Can't renew certificate (ACME challenge failed) some weird results

My domain is: https://financieelonafhankelijkworden.nl/

I ran this command: certbot renew and certbot renew --force-renewal

It produced this output:


Processing /etc/letsencrypt/renewal/financieelonafhankelijkworden.nl.conf


Certificate not yet due for renewal

The following certificates are not due for renewal yet:
/etc/letsencrypt/live/financieelonafhankelijkworden.nl/fullchain.pem expires on 2023-02-22 (skipped)

But when forcing renewal:

Domain: penke.nl
Type: unauthorized
Detail: 83.96.253.108: Invalid response from Penke: hoe kan ik jou helpen? "<!doctype html><html lang="nl"><meta charset="utf-8"><meta name="viewp ort" content="width=devic"

Domain: www.financieelonafhankelijkworden.nl
Type: unauthorized
Detail: 83.96.253.108: Invalid response from Financieel Onafhankelijk Worden "\n<html class="no-js" lang="nl" prefix="og: http://ogp.me/ns#\">\n\n <meta charset="UTF-8">\n <meta name="view"

Note: there are multiple domains in the cert.

My web server is (include version): Apache/2.4.37

The operating system my web server runs on is (include version): Centos 8 stream

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.0


The certbot renew command works fine. But when forcing to update the certificate it fails. The weird part is that the command tells me

Penke: hoe kan ik jou helpen?

is not reachable but when entering this in my browser I can access it. Also, the certificate was renewed yesterday so that seems to work.

For domain https://financieelonafhankelijkworden.nl/ it only says that Financieel Onafhankelijk Worden unauthorised without mentioning the ".well-known/acme-challenge/" path.

I don't understand why it did renew the certificate for penke.nl but not for https://financieelonafhankelijkworden.nl/ while both virtual hosts are the same. Does this have to do with the redirect to HTTPS?

Update: when I run certbot --apache it does update the certificate for financieelonafhankelijkworden.nl but I'm not sure what certbot changed...

But another domain in that same certificate gets an error: too many failed authorizations recently

Update: the other domain is also updated.

Now the question is, what did certbot --apache do in the httpd config?

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

Using this online tool letsdebug-toolkit the results are here crt.sh | financieelonafhankelijkworden.nl I see

3 Likes

Has also hit the rate limits as well. Using this online tool letsdebug-toolkit shows results here letsdebug-toolkit
And a certificate was issued 25 Nov 2022 10:21:07 UTC

And using this online tool SSL Server Test (Powered by Qualys SSL Labs) the results here SSL Server Test: penke.nl (Powered by Qualys SSL Labs) show a recently issued certificate being served

2 Likes

Why would you force renewal when you already have a perfectly fine certificate? I don't understand the train of thought.

4 Likes
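Added example, not part of the thread and not certbot's own code: the "unauthorized ... Invalid response" details quoted in the first post show HTML where an HTTP-01 validator expects the key authorization, `<token>.<base64url SHA-256 account key thumbprint>` (RFC 8555). The sketch below classifies a response body fetched from the `/.well-known/acme-challenge/<token>` path; the function name, the token and the thumbprint are constructed for illustration, and the two HTML samples are the truncated bodies from the error output above.

```python
import re

# Key authorization per RFC 8555: token "." base64url(SHA-256 JWK thumbprint).
# A SHA-256 digest in unpadded base64url is always 43 characters long.
KEY_AUTH = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{43}")

def classify_http01_body(token: str, body: str) -> str:
    """Return a verdict for the body served at the challenge path for `token`."""
    text = body.strip()
    if KEY_AUTH.fullmatch(text):
        served_token = text.split(".", 1)[0]
        # A well-formed answer for a different token usually means a stale file.
        return "ok" if served_token == token else "wrong-token"
    if not text:
        return "empty"
    lowered = text.lower()
    if lowered.startswith(("<!doctype", "<html")) or "<meta " in lowered:
        # The site itself answered (rewrite rule, CMS front controller or a
        # different virtual host) instead of the challenge file.
        return "html-page"
    return "unexpected"

# Constructed values, for illustration only.
TOKEN = "constructed-token_123"
THUMB = "A" * 43

# Truncated bodies as they appear in the certbot output quoted in the thread.
PAGE_BODIES = {
    "penke.nl": '<!doctype html><html lang="nl"><meta charset="utf-8">',
    "www.financieelonafhankelijkworden.nl":
        '\n<html class="no-js" lang="nl" prefix="og: http://ogp.me/ns#">\n\n'
        ' <meta charset="UTF-8">',
}

def check_all(bodies: dict) -> dict:
    """Classify every domain's response body against the expected token."""
    return {domain: classify_http01_body(TOKEN, body)
            for domain, body in bodies.items()}

if __name__ == "__main__":
    for domain, verdict in check_all(PAGE_BODIES).items():
        print(f"{domain}: {verdict}")
```

A verdict of `html-page` for a domain points at the web server configuration for that name (which virtual host or rewrite rule handles the challenge path on port 80), not at the ACME client.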