Webroot renewal timeout - works on standalone only

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: benedicte-pavageau.com

I ran this command: /usr/bin/certbot renew --webroot -w /usr/share/wordpress --dry-run

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/benedicte-pavageau.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for benedicte-pavageau.com and www.benedicte-pavageau.com
Performing the following challenges:
http-01 challenge for www.benedicte-pavageau.com
http-01 challenge for benedicte-pavageau.com
Using the webroot path /usr/share/wordpress for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.benedicte-pavageau.com
Challenge failed for domain benedicte-pavageau.com
http-01 challenge for www.benedicte-pavageau.com
http-01 challenge for benedicte-pavageau.com
Cleaning up challenges
Failed to renew certificate benedicte-pavageau.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/benedicte-pavageau.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): apache

The operating system my web server runs on is (include version): debian

My hosting provider, if applicable, is: linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

Hi @tlloancy, and welcome to the LE community forum :slight_smile:

That shows a "firewall" type problem.
How can --standalone work?

1 Like

Hello

This is why I'm here asking lol

OK, but if there is a firewall blocking, then --standalone would also fail.

Are you sure --standalone works?

2 Likes

I'm sure because this is my only way to renew the certificate

Exactly what command do you run to renew the cert?

2 Likes

certbot renew --standalone

Please show the renewal config file for that cert.
[look for file in the folder: /etc/letsencrypt/renewal/]

2 Likes

cat /etc/letsencrypt/renewal/benedicte-pavageau.com.conf

# renew_before_expiry = 30 days
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/benedicte-pavageau.com
cert = /etc/letsencrypt/live/benedicte-pavageau.com/cert.pem
privkey = /etc/letsencrypt/live/benedicte-pavageau.com/privkey.pem
chain = /etc/letsencrypt/live/benedicte-pavageau.com/chain.pem
fullchain = /etc/letsencrypt/live/benedicte-pavageau.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 1bbea34b5ff906bb812e1a70b793fefb
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
benedicte-pavageau.com = /usr/share/wordpress
www.benedicte-pavageau.com = /usr/share/wordpress

hmm...
That cert is already set to use --standalone

but there is a web server listening on port 80:

curl -Ii http://benedicte-pavageau.com/
HTTP/1.1 301 Moved Permanently
Date: Tue, 03 Oct 2023 16:45:15 GMT
Server: Apache/2.4.56 (Debian)
Location: https://benedicte-pavageau.com/
Content-Type: text/html; charset=iso-8859-1

What shows?
ls -lR /etc/letsencrypt/renewal-hooks/

1 Like

/etc/letsencrypt/renewal-hooks/:
total 12
drwxr-xr-x 2 root root 4096 Mar 28 2023 deploy
drwxr-xr-x 2 root root 4096 Mar 28 2023 post
drwxr-xr-x 2 root root 4096 Mar 28 2023 pre

/etc/letsencrypt/renewal-hooks/deploy:
total 0

/etc/letsencrypt/renewal-hooks/post:
total 0

/etc/letsencrypt/renewal-hooks/pre:
total 0

Based on what you have shown, "certbot renew --standalone" would fail to bind on port 80.
It would NOT work.
Without first stopping the web service [manually].

3 Likes

But I first stopped the web service.

Then you must repeat [all] your steps for any such renewals.

That said, I don't see how that would affect the firewall/blocking.
There must be other missing step(s) OR other things have changed since your last renewal.

3 Likes

I don't see a firewall problem anymore. At least not using Let's Debug.

4 Likes

What I'm trying to do is to make the webroot option work in order to not stop the Apache web server.

@tlloancy Can you try this command again and show the result? Because I don't see a firewall problem anymore.

4 Likes

/usr/bin/certbot renew --webroot -w /usr/share/wordpress --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/benedicte-pavageau.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for benedicte-pavageau.com and www.benedicte-pavageau.com
Performing the following challenges:
http-01 challenge for benedicte-pavageau.com
http-01 challenge for www.benedicte-pavageau.com
Using the webroot path /usr/share/wordpress for all unmatched domains.
Waiting for verification...
Challenge failed for domain benedicte-pavageau.com
Challenge failed for domain www.benedicte-pavageau.com
http-01 challenge for benedicte-pavageau.com
http-01 challenge for www.benedicte-pavageau.com
Cleaning up challenges
Failed to renew certificate benedicte-pavageau.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/benedicte-pavageau.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Since we are dealing with Apache, we should start with the output of:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes
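One way to test the -w path yourself before the next dry run, as an added example that is not from this thread or from certbot: it drops a throwaway token under the webroot, fetches it over plain HTTP the way the CA does (following the 301 to HTTPS shown above), and names the likely cause of a failure (blocked port, wrong DocumentRoot, or a rewrite serving something else). The domain and path in the usage comment are placeholders.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot):
    """Write a random token file where certbot's webroot plugin would put it."""
    token = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path

def fetch(url, timeout=10):
    """GET url following redirects; Let's Encrypt follows them too, HTTPS included."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:          # 4xx/5xx still carry a body
        body = err.read().decode(errors="replace") if err.fp else ""
        return err.code, body
    except (urllib.error.URLError, OSError):       # refused, timeout, DNS, TLS failure
        return None, ""

def diagnose(status, body, token):
    """Map what the CA would see to the likely cause, in the order this thread met them."""
    if status is None:
        return "unreachable: port 80 (or the HTTPS target of the redirect) is blocked or has no listener"
    if status == 404:
        return "404: the -w path is not the DocumentRoot serving this host, or a rewrite swallows /.well-known/"
    if status != 200:
        return f"HTTP {status}: the vhost answers but does not serve the challenge file"
    if body.strip() != token:
        return "200 with the wrong body: something else (e.g. an index page) is served for the token URL"
    return "ok"

def selfcheck(domain, webroot):
    """Place a token, fetch it as the CA would, and always clean up the file."""
    token, path = place_token(webroot)
    try:
        status, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
        return diagnose(status, body, token)
    finally:
        os.remove(path)

# Usage on a live host (placeholders): print(selfcheck("example.com", "/var/www/html"))
```

Run it as the user that owns the webroot; a 404 here while Apache is running points at the vhost's DocumentRoot rather than at the firewall.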

And yet LE does still have a "firewall/blocking" problem :frowning:

4 Likes