Renewing expired cert

quickening · July 10, 2019, 7:34pm

Hi,
My cert expired Jun 6 and I had to upgrade my OS before I could update the certbot rpm. I followed instructions here about certbot >=28 and removing any reference to tls-sni-01, but still getting the same error message on renewal. Perhaps I have to do something different if it has expired?
I have been renewing the cert for years and haven’t changed anything. I don’t have a VirtualHost listening on port 80.

apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443 quickening.zapto.org (/etc/httpd/conf.d/ssl.conf:56)
Perhaps the apache function is broken and I need alternative? “–webroot” didn’t work either.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: quickening.zapto.org

I ran this command:certbot renew

It produceSaving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/quickening.zapto.org.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for quickening.zapto.org
Cleaning up challenges
Attempting to renew cert (quickening.zapto.org) from /etc/letsencrypt/renewal/quickening.zapto.org.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/quickening.zapto.org/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/quickening.zapto.org/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
d this output:

My web server is (include version):Apache 2.4.34

The operating system my web server runs on is (include version):fedoracore27

My hosting provider, if applicable, is:self

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

mnordhoff · July 10, 2019, 7:47pm

Can you add a port 80 virtual host?

It can just be something simple, like a redirect to HTTPS.

JuergenAuer · July 10, 2019, 7:49pm

Hi @quickening

that's curious. Checking your domain there answers a http server ( https://check-your-website.server-daten.de/?q=quickening.zapto.org ):

Domainname	Http-Status	Sec.	G
• http://quickening.zapto.org/
97.99.65.162	200	0.317	H

• https://quickening.zapto.org/
97.99.65.162	200	1.716	N
Certificate error: RemoteCertificateChainErrors

• http://quickening.zapto.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
97.99.65.162	404	0.344	A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server.

Perhaps you have only a default port 80 vHost, not a host with

ServerName quickening.zapto.org

Check your standard config files

/etc/apache2/
|-- apache2.conf
|       `--  ports.conf
|-- mods-enabled
|       |-- *.load
|       `-- *.conf
|-- conf-enabled
|       `-- *.conf
|-- sites-enabled
|       `-- *.conf

to see, if apache2.conf has a template you can use.

quickening · July 10, 2019, 8:45pm

I have 2 long string files under [webroot]/.well-known/acme-challenge. Both were created in 2016. I don’t have the “check-your-website-dot-server-daten-dot-de”.
I have in conf file “ServerName quickening.zapto.org:80” . I am pretty sure that means I don’t need a VirtualHost there. I believe a remote query couldn’t tell the difference anyway.

JuergenAuer · July 10, 2019, 8:49pm

ServerName is normally something without a port. It's a name.

Change that to

ServerName quickening.zapto.org

restart your Apache and check it with

apachectl -S

quickening · July 10, 2019, 9:09pm

OK, removing the 80 on ServerName had no effect.

I added a VirtualHost stanza for quickening.zapto.org
and now apachectl -S says:
VirtualHost configuration:
*:80 quickening.zapto.org (/etc/httpd/conf/httpd.conf:371)
*:443 quickening.zapto.org (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: “/etc/httpd”
Main DocumentRoot: “/var/www/html”
etc.
certbot renew then ran successfully and I verified the cert works.
Thanks.

JuergenAuer · July 10, 2019, 9:13pm

Yep, now your vHost configuration looks as expected.

Happy to read that it had worked

system · August 9, 2019, 9:13pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.