bug#62491: [berlin] certbot renewal appears to be broken

bug-guix
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#62491: [berlin] certbot renewal appears to be broken

From:	Maxim Cournoyer
Subject:	bug#62491: [berlin] certbot renewal appears to be broken
Date:	Mon, 27 Mar 2023 17:05:50 -0400
Hi,

The TLS cert of https://disarchive.guix.gnu.org/ expired today.  Looking
at /var/log/mcron.log on Berlin, we see that the last certbot renew job
failed like so:

--8<---------------cut here---------------start------------->8---
2023-03-24 00:30:00 127768 certbot renew --webroot --webroot-path /var/www: 
running...
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/bootstrappable.org.conf
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: 
Certificate not yet due for renewal
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/ci.guix.gnu.org.conf
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: 
Certificate not yet due for renewal
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/disarchive.guix.gnu.org.conf
2023-03-24 00:30:02 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:32:54 127768 certbot renew --webroot --webroot-path /var/www: 
Renewing an existing certificate for disarchive.guix.gnu.org
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
Certbot failed to authenticate some domains (authenticator: webroot). The 
Certificate Authority reported these problems:
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:   
Domain: disarchive.guix.gnu.org
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:   
Type:   unauthorized
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www:   
Detail: 141.80.181.40: Invalid response from 
https://disarchive.guix.gnu.org/.well-known/acme-challenge/O1kK3tsJtH0r9RwvbCIFhHagJhBwewV3Ka0NPW86nAI:
 404
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
Hint: The Certificate Authority failed to download the temporary challenge 
files created by Certbot. Ensure that the listed domains serve their content 
from the provided --webroot-path/-w and that files created there can be 
downloaded from the internet.
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
Failed to renew certificate disarchive.guix.gnu.org with error: Some challenges 
have failed.
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/dump.guix.gnu.org.conf
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
Certificate not yet due for renewal
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/guix.gnu.org.conf
2023-03-24 00:33:09 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:10 127768 certbot renew --webroot --webroot-path /var/www: 
Renewing an existing certificate for guix.gnu.org
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: 
Certbot failed to authenticate some domains (authenticator: webroot). The 
Certificate Authority reported these problems:
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www:   
Domain: guix.gnu.org
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www:   
Type:   unauthorized
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www:   
Detail: 2a0c:e300::58: Invalid response from 
https://guix.gnu.org/.well-known/acme-challenge/_PlXq5i2BRw23Ui1Yl4rLtyB2aSDnUNMZXurCWBwH-k:
 404
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: 
Hint: The Certificate Authority failed to download the temporary challenge 
files created by Certbot. Ensure that the listed domains serve their content 
from the provided --webroot-path/-w and that files created there can be 
downloaded from the internet.
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: 
Failed to renew certificate guix.gnu.org with error: Some challenges have 
failed.
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/guix.info.conf
2023-03-24 00:33:18 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:19 127768 certbot renew --webroot --webroot-path /var/www: 
Renewing an existing certificate for guix.info and www.guix.info
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
Certbot failed to authenticate some domains (authenticator: webroot). The 
Certificate Authority reported these problems:
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:   
Domain: guix.info
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:   
Type:   unauthorized
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:   
Detail: 141.80.181.40: Invalid response from 
https://guix.gnu.org/.well-known/acme-challenge/O6y6aqSvLdjdS77MgaEhh7sN7Q75OQX3Jz69xnT4qnY:
 404
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:   
Domain: www.guix.info
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:   
Type:   unauthorized
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www:   
Detail: 141.80.181.40: Invalid response from 
https://guix.gnu.org/.well-known/acme-challenge/lCioloihdJF6xwwTBg6cSNFjRearp4EBZBWcjkznrUE:
 404
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
Hint: The Certificate Authority failed to download the temporary challenge 
files created by Certbot. Ensure that the listed domains serve their content 
from the provided --webroot-path/-w and that files created there can be 
downloaded from the internet.
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
Failed to renew certificate guix.info with error: Some challenges have failed.
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/issues.guix.gnu.org.conf
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
Certificate not yet due for renewal
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/issues.guix.info.conf
2023-03-24 00:33:25 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:26 127768 certbot renew --webroot --webroot-path /var/www: 
Renewing an existing certificate for issues.guix.info and 3 more domains
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: 
Certbot failed to authenticate some domains (authenticator: webroot). The 
Certificate Authority reported these problems:
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www:   
Domain: guix.info
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www:   
Type:   unauthorized
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www:   
Detail: 141.80.181.40: Invalid response from 
https://guix.gnu.org/.well-known/acme-challenge/Yv4KpoYC95LzGsM5IPTE68vf6lLfNHVK5kMUocSuDW0:
 404
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: 
Hint: The Certificate Authority failed to download the temporary challenge 
files created by Certbot. Ensure that the listed domains serve their content 
from the provided --webroot-path/-w and that files created there can be 
downloaded from the internet.
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: 
Failed to renew certificate issues.guix.info with error: Some challenges have 
failed.
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/monitor.guix.gnu.org.conf
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:39 127768 certbot renew --webroot --webroot-path /var/www: 
Renewing an existing certificate for monitor.guix.gnu.org
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
Certbot failed to authenticate some domains (authenticator: webroot). The 
Certificate Authority reported these problems:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
Domain: monitor.guix.gnu.org
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
Type:   unauthorized
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
Detail: 141.80.181.40: Invalid response from 
https://monitor.guix.gnu.org/.well-known/acme-challenge/_wxH92e9QQag7TEYdqsA4-C-5pE5DnUd6pzMvQWzWNU:
 400
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
Hint: The Certificate Authority failed to download the temporary challenge 
files created by Certbot. Ensure that the listed domains serve their content 
from the provided --webroot-path/-w and that files created there can be 
downloaded from the internet.
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
Failed to renew certificate monitor.guix.gnu.org with error: Some challenges 
have failed.
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/www.guixwl.org-0001.conf
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
Certificate not yet due for renewal
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
Processing /etc/letsencrypt/renewal/www.guixwl.org.conf
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
Certificate not yet due for renewal
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: The 
following certificates are not due for renewal yet:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/bootstrappable.org/fullchain.pem expires on 2023-05-14 
(skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/ci.guix.gnu.org/fullchain.pem expires on 2023-06-04 
(skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/dump.guix.gnu.org/fullchain.pem expires on 2023-06-04 
(skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/issues.guix.gnu.org/fullchain.pem expires on 2023-06-04 
(skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/www.guixwl.org-0001/fullchain.pem expires on 2023-06-04 
(skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/www.guixwl.org/fullchain.pem expires on 2023-06-04 
(skipped)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: All 
renewals failed. The following certificates could not be renewed:
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/disarchive.guix.gnu.org/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/guix.gnu.org/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/guix.info/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/issues.guix.info/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www:   
/etc/letsencrypt/live/monitor.guix.gnu.org/fullchain.pem (failure)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 5 
renew failure(s), 0 parse failure(s)
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: Ask 
for help or search for solutions at https://community.letsencrypt.org. See the 
logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more 
details.
2023-03-24 00:33:54 127768 certbot renew --webroot --webroot-path /var/www: 
failed after 234.635s with: (misc-error #f unclean exit status ~S (1) 
#f)--8<---------------cut here---------------end--------------->8---

I removed the certbot file name prefix
(/gnu/store/jnp0166xw62dafd2zgxdmvjb6yq8ak32-certbot-1.28.0/bin/) in the
above output to improve readability.

-- 
Thanks,
Maxim
[Prev in Thread]
Current Thread
[Next in Thread]
bug#62491: [berlin] certbot renewal appears to be broken, Maxim Cournoyer <=
Prev by Date: bug#55287: make-file-writable adds the executable bit on some files added to the store
Next by Date: bug#62493: xelatex won't render fonts correctly without full texlive
Previous by thread: bug#55287: make-file-writable adds the executable bit on some files added to the store
Next by thread: bug#62493: xelatex won't render fonts correctly without full texlive
Index(es):
- Date
- Thread