Cannot renew certificate

I get the error ‘Attempting to renew cert (contractscholar.com-0001) from /etc/letsencrypt/renewal/contractscholar.com-0001.conf produced an unexpected error: Some challenges have failed… Skipping.’. For cefris I’m currently not using it so ignore the errors. Your help is greatly appreciated.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.contractscholar.com

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cefris.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: rc-service nginx stop
Output from pre-hook command rc-service:

  • Stopping nginx … [ ok ]

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cefris.com
http-01 challenge for static.cefris.com
http-01 challenge for www.cefris.com
Waiting for verification…
Challenge failed for domain cefris.com
Challenge failed for domain static.cefris.com
Challenge failed for domain www.cefris.com
http-01 challenge for cefris.com
http-01 challenge for static.cefris.com
http-01 challenge for www.cefris.com
Cleaning up challenges
Attempting to renew cert (cefris.com) from /etc/letsencrypt/renewal/cefris.com.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/contractscholar.com-0001.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Pre-hook command already run, skipping: rc-service nginx stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cefris.com
Waiting for verification…
Challenge failed for domain cefris.com
http-01 challenge for cefris.com
Cleaning up challenges
Attempting to renew cert (contractscholar.com-0001) from /etc/letsencrypt/renewal/contractscholar.com-0001.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/contractscholar.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/rewryt.com.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cefris.com/fullchain.pem (failure)
/etc/letsencrypt/live/contractscholar.com-0001/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/contractscholar.com/fullchain.pem expires on 2020-06-08 (skipped)
/etc/letsencrypt/live/rewryt.com/fullchain.pem expires on 2020-06-08 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cefris.com/fullchain.pem (failure)
/etc/letsencrypt/live/contractscholar.com-0001/fullchain.pem (failure)


Running post-hook command: rc-service nginx start
Output from post-hook command rc-service:

  • Checking nginx’ configuration … [ ok ]
  • Starting nginx … [ ok ]

2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cefris.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for cefris.com - check
    that a DNS record exists for this domain

  • The following errors were reported by the server:

    Domain: cefris.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for cefris.com - check
    that a DNS record exists for this domain

    Domain: static.cefris.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for static.cefris.com -
    check that a DNS record exists for this domain

    Domain: www.cefris.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for www.cefris.com -
    check that a DNS record exists for this domain

My web server is (include version): nginx

The operating system my web server runs on is (include version): Gentoo

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.1.0

What’s the contents of /var/log/letsencrypt/letsencrypt.log?

2020-04-15 20:10:26,037:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-04-15 20:10:26,037:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-04-15 20:10:26,038:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80…
2020-04-15 20:10:26,334:WARNING:certbot._internal.renewal:Attempting to renew cert (contractscholar.com-0001) from /etc/letsencrypt/renewal/contr>
2020-04-15 20:10:26,335:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/certbot/_internal/renewal.py", line 448, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib64/python3.6/site-packages/certbot/_internal/main.py", line 1176, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib64/python3.6/site-packages/certbot/_internal/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib64/python3.6/site-packages/certbot/_internal/renewal.py", line 306, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib64/python3.6/site-packages/certbot/_internal/client.py", line 344, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib64/python3.6/site-packages/certbot/_internal/client.py", line 391, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib64/python3.6/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib64/python3.6/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Could this be an issue with permissions?

Can you show us the output of “sudo certbot certificates”?

The domain cefris.com is not registered. Did it expire recently?

What are you trying to accomplish? Do you want to delete the certificate?

I no longer use cefris. So its output doesn’t matter. I’m concerned with contractscholar.com. Thanks

Certificate Name: contractscholar.com-0001
Domains: contractscholar.com cefris.com rewryt.com
Expiry Date: 2020-04-10 22:06:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/contractscholar.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/contractscholar.com-0001/privkey.pem

What was the rest of the output?

Found the following certs:
Certificate Name: cefris.com
Domains: cefris.com static.cefris.com www.cefris.com
Expiry Date: 2020-03-27 22:05:01+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/cefris.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cefris.com/privkey.pem
Certificate Name: contractscholar.com-0001
Domains: contractscholar.com cefris.com rewryt.com
Expiry Date: 2020-04-10 22:06:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/contractscholar.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/contractscholar.com-0001/privkey.pem
Certificate Name: contractscholar.com
Domains: contractscholar.com gold.contractscholar.com mail.contractscholar.com static.contractscholar.com static.gold.contractscholar.com www.contractscholar.com
Expiry Date: 2020-06-08 19:07:25+00:00 (VALID: 53 days)
Certificate Path: /etc/letsencrypt/live/contractscholar.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/contractscholar.com/privkey.pem
Certificate Name: rewryt.com
Domains: rewryt.com static.rewryt.com www.rewryt.com
Expiry Date: 2020-06-08 19:08:00+00:00 (VALID: 53 days)
Certificate Path: /etc/letsencrypt/live/rewryt.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/rewryt.com/privkey.pem

Do you need the contractscholar.com-0001 certificate at all? It’s redundant with the other ones.

Would it work to configure your software to use the other certificates, and then delete the cefris.com and contractscholar.com-0001 certificates?

Here is the output from ls -l /etc/letsencrypt.

drwxr-x--- 5 root jabber 4096 Apr 13 09:22 accounts
drwxr-x--- 6 root jabber 4096 Feb 24 18:17 archive
drwxr-x--- 2 root jabber 12288 Apr 15 20:10 csr
drwxr-x--- 2 root jabber 12288 Apr 15 20:10 keys
drwxr-x--- 6 root jabber 4096 Feb 24 18:17 live
-rw-r--r-- 1 root root 742 Apr 15 18:13 options-ssl-nginx.conf
drwxr-x--- 2 root jabber 4096 Mar 10 20:07 renewal
drwxr-xr-x 5 root root 4096 Feb 24 18:17 renewal-hooks
-rw-r--r-- 1 root root 424 Apr 15 18:13 ssl-dhparams.pem

I’ll need to consult on this first. Will get back.

I deleted the entries but it won’t work. My email client is still saying that the certificates are expired.

What's the current output of certbot certificates?

you should have run

certbot delete --cert-name "cefris.com"
certbot delete --cert-name "contractscholar.com-0001"

This can be a whole different issue. What domain is your email client trying to connect to? You might need to reinstall the certificate for the mailserver. Also, you should use --authenticator webroot or --authenticator nginx, not stopping nginx and using --standalone

I can’t send nor receive messages on x@contractscholar.com because the certificate is expired (according to gmail). Now after running

```
certbot delete --cert-name "contractscholar.com-0001"
```

look here: contractscholar.com - Make your website better - DNS, redirects, mixed content, certificates

your mailserver is using an old certificate, you need to reconfigure its tls settings

Yes that’s true. I’ve tried to renew but the certbot renew command exits with the failure above.

It won't renew that cert, because it's the cert including the expired domain. You need to point the mailserver to the actually renewed certificate, this one:


Looks like the cefris domain in the certificate contractscholar.com-0001 was causing the problem. I removed the cefris entry and it was able to renew.
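
The diagnosis reached in this thread (a lineage that lists a name which no longer resolves cannot renew, and may be redundant with lineages that are still valid) can be checked mechanically. This is an added example, not code from the thread or from Certbot: `parse_lineages`, `triage` and the embedded sample, abridged from the `certbot certificates` output above, are constructed for illustration, and the set of dead zones is supplied by hand.

```python
# Constructed sample: `certbot certificates` output from the thread,
# with the Certificate Path / Private Key Path lines omitted.
SAMPLE = """\
Found the following certs:
  Certificate Name: cefris.com
    Domains: cefris.com static.cefris.com www.cefris.com
    Expiry Date: 2020-03-27 22:05:01+00:00 (INVALID: EXPIRED)
  Certificate Name: contractscholar.com-0001
    Domains: contractscholar.com cefris.com rewryt.com
    Expiry Date: 2020-04-10 22:06:05+00:00 (INVALID: EXPIRED)
  Certificate Name: contractscholar.com
    Domains: contractscholar.com mail.contractscholar.com www.contractscholar.com
    Expiry Date: 2020-06-08 19:07:25+00:00 (VALID: 53 days)
  Certificate Name: rewryt.com
    Domains: rewryt.com static.rewryt.com www.rewryt.com
    Expiry Date: 2020-06-08 19:08:00+00:00 (VALID: 53 days)
"""

def parse_lineages(text):
    """Return {cert_name: {"domains": set, "valid": bool}}."""
    lineages, name = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            name = value
            lineages[name] = {"domains": set(), "valid": False}
        elif name and key == "Domains":
            lineages[name]["domains"] = set(value.split())
        elif name and key == "Expiry Date":
            lineages[name]["valid"] = "(VALID" in value
    return lineages

def triage(lineages, dead_zones):
    """For each lineage holding a name under a dead zone, list the dead
    names and the live names that no other valid lineage covers."""
    def is_dead(d):
        return any(d == z or d.endswith("." + z) for z in dead_zones)
    report = {}
    for name, info in lineages.items():
        dead = {d for d in info["domains"] if is_dead(d)}
        if not dead:
            continue
        others = [o for n, o in lineages.items() if n != name and o["valid"]]
        uncovered = {d for d in info["domains"] - dead
                     if not any(d in o["domains"] for o in others)}
        report[name] = {"dead": sorted(dead), "uncovered": sorted(uncovered)}
    return report

if __name__ == "__main__":
    for cert, r in triage(parse_lineages(SAMPLE), {"cefris.com"}).items():
        print(cert, "dead:", r["dead"], "uncovered live names:", r["uncovered"])
```

An empty `uncovered` list means the lineage can be deleted once services point at the valid certificates; a non-empty one means it must be reissued without the dead names.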
