Unable to renew certificates

My domains are: maps.astragroup.info & cloud.astragroup.info

I ran this command:
sudo certbot renew --force-renewal

It produced this output:

Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.astragroup.info
Cleaning up challenges
Attempting to renew cert (cloud.astragroup.info) from /etc/letsencrypt/renewal/cloud.astragroup.info.conf produced an unexpected error: Unable to insert label!. Skipping.
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for sonic.astragroup.info
http-01 challenge for agls.tk
http-01 challenge for cloud.astragroup.info
http-01 challenge for www.astragroup.info
http-01 challenge for astragroup.tk
http-01 challenge for maps.astragroup.info
Cleaning up challenges
Attempting to renew cert (maps.astragroup.info) from /etc/letsencrypt/renewal/maps.astragroup.info.conf produced an unexpected error: Unable to insert label!. Skipping.
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
The following certs could not be renewed:
  /etc/letsencrypt/live/cloud.astragroup.info/fullchain.pem (failure)
  /etc/letsencrypt/live/maps.astragroup.info/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)

My web server is (include version):

Server version: Apache/2.4.29 (Ubuntu)
Server built:   2019-07-16T18:14:45

The operating system my web server runs on is (include version):
5.0.0-23-generic #24~18.04.1-Ubuntu SMP Mon Jul 29 16:12:28 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don’t know):
Yup

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
nope

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Certbot 0.31.0

Hi @nate2014jatc

What do the following say?

certbot certificates
apachectl -S

log output (sifting through for relevant lines):

2019-08-10 09:02:17,126:DEBUG:acme.client:Storing nonce: xxxyDtklrBCyNpd1ea3HtXBGKw3JjPMy-57bBm4th7E
2019-08-10 09:02:17,127:INFO:certbot.auth_handler:Performing the following challenges:
2019-08-10 09:02:17,127:INFO:certbot.auth_handler:http-01 challenge for sonic.astragroup.info
2019-08-10 09:02:17,127:INFO:certbot.auth_handler:http-01 challenge for agls.tk
2019-08-10 09:02:17,127:INFO:certbot.auth_handler:http-01 challenge for cloud.astragroup.info
2019-08-10 09:02:17,127:INFO:certbot.auth_handler:http-01 challenge for www.astragroup.info
2019-08-10 09:02:17,128:INFO:certbot.auth_handler:http-01 challenge for astragroup.tk
2019-08-10 09:02:17,128:INFO:certbot.auth_handler:http-01 challenge for maps.astragroup.info
2019-08-10 09:02:17,190:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: sonic.astragroup.info in: /etc/apache2/sites-enabled/sonic.astragroup.info-le-ssl.conf
2019-08-10 09:02:17,190:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: sonic.astragroup.info in: /etc/apache2/sites-enabled/sonic.astragroup.info.conf
2019-08-10 09:02:17,190:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: agls.tk in: /etc/apache2/sites-enabled/000-default-le-ssl.conf
2019-08-10 09:02:17,190:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: agls.tk in: /etc/apache2/sites-enabled/000-default.conf
2019-08-10 09:02:17,191:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: cloud.astragroup.info in: /etc/apache2/sites-enabled/cloud.astragroup.info.conf
2019-08-10 09:02:17,191:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: cloud.astragroup.info in: /etc/apache2/sites-enabled/cloud.astragroup.info-le-ssl.conf
2019-08-10 09:02:17,191:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2281, in perform
    http_response = http_doer.perform()
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 72, in perform
    self._mod_config()
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 112, in _mod_config
    self._set_up_include_directives(vh)
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 198, in _set_up_include_directives
    vhost.path, "Include", self.challenge_conf_pre)
  File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 346, in add_dir_beginning
    self.aug.insert(first_dir, "directive", True)
  File "/usr/lib/python3/dist-packages/augeas.py", line 369, in insert
    raise ValueError("Unable to insert label!")
ValueError: Unable to insert label!

2019-08-10 09:02:17,191:DEBUG:certbot.error_handler:Calling registered functions
2019-08-10 09:02:17,191:INFO:certbot.auth_handler:Cleaning up challenges
2019-08-10 09:02:17,432:WARNING:certbot.renewal:Attempting to renew cert (maps.astragroup.info) from /etc/letsencrypt/renewal/maps.astragroup.info.conf produced an unexpected error: Unable to insert label!. Skipping.
2019-08-10 09:02:17,433:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2281, in perform
    http_response = http_doer.perform()
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 72, in perform
    self._mod_config()
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 112, in _mod_config
    self._set_up_include_directives(vh)
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 198, in _set_up_include_directives
    vhost.path, "Include", self.challenge_conf_pre)
  File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 346, in add_dir_beginning
    self.aug.insert(first_dir, "directive", True)
  File "/usr/lib/python3/dist-packages/augeas.py", line 369, in insert
    raise ValueError("Unable to insert label!")
ValueError: Unable to insert label!

Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f5663c92390>
Prep: True
2019-08-10 09:02:20,383:ERROR:certbot.renewal:The following certs could not be renewed:
2019-08-10 09:02:20,383:ERROR:certbot.renewal:  /etc/letsencrypt/live/cloud.astragroup.info/fullchain.pem (failure)
  /etc/letsencrypt/live/maps.astragroup.info/fullchain.pem (failure)
2019-08-10 09:02:20,383:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 2 renew failure(s), 0 parse failure(s)

certbot certificates:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: astragroup.info
    Domains: astragroup.info
    Expiry Date: 2019-11-08 14:02:02+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/astragroup.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/astragroup.info/privkey.pem
  Certificate Name: cloud.astragroup.info
    Domains: cloud.astragroup.info
    Expiry Date: 2019-09-16 19:44:46+00:00 (VALID: 37 days)
    Certificate Path: /etc/letsencrypt/live/cloud.astragroup.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.astragroup.info/privkey.pem
  Certificate Name: docapi.astragroup.info
    Domains: docapi.astragroup.info
    Expiry Date: 2019-11-08 14:02:08+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/docapi.astragroup.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/docapi.astragroup.info/privkey.pem
  Certificate Name: jenkins.astragroup.info
    Domains: jenkins.astragroup.info
    Expiry Date: 2019-11-08 14:02:12+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/jenkins.astragroup.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/jenkins.astragroup.info/privkey.pem
  Certificate Name: maps.astragroup.info
    Domains: agls.tk astragroup.info astragroup.tk cloud.astragroup.info jenkins.astragroup.info maps.astragroup.info sonic.astragroup.info www.astragroup.info
    Expiry Date: 2019-08-26 03:31:35+00:00 (VALID: 15 days)
    Certificate Path: /etc/letsencrypt/live/maps.astragroup.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/maps.astragroup.info/privkey.pem
  Certificate Name: priv.astragroup.info
    Domains: priv.astragroup.info
    Expiry Date: 2019-11-08 14:02:18+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/priv.astragroup.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/priv.astragroup.info/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

apachectl -S:

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server agls.tk (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost agls.tk (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost astragroup.tk (/etc/apache2/sites-enabled/000-default-le-ssl.conf:21)
         port 443 namevhost astragroup.info (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
                 alias www.astragroup.info
         port 443 namevhost cloud.astragroup.info (/etc/apache2/sites-enabled/cloud.astragroup.info-le-ssl.conf:1)
         port 443 namevhost docapi.astragroup.info (/etc/apache2/sites-enabled/docapi.astragroup.info-le-ssl.conf:2)
         port 443 namevhost jenkins.astragroup.info (/etc/apache2/sites-enabled/jenkins-le-ssl.conf:2)
         port 443 namevhost maps.astragroup.info (/etc/apache2/sites-enabled/maps.astragroup.info-le-ssl.conf:2)
         port 443 namevhost priv.astragroup.info (/etc/apache2/sites-enabled/priv.astragroup.info-le-ssl.conf:2)
                 alias priv.astragroup.info
         port 443 namevhost sonic.astragroup.info (/etc/apache2/sites-enabled/sonic.astragroup.info-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server astragroup.info (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost astragroup.info (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.astragroup.info
         port 80 namevhost agls.tk (/etc/apache2/sites-enabled/000-default.conf:32)
         port 80 namevhost astragroup.tk (/etc/apache2/sites-enabled/000-default.conf:44)
         port 80 namevhost cloud.astragroup.info (/etc/apache2/sites-enabled/cloud.astragroup.info.conf:1)
         port 80 namevhost docapi.astragroup.info (/etc/apache2/sites-enabled/docapi.astragroup.info.conf:1)
         port 80 namevhost jenkins.astragroup.info (/etc/apache2/sites-enabled/jenkins.conf:1)
         port 80 namevhost maps.astragroup.info (/etc/apache2/sites-enabled/maps.astragroup.info.conf:1)
         port 80 namevhost priv.astragroup.info (/etc/apache2/sites-enabled/priv.astragroup.info.conf:1)
                 alias priv.astragroup.info
         port 80 namevhost sonic.astragroup.info (/etc/apache2/sites-enabled/sonic.astragroup.info.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=flock 
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Thank you for your reply.
I have added the requested information.

There is an earlier topic

Looks like certbot hasn't enough rights to write your config files.

Had to do some debugging… -vvv flag did it.
This problem was missing access rights for apache user www-data on
/var/lib/letsencrypt (was: root:root, 750)

I have attempted this fix, however it does not seem to have worked. I will try rebooting the box and trying again.

Fix that:

The same name as ServerName and ServerAlias is wrong, remove the ServerAlias.

Perhaps switch to webroot.

1 Like
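An added example, not part of the original thread: a small audit of `apachectl -S` output that flags virtual hosts whose ServerAlias repeats their ServerName, as pointed out in the reply above. It goes one step further and also reports hostnames claimed by more than one vhost on the same port. The sample input is an excerpt of the output posted earlier in this thread; the function names `parse_vhosts` and `audit` are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt of the `apachectl -S` output posted earlier in this thread.
SAMPLE = """\
*:443                  is a NameVirtualHost
         port 443 namevhost astragroup.info (/etc/apache2/sites-enabled/000-default-le-ssl.conf:40)
                 alias www.astragroup.info
         port 443 namevhost priv.astragroup.info (/etc/apache2/sites-enabled/priv.astragroup.info-le-ssl.conf:2)
                 alias priv.astragroup.info
*:80                   is a NameVirtualHost
         port 80 namevhost priv.astragroup.info (/etc/apache2/sites-enabled/priv.astragroup.info.conf:1)
                 alias priv.astragroup.info
"""

VHOST = re.compile(r"^\s*port\s+(\d+)\s+namevhost\s+(\S+)\s+\((.+):(\d+)\)\s*$")
ALIAS = re.compile(r"^\s*alias\s+(\S+)\s*$")

def parse_vhosts(text):
    """Parse `apachectl -S` output into dicts: port, name, source, aliases."""
    vhosts = []
    for line in text.splitlines():
        m = VHOST.match(line)
        if m:
            vhosts.append({"port": int(m.group(1)), "name": m.group(2).lower(),
                           "source": f"{m.group(3)}:{m.group(4)}", "aliases": []})
        elif vhosts and (a := ALIAS.match(line)):
            vhosts[-1]["aliases"].append(a.group(1).lower())  # belongs to last vhost
    return vhosts

def audit(vhosts):
    """Return (aliases repeating their ServerName, names claimed by several vhosts)."""
    redundant, claims = [], defaultdict(list)
    for vh in vhosts:
        if vh["name"] in vh["aliases"]:
            redundant.append((vh["source"], vh["name"]))
        for host in {vh["name"], *vh["aliases"]}:  # set: count each vhost once
            claims[(vh["port"], host)].append(vh["source"])
    conflicts = [(port, host, srcs) for (port, host), srcs in sorted(claims.items())
                 if len(srcs) > 1]
    return redundant, conflicts

if __name__ == "__main__":
    redundant, conflicts = audit(parse_vhosts(SAMPLE))
    for source, name in redundant:
        print(f"{source}: ServerAlias repeats ServerName {name}")
    for port, host, srcs in conflicts:
        print(f"port {port}: {host} claimed by {', '.join(srcs)}")
```

On a live server, feed it the real output, for example by passing the captured text of `apachectl -S` to `parse_vhosts`.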

That’s odd, could that be causing the errors in the other sites’ renewal?

1 Like

I was able to successfully renew using the webroot auth. How would you suggest I continue in trying to get the previous method working again?

2 Likes

@joohoi do you know what can cause this Augeas error “unable to insert label”?

1 Like

I wouldn't.

Webroot doesn't change the config file and sometimes has better performance (users with a lot of domains: apache or nginx is slow, they switch to webroot, and that works).

You can try to find the error (renew only one certificate to see what works). Or you can use a working method and ignore it.

There have been several previous threads, but not very much information about causes...

https://community.letsencrypt.org/search?q=Unable%20to%20insert%20label

One thread pointed at a virtual host with no ServerName directive, and another one at /var/lib/letsencrypt being unwriteable or something.

Edit: As I wrote that, someone posted a new thread with information...

Because the config is split between two files for some OS versions of apache the LoadModule is in the wrong file (ssl.load). The certbot configuration goes in ssl.conf which gets picked with IfModule … mod_ssl in the python script.

Note: I also had to clean out my virtualhost config which had a bunch of conflicting stuff in it.
