Automatic renewal of certificate failed after many successes

My domain is: www.chemtube3d.com

I ran this command: sudo certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.chemtube3d.com.conf

Renewing an existing certificate for www.chemtube3d.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.chemtube3d.com
Type: unauthorized
Detail: 2606:4700:3035::6815:28a2: Invalid response from https://chemtube3d.com/.well-known/acme-challenge/9wwxJymwP0JXQPuvrX-waK4uyy6dhs2VRzi259e8d2g: 526

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate www.chemtube3d.com with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.chemtube3d.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Server version: Apache/2.4.52 (Ubuntu)
Server built: 2024-07-17T18:57:26

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I got an email regarding this certificate as it is now invalid. I thought it would automatically renew as it has for years. But it obviously has not. When I tried to renew it manually I received the error above. Cloudflare handles my DNS requirements and I am not aware of any changes. When trying other commands I generated this error message:

[Errno 13] Permission denied: '/var/log/letsencrypt/.certbot.lock'

This seems to be an empty file. I have seen others with this problem but not found a solution that works for me.

Hopefully someone will be able to shine some light on this issue as this is the first time I’ve set something like this up. The web site is operating just fine at the moment.
Thanks Nick

Your current error is due to the Cloudflare very strict TLS settings: it's refusing to connect to your origin server due to the invalid certificate.

To find out why it's failing validation beyond the current CF issue, you should temporarily set the CF TLS settings less strict, try again to renew and then post the new error, if applicable.

Also, you might want to consider using a Cloudflare Origin CA cert if you're using CF anyway.

Wow, that was quick. I've changed the CF setting to "full" and the renewal works just fine. Many thanks.
I'll read up about CF Origin CA cert too.

But the question now is: why did it not automatically renew when the previous cert was still valid? "Full (strict)" should allow you to renew your still valid, but about to expire certificate just fine.

Of course I don't know. I wonder if it is to do with the port(s) used to authenticate the renewal process? The firewall might block these if they are unusual. I'd be happy to test out any ideas as others have had the same error messages in the past.

Just 80 (and 443 if redirected to HTTPS, like Cloudflare does automatically usually).

There's not much to test: the error you've shown was due to the Cloudflare "Full (strict)" mode. It's an explanation why renewal failed once your certificate had expired but it does not, I believe, explain why renewal would fail with a valid certificate.

Hopefully automated renewal works in 60 days.

This is what CF says about full (strict):
"Enable encryption end-to-end and enforce validation on origin certificates. Use Cloudflare’s Origin CA to generate certificates for your origin."

Yes, and the specific things CF looks for in the origin server's cert is described here: Full (strict) - SSL/TLS encryption modes

From above the domain name requested is your www subdomain (domain: www.chemtube3d.com). But, the domain in the error URL is for your apex name. This means the original HTTP request from LE to your www domain got redirected to your apex.

That is not how your redirects currently work. An HTTP request to your apex gets redirected to HTTPS for your apex. Same with www (HTTP to www gets redirected to HTTPS for the www).

Likely the 526 is because CF was looking for a cert with your apex name in it but the cert only has the www subdomain in it.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.