I got an email notice because my (domalys.fr) domain certificate is about to expire.
I've tried this:
sudo certbot -q renew
Attempting to parse the version 0.12.0 renewal configuration file found at /etc/letsencrypt/renewal/domalys.fr.conf with version 0.10.2 of Certbot. This might not work.
Attempting to renew cert from /etc/letsencrypt/renewal/domalys.fr.conf produced an unexpected error: Failed authorization procedure. www.domalys.fr (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domalys.fr/.well-known/acme-challenge/dBuGPD_MD5Zhp5xytxzbOq7uoQfOEYBLdEKYjTWsAmw: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ht". Skipping.
The following certs are not due for renewal yet:
/etc/letsencrypt/live/domalys.fr-0001/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domalys.fr/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
We may find that it doesn't match the cert seen from the Internet (which will expire in 7 days):
Valid until Thu, 15 Jun 2017 18:58:00 UTC (expires in 7 days, 14 hours)
Those are PUBLIC certificates.
They get handed out on every SSL connection.
You don't have to hide them.
Private certificates (which should never be given out) always contain the word PRIVATE.
Like:
-----BEGIN PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
If you could just copy and paste the first one in your reply, from the first BEGIN to the first END.
Simple trick to view the cert:
copy the text and save it to a file named "whatever.CRT"
double-click the "whatever.CRT" file in Windows
This is what is being served now:
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
Which will expire in 7 days.
If you can find the file with that content, you can update that file with the content of:
/etc/letsencrypt/live/domalys.fr-0001/fullchain.pem
And you will have 90 days to figure out why it can't update properly and get it fixed.
You could verify that the private key and the public cert are matched, as follows:
openssl x509 -noout -modulus -in /etc/letsencrypt/live/domalys.fr-0001/cert.pem | openssl sha256
openssl rsa -noout -modulus -in /etc/letsencrypt/live/domalys.fr-0001/privkey.pem | openssl sha256
compare the two SHA256 outputs - they should be exactly the same.
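The checks described in the post above (compare what the server actually serves with the local Let's Encrypt lineage, check how long the served cert has left, and confirm the private key belongs to the cert) collected into one script. This is an added example, not code that anyone in the thread posted. It assumes `openssl` is on PATH and takes the hostname and the `/etc/letsencrypt/live/<name>` directory as arguments rather than hard-coding the domalys.fr paths; the key check compares the public key extracted from each side (`x509 -pubkey` vs `pkey -pubout`) instead of `-modulus`, so it also works for EC keys, which have no modulus.

```shell
#!/bin/sh
# Added example for this thread (not code posted by any participant):
# helpers to compare the certificate a server really serves with a local
# Let's Encrypt lineage, and to confirm a private key belongs to a certificate.
# HOST and the /etc/letsencrypt/live/<name> directory are passed in by the
# caller; nothing below assumes the domalys.fr paths from the thread.
set -u

# Fetch the leaf certificate a TLS server presents for HOST (SNI set), as PEM.
# Needs network access; this is the same cert a browser's "view certificate" shows.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# SHA-256 fingerprint of the first certificate in a PEM file (fullchain.pem
# starts with the leaf, so it can be passed directly).
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# 0 if two PEM files carry the same leaf certificate, 1 otherwise.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# 0 if the certificate will still be valid DAYS days from now, 1 if it will
# have expired by then (certbot's renew only acts inside its 30-day window).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Digest of the SubjectPublicKeyInfo inside a certificate.
cert_pubkey_digest() {
    openssl x509 -noout -pubkey -in "$1" | openssl sha256 | awk '{print $NF}'
}

# Digest of the public key derived from a private key. `openssl pkey` handles
# RSA and EC keys alike, whereas comparing `-modulus` values only works for RSA.
key_pubkey_digest() {
    openssl pkey -pubout -in "$1" | openssl sha256 | awk '{print $NF}'
}

# 0 if KEY is the private key for CERT, 1 otherwise.
key_matches_cert() {
    [ "$(key_pubkey_digest "$1")" = "$(cert_pubkey_digest "$2")" ]
}

# Usage: sh check_cert.sh HOST /etc/letsencrypt/live/NAME
if [ "$#" -eq 2 ]; then
    host=$1; live=$2
    tmp=$(mktemp)
    served_cert "$host" > "$tmp"
    printf 'served: %s\n' "$(cert_fingerprint "$tmp")"
    printf 'local:  %s\n' "$(cert_fingerprint "$live/fullchain.pem")"
    same_cert "$tmp" "$live/fullchain.pem" \
        && echo "server is serving the local lineage" \
        || echo "server is NOT serving $live/fullchain.pem"
    cert_valid_for_days "$tmp" 7 \
        && echo "served cert is valid for more than 7 days" \
        || echo "served cert expires within 7 days"
    key_matches_cert "$live/privkey.pem" "$live/cert.pem" \
        && echo "privkey.pem matches cert.pem" \
        || echo "privkey.pem does NOT match cert.pem"
    rm -f "$tmp"
fi
```

If `same_cert` reports a mismatch while the local lineage is fresh, the web server is reading its certificate from somewhere other than the live directory (or was never reloaded after the last renewal), which is exactly the situation the post above describes.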
@maximilien, I wanted to suggest that this is weird because run --renew-by-default (now known as run --force-renew) and renew ultimately use the same logic to complete the renewal.
However, it looks like you are actually running two different versions of Certbot when you use these different commands, which you could check with --version. If you run certbot, you may be using your operating system's packaged version of Certbot, which may be older; if you run /root/letsencrypt/letsencrypt-auto, you're running a copy of the Certbot autoupdater, which downloads the newest released version from our site and then runs that. One possibility is that the newest version is able to complete the renewal successfully, while the OS-packaged version is not, for some reason.
If this is so, you may be able to use /root/letsencrypt/letsencrypt-auto renew, which would be preferable to the other form for frequent use from cron because it only renews when a certificate is less than 30 days from expiry, rather than immediately.