Sudo certbot renew --dry-run FAILED

My initial installation for certbot seems to work fine as https:// is now working for my website. The problem is when I do a renew --dry-run. I looked around for similar issues and it seems that my certbot needs to be updated. I’d like to figure this out now and not in a couple months when this is closer to expiration.

However I am told the following:

certbot is already the newest version (0.28.0-1~deb9u2).
python-certbot-nginx is already the newest version (0.28.0-1~deb9u1).


I ran this command: sudo certbot renew --dry-run

It produced this output:

Attempting to renew cert (.com-0001) from /etc/letsencrypt/renewal/.com-0001.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
** /etc/letsencrypt/live/******.com-0001/fullchain.pem (failure)

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version): debian 9 (stretch)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

1 Like

I have three questions:

  1. Why does the conf file have “-0001”?
    [that usually means something might have gone wrong]

  2. What does this show?:
    certbot certificates

  3. What does the corresponding renewal.conf file show?
    [there is a method somewhere that is no longer allowed or malformed]

2 Likes

Are all of Certbot's other packages up-to-date? If you run apt update and apt list --upgradeable, does anything need to be updated?

2 Likes

In particular, check that python3-acme is 0.28.0-1~deb9u2.

$ dpkg-query -l python3-acme
ii  python3-acme         0.28.0-1~deb9u2 all             ACME protocol library for Python 3

That version has been patched to resolve the issue you’re experiencing.

3 Likes
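The check the replies above converge on, as an added example (not code from the thread or from Certbot): a POSIX shell triage that looks for the ACME "Method not allowed" error in renewal output, then lists certbot-stack packages that `apt list --upgradeable` reports as stale. The function names, the package-name pattern and the sample input are assumptions constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example: triage for the renewal failure discussed in this thread.

# Assumption: the "certbot stack" is limited to the package names that appear
# in the thread (certbot, python-certbot-nginx, python3-acme) and their
# python/python3 variants.
CERTBOT_STACK_RE='^(certbot|python3?-certbot(-[a-z0-9]+)?|python3?-acme)$'

# stdin: output of `apt list --upgradeable`.
# stdout: one "name installed -> candidate" line per stale certbot-stack package.
stale_certbot_packages() {
  awk -v re="$CERTBOT_STACK_RE" '
    /\[upgradable from: / {            # skips the "Listing..." header line
      split($1, p, "/")                # "python3-acme/oldstable-updates"
      if (p[1] !~ re) next
      installed = $NF
      sub(/\]$/, "", installed)        # drop the closing bracket
      print p[1], installed, "->", $2
    }'
}

# stdin: output of `certbot renew --dry-run`; succeeds if it contains the
# ACME error reported in the thread.
has_method_not_allowed() {
  grep -q 'urn:ietf:params:acme:error:malformed.*Method not allowed'
}

# $1: renewal output, $2: apt output. Prints a one-line verdict.
triage() {
  if ! printf '%s\n' "$1" | has_method_not_allowed; then
    echo "no-match"
    return 0
  fi
  triage_stale=$(printf '%s\n' "$2" | stale_certbot_packages)
  if [ -n "$triage_stale" ]; then
    echo "upgrade-needed: $triage_stale"
  else
    echo "stack-current"
  fi
}

# Constructed sample input, modelled on the output quoted in the thread.
SAMPLE_RENEW='Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.'
SAMPLE_APT='Listing...
python3-acme/oldstable-updates 0.28.0-1~deb9u2 all [upgradable from: 0.28.0-1~deb9u1]
python3-cryptography/oldstable 1.7.1-3+deb9u1 amd64 [upgradable from: 1.7.1-3]
sudo/oldstable 1.8.19p1-2.1+deb9u1 amd64 [upgradable from: 1.8.19p1-2.1]'

triage "$SAMPLE_RENEW" "$SAMPLE_APT"
```

On a live host, pass the captured output of `sudo certbot renew --dry-run 2>&1` and `apt list --upgradeable 2>/dev/null` as the two arguments to `triage` in place of the samples.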

I know the -0001 looks confusing, but I initially created a certificate for the xxxxx.com domain name, when I actually needed it to be www.xxxxx.com, so I ended up doing the following:

sudo certbot --duplicate --reinstall -d xxxxx.com -d www.xxxxx.com

Then I went back and deleted the original certificate that was strictly for xxxxx.com with: sudo certbot delete


certbot certificates currently shows:

Found the following certs:
Certificate Name: xxxxx.com-0001
Domains: xxxxx.com www.xxxxx.com
Expiry Date: 2020-03-19 14:15:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/xxxxx.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/xxxxx.com-0001/privkey.pem

So up to here, everything is working fine, my website is correctly showing https://www.xxxxx.com and I have had no errors there.

1 Like

I think you’re right, there’s quite a large list here:

apt list --upgradeable

python3-acme/oldstable-updates 0.28.0-1~deb9u2 all [upgradable from: 0.28.0-1~deb9u1]
python3-cryptography/oldstable 1.7.1-3+deb9u1 amd64 [upgradable from: 1.7.1-3]
python3-jwt/oldstable,oldstable 1.4.2-1+deb9u1 all [upgradable from: 1.4.2-1]
python3.5/oldstable,oldstable 3.5.3-1+deb9u1 amd64 [upgradable from: 3.5.3-1]
python3.5-minimal/oldstable,oldstable 3.5.3-1+deb9u1 amd64 [upgradable from: 3.5.3-1]
qemu-utils/oldstable,oldstable 1:2.8+dfsg-6+deb9u8 amd64 [upgradable from: 1:2.8+dfsg-6+deb9u1]
rsync/oldstable 3.1.2-1+deb9u2 amd64 [upgradable from: 3.1.2-1]
sensible-utils/oldstable,oldstable 0.0.9+deb9u1 all [upgradable from: 0.0.9]
sudo/oldstable 1.8.19p1-2.1+deb9u1 amd64 [upgradable from: 1.8.19p1-2.1]
systemd/oldstable 232-25+deb9u12 amd64 [upgradable from: 232-25+deb9u1]
systemd-sysv/oldstable 232-25+deb9u12 amd64 [upgradable from: 232-25+deb9u1]
tzdata/oldstable-updates 2019c-0+deb9u1 all [upgradable from: 2017b-1]
udev/oldstable 232-25+deb9u12 amd64 [upgradable from: 232-25+deb9u1]
unzip/oldstable 6.0-21+deb9u2 amd64 [upgradable from: 6.0-21]
util-linux/oldstable,oldstable 2.29.2-1+deb9u1 amd64 [upgradable from: 2.29.2-1]
util-linux-locales/oldstable,oldstable 2.29.2-1+deb9u1 all [upgradable from: 2.29.2-1]
vim/oldstable,oldstable 2:8.0.0197-4+deb9u3 amd64 [upgradable from: 2:8.0.0197-4]
vim-common/oldstable,oldstable 2:8.0.0197-4+deb9u3 all [upgradable from: 2:8.0.0197-4]
vim-runtime/oldstable,oldstable 2:8.0.0197-4+deb9u3 all [upgradable from: 2:8.0.0197-4]
vim-tiny/oldstable,oldstable 2:8.0.0197-4+deb9u3 amd64 [upgradable from: 2:8.0.0197-4]
wget/oldstable,oldstable 1.18-5+deb9u3 amd64 [upgradable from: 1.18-5]
xkb-data/oldstable 2.19-1+deb9u1 all [upgradable from: 2.19-1]
xxd/oldstable,oldstable 2:8.0.0197-4+deb9u3 amd64 [upgradable from: 2:8.0.0197-4]

1 Like

Thank you for this, I do see python3-acme on the --upgradeable list.

I am running upgrades right now to see if that fixes the issue.

2 Likes

You guys are awesome, everything seems to be working correctly now 🙂

sudo certbot renew --dry-run


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/xxxxx.com-0001/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/xxxxx.com-0001/fullchain.pem (success)

2 Likes
