All renewal attempts failed

My domain is: www.dzmob.com

I ran this command: sudo certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/dzmob.com.conf
-------------------------------------------------------------------------------
Attempting to parse the version 0.21.1 renewal configuration file found at /etc/letsencrypt/renewal/dzmob.com.conf with version 0.10.2 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dzmob.com
http-01 challenge for www.dzmob.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/dzmob.com.conf produced an unexpected error: Failed authorization procedure. dzmob.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://dzmob.com/.well-known/acme-challenge/BgDpF9A4bwECn6vgi4txANkywYkPOhXGEl-Hvmf887Y: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ht", www.dzmob.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.dzmob.com/.well-known/acme-challenge/BFRMhRKge2sMleQwROadeI6uCLAwTi3InJrclab1X_U: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ht". Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dzmob.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dzmob.com
   Type:   unauthorized
   Detail: Invalid response from
   http://dzmob.com/.well-known/acme-challenge/BgDpF9A4bwECn6vgi4txANkywYkPOhXGEl-Hvmf887Y:
   "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <ht"

   Domain: www.dzmob.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.dzmob.com/.well-known/acme-challenge/BFRMhRKge2sMleQwROadeI6uCLAwTi3InJrclab1X_U:
   "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   <ht"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

My web server is: Apache 2.4.25

The operating system my web server runs on is: Debian 9

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no


When I did some digging around, I found that the folder .well-known/acme-challenge is inaccessible (Error 403), so all files inside are also inaccessible (Error 404).

I believe this folder got blacklisted somehow, because when I rename acme-challenge to, say, acme-challenge2, I can access the folder and the files inside.

Can the script use a folder name other than acme-challenge?

Please help.

No, this location is defined by the CA itself.

You should check why you get a 403 when accessing this location.
Check your logfiles and any .htaccess file in your domain directory.

Put a test file in your .well-known/acme-challenge directory and see if you can access it with a browser. Make sure your redirects are not sending Boulder elsewhere.

  • I checked my .htaccess & vhost … nothing
  • I checked apache logs to find out why I get 403 … nothing
  • I put a test file inside .well-known/acme-challenge … I still get 403

Just now I was able to renew by upgrading certbot from 0.10 to 0.24.
The weird part is that .well-known/acme-challenge still returns 403.
But renew is working now, so I'll close this issue.

Thanks for the help.

Glad they renewed for you. Try putting an index.html file in .well-known/acme-challenge and put some (random) text in it. Then try to visit http://dzmob.com/.well-known/acme-challenge. You should see your text.

I put index.html … still 403
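
The test suggested in the replies above (put a file under .well-known/acme-challenge and fetch it over HTTP), written out as an added Python example that is not part of the original thread. It assumes the site is served from a known webroot directory; `http_fetch`, `classify`, `probe` and the verdict names are hypothetical, and the hints are likely causes, not certbot output.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # fixed path for http-01

def http_fetch(url, timeout=10):
    """Fetch url, following redirects; HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.url, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, err.url, err.read(4096)

def classify(status, final_url, body, url, expected):
    """Map one response to (verdict, hint) for the failure modes in this thread."""
    if status == 200 and body.strip() == expected:
        if final_url != url:
            return "ok-redirected", "served after redirect to " + final_url
        return "ok", "test file served verbatim"
    if status == 403:
        return "forbidden", "likely an access rule or file permissions on the directory"
    if status == 404:
        return "not-found", "likely the request is not reaching this webroot"
    if body.lstrip().lower().startswith((b"<!doctype", b"<html")):
        return "html-page", "another handler or rewrite answered with a page"
    return "mismatch", "HTTP %d with unexpected body" % status

def probe(webroot, base_url, fetch=http_fetch):
    """Write a random test file under the challenge path, fetch it, clean up."""
    name = "selftest-" + secrets.token_urlsafe(16)
    expected = secrets.token_urlsafe(32).encode()
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(expected)
    try:
        url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_DIR, name)
        return classify(*fetch(url), url, expected)
    finally:
        os.remove(path)  # never leave test files in the challenge directory

if __name__ == "__main__":
    import sys  # usage: python3 probe.py <webroot> <base-url>
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it once per hostname on the certificate, since each name is validated separately.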
