-1

I have an Ubuntu 14.04 Trusty server, with a Django app served with Apache 2.4. I have set up Let's Encrypt with an SSL cert. The cert is installed, but will expire in 17 days. /root/certbot-auto renew --apache gives the following error, and the cert isn't renewed:

I have 3 websites on this machine (site1.org, www.site2.com, site3.ie) with Let's Encrypt and only one of them is broken?

# /root/certbot-auto renew --apache

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/site1.org.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.site2.com.conf
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/site3.ie.conf
------------------------------------------------------------------------------
2016-09-27 10:13:38,702:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/site3.ie.conf produced an unexpected error: The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(('There has been an error in parsing the file (%s): %s', u'/etc/apache2/sites-available/certbot.log', u'Syntax error'),). Skipping.

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/site1.org/fullchain.pem (skipped)
  /etc/letsencrypt/live/www.site2.com/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/site3.ie/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

The file mentioned in the error log:

# cat /etc/apache2/sites-available/certbot.log
Traceback (most recent call last):
  File "/home/rory/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/home/rory/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 703, in main
    args = cli.prepare_and_parse_args(plugins, cli_args)
  File "/home/rory/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cli.py", line 858, in prepare_and_parse_args
    return helpful.parse_args()
  File "/home/rory/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cli.py", line 362, in parse_args
    parsed_args = self.parser.parse_args(self.args)
  File "/home/rory/.local/share/letsencrypt/local/lib/python2.7/site-packages/configargparse.py", line 216, in parse_args
    env_vars = env_vars)
  File "/home/rory/.local/share/letsencrypt/local/lib/python2.7/site-packages/configargparse.py", line 349, in parse_known_args
    self, args=args, namespace=namespace)
  File "/usr/lib/python2.7/argparse.py", line 1722, in parse_known_args
    namespace, args = self._parse_known_args(args, namespace)
  File "/usr/lib/python2.7/argparse.py", line 1928, in _parse_known_args
    start_index = consume_optional(start_index)
  File "/usr/lib/python2.7/argparse.py", line 1868, in consume_optional
    take_action(action, args, option_string)
  File "/usr/lib/python2.7/argparse.py", line 1796, in take_action
    action(self, namespace, argument_values, option_string)
  File "/home/rory/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cli.py", line 988, in __call__
    add_domains(namespace, domain)
  File "/home/rory/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cli.py", line 1008, in add_domains
    domain = util.enforce_domain_sanity(domain.strip())
  File "/home/rory/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/util.py", line 433, in enforce_domain_sanity
    .format(domain))
ConfigurationError: Requested domain site1.org www.site3.org is not a FQDN

What's interesting is that it can't renew site3.ie, but the error message is about site1.org. It looks like it somehow has both domains (site1.org www.site1.org) in a string where it expects just one domain??

I have tried to grep in /etc/letsencrypt, but couldn't see anything obvious.

I have downloaded certbot-auto today.

# /root/certbot-auto --version
letsencrypt 0.8.1

How can I fix this?

Amandasaurus

2 Answers

1

I have solved this.

If you look carefully, you'll see that certbot-auto is complaining about the file /etc/apache2/sites-available/certbot.log. Why is there a certbot.log file in /etc/apache2/sites-available/? I don't know. But it shouldn't be there. I think certbot is trying to parse that file as an Apache config file, and failing (hence the SyntaxError message). I moved that file out of the way, and certbot-auto is able to work fine.

I must have made a mistake when setting up certbot and ran it with 2 domains. I presume my cwd was /etc/apache2/sites-available/ and so certbot put a certbot.log file there, which then broke further runs of certbot.

This is a bug in certbot-auto because any non-Apache config file in /etc/apache2/sites-available/ will break certbot.

Amandasaurus
0

It looks like you in fact have a problem in your Apache configuration, not in Let's Encrypt. Probably, you have two domains in the ServerName line. Also, the error says "site1.org www.site3.org is not a FQDN". If what you have is not an ASCII whitespace but some Unicode symbol with the same visual appearance, it can be read as one "domain".

Hardy Rust
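An added example, not part of either answer and not certbot's own code: a pre-renewal check that covers both diagnoses above, flagging stray non-config files in a sites-available directory as well as ServerName lines holding two names or non-ASCII whitespace. The function names, the `.conf` suffix rule (the Debian/Ubuntu Apache 2.4 layout) and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

NAME_DIRECTIVES = ("servername", "serveralias")

def audit_sites_dir(path):
    """Return (filename, problem) pairs for files in a vhost directory."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        # Assumption: Debian/Ubuntu Apache 2.4 layout, vhost files end in .conf.
        if not name.endswith(".conf"):
            findings.append((name, "not a .conf file"))
            continue
        with open(full, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                stripped = line.strip()
                lowered = stripped.lower()
                directive = next(
                    (d for d in NAME_DIRECTIVES if lowered.startswith(d)), None)
                if directive is None:
                    continue  # comments and other directives are not checked
                args = stripped[len(directive):]
                # A look-alike space (e.g. U+00A0) glues two names into one.
                if any(c.isspace() and ord(c) > 127 for c in args):
                    findings.append(
                        (name, "line %d: non-ASCII whitespace" % lineno))
                elif directive == "servername" and len(args.split()) != 1:
                    findings.append(
                        (name, "line %d: ServerName needs exactly one name" % lineno))
    return findings

def demo():
    """Audit a constructed directory that mimics the cases on this page."""
    vhost = "<VirtualHost *:80>\n  %s\n</VirtualHost>\n"
    samples = {
        "site1.org.conf": vhost % "ServerName site1.org www.site1.org",
        "www.site2.com.conf": vhost % "ServerName www.site2.com",
        "site3.ie.conf": vhost % "ServerName site3.ie\u00a0www.site3.ie",
        "certbot.log": "Traceback (most recent call last):\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for fname, body in samples.items():
            with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_sites_dir(d)

if __name__ == "__main__":
    for fname, problem in demo():
        print(fname, "->", problem)
```

Pointing `audit_sites_dir` at the real /etc/apache2/sites-available before a renewal run lists anything that should be moved or corrected first.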