All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/fullchain.pem (failure)

Help
1

I have root privileges on my Ubutntu 16.04 server with Apache. As I have the old protocol on one of my domains I decided to amend that so I can renew certificates. I followed instructions from here How to stop using TLS-SNI-01 with Certbot, including updating certbot to 0.28. Then I tried to do the following:

I ran this command: certbot renew --dry-run

It produced this output:

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/<redacted>/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: <redacted>
   Type:   unauthorized
   Detail: Invalid response from
   http://<redacted>/.well-known/acme-challenge/YAWinFZ40yxkw1doOCA0yY6Oab-s-RZNoHAngzE5DKQ:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I tried creating a folder in web root /.well-known/acme-challenge/ with a file test.txt that I successfully was able to access. The domain in the URL from the logs is correct too.

I looked around the forum and used some of the advice, however, I was not able to fix the issue.

Can someone please advise on how to rectify this issue?

2

Post the full output of Certbot. Can’t help you with only this partial selection of the log.

Especially important is identifying the authenticator and which challenge type was used.

Blind guess, but you could try:

certbot renew --cert-name <redacted> -a apache --dry-run
3

Thanks for the quick response.

I tried the command earlier from one of the posts I found, this didn't work I get the same error.

root@training:/var/log/letsencrypt# certbot renew --dry-run --debug-challenges -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/.conf

Requested authenticator <certbot.cli._Default object at 0x7fc658434978> and installer <certbot.cli._Default object at 0x7fc658434978>
Var dry_run=True (set by user).
Var server={'dry_run', 'staging'} (set by user).
Var dry_run=True (set by user).
Var server={'dry_run', 'staging'} (set by user).
Var account={'server'} (set by user).
Cert not due for renewal, but simulating renewal for dry run
Requested authenticator apache and installer apache
Apache version is 2.4.18
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fc658412be0>
Prep: True
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fc658412be0>
Prep: True
Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7fc658412be0> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7fc658412be0>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(terms_of_service_agreed=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fc658434390>)>), only_return_existing=None, status='valid', agreement=None, contact=()), uri='https::acme-staging-v02.api.letsencrypt.org/acme/acct/6121019', new_authzr_uri=None, terms_of_service='https::letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 7890f538b79c5720d45ab4766acacf88, Meta(creation_dt=datetime.datetime(2018, 5, 20, 19, 28, 48, tzinfo=), creation_host='ip-172-31-17-97.eu-west-1.compute.internal'))>
Sending GET request to https::acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
https::acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 724
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 01 Feb 2019 09:29:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Feb 2019 09:29:44 GMT
Connection: keep-alive

{
"atPduBvaGxc": "https::community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https::acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https::letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https::letsencrypt.org/docs/staging-environment/"
},
"newAccount": "https::acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https::acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https::acme-staging-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https::acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https::acme-staging-v02.api.letsencrypt.org/acme/new-order.
https::acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-order HTTP/1.1" 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 103
Allow: POST
Replay-Nonce: aOFjsLEvFzOVqygq71P-FD3Nk29WpdIQMoIO1fVH7w4
Expires: Fri, 01 Feb 2019 09:29:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Feb 2019 09:29:44 GMT
Connection: keep-alive

Storing nonce: aOFjsLEvFzOVqygq71P-FD3Nk29WpdIQMoIO1fVH7w4
JWS payload:
b'{\n "status": "pending",\n "identifiers": [\n {\n "type": "dns",\n "value": ""\n }\n ],\n "resource": "new-order"\n}'
Sending POST request to https::acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
"signature": "HcEap3TNkL5lssML5iQNnuvP_9phjOhZ_UAeYu1rceTBBX0Ulhu2d8C_FGYegnaCqidWXeA2Oou0wyF87MvDiWTPfeSdOYAKLKbw9KDSYR6C2p8BkkmN_IA44hUZcpmri2f23StDRRVzJPLqTzrLv4NRy_2BRFjA5YHH-bud5_Z46ShrgwrRiW69QKz0-ThENRURVx8L3nC3lC_GoTK6Ow7ziiEpkYW7wdoaYEVVlafPUrnZZVqdvW36QQ3QusAjIa1JcsuvoWYI9kM-KA5Sxo1P41O-Fk9eTJnWLm39jECt8sZ2LZYT2jnoidInDFWN3qI72RUBbYuNIGMPXKa2Fg",
"payload": "ewogICJzdGF0dXMiOiAicGVuZGluZyIsCiAgImlkZW50aWZpZXJzIjogWwogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAidHJhaW5pbmcuY2hlbG1zZm9yZHN0YXIuY29vcCIKICAgIH0KICBdLAogICJyZXNvdXJjZSI6ICJuZXctb3JkZXIiCn0",
"protected": "eyJhbGciOiAiUlMyNTYiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgIm5vbmNlIjogImFPRmpzTEV2RnpPVnF5Z3E3MVAtRkQzTmsyOVdwZElRTW9JTzFmVkg3dzQiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82MTIxMDE5In0"
}
https::acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 401
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 401
Boulder-Requester: 6121019
Location: https::acme-staging-v02.api.letsencrypt.org/acme/order/6121019/22257986
Replay-Nonce: 23gU4CYbqU-izspSeKAkBPzoiL0KR4Mpt9l1_Qli8pM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 01 Feb 2019 09:29:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Feb 2019 09:29:44 GMT
Connection: keep-alive

{
"status": "pending",
"expires": "2019-02-08T09:29:44.613778154Z",
"identifiers": [
{
"type": "dns",
"value": ""
}
],
"authorizations": [
"https::acme-staging-v02.api.letsencrypt.org/acme/authz/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4"
],
"finalize": "https::acme-staging-v02.api.letsencrypt.org/acme/finalize/6121019/22257986"
}
Storing nonce: 23gU4CYbqU-izspSeKAkBPzoiL0KR4Mpt9l1_Qli8pM
Sending GET request to https::acme-staging-v02.api.letsencrypt.org/acme/authz/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4.
https::acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4 HTTP/1.1" 200 941
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 941
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 01 Feb 2019 09:29:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Feb 2019 09:29:44 GMT
Connection: keep-alive

{
"identifier": {
"type": "dns",
"value": ""
},
"status": "pending",
"expires": "2019-02-08T09:29:44Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https::acme-staging-v02.api.letsencrypt.org/acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247309",
"token": "6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk"
},
{
"type": "dns-01",
"status": "pending",
"url": "https::acme-staging-v02.api.letsencrypt.org/acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247310",
"token": "8ZzXza5dfHREVnuAkYn1Fb4vvAMqyz-9qNk3lFWrSCE"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https::acme-staging-v02.api.letsencrypt.org/acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247311",
"token": "LwWmNNxUon0way3dSaemzCOyXU-ir5K3c2W2ExXsY3A"
}
]
}
Performing the following challenges:
http-01 challenge for
Adding a temporary challenge validation Include for name: in: /etc/apache2/sites-enabled/000-default.conf
writing a pre config file with text:
RewriteEngine on
RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

writing a post config file with text:
<Directory /var/lib/letsencrypt/http_challenges>
Require all granted

<Location /.well-known/acme-challenge>
Require all granted

Creating backup of /etc/apache2/sites-enabled/000-default.conf
Waiting for verification...

Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.

JWS payload:
b'{\n "type": "http-01",\n "resource": "challenge",\n "keyAuthorization": "6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk.5DcHnnNnvhL_IPTAtyPDnJRXZalmVs5jYwcsfnDwL_0"\n}'
Sending POST request to https::acme-staging-v02.api.letsencrypt.org/acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247309:
{
"signature": "uRxNUU_uOdxQgcQVbQpv6mdjPptbP6B4AWWy_oAMCaTDUIeawwp38ZsaiXjTc10Lpeq2sNJZKUAtzeS8nsY7yJ8B9Jd4Wn2QvXjDVhbhhr4t_MeiVClEYloIJ6F1ShApdhw1XjARjUM6Zkqxwhr6Pl9Cn7XRUbFGatfMKsHOA06WkS5YsmGx5-6Wff952QJtL_L0fw2mdWhDffnyyQchgFK0JlAW3hl4uTCSyEzIyfB73QfZLywAa0c1uxv0-833NAPYoHAGXt9SbcaCLNo9FkSh5jGi-g-9VtYw937LmTUUBOHTcZ1eQyL4gNcMgC6gDQbzWbl4duo_HYGyFGS_Qw",
"payload": "ewogICJ0eXBlIjogImh0dHAtMDEiLAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIjZfVU9fZ2tGaFJWdjN4dktBeHJsOGpJcVozdUNFMXl6TkctZnY4VDlQTmsuNURjSG5uTm52aExfSVBUQXR5UERuSlJYWmFsbVZzNWpZd2NzZm5Ed0xfMCIKfQ",
"protected": "eyJhbGciOiAiUlMyNTYiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGxlbmdlL2g5RWtDWHdBX3NyeDhoOEFtNkRCU1ZhU0UzMV95OGh4M2ctSnFXWTFiVTQvMjM2MjQ3MzA5IiwgIm5vbmNlIjogIjIzZ1U0Q1licVUtaXpzcFNlS0FrQlB6b2lMMEtSNE1wdDlsMV9RbGk4cE0iLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82MTIxMDE5In0"
}
https::acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247309 HTTP/1.1" 200 230
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 6121019
Link: https::acme-staging-v02.api.letsencrypt.org/acme/authz/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4;rel="up"
Location: https::acme-staging-v02.api.letsencrypt.org/acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247309
Replay-Nonce: _qA52Y2_VRbGL8taKfRq1Gi29byiDbjvnL3sfqALVGI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 01 Feb 2019 09:29:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Feb 2019 09:29:48 GMT
Connection: keep-alive

{
"type": "http-01",
"status": "pending",
"url": "https::acme-staging-v02.api.letsencrypt.org/acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247309",
"token": "6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk"
}
Storing nonce: _qA52Y2_VRbGL8taKfRq1Gi29byiDbjvnL3sfqALVGI
Sending GET request to https::acme-staging-v02.api.letsencrypt.org/acme/authz/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4.
https::acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4 HTTP/1.1" 200 2163
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 2163
Expires: Fri, 01 Feb 2019 09:29:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Feb 2019 09:29:51 GMT
Connection: keep-alive

{
"identifier": {
"type": "dns",
"value": ""
},
"status": "invalid",
"expires": "2019-02-08T09:29:44Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http::/.well-known/acme-challenge/6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk: "\u003c!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp"",
"status": 403
},
"url": "https::acme-staging-v02.api.letsencrypt.org/acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247309",
"token": "6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk",
"validationRecord": [
{
"url": "http::/.well-known/acme-challenge/6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk",
"hostname": "",
"port": "80",
"addressesResolved": [
""
],
"addressUsed": ""
},
{
"url": "https::/.well-known/acme-challenge/6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk",
"hostname": "",
"port": "443",
"addressesResolved": [
""
],
"addressUsed": ""
}
]
},
{
"type": "dns-01",
"status": "invalid",
"url": "https::acme-staging-v02.api.letsencrypt.org/acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247310",
"token": "8ZzXza5dfHREVnuAkYn1Fb4vvAMqyz-9qNk3lFWrSCE"
},
{
"type": "tls-alpn-01",
"status": "invalid",
"url": "https::acme-staging-v02.api.letsencrypt.org/acme/challenge/h9EkCXwA_srx8h8Am6DBSVaSE31_y8hx3g-JqWY1bU4/236247311",
"token": "LwWmNNxUon0way3dSaemzCOyXU-ir5K3c2W2ExXsY3A"
}
]
}
Reporting to user: The following errors were reported by the server:

Domain:
Type: unauthorized
Detail: Invalid response from http::/.well-known/acme-challenge/6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk: "\n\n404 Not Found\n\n

Not Found

\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http::/.well-known/acme-challenge/6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk: "\n\n404 Not Found\n\n

Not Found

\n<p"

Calling registered functions
Cleaning up challenges
Attempting to renew cert () from /etc/letsencrypt/renewal/.conf produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http::/.well-known/acme-challenge/6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk: "\n\n404 Not Found\n\n

Not Found

\n<p". Skipping.
Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1168, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 305, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http::/.well-known/acme-challenge/6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk: "\n\n404 Not Found\n\n

Not Found

\n<p"

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live//fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live//fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain:
    Type: unauthorized
    Detail: Invalid response from
    http::/.well-known/acme-challenge/6_UO_gkFhRVv3xvKAxrl8jIqZ3uCE1yzNG-fv8T9PNk:
    "\n\n404 Not
    Found\n\n

    Not Found

    \n<p"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

4

Thanks!

It looks like the changes that Certbot’s Apache authenticator applied were not effective, judging by the fact that the request resulted in a redirect.

This can sometimes happen based on how your Virtual Hosts are setup. What’s this show?

apachectl -t -D DUMP_VHOSTS

Is your primary virtual host defined in /etc/apache2/sites-enabled/000-default.conf or are there more?

5

I won't lie, I am no expert on this so I am unsure what you meant by the primary virtual host. I only have one domain on the server if that is what you were after. However, my conf files ( added below) look really odd (don't ask me what I did back then, this was nearly 4 years ago when I did the set up)!

This is what the command returned: (the is the same in all the brackets)

[Fri Feb 01 10:54:04.541815 2019] [alias:warn] [pid 5259] AH00671: The Alias directive in /etc/phpmyadmin/apache.conf at line 3 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
*:443 (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server (/etc/apache2/sites-enabled/000-default-le-ssl.conf:39)
port 80 namevhost (/etc/apache2/sites-enabled/000-default-le-ssl.conf:39)
alias
port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
alias

Just in case you need the two conf files.

ssl.conf file

# The ServerName directive sets the request scheme, hostname and port that # the server uses to identify itself. This is used when creating # redirection URLs. In the context of virtual hosts, the ServerName # specifies what hostname must appear in the request's Host: header to # match this virtual host. For the default virtual host (this file) this # value is not decisive as it is used as a last resort host regardless. # However, you must set it for any further virtual host explicitly. #ServerName www.example.com 
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

ServerName
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias
SSLCertificateFile /etc/letsencrypt/live//cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live//privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live//chain.pem


<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName
ServerAlias
Redirect permanent / https:///

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

RewriteEngine on

Some rewrite rules in this file were disabled on your HTTPS site,

because they have the potential to create redirection loops.

RewriteCond %{SERVER_NAME} = [OR]

RewriteCond %{SERVER_NAME} =

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

000 conf

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName
ServerAlias training.chelsmfordstar.coop
Redirect permanent / https:///

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} = [OR]
RewriteCond %{SERVER_NAME} =
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

6

Are those ServerName and ServerAlias lines actually lacking your domain name or did you redact them?

Here's the thing:

If these two virtual hosts happen to have the same ServerName or ServerAlias, then it's going to confuse Certbot's Apache authenticator (because it has a chance to apply its changes to the wrong file).

In Apache, domain names must be unique across multiple virtual hosts.

So the solution would be to remove/comment out one of these virtual hosts so that you only have one remaining.

You could also try going the webroot approach which is something like:

certbot renew -a webroot -w /var/www/html --dry-run

but I would suggest fixing up the virtual host conflicts instead, if they exist.

1 Like
7

I did redact the domain name, did not want it plastered about as I am sure after 13th Feb this topic might get a few clicks! :slight_smile:

I have now fixed it by renaming the 000-default.conf file and the --dry-run succeeded. Hopefully, deleting the file will not cause any more issues down the road.

It is odd that it has never caused an issue in the past.

Thank you @_az so much for your help, I would not have been able to figure this out without your help.

1 Like
8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.