/usr/bin/certbot renew --post-hook 'service postfix restart; service nginx restart; service dovecot restart'

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: simoli.met.gov.fj

I ran this command: sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/simoli.met.gov.fj.conf

Found a new cert /archive/ that was not linked to in /live/; fixing…
Attempting to renew cert (simoli.met.gov.fj) from /etc/letsencrypt/renewal/simoli.met.gov.fj.conf produced an unexpected error: [(‘PEM routines’, ‘get_name’, ‘no start line’)]. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/simoli.met.gov.fj/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/simoli.met.gov.fj/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

My web server is (include version): Ubuntu 18.04.4 LTS

The operating system my web server runs on is (include version):
nginx version: nginx/1.14.0 (Ubuntu)
built with OpenSSL 1.1.1 11 Sep 2018
TLS SNI support enabled
configure arguments: --with-cc-opt=’-g -O2 -fdebug-prefix-map=/build/nginx-GkiujU/nginx-1.14.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2’ --with-ld-opt=’-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC’ --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1 Like
2

Hi,

Looks like there’s something wrong with your certbot configuration file. Can you share that conf file along with the debug log located in /var/log/letsencrypt/letsencrypt.log? (Just the transaction where this error occured).

Please also check whether your certificate file contain a valid certificate. Check this file /etc/letsencrypt/live/simoli.met.gov.fj/fullchain.pem

Debug steps from https://github.com/certbot/certbot/issues/4145

1 Like
3

What I have noticed in /etc/letsencrypt/archive/simoli.met.gov.fj is the following files:

-rw-r–r-- 1 root root 1708 Dec 15 2019 privkey1.pem
-rw-r–r-- 1 root root 3562 Dec 15 2019 fullchain1.pem
-rw-r–r-- 1 root root 1647 Dec 15 2019 chain1.pem
-rw-r–r-- 1 root root 1915 Dec 15 2019 cert1.pem
drw-r–r-- 3 root root 4096 Dec 15 2019 …
-rw-r–r-- 1 root root 1704 Feb 13 13:16 privkey2.pem
-rw-r–r-- 1 root root 3562 Feb 13 13:16 fullchain2.pem
-rw-r–r-- 1 root root 1647 Feb 13 13:16 chain2.pem
-rw-r–r-- 1 root root 1915 Feb 13 13:16 cert2.pem
-rw-r–r-- 1 root root 1704 Apr 13 20:25 privkey3.pem
-rw-r–r-- 1 root root 1647 Apr 13 20:25 chain3.pem
-rw-r–r-- 1 root root 1919 Apr 13 20:25 cert3.pem
-rw-r–r-- 1 root root 3566 Apr 13 20:25 fullchain3.pem
-rw-r–r-- 1 root root 3562 Jun 13 03:04 fullchain4.pem
-rw-r–r-- 1 root root 1647 Jun 13 03:04 chain4.pem
drwxr-xr-x 2 root root 4096 Jun 16 09:21 .
-rw-r–r-- 1 root root 0 Jun 16 09:37 privkey5.pem
-rw-r–r-- 1 root root 0 Jun 16 09:37 fullchain5.pem
-rw-r–r-- 1 root root 0 Jun 16 09:37 chain5.pem
-rw-r–r-- 1 root root 0 Jun 16 09:37 cert5.pem

I am missing two files for privkey4.pem and cert4.pem.
The lastest files *5.pem have 0 blocks.

The output of the letsencrypt.log file is below:

2020-06-18 11:26:25,532:DEBUG:certbot.main:certbot version: 0.31.0
2020-06-18 11:26:25,533:DEBUG:certbot.main:Arguments:
2020-06-18 11:26:25,533:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-06-18 11:26:25,539:DEBUG:certbot.log:Root logging level set at 20
2020-06-18 11:26:25,539:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-06-18 11:26:25,551:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/simoli.met.gov.fj/cert.pem
2020-06-18 11:26:25,552:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/simoli.met.gov.fj/chain.pem -cert /etc/letsencrypt/live/simoli.met.gov.fj/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/simoli.met.gov.fj/chain.pem -verify_other /etc/letsencrypt/live/simoli.met.gov.fj/chain.pem -trust_other -header Host=ocsp.int-x3.letsencrypt.org
2020-06-18 11:31:02,303:DEBUG:certbot.main:certbot version: 0.31.0
2020-06-18 11:31:02,304:DEBUG:certbot.main:Arguments: [’–dry-run’]
2020-06-18 11:31:02,304:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-06-18 11:31:02,316:DEBUG:certbot.log:Root logging level set at 20
2020-06-18 11:31:02,317:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-06-18 11:31:02,329:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fdec36dc898> and installer <certbot.cli._Default object at 0x7fdec36dc898>
2020-06-18 11:31:02,329:DEBUG:certbot.cli:Var dry_run=True (set by user).
2020-06-18 11:31:02,329:DEBUG:certbot.cli:Var server={‘staging’, ‘dry_run’} (set by user).
2020-06-18 11:31:02,329:DEBUG:certbot.cli:Var dry_run=True (set by user).
2020-06-18 11:31:02,329:DEBUG:certbot.cli:Var server={‘staging’, ‘dry_run’} (set by user).
2020-06-18 11:31:02,329:DEBUG:certbot.cli:Var account={‘server’} (set by user).
2020-06-18 11:31:02,335:WARNING:certbot.storage:Found a new cert /archive/ that was not linked to in /live/; fixing…
2020-06-18 11:31:02,336:WARNING:certbot.renewal:Attempting to renew cert (simoli.met.gov.fj) from /etc/letsencrypt/renewal/simoli.met.gov.fj.conf produced an unexpected error: [(‘PEM routines’, ‘get_name’, ‘no start line’)]. Skipping.
2020-06-18 11:31:02,347:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 437, in handle_renewal_request
if should_renew(lineage_config, renewal_candidate):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 268, in should_renew
if lineage.should_autorenew():
File “/usr/lib/python3/dist-packages/certbot/storage.py”, line 944, in should_autorenew
“cert”, self.latest_common_version()))
File “/usr/lib/python3/dist-packages/certbot/crypto_util.py”, line 418, in notAfter
return _notAfterBefore(cert_path, crypto.X509.get_notAfter)
File “/usr/lib/python3/dist-packages/certbot/crypto_util.py”, line 435, in _notAfterBefore
f.read())
File “/usr/lib/python3/dist-packages/OpenSSL/crypto.py”, line 1824, in load_certificate
_raise_current_error()
File “/usr/lib/python3/dist-packages/OpenSSL/_util.py”, line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [(‘PEM routines’, ‘get_name’, ‘no start line’)]

2020-06-18 11:31:02,347:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-06-18 11:31:02,347:ERROR:certbot.renewal: /etc/letsencrypt/live/simoli.met.gov.fj/fullchain.pem (failure)
2020-06-18 11:31:02,347:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.31.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1365, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1272, in renew
renewal.handle_renewal_request(config)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 477, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
root@simoli:/var/log/letsencrypt#

1 Like
4

now re-reading the error message, my guess is the error is about these empty files.
Can you try to remove the *5.pem files(in archive folder)? Since there’s no content inside that.
And please try to relink the files to live folder.
ln -sf /etc/letsencrypt/archive/simoli.met.gov.fj/fullchain4.pem /etc/letsencrypt/live/simoli.met.gov.fj/fullchain.pem
ln -sf /etc/letsencrypt/archive/simoli.met.gov.fj/privkey4.pem /etc/letsencrypt/live/simoli.met.gov.fj/privkey.pem
I’m not sure if that two relink will be sufficient, but if it isn’t, you’ll also need to link chain.pem and cert.pem

After that, run certbot with dry-run again and see if there’s any issue.

1 Like
5

stevenzhu,

Thank you for your assistance. It showed me a way to fix the issue I had.

What I did was delete *4.pem keys in archive/simoli.met.gov.fj and symlinked files in /live/simoli.met.gov.fj/ to *3.pem files.
Run certbot with dry-run. This created the *4.pem files in archive/simoli.met.gov.fj.

When I run certbot certificates I get a response:
root@simoli:/etc/letsencrypt/archive/simoli.met.gov.fj# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: simoli.met.gov.fj
Domains: simoli.met.gov.fj
Expiry Date: 2020-09-15 23:53:54+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/simoli.met.gov.fj/fullchain.pem
Private Key Path: /etc/letsencrypt/live/simoli.met.gov.fj/privkey.pem

root@simoli:/etc/letsencrypt/archive/simoli.met.gov.fj#

When I run openssl rsa -in privkey4.pem -check it has a positive output.

Thank you,
Len

2 Likes
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.