Unable to renew the Let's Encrypt certificate

Hi,

I have got a certificate for my domain but it has expired now.
When I run sudo certbot renew --dry-run I get the error below:

$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/veplopenhab.ga.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 441, in __init__
    "file reference".format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/veplopenhab.ga.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/veplopenhab.ga-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 37 of /etc/apache2/sites-enabled/000-default.conf:
Listen cannot occur within <VirtualHost> section

Could not choose appropriate plugin: The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 37 of /etc/apache2/sites-enabled/000-default.conf:\nListen cannot occur within <VirtualHost> section\n",)
Attempting to renew cert (veplopenhab.ga-0001) from /etc/letsencrypt/renewal/veplopenhab.ga-0001.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 37 of /etc/apache2/sites-enabled/000-default.conf:\nListen cannot occur within <VirtualHost> section\n",). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/veplopenhab.ga-0001/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/veplopenhab.ga-0001/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/veplopenhab.ga.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 1 parse failure(s)

I have tried other fixes, but it is not working.
Can you please help me with this?

Thanks,
Dhanasekar

AH00526: Syntax error on line 37 of /etc/apache2/sites-enabled/000-default.conf:
Listen cannot occur within <VirtualHost> section

What's happening in that file?

No… I have not changed anything in this file…

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =veplopenhab.ga
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


<VirtualHost *:4443>

  listen 4443;
  server_name veplopenhab.ga;

  ssl_certificate /etc/letsencrypt/live/veplopenhab.ga-0001/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/veplopenhab.ga-0001/privkey.pem;

#  error_log	/location/to/error.log.file

  location / {
   proxy_pass https://localhost:8443/;
   proxy_set_header Host $http_host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   satisfy any;
   allow 10.0.0.0/8; # ONLY Internal network has access
   allow 127.0.0.1;
   deny all;
  }

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Remove listen 4443; from that file.

No… I can't remove that, because I am using it in openHAB.


I don't think the apache config file is in a valid state, because it was an apache error that you're reading. Apache is smart enough to refuse to load an invalid config file and keep running, but if it is ever restarted I think the whole site will break.
The port number is already defined in
<VirtualHost *:4443>
I think moving the listen line outside of the block will do the job.
Force edit it with root rights.

Hi @_DJ

A Listen directive must be outside a VirtualHost block, not inside.

You mean you want to remove listen 4443?

Move it from there to the line after where listen 80; is.

Hi Jurergen / Orange Pizza

I have made it like this,

 listen 4443;

<VirtualHost *:4443>

 
  server_name veplopenhab.ga;

  ssl_certificate /etc/letsencrypt/live/veplopenhab.ga-0001/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/veplopenhab.ga-0001/privkey.pem;

In my 000-default.conf file, there is no listen 80 line…

Checked your domain with https://check-your-website.server-daten.de/?q=veplopenhab.ga - that can't work.

Host                T     IP-Address    is auth.  ∑ Queries  ∑ Timeout
veplopenhab.ga      A     10.1.68.206   yes       1          0
                    AAAA                yes
www.veplopenhab.ga        Name Error    yes       1          0

That's a private ip address.

Your A record must have a public visible ip address.


OK… What is the next step I have to do?

Those are all Nginx settings. Not Apache.

Then how did he even get a site loaded, let alone a certificate?

yes… It is Nginx and I have not used Apache.

You’re using Certbot’s Apache plugin and the file is /etc/apache2/sites-enabled/000-default.conf and the rest of the file’s contents are Apache settings.

OK… I got the certificate with this community's help and I am not very good at these topics.
Please provide your comments to fix this issue.

I have a bad feeling about this. Is your nginx config in /etc/nginx and its subfolders safe? I hope it isn't tainted.

Content of /etc/nginx/sites-enabled/proxy.conf:

server {
  listen 4443 ssl;
  server_name veplopenhab.ga;

  ssl_certificate /etc/letsencrypt/live/veplopenhab.ga-0001/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/veplopenhab.ga-0001/privkey.pem;

#  error_log	/location/to/error.log.file

  location / {
   proxy_pass https://localhost:8443/;
   proxy_set_header Host $http_host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
   satisfy any;
   allow 10.0.0.0/8; # ONLY Internal network has access
   allow 127.0.0.1;
   deny all;
  }
 }
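A small pre-flight check, added here as an example and not taken from this thread or from certbot, that catches the two problems the replies above point out before `certbot renew` is run: nginx-style directives and a `listen` inside an Apache `<VirtualHost>`, and an A record that points at a private address. The vhost sample and the addresses are constructed from what the thread shows; the function names are my own.

```python
import ipaddress
import re

# Directive names that exist in nginx but not in Apache httpd. Seeing one of
# them inside an Apache vhost file means an nginx server block was pasted in.
NGINX_ONLY = {"server_name", "ssl_certificate", "ssl_certificate_key",
              "location", "proxy_pass", "proxy_set_header"}

def lint_apache_vhost(text):
    """Return (line_no, message) findings for an Apache sites-enabled file."""
    findings = []
    depth = 0  # how many <VirtualHost> sections we are currently inside
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            depth += 1
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            depth -= 1
            continue
        # first token of the directive; nginx ends lines with ';' or '{'
        word = re.split(r"[\s;{]", line, maxsplit=1)[0]
        if word.lower() == "listen" and depth > 0:
            findings.append((no, "Listen cannot occur within <VirtualHost> section"))
        if word in NGINX_ONLY or line.endswith((";", "{")):
            findings.append((no, "nginx-style directive '%s' in an Apache config" % word))
    return findings

def a_record_is_public(ip):
    """True only if the address is routable on the public Internet."""
    return ipaddress.ip_address(ip).is_global

# Constructed sample: a cut-down copy of the broken vhost shown in the thread.
BROKEN_VHOST = """<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:4443>
  listen 4443;
  server_name veplopenhab.ga;
  location / {
   proxy_pass https://localhost:8443/;
  }
</VirtualHost>
"""

if __name__ == "__main__":
    for no, msg in lint_apache_vhost(BROKEN_VHOST):
        print("line %d: %s" % (no, msg))
    print("A record 10.1.68.206 is public:", a_record_is_public("10.1.68.206"))
```

Run it against /etc/apache2/sites-enabled/000-default.conf and the IP your A record resolves to; an empty findings list and a public address are the state certbot's apache plugin needs.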