Renewal on a roundcube config

My domain is: acupuncture-nantes.fr

I ran this command: certbot renew

It produced this output:


Processing /etc/letsencrypt/renewal/acupuncture-nantes.fr.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/mail.acupuncture-nantes.fr.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.acupuncture-nantes.fr
Waiting for verification...
Challenge failed for domain mail.acupuncture-nantes.fr
http-01 challenge for mail.acupuncture-nantes.fr
Cleaning up challenges
Attempting to renew cert (mail.acupuncture-nantes.fr) from /etc/letsencrypt/renewal/mail.acupuncture-nantes.fr.conf produced an unexpected error: Some challenges have failed.. Skipping.

[...]

The following certs are not due for renewal yet:
/etc/letsencrypt/live/acupuncture-nantes.fr/fullchain.pem expires on 2021-08-13 (skipped)
/etc/letsencrypt/live/poterie-aisne.fr/fullchain.pem expires on 2021-09-06 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.acupuncture-nantes.fr/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-66-generic x86_64)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Content of mail.acupuncture-nantes.fr.conf :

<VirtualHost *:80>

    ServerAdmin thomas@acupuncture-nantes.fr
    ServerName mail.acupuncture-nantes.fr
    DocumentRoot /usr/share/roundcube
    <Directory /usr/share/roundcube/>
            AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mail.acupuncture-nantes.fr
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

At first I thought that /usr/share/roundcube/ being owned by root:root was the issue, so I chowned it to web:web, but it didn't change anything.

Any clue?

Hi @r0dy,

Could you please show us the output of:

sudo apachectl -t -D DUMP_VHOSTS

Please show us this file:

and the output of:
sudo apachectl -S
OR
apachectl -S
[whichever works first]

@rg305
Here :

# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/mail.acupuncture-nantes.fr
cert = /etc/letsencrypt/live/mail.acupuncture-nantes.fr/cert.pem
privkey = /etc/letsencrypt/live/mail.acupuncture-nantes.fr/privkey.pem
chain = /etc/letsencrypt/live/mail.acupuncture-nantes.fr/chain.pem
fullchain = /etc/letsencrypt/live/mail.acupuncture-nantes.fr/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 93b59d6a1556ddc7eac7185d0854b6d5
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server acupuncture-ancenis.fr (/etc/apache2/sites-enabled/acupuncture-ancenis.fr-le-ssl.conf:2)
port 443 namevhost acupuncture-ancenis.fr (/etc/apache2/sites-enabled/acupuncture-ancenis.fr-le-ssl.conf:2)
alias www.acupuncture-ancenis.fr
port 443 namevhost acupuncture-nantes.fr (/etc/apache2/sites-enabled/acupuncture-nantes.fr-le-ssl.conf:2)
alias www.acupuncture-nantes.fr
alias mtc-nantes.fr
port 443 namevhost a.r0dy.net (/etc/apache2/sites-enabled/admin.r0dy.net-le-ssl.conf:2)
alias admin.r0dy.net
alias admin.mtc-nantes.fr
port 443 namevhost calligraphie-chinoise-paris.fr (/etc/apache2/sites-enabled/calligraphie-chinoise-paris.fr-le-ssl.conf:2)
alias www.calligraphie-chinoise-paris.fr
alias terre-encre.net
alias www.terre-encre.net
port 443 namevhost consult.mtc-nantes.fr (/etc/apache2/sites-enabled/consult.mtc-nantes.fr-le-ssl.conf:2)
port 443 namevhost mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/mail.acupuncture-nantes.fr-le-ssl.conf:2)
port 443 namevhost mtc.r0dy.net (/etc/apache2/sites-enabled/mtc.r0dy.net-le-ssl.conf:2)
port 443 namevhost poterie-aisne.fr (/etc/apache2/sites-enabled/poterie-aisne.fr-le-ssl.conf:2)
alias www.poterie-aisne.fr
port 443 namevhost r0dy.net (/etc/apache2/sites-enabled/r0dy.net-le-ssl.conf:2)
alias www.r0dy.net
port 443 namevhost tlvtle.r0dy.net (/etc/apache2/sites-enabled/tlvtle.r0dy.net-le-ssl.conf:2)
alias tlvtle.r0dy.net
*:80 is a NameVirtualHost
default server mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost acupuncture-ancenis.fr (/etc/apache2/sites-enabled/acupuncture-ancenis.fr.conf:1)
alias www.acupuncture-ancenis.fr
port 80 namevhost acupuncture-nantes.fr (/etc/apache2/sites-enabled/acupuncture-nantes.fr.conf:1)
alias www.acupuncture-nantes.fr
alias mtc-nantes.fr
port 80 namevhost a.r0dy.net (/etc/apache2/sites-enabled/admin.r0dy.net-le-ssl.conf:41)
alias admin.r0dy.net
alias admin.mtc-nantes.fr
port 80 namevhost a.r0dy.net (/etc/apache2/sites-enabled/admin.r0dy.net.conf:1)
alias admin.r0dy.net
alias admin.mtc-nantes.fr
port 80 namevhost calligraphie-chinoise-paris.fr (/etc/apache2/sites-enabled/calligraphie-chinoise-paris.fr.conf:1)
alias www.calligraphie-chinoise-paris.fr
alias terre-encre.net
alias www.terre-encre.net
port 80 namevhost consult.mtc-nantes.fr (/etc/apache2/sites-enabled/consult.mtc-nantes.fr-le-ssl.conf:45)
port 80 namevhost consult.mtc-nantes.fr (/etc/apache2/sites-enabled/consult.mtc-nantes.fr.conf:1)
port 80 namevhost mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/mail.acupuncture-nantes.fr.conf:1)
port 80 namevhost mtc.r0dy.net (/etc/apache2/sites-enabled/mtc.r0dy.net-le-ssl.conf:41)
port 80 namevhost mtc.r0dy.net (/etc/apache2/sites-enabled/mtc.r0dy.net.conf:1)
port 80 namevhost poterie-aisne.fr (/etc/apache2/sites-enabled/poterie-aisne.fr.conf:1)
alias www.poterie-aisne.fr
port 80 namevhost r0dy.net (/etc/apache2/sites-enabled/r0dy.net-le-ssl.conf:41)
alias www.r0dy.net
port 80 namevhost r0dy.net (/etc/apache2/sites-enabled/r0dy.net.conf:1)
alias www.r0dy.net
port 80 namevhost tlvtle.r0dy.net (/etc/apache2/sites-enabled/tlvtle.r0dy.net-le-ssl.conf:41)
alias tlvtle.r0dy.net
port 80 namevhost tlvtle.r0dy.net (/etc/apache2/sites-enabled/tlvtle.r0dy.net.conf:1)
alias tlvtle.r0dy.net
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="web" id=1001
Group: name="web" id=1001

apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server acupuncture-ancenis.fr (/etc/apache2/sites-enabled/acupuncture-ancenis.fr-le-ssl.conf:2)
port 443 namevhost acupuncture-ancenis.fr (/etc/apache2/sites-enabled/acupuncture-ancenis.fr-le-ssl.conf:2)
alias www.acupuncture-ancenis.fr
port 443 namevhost acupuncture-nantes.fr (/etc/apache2/sites-enabled/acupuncture-nantes.fr-le-ssl.conf:2)
alias www.acupuncture-nantes.fr
alias mtc-nantes.fr
port 443 namevhost a.r0dy.net (/etc/apache2/sites-enabled/admin.r0dy.net-le-ssl.conf:2)
alias admin.r0dy.net
alias admin.mtc-nantes.fr
port 443 namevhost calligraphie-chinoise-paris.fr (/etc/apache2/sites-enabled/calligraphie-chinoise-paris.fr-le-ssl.conf:2)
alias www.calligraphie-chinoise-paris.fr
alias terre-encre.net
alias www.terre-encre.net
port 443 namevhost consult.mtc-nantes.fr (/etc/apache2/sites-enabled/consult.mtc-nantes.fr-le-ssl.conf:2)
port 443 namevhost mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/mail.acupuncture-nantes.fr-le-ssl.conf:2)
port 443 namevhost mtc.r0dy.net (/etc/apache2/sites-enabled/mtc.r0dy.net-le-ssl.conf:2)
port 443 namevhost poterie-aisne.fr (/etc/apache2/sites-enabled/poterie-aisne.fr-le-ssl.conf:2)
alias www.poterie-aisne.fr
port 443 namevhost r0dy.net (/etc/apache2/sites-enabled/r0dy.net-le-ssl.conf:2)
alias www.r0dy.net
port 443 namevhost tlvtle.r0dy.net (/etc/apache2/sites-enabled/tlvtle.r0dy.net-le-ssl.conf:2)
alias tlvtle.r0dy.net
*:80 is a NameVirtualHost
default server mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost acupuncture-ancenis.fr (/etc/apache2/sites-enabled/acupuncture-ancenis.fr.conf:1)
alias www.acupuncture-ancenis.fr
port 80 namevhost acupuncture-nantes.fr (/etc/apache2/sites-enabled/acupuncture-nantes.fr.conf:1)
alias www.acupuncture-nantes.fr
alias mtc-nantes.fr
port 80 namevhost a.r0dy.net (/etc/apache2/sites-enabled/admin.r0dy.net-le-ssl.conf:41)
alias admin.r0dy.net
alias admin.mtc-nantes.fr
port 80 namevhost a.r0dy.net (/etc/apache2/sites-enabled/admin.r0dy.net.conf:1)
alias admin.r0dy.net
alias admin.mtc-nantes.fr
port 80 namevhost calligraphie-chinoise-paris.fr (/etc/apache2/sites-enabled/calligraphie-chinoise-paris.fr.conf:1)
alias www.calligraphie-chinoise-paris.fr
alias terre-encre.net
alias www.terre-encre.net
port 80 namevhost consult.mtc-nantes.fr (/etc/apache2/sites-enabled/consult.mtc-nantes.fr-le-ssl.conf:45)
port 80 namevhost consult.mtc-nantes.fr (/etc/apache2/sites-enabled/consult.mtc-nantes.fr.conf:1)
port 80 namevhost mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/mail.acupuncture-nantes.fr.conf:1)
port 80 namevhost mtc.r0dy.net (/etc/apache2/sites-enabled/mtc.r0dy.net-le-ssl.conf:41)
port 80 namevhost mtc.r0dy.net (/etc/apache2/sites-enabled/mtc.r0dy.net.conf:1)
port 80 namevhost poterie-aisne.fr (/etc/apache2/sites-enabled/poterie-aisne.fr.conf:1)
alias www.poterie-aisne.fr
port 80 namevhost r0dy.net (/etc/apache2/sites-enabled/r0dy.net-le-ssl.conf:41)
alias www.r0dy.net
port 80 namevhost r0dy.net (/etc/apache2/sites-enabled/r0dy.net.conf:1)
alias www.r0dy.net
port 80 namevhost tlvtle.r0dy.net (/etc/apache2/sites-enabled/tlvtle.r0dy.net-le-ssl.conf:41)
alias tlvtle.r0dy.net
port 80 namevhost tlvtle.r0dy.net (/etc/apache2/sites-enabled/tlvtle.r0dy.net.conf:1)
alias tlvtle.r0dy.net

Try adding a dummy ServerName here in this virtualhost.

For example,

ServerName non-existent.invalid

This will prevent Apache from automatically assigning mail.acupuncture-nantes.fr to the virtualhost based on your server's hostname, which should allow Certbot to do its job.

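An added example, not part of the original thread or of Certbot: a shell function (the name `find_duplicate_vhosts` is hypothetical) that reads `apachectl -S` output and reports every name served by more than one virtual host on the same port, which is the condition the dummy ServerName removes. The sample input is an excerpt of the output posted above.

```shell
#!/bin/sh
# Report (port, name) pairs that more than one <VirtualHost> claims.
# Reads `apachectl -S` output on stdin and prints one line per conflict:
#   <port> <name> <file:line>,<file:line>[,...]
find_duplicate_vhosts() {
    awk '
        # Only "port N namevhost NAME (FILE:LINE)" lines define a vhost;
        # "default server" and "alias" lines are skipped.
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4
            loc = $5
            gsub(/[()]/, "", loc)
            if (key in seen) {
                seen[key] = seen[key] "," loc
                dup[key] = 1
            } else {
                seen[key] = loc
                order[++n] = key
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in dup) print order[i], seen[order[i]]
        }
    '
}

# Excerpt of the port-80 section from the thread. 000-default.conf has no
# ServerName, so Apache labels it with the server hostname.
sample_output() {
    cat <<'EOF'
*:80 is a NameVirtualHost
default server mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost acupuncture-nantes.fr (/etc/apache2/sites-enabled/acupuncture-nantes.fr.conf:1)
alias www.acupuncture-nantes.fr
port 80 namevhost mail.acupuncture-nantes.fr (/etc/apache2/sites-enabled/mail.acupuncture-nantes.fr.conf:1)
EOF
}

# On a live server: apachectl -S 2>/dev/null | find_duplicate_vhosts
sample_output | find_duplicate_vhosts
```

Run against the full output in the thread, the same check also lists the names whose `-le-ssl.conf` file contains a second port-80 block at line 41 or 45.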

That was it:

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mail.acupuncture-nantes.fr/fullchain.pem (success)

I didn't really understand why the default server was mail.acupuncture-nantes.fr rather than just acupuncture-nantes.fr, or why this prevented certbot from renewing the certificate, but it works :)

Thanks!


Cool!

I've written down why it happens here; if it's realistic to fix this, we'll try to do it.