey.pem

ll /etc/letsencrypt/live/einfach-leichter-kurse.de/
total 0
lrwxrwxrwx 1 root root 48 Feb 11 09:21 cert.pem -> ../../archive/einfach-leichter-kurse.de/cert.pem
lrwxrwxrwx 1 root root 49 Feb 11 09:21 chain.pem -> ../../archive/einfach-leichter-kurse.de/chain.pem
lrwxrwxrwx 1 root root 53 Feb 11 09:21 fullchain.pem -> ../../archive/einfach-leichter-kurse.de/fullchain.pem
lrwxrwxrwx 1 root root 51 Feb 11 09:21 privkey.pem -> ../../archive/einfach-leichter-kurse.de/privkey.pem

pfg · March 29, 2016, 8:17am

Files in /etc/letsencrypt/archive are named cert1.pem, chain1.pem, fullchain1.pem and privkey1.pem by default. When the client renews a certificate, it increases a counter and creates chain<n>.pem, etc. I’m pretty sure the client is throwing that error because it expects the files to be organized like that.

I would recommend renaming the files to ...1.pem and then trying again.

sahsanu · March 29, 2016, 8:29am

Hello @London,

Just two things:

1.- AFAIK, renew option is working since letsencrypt 0.4.0 so to renew a domain your certificate needs to be created with version 0.4.0 or above. I mean, if you issued your certs using letsencrypt < 0.4.0 then you need to issue your certs as usual and next time renew should work.

2.- You already issued a certificate for einfach-l[...]r-kurse.de less than an hour ago:

CRT ID    DOMAIN (CN)                    VALID FROM              VALID TO                EXPIRES IN  SANs
15823972  www.ge[...]-k[...]le.de        2016-Mar-29 08:37 CEST  2016-Jun-27 08:37 CEST  89 days     einfach-l[...]r-kurse.de
                                                                                                     ge[...]-k[...]le.de
                                                                                                     www.einfach-[...]-kurse.de
                                                                                                     www.ge[...]-k[...]le.de

Cheers,
sahsanu

system · April 28, 2016, 8:29am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Renewal failure (404 error) Help	9	5524	May 2, 2016
Help us test renewal with "letsencrypt renew" Client dev	36	52446	April 9, 2016
Cert renew issue Help	20	3785	November 13, 2018
Cert renewal attempts failed Help	12	1577	August 27, 2019
Error message - renewing Lets Encrypt via Terminal Help	65	5097	June 8, 2018

Renewal of certificate fails

Related topics