Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
Ubuntu 18
My hosting provider, if applicable, is:
Linode
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version):
certbot 0.31.0
The problem is that I have to set up Cloudflare properly to avoid interrupting service, since I have been running Full Strict SSL for some years.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for blog.ingber.com
http-01 challenge for default.ingber.com
http-01 challenge for ingber.com
http-01 challenge for lester.ingber.com
http-01 challenge for lin.ingber.com
http-01 challenge for lin6.ingber.com
http-01 challenge for www.ingber.com
Cleaning up challenges
Attempting to renew cert (www.ingber.com) from /etc/letsencrypt/renewal/www.ingber.com.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Input the webroot for blog.ingber.com:. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
In /var/log/letsencrypt/letsencrypt.log I see at the end:
2020-09-23 11:59:18,381:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-09-23 11:59:18,381:ERROR:certbot.renewal:  /etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)
2020-09-23 11:59:18,382:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
It seems your renewal configuration file is damaged for some reason. It's missing critical information: the webroot. Did you manually edit the file by any chance?
You could manually add the webroot again to the renewal configuration file (look in other renewal configuration files for examples if you have them).
You could also try to issue the certificate again, i.e., run certbot again without renew. It should store all the parameters again in the renewal configuration file after that. If you have more than one certificate in certbot, you can identify the certificate name from the list generated by certbot certificates. After that, you could use certbot --cert-name <insert cert name here> followed by the required options to issue a certificate like you did in the beginning.
He could also specify the entire command with the webroot and certbot should update the configuration automatically. That is unless certbot is barred from doing so for some reason. He could then use /usr/bin/letsencrypt certificates as you've suggested to note the old certificate name(s) then use /usr/bin/letsencrypt delete *old certificate name* to cleanup.
This would imply running the following: /usr/bin/letsencrypt certonly --cert-name ingber.com -a webroot -w *put the webroot here* -d ingber.com,www.ingber.com,blog.ingber.com,default.ingber.com,lester.ingber.com,lin.ingber.com,lin6.ingber.com
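The two replies above describe the same repair in two ways: either put the missing webroot back into /etc/letsencrypt/renewal/<name>.conf by hand, or re-run certonly with --cert-name, -w and -d so certbot rewrites the file. The following is an added example, not code from this thread or from certbot, that shows what certbot's webroot plugin actually looks for in that file and lets you find the gap before a renewal fails. The renewal config text, the example.com domains and the /var/www paths are constructed for illustration; certbot's real file uses the same configobj layout (top-level keys, a [renewalparams] section and a nested [[webroot_map]] subsection).

```python
"""Check certbot renewal .conf files for domains that have no webroot.

The webroot authenticator resolves a domain's webroot from [[webroot_map]]
first and falls back to webroot_path; a domain with neither makes a
non-interactive renewal fail with
"Missing command line flag or config entry for this setting:
 Input the webroot for <domain>:".
"""
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of /etc/letsencrypt/renewal/<name>.conf.
# The account id, paths and domains are made up for this example.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/www.example.com
cert = /etc/letsencrypt/live/www.example.com/cert.pem
privkey = /etc/letsencrypt/live/www.example.com/privkey.pem
chain = /etc/letsencrypt/live/www.example.com/chain.pem
fullchain = /etc/letsencrypt/live/www.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
www.example.com = /var/www/html
example.com = /var/www/html
"""

# Names on the certificate; in practice take them from `certbot certificates`
# or from the SANs of cert.pem. blog.example.com is deliberately unmapped.
SAMPLE_DOMAINS = ["example.com", "www.example.com", "blog.example.com"]

_SECTION = re.compile(r"^(\[+)([^\[\]]+)\]+$")


def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for certbot's configobj-style renewal file.

    Returns {section: {key: value}}; top-level keys live under '' and a
    nested [[sub]] section is stored as 'parent/sub'.
    """
    result: Dict[str, Dict[str, str]] = {"": {}}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            depth = len(m.group(1))          # number of leading '[' = nesting
            stack = stack[: depth - 1] + [m.group(2).strip()]
            result.setdefault("/".join(stack), {})
            continue
        key, _, value = line.partition("=")
        result.setdefault("/".join(stack), {})[key.strip()] = value.strip()
    return result


def webroot_for(conf: Dict[str, Dict[str, str]], domain: str) -> Optional[str]:
    """Webroot certbot would use for `domain`, or None if it has none.

    Mirrors the webroot plugin: an explicit [[webroot_map]] entry wins;
    otherwise the last entry of the comma-separated webroot_path list.
    """
    wmap = conf.get("renewalparams/webroot_map", {})
    if wmap.get(domain):
        return wmap[domain]
    raw = conf.get("renewalparams", {}).get("webroot_path", "")
    paths = [p.strip() for p in raw.split(",") if p.strip()]
    return paths[-1] if paths else None


def missing_webroots(conf_text: str, domains: List[str]) -> List[str]:
    """Domains that would trigger the 'Input the webroot for ...' failure."""
    conf = parse_renewal_conf(conf_text)
    if conf.get("renewalparams", {}).get("authenticator") != "webroot":
        return []                                # other authenticators don't need one
    return [d for d in domains if webroot_for(conf, d) is None]


def add_webroot_mapping(conf_text: str, domain: str, webroot: str) -> str:
    """Return the conf with `domain = webroot` under [[webroot_map]],
    creating the subsection right after the [renewalparams] keys if absent."""
    lines = conf_text.splitlines()
    if "[[webroot_map]]" not in [l.strip() for l in lines]:
        start = next(i for i, l in enumerate(lines) if l.strip() == "[renewalparams]")
        end = start + 1
        while end < len(lines) and lines[end].strip() and not lines[end].startswith("["):
            end += 1
        lines.insert(end, "[[webroot_map]]")
    idx = next(i for i, l in enumerate(lines) if l.strip() == "[[webroot_map]]")
    lines.insert(idx + 1, f"{domain} = {webroot}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("unmapped:", missing_webroots(SAMPLE_CONF, SAMPLE_DOMAINS))
    fixed = add_webroot_mapping(SAMPLE_CONF, "blog.example.com", "/var/www/blog")
    print("after fix:", missing_webroots(fixed, SAMPLE_DOMAINS))
```

Run it against a copy of the real file rather than editing in place, then confirm with `certbot renew --dry-run` before trusting the cron job again; the same check explains why re-running certonly with one -w covering every -d (or a -w before each group of -d) makes the error go away, since certbot writes those paths back into [[webroot_map]] and webroot_path.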
You are going to somewhat hate my response, but you went through all these headaches for no reason.
Cloudflare is handling the "internet facing" SSL for all your domains (from a web browser to their Edge servers); if you click on the padlock for any of your sites in a browser window, you'll see their Certificates, not LetsEncrypt.
The LetsEncrypt certificates you obtained are only being used to Encrypt traffic between your web server (origin) and Cloudflare's network. While you can use LetsEncrypt to obtain these, they need to be renewed at least every 3 months.
The two main problems with running LetsEncrypt certificates behind Cloudflare:
1. The http/https traffic used to validate the certificates is proxied through Cloudflare, so you can sometimes have hiccups of configuration issues within the Cloudflare network that you have no control over.
2. There are sometimes oddities troubleshooting/bugfixing that get complicated by this setup because public DNS no longer resolves to your website but resolves to the Cloudflare network.
Did you not read the next paragraph, or was it unclear that the alternative certificate from Cloudflare, which you simply download once every 15 years, encrypts that segment?