Can't renew anymore with certbot

It seems I can't renew my cert anymore.

My domain is: host3.perenip.cloud

I ran this command: certbot -q renew

It produced this output:
Challenge failed for domain host3.perenip.cloud
Failed to renew certificate host3.perenip.cloud with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/host3.perenip.cloud/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.56 (Debian)

The operating system my web server runs on is (include version): Debian 11.7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Any idea?

Please post the entire output of Certbot. Currently, the response of the ACME server is missing.

Is the following helpful?

2023-06-08 08:18:39,522:DEBUG:acme.client:Storing nonce: 371CGmq8NCTUeV0Lehsoa3SmhIyA0L6KaI8aIq8iByVf-dY
2023-06-08 08:18:39,524:INFO:certbot._internal.auth_handler:Performing the following challenges:
2023-06-08 08:18:39,524:INFO:certbot._internal.auth_handler:http-01 challenge for host3.perenip.cloud
2023-06-08 08:18:39,525:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2023-06-08 08:18:39,529:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/srMxu-nzP42OtdtExPdD6Dv9C__N97G1f1Cv7R4fGtA
2023-06-08 08:18:39,530:INFO:certbot._internal.auth_handler:Waiting for verification...
2023-06-08 08:18:39,530:DEBUG:acme.client:JWS payload:
b'{}'
2023-06-08 08:18:39,539:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/234945462847/TcBP4g:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTAzNzQ4MTI4IiwgIm5vbmNlIjogIjM3MUNHbXE4TkNUVWVWMExlaHNvYTNTbWhJeUEwTDZLYUk4YUlxOGlCeVZmLWRZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8yMzQ5NDU0NjI4NDcvVGNCUDRnIn0",
  "signature": "WBZLvzvYXBdqIP0xH1x2No4Tx6nWCA44scDtNWyZDwvTTx4p4CE1kFv-W7JHwUX2lNpPBfcTXneqC8ZoO54vAIjGi_adyIsv1oMPlF4LldzcdaeFI9XTUKOZwnJsP3BZcIMcPmCl02aJGBhcH8moMBDHDqTMqdbjCE1PR0SZOHuEEvdDaVXL0uJ31zLO98g3yjCbGCPKWzb0EfSq6-EURCH0x3pJzlkJqtJ2OkGUDajbgSgJiickldYob72GUrTSO40Oi-Kt0FjbcYASqbLdAyLspzb7aEQB3XR4Hh2bJmwx3_CDsqRkoTqACBoXtooxsLKBlpAqFRukknqwBeL09A",
  "payload": "e30"
}
2023-06-08 08:18:39,670:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/234945462847/TcBP4g HTTP/1.1" 200 187
2023-06-08 08:18:39,671:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Jun 2023 06:18:39 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 103748128
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/234945462847>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/234945462847/TcBP4g
Replay-Nonce: 891FSSAxX6IrglFrvxpUTFi0tRm3V38rAWgRCpVtnBPjUyE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/234945462847/TcBP4g",
  "token": "srMxu-nzP42OtdtExPdD6Dv9C__N97G1f1Cv7R4fGtA"
}
2023-06-08 08:18:39,672:DEBUG:acme.client:Storing nonce: 891FSSAxX6IrglFrvxpUTFi0tRm3V38rAWgRCpVtnBPjUyE
2023-06-08 08:18:40,674:DEBUG:acme.client:JWS payload:
b''
2023-06-08 08:18:40,682:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/234945462847:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTAzNzQ4MTI4IiwgIm5vbmNlIjogIjg5MUZTU0F4WDZJcmdsRnJ2eHBVVEZpMHRSbTNWMzhyQVdnUkNwVnRuQlBqVXlFIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8yMzQ5NDU0NjI4NDcifQ",
  "signature": "lMMyM_UKlA0Dpf2ZM05q7izdJQzTaNE3AvJM61jlxhuOOmqi4rK3PHoKuSlGa05LZU7UmnDtEjNwu03x7p0X101RyJ-XloUM1CDcY7-bkaKQQofAf-xqdgcGAsRAu540WljgzdM_gtpdoXQjLEHXh2ESijXNtze2_rITf7aXwIIR3PBEkKYXtMfV9eVxOYtAY3xCrxepBWD6s1E9_w-qtbd1F4zmXwd7G76U5pGxYaRqw9qkvh2pmYH7b8jfdS1Rez7wFRUn0erJu3sfd4Js3qDMCT_pK54jt55vGdQa4AAlOSE3oxExbYegl144KOChhmldz2IbW0uJufAGxdu5Iw",
  "payload": ""
}
2023-06-08 08:18:40,810:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/234945462847 HTTP/1.1" 200 1044
2023-06-08 08:18:40,812:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 08 Jun 2023 06:18:40 GMT
Content-Type: application/json
Content-Length: 1044
Connection: keep-alive
Boulder-Requester: 103748128
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 891F2Q0sCm0JtDutZepItsSIXt-4JYq588FODyAt1MMXrkg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "host3.perenip.cloud"
  },
  "status": "invalid",
  "expires": "2023-06-15T06:18:39Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "163.172.46.34: Invalid response from http://host3.perenip.cloud/.well-known/acme-challenge/srMxu-nzP42OtdtExPdD6Dv9C__N97G1f1Cv7R4fGtA: 404",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/234945462847/TcBP4g",
      "token": "srMxu-nzP42OtdtExPdD6Dv9C__N97G1f1Cv7R4fGtA",
      "validationRecord": [
        {
          "url": "http://host3.perenip.cloud/.well-known/acme-challenge/srMxu-nzP42OtdtExPdD6Dv9C__N97G1f1Cv7R4fGtA",
          "hostname": "host3.perenip.cloud",
          "port": "80",
          "addressesResolved": [
            "163.172.46.34"
          ],
          "addressUsed": "163.172.46.34"
        }
      ],
      "validated": "2023-06-08T06:18:39Z"
    }
  ]
}
2023-06-08 08:18:40,812:DEBUG:acme.client:Storing nonce: 891F2Q0sCm0JtDutZepItsSIXt-4JYq588FODyAt1MMXrkg
2023-06-08 08:18:40,813:WARNING:certbot._internal.auth_handler:Challenge failed for domain host3.perenip.cloud
2023-06-08 08:18:40,814:INFO:certbot._internal.auth_handler:http-01 challenge for host3.perenip.cloud
2023-06-08 08:18:40,814:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: host3.perenip.cloud
Type:   unauthorized
Detail: 163.172.46.34: Invalid response from http://host3.perenip.cloud/.well-known/acme-challenge/srMxu-nzP42OtdtExPdD6Dv9C__N97G1f1Cv7R4fGtA: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2023-06-08 08:18:40,816:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Yes, that helps.

Can you show us your Apache <VirtualHost> for host3.perenip.cloud?

Yes, that was it!

On the same host, I did some testing to prepare the installation of a future web app. Doing so, I added a file in /etc/apache2/sites-enabled and forgot about it. Disabling this site (with Debian's a2dissite) instantly solved the certbot issue.

Thanks again!

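The failure mode resolved above (a forgotten file in sites-enabled answering the http-01 request instead of the site whose DocumentRoot is the certbot webroot) can be checked before a renewal. The following is an added example, not code from the thread or from certbot: the file names and vhost contents are constructed, since the thread never shows the real configuration, and the matching is a simplified model of Apache's name-based vhost selection for `*:80` vhosts.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of /etc/apache2/sites-enabled (file names and contents are
# hypothetical; the thread never shows the real configuration).
SITES_ENABLED = {
    "000-webapp-test.conf": """<VirtualHost *:80>
    ServerName webapp.example.test
    ServerAlias *.perenip.cloud
    DocumentRoot /srv/webapp/public
</VirtualHost>""",
    "host3.conf": """<VirtualHost *:80>
    ServerName host3.perenip.cloud
    DocumentRoot /var/www/html
</VirtualHost>""",
}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(files):
    """Return vhosts in load order (wildcard includes are sorted by file name)."""
    vhosts = []
    for fname in sorted(files):
        for addrs, body in VHOST_RE.findall(files[fname]):
            vh = {"file": fname, "addrs": addrs.split(), "names": [], "docroot": None}
            for line in body.splitlines():
                parts = line.split("#", 1)[0].split()
                if len(parts) < 2:
                    continue
                key = parts[0].lower()
                if key in ("servername", "serveralias"):
                    vh["names"] += [n.lower() for n in parts[1:]]
                elif key == "documentroot":
                    vh["docroot"] = parts[1].strip('"')
            vhosts.append(vh)
    return vhosts

def serving_vhost(vhosts, host, port=80):
    """First vhost on the port whose name matches, else the first one (default)."""
    on_port = [v for v in vhosts if any(a.endswith(f":{port}") for a in v["addrs"])]
    for vh in on_port:
        if any(fnmatchcase(host.lower(), name) for name in vh["names"]):
            return vh
    return on_port[0] if on_port else None

def webroot_check(files, host, webroot):
    """Return (ok, file) where file defines the vhost that answers for host."""
    vh = serving_vhost(parse_vhosts(files), host)
    return (vh is not None and vh["docroot"] == webroot, vh and vh["file"])
```

With the constructed stray file present, the check reports that `/var/www/html` is not what Apache serves for host3.perenip.cloud; on a live host, `apache2ctl -S` prints the vhost table Apache actually built.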