Hi LE team, I'm trying to renew my SSL certificate (it expired a month ago). However, I got the following error. Could anyone provide any suggestions on how to debug this? Thanks a lot for your time and attention!
My domain is: www.apkdcx.com
I ran this command: certbot renew --dry-run -v
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/www.apkdcx.com.conf
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for www.apkdcx.com
Performing the following challenges:
http-01 challenge for www.apkdcx.com
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.apkdcx.com
http-01 challenge for www.apkdcx.com
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.apkdcx.com
Type: unauthorized
Detail: 8.134.195.218: Invalid response from https://www.apkdcx.com/.well-known/acme-challenge/vgFJ8hEqGgCw3CDZu3UTa__j1S6Y_pK6EQ9ZGHxSTW8: "<!doctype html><html lang="en"><meta charset="utf-8"/><link rel="icon" href="./favicon.ico"/><meta name="viewport" content"
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Cleaning up challenges
Failed to renew certificate www.apkdcx.com with error: Some challenges have failed.
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.apkdcx.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version): nginxinc/nginx-unprivileged:1-alpine
The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS
My hosting provider, if applicable, is: Unknown
I can login to a root shell on my machine (yes or no, or I don't know): Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0
Additional information:
It seems Nginx returned 200 when challenged:
proxy | 66.133.109.36 - - [22/Apr/2024:07:39:33 +0000] "GET /.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk HTTP/1.1" 302 138 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
proxy | 13.53.235.28 - - [22/Apr/2024:07:39:33 +0000] "GET /.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk HTTP/1.1" 302 138 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
proxy | 18.143.92.227 - - [22/Apr/2024:07:39:33 +0000] "GET /.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk HTTP/1.1" 302 138 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
proxy | 18.218.184.140 - - [22/Apr/2024:07:39:33 +0000] "GET /.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk HTTP/1.1" 302 138 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
proxy | 18.143.92.227 - - [22/Apr/2024:07:39:33 +0000] "GET /.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk HTTP/1.1" 200 667 "http://www.apkdcx.com/.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
proxy | 66.133.109.36 - - [22/Apr/2024:07:39:33 +0000] "GET /.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk HTTP/1.1" 200 667 "http://www.apkdcx.com/.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
proxy | 13.53.235.28 - - [22/Apr/2024:07:39:33 +0000] "GET /.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk HTTP/1.1" 200 667 "http://www.apkdcx.com/.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
Here is the trace in the log file:
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: _O0fw7ZkabkErWy6X3DOE9QUFu6UyNCHIqHbWYltFnt3MDuvyfA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.apkdcx.com"
  },
  "status": "invalid",
  "expires": "2024-04-29T07:39:31Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "8.134.195.218: Invalid response from https://www.apkdcx.com/.well-known/acme-challenge/ETVm_dv7IQnxhi5nY6LvmHVT1dfhoNAV2hqz4dWgQyk: "\u003c!doctype html\u003e\u003chtml lang=\"en\"\u003e\u003chead\u003e\u003cmeta charset=\"utf-8\"/\u003e\u003clink rel=\"icon\" href=\"./favicon.ico\"/\u003e\u003cmeta name=\"viewport\" content"",
        "status": 403
      },
k3ADaW3PyWSbYmMs
2024-04-22 07:50:42,274:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-04-22 07:50:42,275:ERROR:certbot._internal.renewal:Failed to renew certificate www.apkdcx.com with error: Some challenges have failed.
2024-04-22 07:50:42,276:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 540, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1550, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/src/certbot/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
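
An added example, not part of the original post and not Certbot code: a Python check over nginx access-log lines in the layout shown above. It flags 200 responses to challenge URLs whose size cannot be an http-01 key authorization (the token, a dot, and a 43-character base64url SHA-256 account-key thumbprint), and classifies a fetched body. The sample log lines, token, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the same access-log layout as the post
# (token, host and client address are made up for this example).
SAMPLE_LOG = '''\
proxy | 203.0.113.10 - - [22/Apr/2024:07:39:33 +0000] "GET /.well-known/acme-challenge/EXAMPLEtoken_123 HTTP/1.1" 302 138 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
proxy | 203.0.113.10 - - [22/Apr/2024:07:39:33 +0000] "GET /.well-known/acme-challenge/EXAMPLEtoken_123 HTTP/1.1" 200 667 "http://example.test/.well-known/acme-challenge/EXAMPLEtoken_123" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) - - \[[^\]]+\] '
    r'"GET /\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+) "(?P<referer>[^"]*)"')

# Key authorization body: <token>.<base64url SHA-256 JWK thumbprint, 43 chars>
KEYAUTH_RE = re.compile(r'^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]{43})$')
THUMBPRINT_LEN = 43

def parse_challenge_hits(log_text):
    """Return one dict per access-log line that requests a challenge URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits.append({**m.groupdict(),
                         "status": int(m["status"]), "size": int(m["size"])})
    return hits

def suspicious_hits(hits):
    """200 responses whose byte count cannot be a key authorization."""
    flagged = []
    for h in hits:
        expected = len(h["token"]) + 1 + THUMBPRINT_LEN
        # Allow up to two trailing whitespace bytes (e.g. CRLF).
        if h["status"] == 200 and not expected <= h["size"] <= expected + 2:
            flagged.append(h)
    return flagged

def classify_body(token, body):
    """Classify a fetched challenge response body for the given token."""
    text = body.strip()
    m = KEYAUTH_RE.match(text)
    if m:
        return "ok" if m.group(1) == token else "wrong-token"
    if text.lower().startswith(("<!doctype", "<html")):
        return "html-fallback"  # a site page was served, not the challenge file
    return "unexpected"
```

A 200 status alone does not show the challenge file was served; the byte count and body have to match the key authorization.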