Auto-renew stopped working!

I have had this certificate in place for a long time and it always auto-renewed previously, but now it is failing to auto-renew. Thanks!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from 503. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)


My web server is (include version):

apache2 2.4.29-1ubuntu4.22

The operating system my web server runs on is (include version):

Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is:

medical center

I can login to a root shell on my machine (yes or no, or I don't know):


I'm using a control panel to manage my site (no, or provide the name and version of the control panel):


The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.31.0


See also: Palo Alto firewall users with failing HTTP-01 challenges: enable "acme-protocol"


A post was split to a new topic: Problems renewing via IPv6

This is very helpful. I am now asking my employer (VUMC) to adjust their firewall so that Let's Encrypt can do what it needs to do with the server. But I don't understand what that is exactly. Could you please help me understand what kind of access is needed, that is being blocked?


HTTP access to the /.well-known/acme-challenge/ path is required to fulfill the challenge request.


I have now learned that my employer uses a Palo Alto firewall, and I suspect we are running into this issue:

However they are saying the acme-protocol IS enabled on the firewall.

They are asking is there any chance the request is coming from overseas, since they block a lot of non-US countries.

And also, is it possible to find out the address from which the request is coming, so they can check their logs.

Thanks a lot for your help.


Yes, LE uses multiple vantage points from around the globe. Currently, I think all AWS though, but from different regions.


Then they are mistaken - they should test things:

curl -Ii -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +"
HTTP/1.1 503 Service Unavailable
Content-Type: text/html; charset=UTF-8
Content-Length: 2042
Connection: close
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

curl -Ii -A "Mozilla/5.0 everyone else"
HTTP/1.1 301 Moved Permanently
Date: Mon, 06 Jun 2022 17:19:43 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

We see two very different handlings.
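A check a server admin can run before going back to the firewall team, added here as an example (it is not from this thread or from Certbot): it requests a made-up token under /.well-known/acme-challenge/ once with the Let's Encrypt validation User-Agent and once with a generic one, then flags the kind of split handling shown above (503 for the validator, 301 for everyone else). The host example.com and the token are placeholders, and the URL after the "+" in the validator User-Agent is assumed to be https://www.letsencrypt.org.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed placeholders: example.com and the
# probe token. A healthy server answers 404 to BOTH probes for a token that
# does not exist; a 503/403 only for the validator UA points at a UA filter.

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
GENERIC_UA="Mozilla/5.0 (X11; Linux x86_64) acme-path-probe"

# Print the HTTP status code for URL $1 using User-Agent $2.
# curl -w prints 000 when no HTTP response came back (timeout, refused).
probe_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 15 -A "$2" "$1" || true
}

# Classify a (validator-UA status, generic-UA status) pair.
classify() {
    le="$1"; other="$2"
    if [ "$le" = "$other" ]; then
        echo "same"          # no User-Agent dependent handling observed
    elif [ "$le" = "503" ] || [ "$le" = "403" ]; then
        echo "ua-filtered"   # validator UA singled out, as in this thread
    else
        echo "differs"       # handled differently for some other reason
    fi
}

# Probe the challenge path on host $1 and report both codes plus the verdict.
check_challenge_path() {
    host="$1"
    url="http://$host/.well-known/acme-challenge/probe-token-not-real"
    le=$(probe_status "$url" "$LE_UA")
    other=$(probe_status "$url" "$GENERIC_UA")
    printf 'validator UA: %s  generic UA: %s  -> %s\n' \
        "$le" "$other" "$(classify "$le" "$other")"
}

# Usage (placeholder host):
# check_challenge_path example.com
```

Run it from outside the institution's network as well as inside: a firewall rule that inspects the "acme-protocol" application may only trigger on inbound traffic from the Internet.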



curl -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +"
<title>Application Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="initial-scale=1.0">
<style>
#content {
        border: 9px solid #91D6E3;
        background-color: #fff;
        margin: 1.5em;
        padding: 1.5em;
        font-family: Tahoma, Helvetica, Arial, sans-serif;
        font-size: 1em;
}
h1 {
        font-size: 1.3em;
        font-weight: bold;
        color: #000505;
        text-align: center;
}
p {
        font-size: 0.9em;
}
b {
        color: #000505;
}
.center {
        display: block;
        margin-left: auto;
        margin-right: auto;
        width: 50%;
}
</style>
<body bgcolor="#D9DDDD">
<div id="content">
<img src="" alt="Vanderbilt University Medical Center" class="center" style="width:300px;" />
<h1>VUMC Unauthorized Application Use</h1>
<p>To protect its staff and faculty, Vanderbilt University Medical Center has implemented an institution-wide program to detect applications inappropriate for VUMC networks on Internet websites.</p>
<p>The connection you are attempting to make has been flagged as utilizing an unauthorized / high risk application.</p>
<p>To protect your privacy, the privacy of others, and the integrity of our computer networks, this application cannot be accessed at this time.</p>
<p>If you have reason to believe this application should not be blocked, please submit a request for review at <a target="_blank" href="">
VEC Security Operations and Services Blocked Website and Application Review</a> or call the Help Desk at 615-343-4357.</p>
<br /><br />
<p><b>User:</b> [MY.IP] </p>
<p><b>Application:</b> <span style="color: #FF0000;">acme-protocol</span> </p>
<p>VUMC Acceptable Use Policy - <a target="_blank" href="">VUMC AUP</a></p>

Hm, VUMC, Vanderbilt UMC, there was another thread with Vanderbilt in a screenshot from the error recently.


Thank you all for your help. We have solved the problem, it was caused by the Palo Alto firewall change.