Unable to renew Let's Encrypt Certificate

Hello

I am trying to renew my SSL certificate, which is a Let's Encrypt Authority X3 certificate.

When I hit this command via SSH

"sudo certbot renew --dry-run"

Then, the terminal throws the following error -

"Attempting to renew cert (weighinglab.com) from /etc/letsencrypt/renewal/weighinglab.com.conf produced an unexpected error: Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/weighinglab.com/fullchain.pem (failure)"

My Domain Name is http://weighinglab.com/

I ran this command: sudo certbot renew --dry-run

My web server is (include version): Linux

The operating system my web server runs on is (include version): Ubuntu LAMP on Ubuntu 18

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

I request you to help me in this regard and send an appropriate solution.

1 Like

Welcome to the Let's Encrypt Community 🙂

Your port 80 seems fine to me right now. Your redirects, on the other hand, have a problem. They go from http://www to https://www then back to http:// then back to https://.

1 Like

Hi @princejindal

there

is your job. Add a port 80 vHost. See the documentation of your system.

@JuergenAuer

I checked port 80 three different ways. Looks fine to me. Did you see something I missed?

1 Like

You can have a perfectly working HTTP server without a virtual host: just a default host without even knowing about any hostname will do. It'll serve the same contents for every hostname provided by the HTTP Host header. But that doesn't work for the apache certbot plugin: it'll need a virtualhost to get the hostname(s) from, it'll need a virtualhost to install the certs in et cetera.

2 Likes

I got blocked from seeing the content in my browser due to the expired certificate. When I saw letsdebug return OK, I assumed that all was well on the far end of the redirect chain. That's my fault. I suppose this may be one of those cases where the error simply must be accepted as-is. Is there any way to confirm this error with an external tool (given that the cert is expired)?

1 Like

Only locally, try running:
apachectl -S

2 Likes

I wish I could externally use apachectl -S. Would make my initial post much easier.

2 Likes

Did you change your web server configuration (perhaps the configuration files /etc/apache2) significantly somehow after originally obtaining this certificate?

@rg305's suggestion of apachectl -S is helpful, although you might want to run that command with sudo for a more comprehensive output if you aren't running as root.

2 Likes
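A local check along the lines of the `apachectl -S` suggestions above, as an added example that is not part of any post in this thread and is not Certbot's own logic: it parses `apachectl -S` output and reports whether a hostname has a virtual host on a given port. The two sample outputs and the file paths in them are constructed for illustration.

```python
import re

# Constructed `apachectl -S` output (not from the thread): only a port 443
# virtual host exists, the situation the Certbot error message describes.
ONLY_443 = """\
VirtualHost configuration:
*:443                  weighinglab.com (/etc/apache2/sites-enabled/example-ssl.conf:2)
ServerRoot: "/etc/apache2"
"""

# Constructed output after a port 80 virtual host has been added.
WITH_80 = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server weighinglab.com (/etc/apache2/sites-enabled/example.conf:1)
         port 80 namevhost weighinglab.com (/etc/apache2/sites-enabled/example.conf:1)
                 alias www.weighinglab.com
*:443                  weighinglab.com (/etc/apache2/sites-enabled/example-ssl.conf:2)
ServerRoot: "/etc/apache2"
"""

ADDR = re.compile(r"^(\S+):(\d+|\*)\s+(.*)$")         # "*:443  name (file:line)"
NAMEVHOST = re.compile(r"^\s+port (\d+) namevhost (\S+)")
ALIAS = re.compile(r"^\s+(?:wild )?alias (\S+)")


def vhosts_by_port(output):
    """Map port -> set of ServerName/ServerAlias values seen in the output."""
    ports, current = {}, None
    for line in output.splitlines():
        if m := NAMEVHOST.match(line):
            current = m.group(1)
            ports.setdefault(current, set()).add(m.group(2))
        elif (m := ALIAS.match(line)) and current:
            ports[current].add(m.group(1))
        elif m := ADDR.match(line):
            current = m.group(2)
            names = ports.setdefault(current, set())
            if not m.group(3).startswith("is a NameVirtualHost"):
                names.add(m.group(3).split()[0])   # single vhost on this address
        elif not line.startswith((" ", "\t")):
            current = None                         # left the vhost section
    return ports


def has_vhost(output, name, port="80"):
    """True if `name` is served by a virtual host on `port`."""
    return name in vhosts_by_port(output).get(port, set())
```

On a live server the input would be the captured text of `sudo apachectl -S`; a `False` result for port 80 matches the condition Certbot reported in the first post.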

And I wish there was a tool that could show all layer 2 devices along a traced route.
[but that ain't happening anytime soon either]

1 Like

Thank you for the prompt replies and instant support.

I was able to resolve the issue by changing the port to 80 and then running the renewal command which is
sudo certbot renew --dry-run

Thank you once again everybody here for the assistance.

1 Like

Please remember that --dry-run means to do a (realistic) test, and won't obtain or save a new certificate that can actually be used on your public web site.

2 Likes
