Cannot renew certificate

I get the error ‘Attempting to renew cert (contractscholar.com-0001) from /etc/letsencrypt/renewal/contractscholar.com-0001.conf produced an unexpected error: Some challenges have failed… Skipping.’. For cefris I’m currently not using it so ignore the errors. Your help is greatly appreciated.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:www.contractscholar.com

I ran this command:certbot renew

It produced this output:Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cefris.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: rc-service nginx stop
Output from pre-hook command rc-service:

  • Stopping nginx … [ ok ]

Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cefris.com
http-01 challenge for static.cefris.com
http-01 challenge for www.cefris.com
Waiting for verification…
Challenge failed for domain cefris.com
Challenge failed for domain static.cefris.com
Challenge failed for domain www.cefris.com
http-01 challenge for cefris.com
http-01 challenge for static.cefris.com
http-01 challenge for www.cefris.com
Cleaning up challenges
Attempting to renew cert (cefris.com) from /etc/letsencrypt/renewal/cefris.com.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/contractscholar.com-0001.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Pre-hook command already run, skipping: rc-service nginx stop
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cefris.com
Waiting for verification…
Challenge failed for domain cefris.com
http-01 challenge for cefris.com
Cleaning up challenges
Attempting to renew cert (contractscholar.com-0001) from /etc/letsencrypt/renewal/contractscholar.com-0001.conf produced an unexpected error: Some challenges have failed… Skipping.


Processing /etc/letsencrypt/renewal/contractscholar.com.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/rewryt.com.conf


Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cefris.com/fullchain.pem (failure)
/etc/letsencrypt/live/contractscholar.com-0001/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/contractscholar.com/fullchain.pem expires on 2020-06-08 (skipped)
/etc/letsencrypt/live/rewryt.com/fullchain.pem expires on 2020-06-08 (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cefris.com/fullchain.pem (failure)
/etc/letsencrypt/live/contractscholar.com-0001/fullchain.pem (failure)


Running post-hook command: rc-service nginx start
Output from post-hook command rc-service:

  • Checking nginx’ configuration … [ ok ]
  • Starting nginx … [ ok ]

2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cefris.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for cefris.com - check
    that a DNS record exists for this domain

  • The following errors were reported by the server:

    Domain: cefris.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for cefris.com - check
    that a DNS record exists for this domain

    Domain: static.cefris.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for static.cefris.com -
    check that a DNS record exists for this domain

    Domain: www.cefris.com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for www.cefris.com -
    check that a DNS record exists for this domain

My web server is (include version): nginx

The operating system my web server runs on is (include version): Gentoo

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 1.1.0

What’s the contents of /var/log/letsencrypt/letsencrypt.log?

2020-04-15 20:10:26,037:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-04-15 20:10:26,037:INFO:certbot._internal.auth_handler:Cleaning up challenges
2020-04-15 20:10:26,038:DEBUG:certbot._internal.plugins.standalone:Stopping server at :::80…
2020-04-15 20:10:26,334:WARNING:certbot._internal.renewal:Attempting to renew cert (contractscholar.com-0001) from /etc/letsencrypt/renewal/contr>
2020-04-15 20:10:26,335:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib64/python3.6/site-packages/certbot/_internal/renewal.py”, line 448, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib64/python3.6/site-packages/certbot/_internal/main.py”, line 1176, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File “/usr/lib64/python3.6/site-packages/certbot/_internal/main.py”, line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib64/python3.6/site-packages/certbot/_internal/renewal.py”, line 306, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/usr/lib64/python3.6/site-packages/certbot/_internal/client.py”, line 344, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib64/python3.6/site-packages/certbot/_internal/client.py”, line 391, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib64/python3.6/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/usr/lib64/python3.6/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
certbot.errors.AuthorizationError: Some challenges have failed.

could this be an issue with permissions?

Can you show us the output of “sudo certbot certificates”?

The domain cefris.com is not registered. Did it expire recently?

What are you trying to accomplish? Do you want to delete the certificate?

I no longer use cefris. So it’s output doesn’t matter. I’m concerned with contractscholar.com. Thanks

Certificate Name: contractscholar.com-0001
Domains: contractscholar.com cefris.com rewryt.com
Expiry Date: 2020-04-10 22:06:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/contractscholar.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/contractscholar.com-0001/privkey.pem

What was the rest of the output?

Found the following certs:
Certificate Name: cefris.com
Domains: cefris.com static.cefris.com www.cefris.com
Expiry Date: 2020-03-27 22:05:01+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/cefris.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cefris.com/privkey.pem
Certificate Name: contractscholar.com-0001
Domains: contractscholar.com cefris.com rewryt.com
Expiry Date: 2020-04-10 22:06:05+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/contractscholar.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/contractscholar.com-0001/privkey.pem
Certificate Name: contractscholar.com
Domains: contractscholar.com gold.contractscholar.com mail.contractscholar.com static.contractscholar.com static.gold.contractscholar.com www.contractscholar.com
Expiry Date: 2020-06-08 19:07:25+00:00 (VALID: 53 days)
Certificate Path: /etc/letsencrypt/live/contractscholar.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/contractscholar.com/privkey.pem
Certificate Name: rewryt.com
Domains: rewryt.com static.rewryt.com www.rewryt.com
Expiry Date: 2020-06-08 19:08:00+00:00 (VALID: 53 days)
Certificate Path: /etc/letsencrypt/live/rewryt.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/rewryt.com/privkey.pem

Do you need the contractscholar.com-0001 certificate at all? It’s redundant with the other ones.

Would it work to configure your software to use the other certificates, and then delete the cefris.com and contractscholar.com-0001 certificates?

Here is the output from ls -l /etc/letsencrypt.

drwxr-x— 5 root jabber 4096 Apr 13 09:22 accounts
drwxr-x— 6 root jabber 4096 Feb 24 18:17 archive
drwxr-x— 2 root jabber 12288 Apr 15 20:10 csr
drwxr-x— 2 root jabber 12288 Apr 15 20:10 keys
drwxr-x— 6 root jabber 4096 Feb 24 18:17 live
-rw-r–r-- 1 root root 742 Apr 15 18:13 options-ssl-nginx.conf
drwxr-x— 2 root jabber 4096 Mar 10 20:07 renewal
drwxr-xr-x 5 root root 4096 Feb 24 18:17 renewal-hooks
-rw-r–r-- 1 root root 424 Apr 15 18:13 ssl-dhparams.pem

I’ll need to consult on this first. Will get back.

I deleted the entries but it won’t work. My email client is still saying that the certificates are expired.

what’s the current output of certbot certificates ?

you should have run

certbot delete --cert-name "cefris.com"
certbot delete --cert-name "contractscholar.com-0001"

This can be a whole different issue. What domain is your email client trying to connect to? You might need to reinstall the certificate for the mailserver. Also, you should use --authenticator webroot or --authenticator nginx, not stopping nginx ad using --standalone

I can’t send nor receive messages on x@contractscholar.com because the certificate is expired (according to gmail). Now after running ```
certbot delete --cert-name “contractscholar.com-0001”

look here: https://check-your-website.server-daten.de/?q=contractscholar.com#connections

your mailserver is using an old certificate, you need to reconfigure its tls settings

Yes that’s true. I’ve try to renew but it certbot renew command exits with the failure above.

It won’t renew that cert, because it’s the cert including the expired domain. You need to point the mailserver to the actually renewed certificate, this one:

1 Like

Looks like the cefris domain in the certificate contractscholar.com-0001 was causing the problem. I removed the cefris entry and it was able to renew.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.