I noticed that the site's certificate would expire in less than a month. The odd part is that auto-renewal was already configured, and it had renewed without trouble for several months.
Configuration: https://skywalk.blog.csdn.net/article/details/154342032
Official guide: Certbot Instructions | Certbot
Finding the problem
Logged in to the server and ran the renewal by hand, certbot renew -q, which failed:
Failed to renew certificate quye.com with error: The requested nginx plugin does not appear to be installed
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/quye.com/fullchain.p
I had forgotten whether this certbot was installed with pip or with apt.
apt certainly had not installed the plugin; check with apt search certbot-nginx:
apt search certbot-nginx
Sorting... Done
Full Text Search... Done
python3-certbot-nginx/noble 2.9.0-1 all
Nginx plugin for Certbot
Whether it was pip or apt deserves some thought here, because if it was pip, certbot lives in the root account's Python environment. (This is probably where I went astray; the real problem may not have been here at all.)
Trying apt to fix the certbot-nginx problem
sudo apt install python3-certbot-nginx
Now sudo certbot renew -q gives this instead:
sudo certbot renew -q
Failed to renew certificate quye.com with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/quye.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
So the certbot-nginx problem is solved.
Trying to fix the account problem
The error now is: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist
Let me try pip again, running as root:
pip install certbot certbot-nginx -U
Error:
error: externally-managed-environment
× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.
If you wish to install a non-Debian-packaged Python package,
create a virtual environment using python3 -m venv path/to/venv.
Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
sure you have python3-full installed.
If you wish to install a non-Debian packaged Python application,
it may be easiest to use pipx install xyz, which will manage a
virtual environment for you. Make sure you have pipx installed.
See /usr/share/doc/python3.12/README.venv for more information.
note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
hint: See PEP 668 for the detailed specification.
What now?
Verifying the registration with certbot certificates
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: quye.com
Serial Number: 5898e30feaace0a997be58dcc3d20dfcxxx
Key Type: ECDSA
Domains: quye.com ai.quye.com airoot.quye.com mindspore.quye.com www.quye.com
Expiry Date: 2026-01-29 16:09:18+00:00 (VALID: 25 days)
Certificate Path: /etc/letsencrypt/live/quye.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/quye.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
So that works, but renewal does not.
Renewal fails with: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist
certbot renew fails like this:
certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/quye.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate quye.com with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/quye.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
So there is simply no account.....
Looking at the config file
Processing /etc/letsencrypt/renewal/quye.com.conf
cat /etc/letsencrypt/renewal/quye.com.conf
# renew_before_expiry = 30 days
version = 3.0.0
archive_dir = /etc/letsencrypt/archive/quye.com
cert = /etc/letsencrypt/live/quye.com/cert.pem
privkey = /etc/letsencrypt/live/quye.com/privkey.pem
chain = /etc/letsencrypt/live/quye.com/chain.pem
fullchain = /etc/letsencrypt/live/quye.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 18865f8ebdca67973220f9587c558xxx
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
Found the problem: the config points at v02, but the error looks under v01:
Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c558xxx
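The mismatch above is between what the renewal config asks for and what is registered on disk. As an added check (my own script, not from the original post or from certbot), the POSIX shell below does that comparison for every renewal config: it reads `account` and `server` from `[renewalparams]`, derives the directory certbot keeps for that account under `accounts/<server host>/directory/<account id>`, and reports whether it exists, then lists the account ids that really are present. `demo_constructed_layout` builds a throwaway copy of the layout in a temp dir with made-up account ids so the script runs offline; on a live server run `check_renewal_accounts /etc/letsencrypt` as root.

```shell
#!/bin/sh
# Added example, not from the original post. Cross-checks certbot renewal
# configs against the ACME account directories that exist on disk.
# Assumed layout (standard certbot):
#   <root>/renewal/<lineage>.conf   containing account = <id> and server = <url>
#   <root>/accounts/<server host>/directory/<id>/

# Print one line per renewal config: "OK <lineage> <dir>" or
# "MISSING <lineage> <expected dir>". Returns 1 if anything is missing.
check_renewal_accounts() {
    root="${1:-/etc/letsencrypt}"
    status=0
    for conf in "$root"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        lineage=$(basename "$conf" .conf)
        account=$(sed -n 's/^account *= *//p' "$conf" | head -n 1)
        server=$(sed -n 's/^server *= *//p' "$conf" | head -n 1)
        # host part of the directory URL, e.g. acme-v02.api.letsencrypt.org
        host=$(printf '%s\n' "$server" | sed -e 's|^[a-z]*://||' -e 's|/.*$||')
        expected="$root/accounts/$host/directory/$account"
        if [ -n "$account" ] && [ -n "$host" ] && [ -d "$expected" ]; then
            echo "OK $lineage $expected"
        else
            echo "MISSING $lineage $expected"
            status=1
        fi
    done
    return $status
}

# List "<server host> <account id>" for every account registered on disk,
# so a MISSING line can be compared with what is really there.
list_accounts() {
    root="${1:-/etc/letsencrypt}"
    for dir in "$root"/accounts/*/directory/*/; do
        [ -d "$dir" ] || continue
        rel=${dir#"$root/accounts/"}    # <host>/directory/<id>/
        rel=${rel%/}
        echo "${rel%%/*} ${rel##*/}"
    done
}

# Offline demo: a constructed layout mirroring the post's situation, with
# made-up account ids. One config names an id that only exists under the
# v01 server directory; the other agrees with the disk.
demo_constructed_layout() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/renewal" \
             "$tmp/accounts/acme-v01.api.letsencrypt.org/directory/aaaa1111" \
             "$tmp/accounts/acme-v02.api.letsencrypt.org/directory/bbbb2222"
    printf '[renewalparams]\naccount = aaaa1111\nserver = https://acme-v02.api.letsencrypt.org/directory\n' \
        > "$tmp/renewal/stale.conf"
    printf '[renewalparams]\naccount = bbbb2222\nserver = https://acme-v02.api.letsencrypt.org/directory\n' \
        > "$tmp/renewal/good.conf"
    check_renewal_accounts "$tmp" || true
    list_accounts "$tmp"
    rm -rf "$tmp"
}
```

A MISSING line together with the list_accounts output tells you whether the id was registered against a different ACME server (as the v01/v02 paths above suggest) or was never registered at all, which decides between fixing the `server` line and registering a new account.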
Check the version with certbot --version:
certbot --version
certbot 2.9.0
It is version 2.9.0, which is rather old; reportedly you need a version above 3.1!
Checked in the python3.12 environment: certbot there is already at 5.2.2!
But that python3.12 belongs to an ordinary user account, with no root privileges.
Trying pip install certbot as root
As root, pip install certbot fails:
pip3 install certbot
error: externally-managed-environment
root@iZ2ze2j4cywindg339jqloZ:~# python3 -m pip3 install certbot
/usr/bin/python3: No module named pip3
root@iZ2ze2j4cywindg339jqloZ:~# python3 -m pip install certbot
error: externally-managed-environment
Installation failed.
Reinstalling from scratch, following the official manual
As root, create a virtual environment:
python3 -m venv /opt/certbot/
Upgrade pip:
/opt/certbot/bin/pip install --upgrade pip
Install certbot:
/opt/certbot/bin/pip install certbot certbot-nginx
Delete the original /usr/bin/certbot and symlink the new binary in its place:
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
Now on version 5.2.2, it still fails.
certbot renew --dry-run -v test fails
I see, it is a domain problem; there really is an issue here:
certbot renew --dry-run -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/quye.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Account registered.
Simulating renewal of an existing certificate for quye.com and 4 more
Performing the following challenges:
http-01 challenge for ai.quye.com
http-01 challenge for airoot.quye.com
http-01 challenge for mindspore.quye.com
http-01 challenge for quye.com
http-01 challenge for www.quye.com
Waiting for verification...
Challenge failed for domain airoot.quye.com
http-01 challenge for airoot.quye.com
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: airoot.quye.com
Type: unauthorized
Detail: 94.183.185.252: Invalid response from http://airoot.quye.com/.well-known/acme-challenge/sEP2B3cd0tk6LBJw_dJ8TrlKUwxSbT3y-PXPcAfSZBg: 404
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Cleaning up challenges
Failed to renew certificate quye.com with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/quye.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Removed the airoot DNS record:
| Host record | Type | Line    | Value          |
|-------------|------|---------|----------------|
| airoot      | A    | default | 94.183.185.252 |
After waiting a few minutes, run again:
sudo certbot renew --dry-run -v
and now it passes!
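The dry run only passed once the stale airoot record was gone: with http-01, the CA fetches `http://<name>/.well-known/acme-challenge/...` for every name in the certificate, so one name that resolves elsewhere fails the whole renewal. The preflight below is an added example (mine, not from the post) that resolves each name and compares it with this server's address before certbot is run. Real lookups go through `getent ahostsv4` (assumes glibc); `lookup_a` is a small wrapper so `demo_constructed_dns` can swap in a constructed resolver table with hypothetical names and addresses and run offline. On a live box, feed `preflight_domains` the `Domains:` line from `certbot certificates`.

```shell
#!/bin/sh
# Added example, not from the original post: before renewing, confirm every
# name the certificate covers resolves to this server, because http-01 needs
# the CA to reach http://<name>/.well-known/acme-challenge/ on *this* nginx.

# Print the A records of one name, one per line (assumes glibc getent;
# the offline demo below replaces this function with a fixed table).
lookup_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# preflight_domains <server ip> <name>...
# Prints "OK <name>" or "MISMATCH <name> -> <addresses>" per name and
# returns 1 if any name does not resolve to <server ip>.
preflight_domains() {
    server_ip="$1"; shift
    status=0
    for name in "$@"; do
        ips=$(lookup_a "$name" | tr '\n' ' ')
        case " $ips" in
            *" $server_ip "*) echo "OK $name" ;;
            *)
                echo "MISMATCH $name -> ${ips:-no A record}"
                status=1 ;;
        esac
    done
    return $status
}

# Offline demo with constructed (hypothetical) names and addresses, mirroring
# the post: one subdomain's A record points at a different host, and one
# name no longer resolves at all.
demo_constructed_dns() {
    lookup_a() {
        case "$1" in
            example.test|www.example.test) echo 192.0.2.10 ;;
            stale.example.test)            echo 198.51.100.7 ;;
            *) : ;;   # unknown name: no A record
        esac
    }
    preflight_domains 192.0.2.10 \
        example.test www.example.test stale.example.test gone.example.test || true
}
```

Run it from the renewal cron or timer's pre-hook, or simply by hand before `certbot renew`: a MISMATCH line means either the DNS record must be fixed or the name must be dropped from the certificate (re-issue without it), and until then the whole lineage will keep failing exactly as in the dry run above.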
Renewal still fails
Now renew once more:
sudo certbot renew
Still the same error about that file not existing. No way around it; re-register.
Re-registering the certificate
Nothing else worked, so the only option left was to register a new certificate:
sudo certbot certonly --nginx -d quye.com \
--email skywalk163@vip.qq.com \
--agree-tos \
--no-eff-email \
--preferred-chain "ISRG Root X1"
Next time I suggest the manual, interactive form:
sudo certbot certonly --nginx
or try with multiple domains:
sudo certbot certonly --nginx -d quye.com \
-d www.quye.com \
--email skywalk163@vip.qq.com \
--agree-tos \
--no-eff-email \
--preferred-chain "ISRG Root X1"
Registration error
An unexpected error occurred:
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Test connectivity to the ACME server:
curl -v https://acme-v02.api.letsencrypt.org
pass
Registration succeeded
Probably the ACME server was under load; after running the registration command several times, it finally went through:
sudo certbot certonly --nginx -d quye.com --email skywalk163@vip.qq.com --agree-tos --no-eff-email --preferred-chain "ISRG Root X1"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for quye.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/quye.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/quye.com-0001/privkey.pem
This certificate expires on 2026-04-04.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Note that these two paths have changed:
Certificate is saved at: /etc/letsencrypt/live/quye.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/quye.com-0001/privkey.pem
This certificate expires on 2026-04-04.
Edit the nginx config so both directives point at the new lineage. Replace
ssl_certificate /etc/letsencrypt/live/quye.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/quye.com/privkey.pem;
with
ssl_certificate /etc/letsencrypt/live/quye.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/quye.com-0001/privkey.pem;
and reload nginx so it picks up the new certificate.
Done; renewal finally succeeded. Strictly speaking, it was a new registration rather than a renewal.
Then I found renewal still fails... why does it keep going to that address? I see: the old config file had never been deleted:
Processing /etc/letsencrypt/renewal/quye.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/quye.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate quye.com with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist
Delete the old quye.com.conf file:
/etc/letsencrypt/renewal/quye.com.conf
Now at least it runs without error:
sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/quye.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/quye.com-0001/fullchain.pem expires on 2026-04-04 (skipped)
No renewals were attempted.
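Two loose ends in the steps above are easy to miss later: nginx still referencing the old `live/quye.com/` paths after the new lineage landed in `live/quye.com-0001/`, and the old `renewal/quye.com.conf` lingering and failing on every run until it was deleted. The script below is an added example (mine, not from the post or from certbot) that catches both from the filesystem alone: it pulls every `ssl_certificate` / `ssl_certificate_key` path out of the nginx config tree, checks that the file exists and that its lineage still has a renewal config, and then lists renewal configs whose lineage nginx no longer uses. `demo_nginx_layout` builds a throwaway copy of that end state in a temp dir with hypothetical lineage names; on a live server run `check_nginx_lineages /etc/nginx /etc/letsencrypt` as root.

```shell
#!/bin/sh
# Added example, not from the original post: reconcile nginx's certificate
# paths with certbot's lineages, so a renamed lineage (quye.com -> quye.com-0001)
# or a leftover renewal config is spotted before the next renewal run.

# Every path named by ssl_certificate / ssl_certificate_key under <nginx dir>.
nginx_cert_paths() {
    grep -rhoE 'ssl_certificate(_key)?[[:space:]]+[^;]+;' "$1" \
        | awk '{print $2}' | tr -d ';' | sort -u
}

# check_nginx_lineages <nginx dir> <letsencrypt root>
# Prints OK / BROKEN / NO-RENEWAL-CONF per nginx path and UNREFERENCED for
# each renewal config whose lineage nginx does not use. Returns 1 on BROKEN
# or NO-RENEWAL-CONF (a cert nginx serves that certbot will not renew).
check_nginx_lineages() {
    nginx_dir="$1"; le_root="$2"
    status=0
    paths=$(nginx_cert_paths "$nginx_dir")
    for path in $paths; do
        if [ ! -e "$path" ]; then
            echo "BROKEN $path"; status=1; continue
        fi
        # the lineage name is the directory under live/
        lineage=$(printf '%s\n' "$path" | sed -n 's|.*/live/\([^/]*\)/.*|\1|p')
        if [ -n "$lineage" ] && [ ! -f "$le_root/renewal/$lineage.conf" ]; then
            echo "NO-RENEWAL-CONF $path"; status=1
        else
            echo "OK $path"
        fi
    done
    for conf in "$le_root"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        lineage=$(basename "$conf" .conf)
        printf '%s\n' "$paths" | grep -q "/live/$lineage/" || echo "UNREFERENCED $lineage"
    done
    return $status
}

# Offline demo: constructed layout with hypothetical lineage names. The old
# lineage's renewal config was deleted but nginx still serves its cert, one
# path points at a directory that does not exist, and one renewal config
# belongs to a lineage nginx never references.
demo_nginx_layout() {
    tmp=$(mktemp -d)
    le="$tmp/letsencrypt"; ng="$tmp/nginx"
    mkdir -p "$le/live/site.test" "$le/live/site.test-0001" "$le/renewal" "$ng/sites-enabled"
    : > "$le/live/site.test/fullchain.pem"
    : > "$le/live/site.test-0001/fullchain.pem"
    : > "$le/live/site.test-0001/privkey.pem"
    : > "$le/renewal/site.test-0001.conf"
    : > "$le/renewal/orphan.test.conf"
    cat > "$ng/sites-enabled/site.test" <<EOF
server {
    listen 443 ssl;
    ssl_certificate $le/live/site.test/fullchain.pem;
    ssl_certificate_key $le/live/site.test-0001/privkey.pem;
}
server {
    listen 443 ssl;
    ssl_certificate $le/live/missing.test/fullchain.pem;
}
EOF
    check_nginx_lineages "$ng" "$le" || true
    rm -rf "$tmp"
}
```

NO-RENEWAL-CONF is the dangerous one: nginx keeps serving a certificate that certbot has stopped tracking, so it expires silently. UNREFERENCED is the case the post hit with `quye.com.conf`; rather than deleting the file by hand, `certbot delete --cert-name <lineage>` removes the renewal config together with the matching `live/` and `archive/` directories.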
So it is finally back to normal and should auto-renew from now on. With that, the whole problem counts as solved.
Summary
I do not understand why auto-renewal stopped working after running fine for months.
I do not understand why renewal complained that there was no account....
I do not understand why registration failed several times; fortunately it succeeded in the end.
I do not understand why the old account errors with: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist
Nothing in any of the config files points at acme-v01.api.letsencrypt.org/, yet that is the error.
Debugging
Some time later I suddenly noticed that the certificate had only been requested for the main domain, not for the wildcard.
The fix is to list the domains explicitly when requesting the certificate:
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
-d quye.com \
-d '*.quye.com' \
--email skywalk163@vip.qq.com \
--agree-tos \
--no-eff-email \
--preferred-chain "ISRG Root X1"
(The wildcard is quoted so the shell does not glob-expand it. A wildcard name can only be validated through a DNS challenge, so the shorter form below still needs a DNS plugin to succeed for *.quye.com.)
sudo certbot certonly \
-d quye.com \
-d '*.quye.com' \
--email skywalk163@vip.qq.com \
--agree-tos \
--no-eff-email \
--preferred-chain "ISRG Root X1"
Or use this manual, interactive command:
sudo certbot certonly --nginx
When run, it asks which names to validate; leave the input blank or enter the numbers. Leaving it blank validates all of the names shown.
(base) skywalk@iZ2ze2j4cywindg339jqloZ:~$ sudo sudo certbot certonly --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: quye.com
2: www.quye.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/quye.com-0001.conf)
It contains these names: quye.com
You requested these names for the new certificate: quye.com, www.quye.com.
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: e
Renewing an existing certificate for quye.com and www.quye.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/quye.com-0001/fullchain.pem
Key is saved at: /etc/letsencrypt/live/quye.com-0001/privkey.pem
This certificate expires on 2026-04-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.