Unable to renew ssl

fayaz · March 9, 2020, 10:18am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: priceblaze.pk

I ran this command:

certbot renew --dry-run

It produced this output:

[root@HMFR-4 ~]# certbot renew --dry-run
/usr/lib/python2.7/site-packages/pkg_resources/py2_warn.py:22: UserWarning: Setuptools will stop working on Python 2

You are running Setuptools on Python 2, which is no longer
supported and

SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to setuptools<45
in your environment.
If you have done those things and are still encountering
this message, please comment in
Drop support for Python 2.7 · Issue #1458 · pypa/setuptools · GitHub
about the steps that led to this unsupported combination.

sys.version_info < (3,) and warnings.warn(pre + "" * 60 + msg + "" * 60)
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/merchant.priceblaze.pk.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for merchant.priceblaze.pk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (merchant.priceblaze.pk) from /etc/letsencrypt/renewal/merchant.priceblaze.pk.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.

My web server is (include version):
apache

The operating system my web server runs on is (include version):

CentOS Linux release 7.2.1511 (Core)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes i can login via root

I'm using a control pa
nel to manage my site (no, or provide the name and version of the control panel):

no i dont have any panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

[root@HMFR-4 ~]# certbot --version
/usr/lib/python2.7/site-packages/pkg_resources/py2_warn.py:22: UserWarning: Setuptools will stop working on Python 2

You are running Setuptools on Python 2, which is no longer
supported and

SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to setuptools<45
in your environment.
If you have done those things and are still encountering
this message, please comment in
Drop support for Python 2.7 · Issue #1458 · pypa/setuptools · GitHub
about the steps that led to this unsupported combination.

sys.version_info < (3,) and warnings.warn(pre + "" * 60 + msg + "" * 60)
certbot 0.29.1
[root@HMFR-4 ~]#

9peppe · March 9, 2020, 10:22am

can you move to python3?

fayaz · March 9, 2020, 10:23am

it will effect my web services yes or no ???

9peppe · March 9, 2020, 10:23am

I can’t possibly know that.

fayaz · March 9, 2020, 10:24am

how can i fix this any sol ??

9peppe · March 9, 2020, 10:25am

See if you find another client you like: https://letsencrypt.org/docs/client-options/

(those written in bash are probably your best bet)

fayaz · March 9, 2020, 10:28am

i have gone through but couldn;t find the extact mach with me …

are you sure once i update the python it will work for me ??? if yes let me know the steps please .

9peppe · March 9, 2020, 10:31am

Usually, python2 and python3 can be installed alongside each other without conflicting. But I have never used CentOS systems and don’t know how they work.

What do you mean you haven’t found the exact match? Most every client on that list will run on your system. (but the bash ones will do so easily)

fayaz · March 9, 2020, 10:32am

can you just let me know how can i update it !!

9peppe · March 9, 2020, 10:52am

i spun up a centos:7 docker image and certbot starts for me. I think you should upgrade certbot using your distribution’s package manager (yum update certbot)

fayaz · March 9, 2020, 10:55am

i think it will update cerbot only ?? not python ?

9peppe · March 9, 2020, 10:56am

that’s for redhat/centos developers to decide.

I assumed you followed these instructions to set it up: https://certbot.eff.org/lets-encrypt/centosrhel7-other

(you can definitely upgrade all packages, but that’s only “proper maintenance,” not “solve this problem” – and it can break stuff, on centos it should not, but it can still)

fayaz · March 9, 2020, 10:59am

after updating got this error :

[root@HMFR-4 ~]# certbot renew --dry-run
/usr/lib/python2.7/site-packages/pkg_resources/py2_warn.py:22: UserWarning: Setuptools will stop working on Python 2

You are running Setuptools on Python 2, which is no longer
supported and

SETUPTOOLS WILL STOP WORKING <<<
in a subsequent release (no sooner than 2020-04-20).
Please ensure you are installing
Setuptools using pip 9.x or later or pin to setuptools<45
in your environment.
If you have done those things and are still encountering
this message, please comment in
Drop support for Python 2.7 · Issue #1458 · pypa/setuptools · GitHub
about the steps that led to this unsupported combination.

sys.version_info < (3,) and warnings.warn(pre + "" * 60 + msg + "" * 60)
An unexpected error occurred:
AttributeError: 'module' object has no attribute 'TLSSNI01'
Please see the logfile '/tmp/tmpV1DaoC/log' for more details.

9peppe · March 9, 2020, 11:03am

yum update python2-certbot-nginx

or

yum update python2-certbot-apache

depending on which webserver you run. (it looks like apache)

it also looks like it’s talking way too much:

% curl -Ik https://www.priceblaze.pk/
HTTP/1.1 200 OK
Date: Mon, 09 Mar 2020 11:19:34 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 mod_wsgi/3.4 Python/2.7.5
Vary: Accept-Encoding,Cookie
X-Frame-Options: SAMEORIGIN
X-Mod-Pagespeed: 1.11.33.2-0
Cache-Control: max-age=0, no-cache
Content-Length: 111226
Content-Type: text/html; charset=utf-8

fayaz · March 9, 2020, 11:15am

hi

its shows me this output

Processing /etc/letsencrypt/renewal/www.priceblaze.pk.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Pre-hook command already run, skipping: systemctl stop httpd
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.priceblaze.pk
Cleaning up challenges
Attempting to renew cert (www.priceblaze.pk) from /etc/letsencrypt/renewal/www.priceblaze.pk.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/admin.priceblaze.pk/fullchain.pem (success)
/etc/letsencrypt/live/blog.priceblaze.pk/fullchain.pem (success)
/etc/letsencrypt/live/merchant.priceblaze.pk/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

9peppe · March 9, 2020, 11:17am

there is something else listening on port 80, this is the problem, tell it to use apache for authentication too. (if it's apache)

certbot renew --apache --dry-run

fayaz · March 9, 2020, 11:19am

this is output its seems good what next ??

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/admin.priceblaze.pk/fullchain.pem (success)
/etc/letsencrypt/live/blog.priceblaze.pk/fullchain.pem (success)
/etc/letsencrypt/live/merchant.priceblaze.pk/fullchain.pem (success)
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

Running post-hook command: systemctl start httpd
[root@HMFR-4 ~]#

9peppe · March 9, 2020, 11:19am

remove --dry-run and run again

fayaz · March 9, 2020, 11:25am

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/admin.priceblaze.pk/fullchain.pem (success)
/etc/letsencrypt/live/blog.priceblaze.pk/fullchain.pem (success)
/etc/letsencrypt/live/merchant.priceblaze.pk/fullchain.pem (success)
/etc/letsencrypt/live/www.priceblaze.pk/fullchain.pem (success)

Running post-hook command: systemctl start httpd
[root@HMFR-4 ~]# service httpd rstart
The service command supports only basic LSB actions (start, stop, restart, try-restart, reload, force-reload, status). For other actions, please try to use systemctl.
[root@HMFR-4 ~]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service

But the problem is that i haven't get the certificate of just priceblaze.pk this domain i need it this one as well.

fayaz · March 9, 2020, 11:26am

its working fine superb support !!!