Sudo certbot --authenticator webroot --installer apache exit with error


#1

My domain is: veronikalyg.com

I ran this command: sudo certbot --authenticator webroot --installer apache

It produced this output:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/veronikalyg.com.conf)
What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 1
Keeping the existing certificate
File:

  • Could not be found to be deleted /etc/apache2/sites-available/veron-le-ssl.conf - Certbot probably shut down unexpectedly
An unexpected error occurred:
StopIteration
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/veronikalyg.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/veronikalyg.com/privkey.pem
    Your cert will expire on 2018-12-11. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

My web server is (include version): 2.4.25-3+deb9u5

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: Google App Engine

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, ssh only

/var/log/letsencrypt/letsencrypt.log :

2018-09-12 18:31:05,158:DEBUG:certbot.main:certbot version: 0.25.0
2018-09-12 18:31:05,159:DEBUG:certbot.main:Arguments: ['--authenticator', 'webroot', '--installer', 'apache']
2018-09-12 18:31:05,160:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-09-12 18:31:05,167:DEBUG:certbot.log:Root logging level set at 20
2018-09-12 18:31:05,168:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-09-12 18:31:05,169:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer apache
2018-09-12 18:31:05,247:DEBUG:certbot_apache.configurator:Apache version is 2.4.25
2018-09-12 18:31:05,590:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f1d20b77fd0>
Prep: True
2018-09-12 18:31:05,592:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f1d1deb0d30>
Prep: True
2018-09-12 18:31:05,593:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f1d1deb0d30> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f1d20b77fd0>
2018-09-12 18:31:05,593:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer apache
2018-09-12 18:31:05,597:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(terms_of_service=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’, uri=‘https://acme-v01.api.letsencrypt.org/acme/reg/41805868’, body=Registration(contact=(‘mailto:gladiator1988@gmail.com’,), terms_of_service_agreed=None, status=‘valid’, agreement=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f1d1f87b5c0>)>)), new_authzr_uri=‘https://acme-v01.api.letsencrypt.org/acme/new-authz’), 08cf7fe2fe99edccdbceb8aff9e8839b, Meta(creation_host=‘localhost’, creation_dt=datetime.datetime(2018, 9, 9, 17, 51, 53, tzinfo=)))>
2018-09-12 18:31:05,599:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-09-12 18:31:05,605:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-09-12 18:31:05,829:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 658
2018-09-12 18:31:05,830:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: ja_fvj9oo7hP8dU6T746c_b2Eg15tG7VBV2rMOC-SJ4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 12 Sep 2018 18:31:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 12 Sep 2018 18:31:05 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "r_bSS2Dpe9s": "Adding random entries to the directory",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2018-09-12 18:31:10,618:INFO:certbot.renewal:Cert not yet due for renewal
2018-09-12 18:31:17,118:INFO:certbot.main:Keeping the existing certificate
2018-09-12 18:31:17,119:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/veronikalyg.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/veronikalyg.com/privkey.pem
Your cert will expire on 2018-12-11. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the “certonly” option. To non-interactively renew all of your certificates, run “certbot renew”
2018-09-12 18:31:17,121:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 489, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 304, in deploy_cert
    vhosts = self.choose_vhosts(domain)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 328, in choose_vhosts
    return [self.choose_vhost(domain, create_if_no_ssl)]
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 510, in choose_vhost
    vhost = self.make_vhost_ssl(vhost)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1085, in make_vhost_ssl
    self._copy_create_ssl_vhost_skeleton(nonssl_vhost, ssl_fp)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1231, in _copy_create_ssl_vhost_skeleton
    ssl_vh_contents, sift = self._sift_rewrite_rules(orig_contents)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1303, in _sift_rewrite_rules
    line = next(contents)
StopIteration
2018-09-12 18:31:17,121:DEBUG:certbot.error_handler:Calling registered functions
2018-09-12 18:31:17,122:WARNING:certbot.reverter:File:

  • Could not be found to be deleted /etc/apache2/sites-available/veron-le-ssl.conf - Certbot probably shut down unexpectedly
2018-09-12 18:31:17,123:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2018-09-12 18:31:17,123:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.25.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1323, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1093, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 768, in _install_cert
    path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 489, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 304, in deploy_cert
    vhosts = self.choose_vhosts(domain)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 328, in choose_vhosts
    return [self.choose_vhost(domain, create_if_no_ssl)]
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 510, in choose_vhost
    vhost = self.make_vhost_ssl(vhost)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1085, in make_vhost_ssl
    self._copy_create_ssl_vhost_skeleton(nonssl_vhost, ssl_fp)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1231, in _copy_create_ssl_vhost_skeleton
    ssl_vh_contents, sift = self._sift_rewrite_rules(orig_contents)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1303, in _sift_rewrite_rules
    line = next(contents)
StopIteration
2018-09-12 18:31:17,124:ERROR:certbot.log:An unexpected error occurred:

#2

Please show:
certbot certificates
grep -Eri 'servername|serveralias' /etc/apache2


#3

sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: veronikalyg.com
Domains: veronikalyg.com
Expiry Date: 2018-12-11 16:09:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/veronikalyg.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/veronikalyg.com/privkey.pem

sudo grep -Eri 'servername|serveralias' /etc/apache2
/etc/apache2/sites-available/000-default.conf: # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/000-default.conf: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/000-default.conf: #ServerName www.example.com
/etc/apache2/sites-available/veron.conf: # The ServerName directive sets the request scheme, hostname and port that
/etc/apache2/sites-available/veron.conf: # redirection URLs. In the context of virtual hosts, the ServerName
/etc/apache2/sites-available/veron.conf: ServerName veronikalyg.com
/etc/apache2/sites-available/veron.conf:# ServerAlias veronikalyg.com *.veronikalyg.com
/etc/apache2/mods-available/info.conf: # http://servername/server-info (requires that mod_info.c be loaded).
/etc/apache2/mods-available/status.conf: # with the URL of http://servername/server-status


#4

Please show file:
/etc/apache2/sites-available/veron.conf
and the corresponding file at:
/etc/letsencrypt/renewal/


#5

/etc/apache2/sites-available/veron.conf

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName veronikalyg.com

ServerAlias veronikalyg.com *.veronikalyg.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/site
    <Directory /var/www/site>
    Require all granted
    AllowOverride all
    </Directory>
    RewriteEngine on
    RewriteOptions inherit
    RewriteRule \.(svn|git)(/)?$ - [F]
    RewriteCond %{HTTP_HOST}    !^www.veronikalyg\.com [NC]
    RewriteCond %{HTTP_HOST}    !^$
    #Enable https redirection
    #RewriteRule ^/(.*)          https://www.veronikalyg/$1 [L,R]
    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    </IfModule>
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

/etc/letsencrypt/renewal/veronikalyg.com.conf

renew_before_expiry = 30 days

version = 0.25.0
archive_dir = /etc/letsencrypt/archive/veronikalyg.com
cert = /etc/letsencrypt/live/veronikalyg.com/cert.pem
privkey = /etc/letsencrypt/live/veronikalyg.com/privkey.pem
chain = /etc/letsencrypt/live/veronikalyg.com/chain.pem
fullchain = /etc/letsencrypt/live/veronikalyg.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
installer = apache
authenticator = webroot
account = 08cf7fe2fe99edccdbceb8aff9e8839b
[[webroot_map]]
veronikalyg.com = /var/www/site


#6

Since the installer and webroot are already defined in the renewal conf file, you don’t need to mention them in the command request.
Try just:
sudo certbot
or
sudo certbot renew
on your next attempt and use whichever works in your crontab.

However…
This is concerning:

It seems that certbot thinks that file should exist but it doesn’t exist.
At this point, I think you should start over by deleting the cert and re-installing it.
type
sudo certbot delete
then pick the cert number from the list (#1)
then check:
The file
/etc/letsencrypt/renewal/veronikalyg.com.conf
should have also been deleted, so you will have to use “webroot” and “--apache” in the installation command (as you did with the first cert).


#7

I made everything, but again it doesn't work.

Looks like the root of the problem is here:

  2018-09-13 18:11:22,383:DEBUG:certbot.error_handler:Encountered exception:
  Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 489, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 304, in deploy_cert
    vhosts = self.choose_vhosts(domain)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 328, in choose_vhosts
    return [self.choose_vhost(domain, create_if_no_ssl)]
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 510, in choose_vhost
    vhost = self.make_vhost_ssl(vhost)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1085, in make_vhost_ssl
    self._copy_create_ssl_vhost_skeleton(nonssl_vhost, ssl_fp)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1231, in _copy_create_ssl_vhost_skeleton
    ssl_vh_contents, sift = self._sift_rewrite_rules(orig_contents)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 1303, in _sift_rewrite_rules
    line = next(contents)
StopIteration

#8

I think something is wrong with RewriteCond

 # RewriteCond(s) must be followed by one RewriteRule
 while not line.lower().lstrip().startswith("rewriterule"):
     chunk.append(line)
     line = next(contents)

#9

Yes, the configuration you posted earlier shows a RewriteCond that isn’t followed by a RewriteRule:

There’s a Certbot issue about handling it better, but the quick fix is to comment out the RewriteConds, or uncomment the RewriteRule.
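
A pre-flight check for the condition diagnosed in #8 and #9, added here as an example (it is not Certbot code and not from any poster in this thread). The function name `dangling_rewriteconds` is hypothetical, the sample is constructed from the rewrite section of the vhost posted in #5, and the input is assumed to be the text of a single vhost file.

```python
# Constructed sample: the rewrite section of the vhost posted in #5.
VHOST_AS_POSTED = r"""
<VirtualHost *:80>
    ServerName veronikalyg.com
    RewriteEngine on
    RewriteOptions inherit
    RewriteRule \.(svn|git)(/)?$ - [F]
    RewriteCond %{HTTP_HOST}    !^www.veronikalyg\.com [NC]
    RewriteCond %{HTTP_HOST}    !^$
    #Enable https redirection
    #RewriteRule ^/(.*)          https://www.veronikalyg/$1 [L,R]
    ErrorLog ${APACHE_LOG_DIR}/error.log
</VirtualHost>
"""

# The two quick fixes named in #9, applied to the sample.
CONDS_COMMENTED_OUT = VHOST_AS_POSTED.replace("    RewriteCond", "    #RewriteCond")
RULE_UNCOMMENTED = VHOST_AS_POSTED.replace("#RewriteRule", "RewriteRule")


def directive(line):
    """Lower-cased directive name of a config line; '' for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return ""
    return stripped.split(None, 1)[0].lower()


def dangling_rewriteconds(vhost_text):
    """Return (line_number, text) for every RewriteCond with no RewriteRule after it.

    This is the input shape that exhausts the loop quoted in #8: lines are
    consumed until one starts with "rewriterule", and a commented-out
    "#RewriteRule" does not count, so next() runs off the end of the file.
    """
    lines = vhost_text.splitlines()
    names = [directive(line) for line in lines]
    findings = []
    for index, name in enumerate(names):
        if name == "rewritecond" and "rewriterule" not in names[index + 1:]:
            findings.append((index + 1, lines[index].strip()))
    return findings


if __name__ == "__main__":
    for label, text in [("as posted", VHOST_AS_POSTED),
                        ("conds commented out", CONDS_COMMENTED_OUT),
                        ("rule uncommented", RULE_UNCOMMENTED)]:
        print(label, dangling_rewriteconds(text))
```

Running it against each file in /etc/apache2/sites-available before invoking the apache installer shows which vhost needs one of the two edits from #9.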