news 2026/4/14 15:43:04

Fixing a failed automatic website certificate renewal: the renewal command certbot renew was failing, which made the crontab scheduled renewal fail

张小明

Front-end Development Engineer


I noticed that the website certificate would expire in less than a month. The problem is that automatic renewal had already been set up, and it had renewed normally for several months before.

Configuration: https://skywalk.blog.csdn.net/article/details/154342032

Official instructions: Certbot Instructions | Certbot

Finding the problem

Log in to the server and run the renewal directly with certbot renew -q; it reports an error:

    Failed to renew certificate quye.com with error: The requested nginx plugin does not appear to be installed
    All renewals failed. The following certificates could not be renewed:
      /etc/letsencrypt/live/quye.com/fullchain.p

I have already forgotten whether this was installed with pip or with apt.

But it is indeed not installed via apt; check with apt search certbot-nginx:

    apt search certbot-nginx
    Sorting... Done
    Full Text Search... Done
    python3-certbot-nginx/noble 2.9.0-1 all
      Nginx plugin for Certbot

Whether to use pip or apt needs some more thought here, because if it is pip, then it is in the Python environment under the root account. (I probably hit a pitfall here; at first the problem may not have been here at all.)

Try installing with apt to fix the certbot-nginx problem

    sudo apt install python3-certbot-nginx

Now renewing with sudo certbot renew -q turns into this:

    sudo certbot renew -q
    Failed to renew certificate quye.com with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist
    All renewals failed. The following certificates could not be renewed:
      /etc/letsencrypt/live/quye.com/fullchain.pem (failure)
    1 renew failure(s), 0 parse failure(s)

So the certbot-nginx problem is solved.

Trying to solve the Account problem

The error now is: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist

Let me try pip again. Under the root account, run:

    pip install certbot certbot-nginx -U

Error:

    pip install certbot certbot-nginx -U
    error: externally-managed-environment
    × This environment is externally managed
    ╰─> To install Python packages system-wide, try apt install python3-xyz, where xyz is the package you are trying to install.
        If you wish to install a non-Debian-packaged Python package, create a virtual environment using python3 -m venv path/to/venv. Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have python3-full installed.
        If you wish to install a non-Debian packaged Python application, it may be easiest to use pipx install xyz, which will manage a virtual environment for you. Make sure you have pipx installed.
        See /usr/share/doc/python3.12/README.venv for more information.
    note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
    hint: See PEP 668 for the detailed specification.

What to do?

Verifying the registration with certbot certificates

    certbot certificates
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Found the following certs:
      Certificate Name: quye.com
        Serial Number: 5898e30feaace0a997be58dcc3d20dfcxxx
        Key Type: ECDSA
        Domains: quye.com ai.quye.com airoot.quye.com mindspore.quye.com www.quye.com
        Expiry Date: 2026-01-29 16:09:18+00:00 (VALID: 25 days)
        Certificate Path: /etc/letsencrypt/live/quye.com/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/quye.com/privkey.pem
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

That works, but renewal just does not.

Renewal error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist

certbot renew reports an error when renewing:

    certbot renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/quye.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Failed to renew certificate quye.com with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    All renewals failed. The following certificates could not be renewed:
      /etc/letsencrypt/live/quye.com/fullchain.pem (failure)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1 renew failure(s), 0 parse failure(s)

There is just no account.....

Looking at the configuration file

    Processing /etc/letsencrypt/renewal/quye.com.conf

    cat /etc/letsencrypt/renewal/quye.com.conf
    # renew_before_expiry = 30 days
    version = 3.0.0
    archive_dir = /etc/letsencrypt/archive/quye.com
    cert = /etc/letsencrypt/live/quye.com/cert.pem
    privkey = /etc/letsencrypt/live/quye.com/privkey.pem
    chain = /etc/letsencrypt/live/quye.com/chain.pem
    fullchain = /etc/letsencrypt/live/quye.com/fullchain.pem
    # Options used in the renewal process
    [renewalparams]
    account = 18865f8ebdca67973220f9587c558xxx
    authenticator = nginx
    installer = nginx
    server = https://acme-v02.api.letsencrypt.org/directory
    key_type = ecdsa

Found the problem: it goes looking in v02, but the system reports the error in v01

    Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c558xxx

Check the version with certbot --version

    certbot --version
    certbot 2.9.0

It turns out to be version 2.9.0, which is a bit low; reportedly it needs to be version >3.1!

Looking in the python3.12 environment, it is already at version 5.2.2!

But that python3.12 is under the ordinary account, which has no root privileges.

Trying to pip install certbot under the root account

Under the root account, pip install certbot reports an error:

    pip3 install certbot
    error: externally-managed-environment
    × This environment is externally managed
    ╰─> To install Python packages system-wide, try apt install python3-xyz, where xyz is the package you are trying to install.
        If you wish to install a non-Debian-packaged Python package, create a virtual environment using python3 -m venv path/to/venv. Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have python3-full installed.
        If you wish to install a non-Debian packaged Python application, it may be easiest to use pipx install xyz, which will manage a virtual environment for you. Make sure you have pipx installed.
        See /usr/share/doc/python3.12/README.venv for more information.
    note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
    hint: See PEP 668 for the detailed specification.
    root@iZ2ze2j4cywindg339jqloZ:~# python3 -m pip3 install certbot
    /usr/bin/python3: No module named pip3
    root@iZ2ze2j4cywindg339jqloZ:~# python3 -m pip install certbot
    error: externally-managed-environment
    × This environment is externally managed
    ╰─> To install Python packages system-wide, try apt install python3-xyz, where xyz is the package you are trying to install.
        If you wish to install a non-Debian-packaged Python package, create a virtual environment using python3 -m venv path/to/venv. Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make sure you have python3-full installed.
        If you wish to install a non-Debian packaged Python application, it may be easiest to use pipx install xyz, which will manage a virtual environment for you. Make sure you have pipx installed.
        See /usr/share/doc/python3.12/README.venv for more information.
    note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.

Installation failed.

Redoing it entirely according to the manual

Under the root account, create a virtual environment

    python3 -m venv /opt/certbot/

Upgrade pip

    /opt/certbot/bin/pip install --upgrade pip

Install certbot

    /opt/certbot/bin/pip install certbot certbot-nginx

Delete the original /usr/bin/certbot file and link the new one

    ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Now on version 5.22, and it still reports an error.

Testing with certbot renew --dry-run -v reports an error

Got it, it is a problem with one domain name; there really is a problem here:

    certbot renew --dry-run -v
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/quye.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Certificate not due for renewal, but simulating renewal for dry run
    Plugins selected: Authenticator nginx, Installer nginx
    Account registered.
    Simulating renewal of an existing certificate for quye.com and 4 more
    Performing the following challenges:
    http-01 challenge for ai.quye.com
    http-01 challenge for airoot.quye.com
    http-01 challenge for mindspore.quye.com
    http-01 challenge for quye.com
    http-01 challenge for www.quye.com
    Waiting for verification...
    Challenge failed for domain airoot.quye.com
    http-01 challenge for airoot.quye.com
    Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
      Domain: airoot.quye.com
      Type: unauthorized
      Detail: 94.183.185.252: Invalid response from http://airoot.quye.com/.well-known/acme-challenge/sEP2B3cd0tk6LBJw_dJ8TrlKUwxSbT3y-PXPcAfSZBg: 404
    Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
    Cleaning up challenges
    Failed to renew certificate quye.com with error: Some challenges have failed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    All simulated renewals failed. The following certificates could not be renewed:
      /etc/letsencrypt/live/quye.com/fullchain.pem (failure)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1 renew failure(s), 0 parse failure(s)
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Remove the airoot DNS record:

    airoot    A    Default    94.183.185.252

After waiting a few minutes, run again

    sudo certbot renew --dry-run -v

This time it passed!

Renewal still reports an error

Now try renewing again

    sudo certbot renew

It still reports that the file does not exist. Nothing else for it; re-register.

Re-registering the certificate

There was really no other way, so I could only re-register the certificate:

    sudo certbot certonly --nginx -d quye.com \
      --email skywalk163@vip.qq.com \
      --agree-tos \
      --no-eff-email \
      --preferred-chain "ISRG Root X1"

Registration error

    An unexpected error occurred:
    requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Test the server:

    curl -v https://acme-v02.api.letsencrypt.org

pass

Registration succeeded

Possibly because the server was under heavy load; after running the registration command many times, it finally went through

    sudo certbot certonly --nginx -d quye.com --email skywalk163@vip.qq.com --agree-tos --no-eff-email --preferred-chain "ISRG Root X1"
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Account registered.
    Requesting a certificate for quye.com
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/quye.com-0001/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/quye.com-0001/privkey.pem
    This certificate expires on 2026-04-04.
    These files will be updated when the certificate renews.
    Certbot has set up a scheduled task to automatically renew this certificate in the background.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
     * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
     * Donating to EFF: https://eff.org/donate-le
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Looks like these two files have changed

    Certificate is saved at: /etc/letsencrypt/live/quye.com-0001/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/quye.com-0001/privkey.pem
    This certificate expires on 2026-04-04.

Modify the nginx configuration file to point to the new files

    ssl_certificate /etc/letsencrypt/live/quye.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/quye.com/privkey.pem;

OK, the renewal finally succeeded. Actually, it was a newly registered one.

I found that renewal still reports an error now... Why does it keep pointing to that one address? Got it, it is because the old configuration file was not deleted:

    Processing /etc/letsencrypt/renewal/quye.com-0001.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Certificate not yet due for renewal
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/quye.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Failed to renew certificate quye.com with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist

Delete the old quye.com.conf file

    /etc/letsencrypt/renewal/quye.com.conf

Now at least it runs without errors

    sudo certbot renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/quye.com-0001.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Certificate not yet due for renewal
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    The following certificates are not due for renewal yet:
      /etc/letsencrypt/live/quye.com-0001/fullchain.pem expires on 2026-04-04 (skipped)
    No renewals were attempted.

Now it is finally normal, and it should renew automatically from now on. With that, the whole problem counts as solved.
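The two checks done by hand above (comparing account and server in a renewal config against the accounts directory, and spotting the stale quye.com.conf left beside quye.com-0001.conf) can be run over every lineage at once. This is an added example, not part of the original post: the function names and the example.com sample tree are constructed, and the account path layout is an assumption taken from the error message shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): flag certbot renewal configs whose
# ACME account directory is absent. Assumed layout, as in the post's error message:
#   <config_dir>/accounts/<server URL without scheme>/<account id>

# Print the value of KEY ($2) from the [renewalparams] section of a renewal conf ($1).
renewal_param() {
    awk -v key="$2" '
        /^\[/ { in_params = ($0 ~ /^\[renewalparams\]/); next }
        in_params && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# One line per lineage: "<name> OK|MISSING|NOPARAMS <account dir>".
# Returns 1 if any lineage references an account directory that is absent.
audit_renewal_accounts() {
    local config_dir="${1:-/etc/letsencrypt}" conf name account server dir rc=0
    for conf in "$config_dir"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name="$(basename "$conf" .conf)"
        account="$(renewal_param "$conf" account)"
        server="$(renewal_param "$conf" server)"
        if [ -z "$account" ] || [ -z "$server" ]; then
            echo "$name NOPARAMS -"; rc=1; continue
        fi
        dir="$config_dir/accounts/${server#*://}/$account"
        if [ -d "$dir" ]; then echo "$name OK $dir"
        else echo "$name MISSING $dir"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree: one stale lineage and one freshly registered lineage.
make_sample_tree() {
    local root; root="$(mktemp -d)"
    local srv="acme-v02.api.letsencrypt.org/directory"
    mkdir -p "$root/renewal" "$root/accounts/$srv/bbbb2222"
    printf 'version = 3.0.0\n[renewalparams]\naccount = aaaa1111\nserver = https://%s\n' \
        "$srv" > "$root/renewal/example.com.conf"
    printf '[renewalparams]\naccount = bbbb2222\nserver = https://%s\n' \
        "$srv" > "$root/renewal/example.com-0001.conf"
    echo "$root"
}

if [ "$#" -gt 0 ]; then audit_renewal_accounts "$1"; fi
```

Run it as root with /etc/letsencrypt as the argument; a non-zero exit status makes it usable as a pre-check in the same crontab that runs certbot renew. A lineage reported as MISSING can be removed with certbot delete --cert-name NAME, which also cleans up its live and archive directories.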

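Summary

I do not understand why automatic renewal stopped working after it had been running fine.

I do not understand why renewal reported that there was no account....

I do not understand why registration failed several times; fortunately it finally succeeded.

I do not understand why the old account reported the error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/18865f8ebdca67973220f9587c5580a3 does not exist

I could not find anything pointing to acme-v01.api.letsencrypt.org/ in any of the configuration files, yet this error still appears.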
