Unable to renew

aliakhtar · October 5, 2020, 9:30am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: api.ali.actor

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/api.ali.actor.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
Attempting to renew cert (api.ali.actor) from /etc/letsencrypt/renewal/api.ali.actor.conf produced an unexpected error: None of the preferred challenges are supported by the selected plugin. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/api.ali.actor/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/api.ali.actor/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): Stand alone?

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: Ubuntu 18.04.5 LTS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

_az · October 5, 2020, 9:39am

Odd. Does this work?

sudo certbot renew --cert-name api.ali.actor --preferred-challenges http

Osiris · October 5, 2020, 9:46am

Could be the known bug about this error message in 0.31.0, but first try @_az's suggestion.

aliakhtar · October 5, 2020, 9:51am

Does that require putting a file on a URL? I'm running a custom backend on this subdomain so would prefer not having to do anything that requires web server related stuff.

_az · October 5, 2020, 10:03am

The standalone plugin, which you are already using, starts its own HTTP server temporarily in order to serve the challenge response.

I honestly had forgotten about the bug @Osiris is referring to (https://github.com/certbot/certbot/issues/5342 I think)? If you issued the certificate manually via DNS recently, that bug would be relevant, in which case my advice wouldn't help.

Osiris · October 5, 2020, 10:07am

That bug would have introduced the error if that's the case? As the bug report was for 0.20.0 and was fixed in 0.31.0, the version @aliakhtar is using But I remember it had something to do with reusing authz indeed.

aliakhtar · October 5, 2020, 10:57am

All right - this worked. Is this the command I should run in future when updating?

_az · October 5, 2020, 11:11am

No, you shouldn't need it next time. The /etc/letsencrypt/renewal/api.ali.actor.conf file should now have that extra parameter recorded, so it will be automatically applied at the next automatic renewal.

Osiris · October 5, 2020, 11:47am

Good to know this wasn't the aformentioned bug. I guess that was indeed fixed in 0.31.0.

system · November 4, 2020, 11:47am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.