Can not renew let's encrypt cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: thangvc91.ddns.net

I ran this command: /opt/letsencrypt/certbot-auto renew

It produced this output:

---

Processing /etc/letsencrypt/renewal/thangvc91.ddns.net.conf

---

---

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)

---

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: thangvc91.ddns.net
  Type: connection
  Detail: Fetching
  http://thangvc91.ddns.net/.well-known/acme-challenge/Q3TmQ2qXcr8fWMDNqGV9fE1UpWhtQ9HobWhGwzJ2I1E:
  Timeout during connect (likely firewall problem)

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

My web server is (include version): nginx version: nginx/1.10.3

The operating system my web server runs on is (include version): debian

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

Sorry for my stupid question and my bad English, I'm a very new in Linux

hello
Could anybody look up my issue ?

Yes. We can. But waiting two hours isn't that unusual. It's just morning here in UTC+2 and the US is still fast asleep.

Anyways, is 171.233.66.213 still your IP address?

Hi @thangvc91

your port 80 is closed / blocked, doesn't answer ( https://check-your-website.server-daten.de/?q=thangvc91.ddns.net ):

You must have an open port 80.

You have one older certificate.

Perhaps you have used tls-sni-01 validation (port 443), that's not longer supported.

Thank you much for your info. let me try after open port 80.

Hi Auer,
after i open port 80, it transfered to a new issue, sorry for my bothering but could you help take a look on it ?
Log as below , sorry i’m new can not upload log file in here.

pi@pi3B:~ $ sudo /opt/letsencrypt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/thangvc91.ddns.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for thangvc91.ddns.net
Using default address 80 for authentication.
Waiting for verification...
Challenge failed for domain thangvc91.ddns.net
http-01 challenge for thangvc91.ddns.net
Cleaning up challenges
Attempting to renew cert (thangvc91.ddns.net) from /etc/letsencrypt/renewal/thangvc91.ddns.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: thangvc91.ddns.net
   Type:   unauthorized
   Detail: Invalid response from
   http://thangvc91.ddns.net/.well-known/acme-challenge/Rp9KA-kvDf3qmQNOnGpds4ms5QmIknek_IvvtfKJkuI
   [171.233.66.213]: "<?xml version=\"1.0\"
   encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD
   XHTML 1.0 Transitional//EN\"\n         \"http://www."

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

yup, what error with that ?

Now it looks better:

Port 80 is open, checking a file in /.well-known/acme-challenge there is the expected http status 404 - Not Found.

So find your root (root declaration in your vHost file) and use it.

certbot run -a webroot -i nginx -w yourRoot -d thangvc91.ddns.net

hi Auer,
Sorry for my bad, but could you tell me where should the vHost file locate? i use Nginx , it is in /etc/Nginx/ config file ? right ? or sth ?

i tried with :

certbot run -a webroot -i nginx -w root -d thangvc91.ddns.net -> failed
certbot run -a webroot -i nginx -w pi -d thangvc91.ddns.net -> still failed

Hi Auer,
Is this the root app of Nginx ?
/etc/nginx/sites-available/ , right ?

Hi There,
After i found where my root vHost file located (using nginx , i think the root of vHost file is in /etc/nginx/site-available) , i ran command as your suggest , and it show outcome as below. Could you give me any advise ?

pi@pi3B:~ $ sudo certbot run -a webroot -i nginx -w /etc/nginx/sites-available/ -d thangvc91.ddns.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/thangvc91.ddns.net.conf with version 0.28.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for thangvc91.ddns.net
Using the webroot path /etc/nginx/sites-available for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. thangvc91.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://thangvc91.ddns.net/.well-known/acme-challenge/ha3NDcwrgzxQguO1BCQvBjHujMcaBdO5IgTtkoV33Jg [171.233.66.213]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n "http://www."

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: thangvc91.ddns.net
  Type: unauthorized
  Detail: Invalid response from
  http://thangvc91.ddns.net/.well-known/acme-challenge/ha3NDcwrgzxQguO1BCQvBjHujMcaBdO5IgTtkoV33Jg
  [171.233.66.213]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD
  XHTML 1.0 Transitional//EN"\n "http://www."

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

This

is not your root. That's the site-available - directory with your config files. There you must find the correct file, there is a root directive.

hi Auer,
I really forgot the path of root directory, refer some solution on the internet, i figured out 1 comand, not sure it could use in my case, but i still tried, then it show me error as below.

pi@pi3B:~ $ sudo /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

---

Processing /etc/letsencrypt/renewal/thangvc91.ddns.net.conf

---

Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/thangvc91.ddns.net.conf with version 0.28.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for thangvc91.ddns.net
Using default address 80 for authentication.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (thangvc91.ddns.net) from /etc/letsencrypt/renewal/thangvc91.ddns.net.conf produced an unexpected error: Failed authorization procedure. thangvc91.ddns.net (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://thangvc91.ddns.net/.well-known/acme-challenge/w5-KV39wWdeVCDuJ30H0gyti_w6m6zZdtdH5WvWEQ7E [171.233.66.213]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n "http://www.". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)

---

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/thangvc91.ddns.net/fullchain.pem (failure)

---

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: thangvc91.ddns.net
  Type: unauthorized
  Detail: Invalid response from
  http://thangvc91.ddns.net/.well-known/acme-challenge/w5-KV39wWdeVCDuJ30H0gyti_w6m6zZdtdH5WvWEQ7E
  [171.233.66.213]: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC "-//W3C//DTD
  XHTML 1.0 Transitional//EN"\n "http://www."

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

Do you have any idea for my case ?

Your configuration is buggy, so renew can’t work. As written: Use webroot.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.