Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for shop.example.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/shop.example.com.conf produced an unexpected error: Failed authorization procedure. shop.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://shop.example.com/.well-known/acme-challenge/3DDhheqPSYDx0LVwARFFx1N6J0KRd7Q3fMK8c9600W0: "
Example Printing
<meta http-equiv="Content-Type" ", example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://exampleprint.com/.well-known/acme-challenge/wi8UHkyPC4AtECCQZB5ei3F15WohATWc9Y7-t1Zu5WA: "
Example Printing
<meta http-equiv="Content-Type" ", member.exampleprint.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://member.exampleprint.com/.well-known/acme-challenge/ASXCozOlBWoxRdzUSIkvjO2CneR011s2UaY9-nk51iM: "
<meta na". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shop.everyprint.co.id/fullchain.pem (failure)
/etc/letsencrypt/live/exploraprint.com/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
And if i run certbot certificates
result:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
If you look in /etc/letsencrypt/renewal/shop.example.com.conf and /etc/letsencrypt/renewal/example.com.conf, there is a web root directory configured (or possibly several such directories), which is where Certbot tries to put the challenge files to prove that you control the domain names in question. If you’ve changed your web server configuration since you originally got the certificate, the web root might no longer be correct.
For example, if each of these subdomains has different content, each one might have a different web root.
Can you take a look and see if you can see a way that these directories are no longer accurate?
Hi @schoen thanks to answer, i am sure the webroot configuration are same with /etc/letsencrypt/renewal/shop.example.com.conf and /etc/letsencrypt/renewal/example.com.conf webroot congigured… And i don’t change anything in webserver configuration.
Is it just a single webroot configuration for each? If so, can you make a single test file in .well-known/acme-challenge each webroot and confirm that it appears on the web at the corresponding location under each domain?
and how to make single test as your suggested for each webroot, is it edit in /etc/nginx/sites-enable/shop.example.com.conf by adding .well-known/acme-challenge, and how to confirm that appear on the web?
If both of these work as described, make sure that the results would be the same for a visitor who connects via IPv6, if any of your domain names publishes an AAAA record in DNS.
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/shop.example.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shop.example.com/fullchain.pem (failure)
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
How to solve this without create new certificate, because i am trying many time to renewal i think.
Thank you
this back to renewal failed when i close terminal and reopen and run certbot renew not appear:
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/shop.example.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/shop.example.com/fullchain.pem (failure)
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
just still back to first failed when i post first time
This means that you must wait an hour before trying to get a certificate again. In any case, it won't work until you fix the other 404 problem, so it's not necessary to keep trying. The problem is with your configuration (possibly Certbot's renewal configuration no longer matches your web server's configuration), not on the certificate authority's side.
That's definitely enough to prevent the renewal authorizations from working!
A next step for debugging purposes would be to try to make test files at the top level of your web sites (instead of within /.well-known/acme-challenge). Can you do that?
OK! This is making progress in analyzing the situation. So, what made you say that /srv/examplestore/www/public is your web root directory? Are there any other individual files in there that are visible on your web site? Do you know a way to post an individual file on your web site?
Is it possible that when you originally configured the web server, you had files in /srv/examplestore/www/public but then you set up a web application like WordPress or Drupal or Joomla or something, and rerouted URLs on your site to be handled by that web application instead of being served out of the filesystem?
So base on your question that /srv/examplestore/www/public is not my
webroot? the second question, i don’t know how to upload file from website
i thing from admin dasboard that created by laravel progammer,
For the last, usually i deploy web on the server on /srv directory, and the
configuration was setup by previosly sysadmin…
Then how i can renewal Lets Encrypt vie certbot renew command?
It might indeed require a location directive in your nginx configuration to make clear that that location should be served from a specified location. I would suggest root /src/examplestore/www/public/.well-known/acme-challenge rather than root /src/examplestore/www/public as a first try, though, unless I'm misremembering how location works.
In general, it will be necessary to find or create some direct relationship between "files get written over here on the disk" and "those same files show up over here on the web site", because that's what Certbot is expecting with the webroot setting.
To elaborate a bit on @schoen’s comments, you can set this up many ways, but I would recommend the following to have minimal impact on the rest of your setup. Add the following to your nginx config:
This will leave everything else the same, except that now any requests to http(s)://whatever.example.com/.well-known/acme-challenge will pull files from /src/examplestore/www/public/.well-known/acme-challenge. You would then set /src/examplestore/www/public as your webroot for certbot and it will place the challenges in the proper directory. (Create these first so nginx doesn’t get mad.)
So, what made you say that