Can't --dry-run renew 3 certificates at the same time (Jitsi)

My domain is: talk.yctct.com, rezept.yctct.com, agency.yctct.com

I ran this command:

certbot renew --dry-run --webroot -w /var/www/letsencrypt

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/agency.yctct.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for agency.yctct.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rezept.yctct.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for rezept.yctct.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/talk.yctct.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for talk.yctct.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: talk.yctct.com
  Type:   unauthorized
  Detail: 93.95.229.191: Invalid response from http://talk.yctct.com/.well-known/acme-challenge/S1nKzPpXdyKi6urcPGfeX5i3AMWQkQPqtGHKmy68exM: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate talk.yctct.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
  /etc/letsencrypt/live/agency.yctct.com/fullchain.pem (success)
  /etc/letsencrypt/live/rezept.yctct.com/fullchain.pem (success)

The following simulated renewals failed:
  /etc/letsencrypt/live/talk.yctct.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So I looked in:

/etc/nginx/sites-available/talk.yctct.com.conf

And saw this:

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /usr/share/jitsi-meet;
    }

So I ran this command:

certbot renew --dry-run --webroot -w /usr/share/jitsi-meet

It produced the output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/agency.yctct.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for agency.yctct.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: agency.yctct.com
  Type:   unauthorized
  Detail: 93.95.229.191: Invalid response from http://agency.yctct.com/.well-known/acme-challenge/ZkAnfQtkYQV6vU6Xa-6iDlpowPcD9C93f1C1CbMzRTA: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate agency.yctct.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rezept.yctct.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for rezept.yctct.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: rezept.yctct.com
  Type:   unauthorized
  Detail: 93.95.229.191: Invalid response from http://rezept.yctct.com/.well-known/acme-challenge/emjsEn6ivtDq3wJ0opUnZ37XTQpuec67WyA0FlIIQ88: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate rezept.yctct.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/talk.yctct.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for talk.yctct.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
  /etc/letsencrypt/live/talk.yctct.com/fullchain.pem (success)

The following simulated renewals failed:
  /etc/letsencrypt/live/agency.yctct.com/fullchain.pem (failure)
  /etc/letsencrypt/live/rezept.yctct.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So I tried my luck adding both paths:

certbot renew --dry-run --webroot -w /usr/share/jitsi-meet -w /var/www/letsencrypt/

to see if all three certificate dry runs would pass, in vain. It produced:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/agency.yctct.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for agency.yctct.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/rezept.yctct.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for rezept.yctct.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/talk.yctct.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for talk.yctct.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: talk.yctct.com
  Type:   unauthorized
  Detail: 93.95.229.191: Invalid response from http://talk.yctct.com/.well-known/acme-challenge/W0SM6d_vBqdqvLUcyGxoLtT-ls49L-AA3ipSJQGu9hY: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate talk.yctct.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
  /etc/letsencrypt/live/agency.yctct.com/fullchain.pem (success)
  /etc/letsencrypt/live/rezept.yctct.com/fullchain.pem (success)

The following simulated renewals failed:
  /etc/letsencrypt/live/talk.yctct.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.18.0 (Trisquel GNU/Linux)

The operating system my web server runs on is (include version): Linux talk.yctct.com 5.15.0-84-generic #93+11.0trisquel24 SMP Wed Sep 20 04:23:53 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: 1984.hosting

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

How can I renew all three certificates?

It is the first time I have tried renew --dry-run since I set up these two websites and the Jitsi instance.

You need to be careful using the renew command with extra options like --webroot. The renew command affects all of your certificates.

It is good that you used --dry-run, so you did not permanently damage the renewal profiles for your other 2 certs.

So, with that lesson learned: the --cert-name option is needed when testing or overriding options for just one certificate profile.

certbot renew --cert-name talk.yctct.com --dry-run --webroot -w /usr/share/jitsi-meet

If that works issue the same command including --cert-name but without --dry-run to update the renewal profile.

Then test your full renewal with just

certbot renew --dry-run
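A pre-flight check for the situation in this thread, added here as an example; it is not certbot's code and was not posted by either participant. It reads the per-domain webroot that certbot records in each renewal profile (the [[webroot_map]] subsection of /etc/letsencrypt/renewal/<lineage>.conf is assumed to follow certbot's configobj-style layout), works out which directory nginx really serves for /.well-known/acme-challenge/ per server_name, and models what a global --webroot -w on certbot renew does to every selected profile, which reproduces the three outcomes seen in the dry runs above. The profile contents and nginx site files are constructed stand-ins: talk's location block is the one quoted in the post, the rezept/agency blocks and the yctct-sites.conf file name are invented. The probe_http function is the live equivalent of the CA's fetch and is not exercised against the sample data.

```python
"""Added example, not certbot's or the thread's code: compare the webroot in each
renewal profile with what nginx serves, and model a global `renew --webroot -w`."""
import re
import secrets
import urllib.request
from pathlib import Path

def profile(domain, webroot):
    # Constructed stand-in for /etc/letsencrypt/renewal/<lineage>.conf; assumed
    # configobj layout, with the per-domain path in the [[webroot_map]] subsection.
    return f"[renewalparams]\nauthenticator = webroot\n[[webroot_map]]\n{domain} = {webroot}\n"

RENEWAL_PROFILES = {
    "talk.yctct.com.conf": profile("talk.yctct.com", "/usr/share/jitsi-meet"),
    "rezept.yctct.com.conf": profile("rezept.yctct.com", "/var/www/letsencrypt"),
    "agency.yctct.com.conf": profile("agency.yctct.com", "/var/www/letsencrypt"),
}

# Constructed nginx site files: talk's block is quoted from the thread, the rest is invented.
NGINX_SITES = {
    "talk.yctct.com.conf": """\
server {
    server_name talk.yctct.com;
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root         /usr/share/jitsi-meet;
    }
    location / { return 301 https://$host$request_uri; }
}
""",
    "yctct-sites.conf": """\
server {
    server_name rezept.yctct.com www.rezept.yctct.com;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
}
server {
    server_name agency.yctct.com;  # alias maps the location prefix itself
    location /.well-known/acme-challenge/ { alias /var/www/letsencrypt/.well-known/acme-challenge/; }
}
""",
}

def parse_webroot_map(text):
    """{domain: webroot} from the [[webroot_map]] subsection of one profile."""
    result, in_map = {}, False
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            result[key.strip()] = value.strip().rstrip(",").rstrip("/")
    return result

def nginx_acme_roots(text):
    """{server_name: directory certbot must write into}; brace counting, not a full parser."""
    roots, names, acme_root, depth, in_acme = {}, [], None, 0, False
    for line in (ln.split("#", 1)[0].strip() for ln in text.splitlines()):
        if line.startswith("server_name"):
            names = line.rstrip(";").split()[1:]
        if line.startswith("location") and "/.well-known/acme-challenge/" in line:
            in_acme = True
        if in_acme and (m := re.search(r"\b(root|alias)\s+([^;]+);", line)):
            path = m.group(2).strip()
            if m.group(1) == "alias":  # alias replaces the URI prefix: strip it off
                path = re.sub(r"/?\.well-known/acme-challenge/?$", "", path)
            acme_root = path.rstrip("/")
        depth += line.count("{") - line.count("}")
        in_acme = in_acme and depth > 1
        if depth == 0 and names:  # server block closed: record what it serves
            roots.update(dict.fromkeys(names, acme_root))
            names, acme_root = [], None
    return roots

def simulate_renew(profiles, sites, override=None, cert_name=None):
    """Model `certbot renew [--cert-name NAME] [--webroot -w OVERRIDE]`: a -w on the
    command line replaces the stored webroot of every selected profile."""
    served = {n: r for t in sites.values() for n, r in nginx_acme_roots(t).items()}
    outcome = {}
    for name, text in profiles.items():
        if cert_name and name != f"{cert_name}.conf":
            continue
        for domain, webroot in parse_webroot_map(text).items():
            outcome[domain] = served.get(domain) == (override or webroot).rstrip("/")
    return outcome

def find_mismatches(profiles, sites):
    """(domain, profile webroot, nginx root) wherever the two disagree."""
    served = {n: r for t in sites.values() for n, r in nginx_acme_roots(t).items()}
    return [(d, w, served.get(d)) for t in profiles.values()
            for d, w in parse_webroot_map(t).items() if served.get(d) != w]

def probe_http(domain, webroot, timeout=10):
    """Live equivalent of the CA's fetch: write a random token under the webroot and
    request it over plain HTTP. Needs write access to webroot; not run on the samples."""
    path = Path(webroot) / ".well-known" / "acme-challenge" / secrets.token_urlsafe(32)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(path.name)
    try:
        with urllib.request.urlopen(f"http://{domain}/{path.relative_to(webroot)}", timeout=timeout) as resp:
            return resp.read().decode() == path.name
    except (OSError, UnicodeDecodeError):
        return False
    finally:
        path.unlink(missing_ok=True)
```

With no override every domain comes back True; with -w /var/www/letsencrypt only talk fails and with -w /usr/share/jitsi-meet only talk passes, which is exactly the pattern in the three dry runs, and passing cert_name narrows the run to one profile the way --cert-name does. The nginx scanner handles alias as well as root because with alias the directory certbot must write into is the alias path minus the /.well-known/acme-challenge/ suffix. probe_http must run as a user that can write into the webroot, and a pass from the web server host only proves the path mapping: it does not prove that port 80 is reachable from Let's Encrypt's validation vantage points.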

Thank you. --cert-name is what I needed.

