Sudo letsencrypt renew -> unexpected error: 'server'. Skipping


#1

hi
I use Let’s Encrypt on a few websites hosted on Digital Ocean running apache and Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-57-generic x86_64)

I used a previous version of letsencrypt to get SSL working on apache for the following two domains for my droplet. These now only have 23 days remaining.


I recently upgraded a number of packages - as recommended in DO’s tutorial before getting a new SSL cert for

And now the following command returns the following errors:
$ sudo letsencrypt renew

Processing /etc/letsencrypt/renewal/cycling-jersey-collection.uk.conf
2017-01-05 10:58:55,499:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/cycling-jersey-collection.uk.conf produced an unexpected error: 'server'. Skipping.
Processing /etc/letsencrypt/renewal/cycling-jersey-collection.com.conf
2017-01-05 10:58:56,563:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/cycling-jersey-collection.com.conf produced an unexpected error: 'server'. Skipping.
Processing /etc/letsencrypt/renewal/ontherivet.store.conf

The following certs are not due for renewal yet:
/etc/letsencrypt/live/ontherivet.store/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cycling-jersey-collection.uk/fullchain.pem (failure)
/etc/letsencrypt/live/cycling-jersey-collection.com/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

Can you please advise a suitable course of action?

Many thanks!


#2

Check the server directive in the mentioned .conf files for strange characters.


#3

I believe this problem usually happens when initially installing Certbot or letsencrypt from git or letsencrypt-auto, and then “upgrading” to an Ubuntu OS package. Is that perhaps what you did in this case?

The trouble is that the Ubuntu package is actually an older version of the client, and the renewal configuration files aren’t backwards-compatible.


#4

Dear Seth

Many thanks for taking the time to reply.

You are absolutely right, I used the following command:
$ sudo apt-get update
$ sudo apt-get install python-letsencrypt-apache

So the question is what do I do now?

Is there a nice way of upgrading the Ubuntu OS package back to where I was so that I can ensure all three domains are renewable?

OR

Can I re-create the .conf files by hand?

The format of the two types of file is vastly different

ontherivet.store:

cert = /etc/letsencrypt/live/ontherivet.store/cert.pem
privkey = /etc/letsencrypt/live/ontherivet.store/privkey.pem
chain = /etc/letsencrypt/live/ontherivet.store/chain.pem
fullchain = /etc/letsencrypt/live/ontherivet.store/fullchain.pem

# Options and defaults used in the renewal process

[renewalparams]
no_self_upgrade = False
apache_enmod = a2enmod
no_verify_ssl = False
ifaces = None
apache_dismod = a2dismod
register_unsafely_without_email = False
apache_handle_modules = True
uir = None
installer = apache
config_dir = /etc/letsencrypt
text_mode = False
func = <function run at 0x7fd84f5bdc08>
staging = False
dry_run = False
work_dir = /var/lib/letsencrypt
[36%]

cycling-jersey-collection.com:

# renew_before_expiry = 30 days

version = 0.9.3
cert = /etc/letsencrypt/live/cycling-jersey-collection.com/cert.pem
privkey = /etc/letsencrypt/live/cycling-jersey-collection.com/privkey.pem
chain = /etc/letsencrypt/live/cycling-jersey-collection.com/chain.pem
fullchain = /etc/letsencrypt/live/cycling-jersey-collection.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = 971f6841a0be2e3599f2e130e320accc
[100%]

Thanks!

Andy
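
An added example, not part of the original posts and not Certbot's own code: a small triage script that parses renewal files in the two layouts quoted above and flags those lacking keys an older client may expect. It assumes the error string 'server' names a key missing from [renewalparams]; the sample files, the `server` line and its URL are constructed.

```python
import configparser

# Constructed samples modelled on the two layouts quoted in the thread.
MINIMAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/example.com/cert.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 0123456789abcdef0123456789abcdef
"""

# The `server` line is an assumption: the file quoted in the thread is cut
# off before any such key would appear. The URL is a placeholder.
FULL_CONF = """\
cert = /etc/letsencrypt/live/example.org/cert.pem
fullchain = /etc/letsencrypt/live/example.org/fullchain.pem

# Options and defaults used in the renewal process
[renewalparams]
installer = apache
config_dir = /etc/letsencrypt
func = <function run at 0x0>
server = https://acme.example.invalid/directory
"""

def parse_renewal_conf(text):
    """Split one renewal .conf into (top-level keys, [renewalparams] keys)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written
    # Keys above [renewalparams] have no section header, which configparser
    # rejects, so parse them under a synthetic one.
    parser.read_string("[__top__]\n" + text)
    params = dict(parser["renewalparams"]) if parser.has_section("renewalparams") else {}
    return dict(parser["__top__"]), params

def audit(text, required=("server",)):
    """Report the writing client's version and any required keys that are absent."""
    top, params = parse_renewal_conf(text)
    return {"written_by": top.get("version"),
            "missing": [k for k in required if k not in params]}

if __name__ == "__main__":
    for name, text in (("minimal", MINIMAL_CONF), ("full", FULL_CONF)):
        print(name, audit(text))
```

To check a live host, pass the contents of each file under /etc/letsencrypt/renewal/ to `audit()` before running the renew command with a different client version.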


#5

I think the easiest is to start with a clean configuration

mv /etc/letsencrypt /etc/letsencrypt.old

and then re-issue all certificates.


#6

SUCCESS!

I re-wrote the old .conf files based on the ontherivet.store.conf and all is well!

Happy Days…

Andy


#7

Installing from Ubuntu and other distros’ repositories is generally not advised as they are not updated frequently enough. Ubuntu’s repo has a version that’s anywhere between 0.2.0-4 and 0.4.1-1. However the latest official client Certbot is at 0.9.3.

Only Ubuntu 16.10 gives you a later version 0.8.1-2 (still outdated)
and Ubuntu Zesty (amazingly) has 0.9.3-1 in their repo.

Best still is to clone the repo from Github into /opt/certbot and always be up to date.


#8

If you’re using certbot-auto afterwards, it’s better to just download https://dl.eff.org/certbot-auto, make it executable and run it.

Cloning the whole github shebang and not using it for coding is rather unusual if you ask me.


#9

Yes indeed @Osiris … my bad, still stuck with git clone in my head. Will update all my articles to note that only the script is needed. Thanks for the reminder :+1:


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.