Can't renew certificate anymore

I successfully issued a certificate on January, on Ubuntu 20.04 + nginx, I have ssh root access.
The provider is ovh, the certificate is not wildcard.
Following certbot instructions it did all automatically and back then "sudo certbot renew --dry-run" worked.
certbot version 1.13.0

Now the renewal returns:

Failed to renew certificate with error: Error determining zone identifier for 403 Client Error: Forbidden for url: https:/
/ (Are your Application Key and Consumer Key values correct?)

cat /etc/letsencrypt/renewal/

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
account = 852[...]
authenticator = dns-ovh
installer = nginx
dns_ovh_credentials = /root/ssl/ovh.ini
manual_public_ip_logging_ok = None
server =

Why this error occurs? How can I test if my credentials are still valid? Could it be related to the recent OVH incident?

1 Like

Not sure what "OVH incident" has occured, but your error seems to be related to your OVH credentials.

1 Like

OVH had an entire datacenter in Strasbourg burn down recently. :frowning:

It's conceivable that their DNS API availability was affected somehow—@xalloc, I know OVH support is probably extraordinarily busy, but would it be possible to check with them whether this could be the case?


I contacted OVH, I'll update here asap.


No answer from them so far, but I didn't expect anything else.
I tried and the report says:



The current status as reported by the Let's Encrypt status page is Service Disruption as at 2021-03-24 17:02:51.975 +0000 UTC. Depending on the reported problem, this may affect certificate issuance. For more information, please visit the status page.

So there's actually an outage Let's Encrypt side?
Does anybody know anything? I really need to renew the certificate, or it will expire soon.

1 Like

Not really, only a test certificate log has a disruption. See the link for more info. This shouldn't affect certificate issuance.

Are you still getting the exact same error as before?

1 Like

Thanks for the answer, yes same error.

1 Like

It's really hard to say anything about it.. If I look at the code for the OVH DNS plugin, the error is triggered by the "403 Client Error" string returned by OVH when accessing an URL from the API, which is also presented in the error message.

Without more info presented by us by the plugin, it's really hard to pin down where the actual issue is.

Can you perhaps experiment with the OVH API on the staging server? Trying to get a certificate from a testing subdomain with --staging as an option to certbot and see if you can issue certificates with the OVH DNS authenticator?

1 Like

Staging didn't have any effect, the problem persists.
This one anyway succeeds:

me@host:~$ sudo certbot certonly --nginx --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert is due for renewal, auto-renewing...
Simulating renewal of an existing certificate for and
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification...
Cleaning up challenges


  • The dry run was successful.

The command is to create a new cert, but the output says it simulates renewal anyway?
Due to the certificate expiring next week, I'll try to issue a new cert from scratch. Can I use that command to do that?

1 Like

Because it contains the same hostnames as an already existing certificate.

But if I understand correctly: you don't actually NEED the OVH DNS plugin? In that case you can just remove the --dry-run from the command you just ran and get a real certificate....

All this time I assumed you actually required the dns-01 challenge.. Most people don't take the effort to get a DNS plugin up and running when it's 1000x easier to just run the http-01 challenge, as you did just now.

A perfect example that due to obscurity by OP we don't get to see the real domain name in question, so we can't check further than the limited information offered..

1 Like

I see now the two commands used two different challenges, but forgive me if I don't understand. How can I renew without using the ovh plugin?
I don't even know why it was installed.

A perfect example that due to obscurity by OP we don't get to see the real domain name in question, so we can't check further than the limited information offered..

Sorry about that, that's because it's for a third-party website and I don't know if I can write about it without third-party consent.

EDIT: Ok i see after the successful http-01 renewal, the renew command uses the same challenge. Thanks a lot for your support!


Because DNS isn't the only way Let's Encrypt can validate ownership of the hostname(s). Please see the following documentation:

Great! Indeed, certbot stores the most recently used command line options in the renewal configuration file, so it'll use the --nginx option you've used. Note that --dry-run doesn't store this info, as it's for testing only. But once you've issued a real, valid certificate with the new options, it gets stored for future use.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.