Can't renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

8ctoda.dev
almach.8ctoda.dev

I ran this command:

certbot --apache renew --force-renewal

It produced this output:

certbot --apache renew --force-renewal
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/8ctoda.dev.conf


Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for 8ctoda.dev
http-01 challenge for almach.8ctoda.dev
Waiting for verification…
Challenge failed for domain 8ctoda.dev
Challenge failed for domain almach.8ctoda.dev
http-01 challenge for 8ctoda.dev
http-01 challenge for almach.8ctoda.dev
Cleaning up challenges
Attempting to renew cert (8ctoda.dev) from /etc/letsencrypt/renewal/8ctoda.dev.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/8ctoda.dev/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/8ctoda.dev/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):

Server version: Apache/2.4.41 (Linux/SUSE)
Server built: 2020-01-20 13:06:59.000000000 +0000

The operating system my web server runs on is (include version):

LSB Version: core-2.0-noarch:core-3.2-noarch:core-4.0-noarch:core-2.0-x86_64:core-3.2-x86_64:core-4.0-x86_64:desktop-4.0.fake-amd64:desktop-4.0.fake-noarch:graphics-2.0-amd64:graphics-2.0-noarch:graphics-3.2-amd64:graphics-3.2-noarch:graphics-4.0.fake-amd64:graphics-4.0.fake-noarch
Distributor ID: openSUSE
Description: openSUSE Tumbleweed
Release: 20200128
Codename: n/a

Linux almach 5.4.14-1-default #1 SMP Thu Jan 23 08:54:47 UTC 2020 (fc4ea7a) x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

noip.com

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.1.0

Thanks for your help 🙂

Unrelated, but certbot 1.3.0 was just released.

Just to be 100% certain there is nothing weird, please show file:

then also, the output of:
apachectl -S

File /etc/letsencrypt/renewal/8ctoda.dev.conf:

# renew_before_expiry = 30 days
version = 0.40.1
archive_dir = /etc/letsencrypt/archive/8ctoda.dev
cert = /etc/letsencrypt/live/8ctoda.dev/cert.pem
privkey = /etc/letsencrypt/live/8ctoda.dev/privkey.pem
chain = /etc/letsencrypt/live/8ctoda.dev/chain.pem
fullchain = /etc/letsencrypt/live/8ctoda.dev/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = d8ebabe9b75f58afb408d956bdadddb6
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

Output of apachectl -S

base) almach:/srv/www/vhosts/8ctoda.dev/htdocs # apachectl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.8ctoda.dev (/etc/apache2/vhosts.d/8ctoda.dev.conf:13)
         port 80 namevhost www.8ctoda.dev (/etc/apache2/vhosts.d/8ctoda.dev.conf:13)
         port 80 namevhost www.chipsense.io (/etc/apache2/vhosts.d/chipsense.io.conf:13)
         port 80 namevhost www.8ctoda.dev (/etc/apache2/vhosts.d/8ctoda.dev.conf:13)
         port 80 namevhost www.chipsense.io (/etc/apache2/vhosts.d/chipsense.io.conf:13)
ServerRoot: "/srv/www"
Main DocumentRoot: "/srv/www/htdocs"
Main ErrorLog: "/var/log/apache2/error_log"
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/" mechanism=default 
Mutex mpm-accept: using_defaults
PidFile: "/var/run/httpd.pid"
Define: SYSCONFIG
Define: SSL
Define: phpMyAdmin
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="wwwrun" id=464
Group: name="www" id=466

I have to admit I just changed my webserver configuration. I am now trying to set up two virtual hosts:

One with URL: www.8ctoda.dev
Another with URL: www.chipsense.io

I just swapped out the .conf files for ones that don’t require SSL certificates. Having problems 🙁

Is there a way I can delete my old certificate and create a new one?

You can delete your old certificate with certbot delete (specifying the certificate name to delete with the --cert-name option), but this is rarely beneficial. For example, if your web server configuration still refers to the old certificate anywhere, deleting it could prevent your web server from starting up.

If you have a valid certificate that covers names that you need, it’s generally a good idea to keep it and keep using it; deleting it rarely solves any problems.

If you need to change the names that are covered by a particular certificate, you can reissue it with certbot certonly, specifying the existing certificate name with --cert-name and all of the desired names that will be covered in the newly-issued certificate with -d options.

The names are repeated (twice each):

port 80 namevhost www.8ctoda.dev   (/etc/apache2/vhosts.d/8ctoda.dev.conf:13)
port 80 namevhost www.8ctoda.dev   (/etc/apache2/vhosts.d/8ctoda.dev.conf:13)

port 80 namevhost www.chipsense.io (/etc/apache2/vhosts.d/chipsense.io.conf:13)
port 80 namevhost www.chipsense.io (/etc/apache2/vhosts.d/chipsense.io.conf:13)

I can only assume that their files are INCLUDED twice.
Check your config for include statements and ensure there are no files/folders with duplicate inclusions.

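The duplicate check done by eye in the reply above can be scripted. This is an added example, not code from any poster in this thread: it parses `apachectl -S` output, reports vhost definitions that appear more than once, and lists certificate names that match no ServerName or ServerAlias on port 80 (Apache hands those requests to the default server). The function names are hypothetical; the sample text is constructed from the output quoted earlier.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample: the VirtualHost lines of the `apachectl -S` output quoted in this thread.
SAMPLE = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server www.8ctoda.dev (/etc/apache2/vhosts.d/8ctoda.dev.conf:13)
         port 80 namevhost www.8ctoda.dev (/etc/apache2/vhosts.d/8ctoda.dev.conf:13)
         port 80 namevhost www.chipsense.io (/etc/apache2/vhosts.d/chipsense.io.conf:13)
         port 80 namevhost www.8ctoda.dev (/etc/apache2/vhosts.d/8ctoda.dev.conf:13)
         port 80 namevhost www.chipsense.io (/etc/apache2/vhosts.d/chipsense.io.conf:13)
ServerRoot: "/srv/www"
"""
# Names on the certificate, taken from the certbot output in the first post.
CERT_NAMES = ["8ctoda.dev", "almach.8ctoda.dev"]

VHOST_RE = re.compile(r"^\s*port\s+(\d+)\s+namevhost\s+(\S+)\s+\((.+):(\d+)\)\s*$")
ALIAS_RE = re.compile(r"^\s*(?:wild )?alias\s+(\S+)\s*$")


def parse_vhosts(text):
    """Return one dict per 'namevhost' line, with any alias lines that follow it."""
    vhosts = []
    for raw in text.splitlines():
        m = VHOST_RE.match(raw)
        if m:
            vhosts.append({"port": int(m.group(1)), "name": m.group(2).lower(),
                           "file": m.group(3), "line": int(m.group(4)), "aliases": []})
            continue
        a = ALIAS_RE.match(raw)
        if a and vhosts:
            vhosts[-1]["aliases"].append(a.group(1).lower())
    return vhosts


def duplicate_definitions(vhosts):
    """Same name from the same file:line more than once: that definition is loaded repeatedly."""
    counts = Counter((v["port"], v["name"], v["file"], v["line"]) for v in vhosts)
    return {key: n for key, n in counts.items() if n > 1}


def names_without_vhost(vhosts, cert_names, port=80):
    """Certificate names matching no ServerName/ServerAlias (wildcards allowed) on the port."""
    patterns = [p for v in vhosts if v["port"] == port for p in (v["name"], *v["aliases"])]
    return [n for n in cert_names if not any(fnmatchcase(n.lower(), p) for p in patterns)]


if __name__ == "__main__":
    found = parse_vhosts(SAMPLE)
    for (port, name, path, line), n in duplicate_definitions(found).items():
        print(f"{name}:{port} defined {n} times at {path}:{line}")
    print("no matching vhost on port 80:", names_without_vhost(found, CERT_NAMES))
```

On a live server, pass the text of `apachectl -S` to `parse_vhosts` in place of `SAMPLE`.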

I had the same problem last night, but now everything is running well. I am using the Let’s Encrypt plugins on cPanel.

I was able to resolve my issue.

My DocumentRoot settings were set here /srv/www/vhosts/8ctoda.dev/htdocs

For some reason I needed to put them here: /srv/www/htdocs/8ctoda.dev

Then it worked.
