Update of wildcard certificates fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: njom.com

I ran this command: certbot -d njom.com -d *.njom.com --manual --preferred-challenges dns certonly

It produced this output: An unexpected error occurred:
ValueError: max() arg is an empty sequence

My web server is (include version): Apache/2.4.53

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.39.0

I created the wildcard with certbot -d *.njom.com --manual --preferred-challenges dns certonly 3 months ago, using only the *.njom.com. Trying the same now, it complains about the number of arguments.

It is trying to upgrade and fails with the same message at the end of the upgrade; on the last try it failed at the start with the same message.

Now it seems that there are two njom.com certificates: one wildcard *.njom.com that I installed on my servers, and another for njom.com and www.njom.com at the hosting provider for our home server, which is outsourced to another company and which I point to in my DNS record. It looks in the log as if it is verifying against the hosting provider's cert.

Any idea on how to solve this? Renewing or install from scratch!

Regards
Kent

Here is a list of the certificates that have been issued https://crt.sh/?q=njom.com
The latest as of today 2022-09-26.

This is the certificate that is currently being served.

1 Like

Yes and this was the previous certificate

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: njom.com
Domains: *.njom.com
Expiry Date: 2022-09-25 08:46:28+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/njom.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/njom.com/privkey.pem

Does certbot certificates show any other certs? Because you got two today with both your wildcard and apex domain name in it. See HERE

Also, when I try your apex domain it says an nginx server is replying. But, your post says Apache is being used. Can you explain?

curl -I http://njom.com
HTTP/1.1 301 Moved Permanently
Date: Mon, 26 Sep 2022 15:19:09 GMT
Location: https://njom.com/
Server: nginx

3 Likes

I think you cross-posted. That warning is for the domain in the other thread :slight_smile:

3 Likes

Dang, the second time today. :slightly_frowning_face:
Thanks for catching that @MikeMcQ

Yes, I have a number of other services in this domain, but on one of them I need to use the wildcard.

Regarding your other question: I think that what you are looking at is the home server, which is not handled by me but by a hosting provider (for our marketing people) that is a completely different company.
But the IP is handled in my DNS service.

Please provide the entire log file from when you encountered this error.

Also, your Certbot is pretty old, perhaps updating is enough to fix it.

4 Likes

https://dastjar-coupons.s3.eu-west-1.amazonaws.com/upload/coupon/logfile_certbot.txt

Looks like your /archive/ directory is messed up. Please post the output of:

ls -l /etc/letsencrypt/archive/njom.com/

And also

ls -l /etc/letsencrypt/live/njom.com/

4 Likes

ls -l /etc/letsencrypt/archive/njom.com/
totalt 20
-rw-r--r-- 1 root root 1830 27 jun 09.46 cert.pem
-rw-r--r-- 1 root root 3750 27 jun 09.46 chain.pem
-rw-r--r-- 1 root root 5580 27 jun 09.46 fullchain.pem
drwxr-xr-x 2 root root 83 27 jun 13.41 old
-rw------- 1 root root 1704 27 jun 09.46 privkey.pem

ls -l /etc/letsencrypt/live/njom.com/
totalt 4
lrwxrwxrwx 1 root root 31 27 jun 13.45 cert.pem -> ../../archive/njom.com/cert.pem
lrwxrwxrwx 1 root root 32 27 jun 13.45 chain.pem -> ../../archive/njom.com/chain.pem
lrwxrwxrwx 1 root root 36 27 jun 13.45 fullchain.pem -> ../../archive/njom.com/fullchain.pem
lrwxrwxrwx 1 root root 34 27 jun 13.45 privkey.pem -> ../../archive/njom.com/privkey.pem
-rw-r--r-- 1 root root 692 27 maj 08.20 README

Well, that's not good. Someone manually modified the contents of the /archive/ directory. Certbot only generates files with the format xxx1.pem and xxx2.pem and so on. (Where xxx = "cert", "chain", "fullchain" and "privkey".)

By manually modifying the /archive/ directory contents so it does not have a number any longer, Certbot will malfunction with the error presented. Adding a number again and fixing the symbolic links in /live/ will restore it.

4 Likes
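
As an added example (not part of the thread and not Certbot's own code), this is a read-only check for the condition described in the reply above: archive files without a version number and live/ symlinks that point at unnumbered targets. The function names, the `example.test` lineage and the temporary fixture directories are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Certbot code). Reports archive files and live/ symlinks
# in one lineage that lack the numeric version suffix described above.
# Usage: audit_lineage <config-root> <lineage-name>; exit status 0 = clean.
audit_lineage() (
    root=$1; name=$2; bad=0
    archive="$root/archive/$name"; live="$root/live/$name"
    for kind in cert chain fullchain privkey; do
        # The archive needs at least one versioned file, e.g. cert1.pem.
        if ! ls "$archive" 2>/dev/null | grep -Eq "^${kind}[0-9]+\.pem$"; then
            echo "archive: no ${kind}N.pem in $archive"; bad=1
        fi
        # An unnumbered file is the sign of a manual rename or copy.
        if [ -e "$archive/$kind.pem" ]; then
            echo "archive: unnumbered $kind.pem"; bad=1
        fi
        link="$live/$kind.pem"
        if [ ! -L "$link" ]; then
            echo "live: $kind.pem is not a symlink"; bad=1
            continue
        fi
        target=$(readlink "$link")
        if ! printf '%s\n' "$target" | grep -Eq "(^|/)${kind}[0-9]+\.pem$"; then
            echo "live: $kind.pem -> $target (no version number)"; bad=1
        elif [ ! -e "$link" ]; then
            echo "live: $kind.pem -> $target (dangling link)"; bad=1
        fi
    done
    [ "$bad" -eq 0 ]
)

# Constructed fixture: build a lineage under a temp dir, either versioned
# ("good") or renamed as in the listings posted above ("broken").
make_fixture() (
    root=$1; suffix=$2
    mkdir -p "$root/archive/example.test" "$root/live/example.test"
    for kind in cert chain fullchain privkey; do
        : > "$root/archive/example.test/$kind$suffix.pem"
        ln -sf "../../archive/example.test/$kind$suffix.pem" \
            "$root/live/example.test/$kind.pem"
    done
)

tmp=$(mktemp -d)
make_fixture "$tmp/good" 1
make_fixture "$tmp/broken" ""
audit_lineage "$tmp/good" example.test && echo "good: clean"
audit_lineage "$tmp/broken" example.test || echo "broken: problems found"
```

On a real host the same function would be run as root against the Certbot configuration directory, for example `audit_lineage /etc/letsencrypt njom.com`.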

Seems to work now! Thanks a lot!

3 Likes
