Issue with renewal of existing Let's Encrypt certificates

Posted on Sep 1, 2017

I am a fan of Let’s Encrypt. I think this initiative vastly improved the Internet experience of everyone and brought big progress in terms of securing the entire web. The graphics below are taken from the Let’s Encrypt stats page.

Let’s Encrypt growth diagram

Stats about pages loaded with HTTPS

The process of installing and using Let’s Encrypt on your machines is pretty straightforward and there are plenty of guides out there which explain this in detail for various distributions.

However, if you have been using Let’s Encrypt for some time, you may find that after installing the letsencrypt package on your Ubuntu box you are unable to renew certificates. This happened to me when I changed from certbot to the (apparently older) letsencrypt package in Ubuntu 16.04.

You might get an error similar to this one when trying to renew your existing certificates.

WARNING:letsencrypt.cli:Attempting to renew cert from
/etc/letsencrypt/renewal/blog.jhnr.ch.conf produced an unexpected error: 'server'.
Skipping.

The older Ubuntu package is not forward-compatible with configuration files generated by more recent releases. Fixing this comes down to pretty much three options:

  • Continue using certbot.
  • Start with a new configuration. Clean /etc/letsencrypt and then re-issue all certificates.
  • Try to manually fix the configuration.

Well, to me it seemed to be the best option to start with a new configuration and re-issue all certificates with the default Ubuntu letsencrypt package.

sudo apt-get install letsencrypt

I then successfully created new certificates. However, when renewing for the first time, I ran into the following error message. The message is actually pretty clear on how to resolve the issue, but I decided to reference it anyway to point out that the Apache plugin may need to be installed.

$ sudo letsencrypt renew
Processing /etc/letsencrypt/renewal/blog.jhnr.ch.conf
2016-09-29 20:48:48,959:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/blog.jhnr.ch.conf produced an unexpected error: The requested apache plugin does not appear to be installed. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/blog.jhnr.ch/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

Installing the Apache plugin for Let’s Encrypt, python-letsencrypt-apache, resolves the issue:

$ sudo apt-cache search letsencrypt
letsencrypt - Let's Encrypt main client
python-letsencrypt - Let's Encrypt main library
python-letsencrypt-apache - Apache plugin for Let's Encrypt
python-letsencrypt-apache-doc - Apache Let's Encrypt plugin documentation
python-letsencrypt-doc - Let's Encrypt client documentation
$ sudo apt-get install python-letsencrypt-apache
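
Both errors above end in "Skipping", so an unattended renewal job can keep failing quietly until the certificate expires. The following is an added example, not part of the original post or of the letsencrypt client: a small shell filter that turns the renew output shown above into a non-zero exit status for alerting. The function names are hypothetical, the sample input is constructed from the messages quoted in this post (each joined onto a single line), and the filter assumes each warning arrives on one line.

```shell
#!/bin/sh
# Added example: flag skipped or failed lineages in `letsencrypt renew` output.

# Constructed sample, built from the messages quoted in this post.
sample_renew_output() {
cat <<'EOF'
Processing /etc/letsencrypt/renewal/blog.jhnr.ch.conf
WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/blog.jhnr.ch.conf produced an unexpected error: 'server'. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/blog.jhnr.ch/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
EOF
}

# Reads renew output on stdin and prints one line per problem:
#   SKIPPED <renewal conf> <reason given by the client>
#   FAILED <certificate path>
renew_problems() {
  awk '
    /Attempting to renew cert from/ && /produced an unexpected error:/ {
      conf = $0
      sub(/.*Attempting to renew cert from[ ]+/, "", conf)
      sub(/ produced an unexpected error:.*/, "", conf)
      reason = $0
      sub(/.*produced an unexpected error: /, "", reason)
      sub(/ ?Skipping\.$/, "", reason)
      print "SKIPPED " conf " " reason
    }
    # Matches the per-certificate lines, not the "failure(s)" summary line.
    /\(failure\)[ \t]*$/ { print "FAILED " $1 }
  '
}

# Returns 0 only when nothing was skipped or failed; problems go to stderr.
renew_ok() {
  problems=$(renew_problems)
  [ -z "$problems" ] && return 0
  printf '%s\n' "$problems" >&2
  return 1
}

# Possible use in a scheduled job (the alert command is a placeholder):
#   letsencrypt renew 2>&1 | renew_ok || <send alert>
```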