Unable to renew 4/6 SSL certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: merskies.com

I ran this command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-2" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation

It produced this output: Another instance of Certbot is already running.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmp70fplq1d/log or re-run Certbot with -v for more details.

My web server is (include version): I am not sure

The operating system my web server runs on is (include version): Unraid: Nginx Proxy Manager -Docker?

My hosting provider, if applicable, is: Xfinity?

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Nginx Proxy Manager?

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.23.0

First of all, you remove this and forget about it.

Second, check if another certbot is actually running:

ps aux | grep certbot

Eventually, reboot and retry.

1 Like

I ran the script without --force-renewal and got this:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: plex.merskies.com
  Type:   connection
  Detail: 98.36.161.183: Fetching https://plex.merskies.com/.well-known/acme-challenge/6fNExkaSob9TOQyUjgxmcZxn5q52jlgCs6L2laGwyW4: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate npm-2 with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
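The "Timeout during connect" above means the CA could not reach the challenge file at all. The script below is an added example, not something posted in the thread: it reproduces the CA's HTTP-01 fetch by dropping a probe file into the webroot and requesting it from the outside with curl. It assumes curl is installed, that the webroot argument is the directory certbot's --webroot-path points at, and that you run it from outside your LAN where possible, since a NAT or firewall rule can block only external connections. The CA starts at http:// on port 80; an https:// URL in the error detail, as in the output above, means port 80 answered with a redirect and the port 443 connection is what timed out.

```shell
#!/bin/sh
# Added example (not from the thread): check that a webroot challenge file is
# reachable from the internet the way Let's Encrypt fetches it.
# Assumptions: curl is installed; $2 is certbot's --webroot-path directory.

CHALLENGE_DIR=".well-known/acme-challenge"

# Create a probe file with a constructed token inside the webroot; print the token.
write_probe() {
    webroot=$1
    token="probe-$(date +%s)-$$"
    mkdir -p "$webroot/$CHALLENGE_DIR"
    printf '%s' "$token" > "$webroot/$CHALLENGE_DIR/$token"
    printf '%s\n' "$token"
}

# Read back what a correctly configured web server would serve for a token.
read_probe() {
    cat "$1/$CHALLENGE_DIR/$2"
}

# 0 when the fetched body equals the token that was written, 1 otherwise.
probe_matches() {
    [ "$1" = "$2" ]
}

# Fetch like the CA does: plain HTTP on port 80, following redirects (-L), with a
# short timeout so a firewall drop shows up as a failure instead of a long hang.
fetch_probe() {
    domain=$1; token=$2
    curl -sSL --max-time 15 "http://$domain/$CHALLENGE_DIR/$token"
}

# Full round trip for one hostname; cleans the probe file up afterwards.
check_domain() {
    domain=$1; webroot=$2
    token=$(write_probe "$webroot")
    got=$(fetch_probe "$domain" "$token") || got="(connection failed or timed out)"
    rm -f "$webroot/$CHALLENGE_DIR/$token"
    if probe_matches "$token" "$got"; then
        echo "OK: $domain serves $webroot/$CHALLENGE_DIR from the internet"
    else
        echo "FAIL: expected '$token', got '$got'"
        echo "      check port 80/443 forwarding, the firewall, and that --webroot-path is this server's document root"
        return 1
    fi
}

# Stand-alone use: check_challenge.sh plex.merskies.com /path/to/webroot
if [ $# -eq 2 ]; then
    check_domain "$1" "$2"
fi
```

If this check fails from outside but succeeds from a machine on the LAN, the web server and webroot are fine and the problem is port forwarding or a firewall in front of the host, which matches the "likely firewall problem" hint in the output.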

I ran that command to check if there is another certbot running and it returned this:

2674 root 0:00 grep certbot

Ok, there isn't. Did you forcefully interrupt certbot before?

If so, there are lockfiles to delete. I don't know where or how many.

1 Like
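The two things asked for above, a process check that does not report its own grep line, and a look for lock files left behind by an interrupted run, can be done together. The script below is an added example and not from the thread. It assumes certbot's standard layout, where a `.certbot.lock` file lives in the config, work and log directories (`/etc/letsencrypt`, `/var/lib/letsencrypt`, `/var/log/letsencrypt`); inside a container, or with a custom `--config` file as in the original command, those directories may differ, so they can be passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): tell a live certbot process apart from a
# stale lock. Assumption: .certbot.lock sits in certbot's config, work and log
# directories; defaults below are the standard paths, override with arguments.

# Running certbot processes. The [c]ertbot pattern does not match the awk
# process's own command line, so no "grep certbot" self-match is reported.
certbot_processes() {
    ps -eo pid=,user=,args= | awk '/[c]ertbot/'
}

# Print existing lock files under the given directories (default: the standard
# three). Exit status 1 when at least one lock exists, 0 when none does.
find_certbot_locks() {
    [ $# -eq 0 ] && set -- /etc/letsencrypt /var/lib/letsencrypt /var/log/letsencrypt
    found=0
    for d in "$@"; do
        if [ -e "$d/.certbot.lock" ]; then
            printf '%s\n' "$d/.certbot.lock"
            found=1
        fi
    done
    return $found
}

# "running": a certbot process exists, leave it alone.
# "stale":   no process but locks remain (interrupted run), safe to remove.
# "clean":   nothing to do.
certbot_lock_state() {
    if [ -n "$(certbot_processes)" ]; then
        echo running
    elif ! find_certbot_locks "$@" >/dev/null; then
        echo stale
    else
        echo clean
    fi
}

# Remove locks only in the stale case; never while certbot is running.
clear_stale_locks() {
    if [ "$(certbot_lock_state "$@")" = stale ]; then
        find_certbot_locks "$@" | while read -r lock; do rm -f "$lock"; done
        echo "removed stale certbot locks"
    fi
}

# Stand-alone use: report the state for the default (or given) directories.
echo "certbot state: $(certbot_lock_state "$@")"
```

Run it on the same filesystem certbot sees: if certbot is executed inside the Nginx Proxy Manager container, run the script inside that container too, otherwise it inspects the host's directories and reports "clean" for the wrong location.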

I was relying on the docker Nginx Proxy Manager to auto renew the SSL certs as it is supposed to be a feature. I have never manually run commands prior to now. I am unsure if the program interrupted certbot before or not.

If you are using proxy manager then why are you running certbot, and where? On the host? Inside proxy manager's container?

Why do the developers of nginx proxy manager even force me to read the source code to understand if their software is using nginx at all?

Ok, now that I let the rant out, I need you to go and complain at proxy manager's people.

Operating on a half-broken certbot is delicate. Doing so inside a container with uncountable movable parts is plain asking for trouble.

2 Likes

Okay, I have no idea what the developers have done or what I am doing. I will look for the right people to ask. Thanks!

1 Like

You can ask here. I'm just too sleepy to investigate now or to fight with badly designed software.

If what you need is to proxy containers, you have alternatives: plain nginx, without proxy manager; traefik; caddy; haproxy...

2 Likes

Well one question I have for you is: If I uninstall and remove all aspects of the docker that contains nginx and certbot, would I be able to remake those same SSL certs if I waited enough time? Are the SSL certs local or are they on some Let's Encrypt server somewhere and I will not be able to remake them?

They should be in a docker volume or somewhere in a directory, where depends on proxy manager. Make backups.

The certificates themselves are public, but they are useless without the private keys, and those are only on your disk.

You should be able to remake them if you haven't made duplicates. (In the past 7 days)

2 Likes
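Since the certificate is public and only the private key is irreplaceable, a backup is worth keeping only if the key on disk actually belongs to the certificate next to it. The script below is an added example, not from the thread or from Nginx Proxy Manager: it compares the public key inside `cert.pem` with the one derived from `privkey.pem` and checks how long the certificate is still valid. It assumes openssl is installed and uses the `/etc/letsencrypt/live/npm-2` path from the certbot output earlier in the thread as its default.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a backed-up certificate
# directory is usable. Assumes openssl is installed.
# LIVE defaults to the path shown in the thread's certbot output.

# Public key embedded in a certificate, as PEM.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# Public key derived from a private key, as PEM.
key_pubkey() {
    openssl pkey -in "$1" -pubout
}

# 0 when the certificate and the private key belong together, 1 otherwise.
cert_matches_key() {
    [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]
}

# 0 when the certificate is still valid in $2 days from now, 1 when it will
# have expired by then (openssl's -checkend takes seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Report on one certbot "live" directory; exit status 1 on a key mismatch.
verify_live_dir() {
    dir=$1
    if cert_matches_key "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "OK: $dir/privkey.pem matches $dir/cert.pem"
    else
        echo "FAIL: $dir/privkey.pem does not match $dir/cert.pem (backup is not usable)"
        return 1
    fi
    if cert_valid_for_days "$dir/cert.pem" 30; then
        echo "certificate still valid for more than 30 days"
    else
        echo "certificate expires within 30 days: renewal is due"
    fi
}

# Stand-alone use on the thread's certificate directory.
LIVE=${LIVE:-/etc/letsencrypt/live/npm-2}
if [ -r "$LIVE/cert.pem" ] && [ -r "$LIVE/privkey.pem" ]; then
    verify_live_dir "$LIVE"
fi
```

The files under `live/` are symlinks into `archive/`, so a backup has to copy the whole `/etc/letsencrypt` tree (or the docker volume holding it) rather than the `live/` directory alone, and the check above should be run against the restored copy, not only the original.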

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.