Unexpected Error during renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

kriebel.mooo.com

I ran this command:

sudo /usr/bin/certbot renew --http-01-port 62080

It produced this output:

Attempting to renew cert (kriebel.mooo.com) from /etc/letsencrypt/renewal/kriebel.mooo.com.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/xxx does not exist. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/kriebel.mooo.com/fullchain.pem (failure)

My web server is (include version):

apache2 -v
Server version: Apache/2.4.38 (Raspbian)
Server built: 2023-04-21T22:01:00

The operating system my web server runs on is (include version):

lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 10 (buster)
Release: 10
Codename: buster

My hosting provider, if applicable, is:

I run this on my own local server (raspberry pi) via dsl router port forwarding from 80 to 62080

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

I'm using an SSH terminal to connect to the RPi

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 0.31.0

Additional info:
I installed your certificate in Oct 2023 and tested everything, it worked fine. I made a lot of renew attempts and they worked without any issues, although it was saying that the renew cannot be completed because the 90 day period is not over. I added a cronjob to perform the renew command every 5 days.

A few days ago I received a reminder email that I have to take care to renew my certificate. I logged into my RPi and here we are...

The error message says .../acme-v01.api.letsencrypt.org... cannot be reached. That is normal, because this directory doesn't exist. I'm using v02.
This is the content of my kriebel.mooo.com.conf:

version = 0.31.0
archive_dir = /etc/letsencrypt/archive/kriebel.mooo.com
cert = /etc/letsencrypt/live/kriebel.mooo.com/cert.pem
privkey = /etc/letsencrypt/live/kriebel.mooo.com/privkey.pem
chain = /etc/letsencrypt/live/kriebel.mooo.com/chain.pem
fullchain = /etc/letsencrypt/live/kriebel.mooo.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxx
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa

This is in the accounts folder:
root@RPi2:/etc/letsencrypt/accounts# ls
acme-staging-v02.api.letsencrypt.org acme-v02.api.letsencrypt.org

It seems you don't have any account for any production environment, old or new, on your current host. Maybe you could simply run sudo certbot register to register a new account on the v02 API and hope Certbot starts using that? If not, you could change the account parameter in kriebel.mooo.com.conf to reflect the hash found in the newly made directory /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/.

This Certbot is rather old. It might be all your issues are solved by running the latest Certbot version. I would probably not recommend snap on a RPi (no clue if that's going to work or not..), so maybe you could follow the pip instructions on the https://certbot.eff.org/ site to upgrade your Certbot.

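A diagnostic for the "Account ... does not exist" failure quoted above, added here as an example and not code from the thread or from Certbot: it reads the account and server lines from a renewal conf and checks that the accounts directory Certbot would look for actually exists. The conf files and directory layout are constructed in a temp dir rather than under /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not Certbot's own code): check that the account named in a
# renewal conf exists under accounts/<server host>/<server path>/<account>.
set -eu

# Print the value of "$2 = ..." from the [renewalparams] section of conf $1.
renewal_param() {
    sed -n '/^\[renewalparams\]/,$p' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Print the account directory Certbot would expect for conf $1 under config dir $2.
expected_account_dir() {
    server=$(renewal_param "$1" server)
    account=$(renewal_param "$1" account)
    host=$(printf '%s\n' "$server" | sed -e 's#^[a-z]*://##' -e 's#/.*##')
    path=$(printf '%s\n' "$server" | sed -e 's#^[a-z]*://[^/]*##')   # e.g. /directory
    printf '%s/accounts/%s%s/%s\n' "$2" "$host" "$path" "$account"
}

# Return 0 when the account directory exists, 1 when renew would fail.
check_account() {
    dir=$(expected_account_dir "$1" "$2")
    if [ -d "$dir" ]; then
        echo "ok: $dir exists"
        return 0
    fi
    echo "missing: $dir (renew would report 'Account ... does not exist')"
    return 1
}

# Constructed fixture mirroring the layout in the thread (hash is made up).
WORK=$(mktemp -d)
mkdir -p "$WORK/accounts/acme-v02.api.letsencrypt.org/directory/0123abcd"
cat > "$WORK/good.conf" <<'EOF'
version = 0.31.0
[renewalparams]
account = 0123abcd
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
# Same conf pointing at the old v01 endpoint, for which no account dir exists.
sed 's/acme-v02/acme-v01/' "$WORK/good.conf" > "$WORK/bad.conf"

check_account "$WORK/good.conf" "$WORK"
check_account "$WORK/bad.conf" "$WORK" || true
```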

Thank you very much for the quick answer. I installed certbot 2.7.4 with pip right now (thanks for that hint!), it's not yet working, but I'm making some progress.

Renew failed with this:
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 62080. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Probably the syntax to define the port number changed, in October it still worked:
sudo /usr/bin/certbot renew --http-01-port 62080
I'm going to look into the certbot docs or ask Dr. Google, perhaps he knows...

Additional info: a dry-run worked
sudo /usr/bin/certbot renew --http-01-port 62080 --dry-run
...
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/kriebel.mooo.com/fullchain.pem (success)


That's good. But, normally you set the options using certonly and then renew runs without options. Example:

sudo /usr/bin/certbot certonly --standalone --http-01-port 62080 -d kriebel.mooo.com --dry-run

Then in cronjob or command line you just do

sudo /usr/bin/certbot renew

Leave the --dry-run off for production certs.

You should be running a renew command at least daily if not twice / day. And

We ask that ACME clients perform routine renewals at random times to avoid spikes in traffic at set times of the day, such as exactly midnight UTC, or the first second of each hour or minute. When the service is too busy, clients will be asked to try again later, so randomizing renewal times can help avoid unnecessary retries.

See the Certbot docs for a recommended way to randomize cronjob renewal times


That was the solution, thanks a lot! I first ran the above command, got a "Successfully received certificate.", then just to be safe ran

sudo /usr/bin/certbot renew
Certificate not yet due for renewal - as expected.
I'm going to change my crontab according to your advice. I already saw this:

echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

in the certbot documentation. I'm going to adapt this to my needs.
Thanks again!


Terrific!

You can always test renew by adding just --dry-run

sudo /usr/bin/certbot renew --dry-run

But it looks like it is there:

I still don't get why it tries acme-v01:

No, that was NOT normal.

Agreed.
And I'm glad the updated version helped to resolve this issue [and any other(s)] :slight_smile:


Huh, just stopped reading after the staging URI I guess :rofl:


TL;DR fatigue!
