Certbot apache renewal fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
sudo certbot rene
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/jgklinux.jankom.net.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jgklinux.jankom.net
Waiting for verification...
Challenge failed for domain jgklinux.jankom.net
http-01 challenge for jgklinux.jankom.net
Cleaning up challenges
Attempting to renew cert (jgklinux.jankom.net) from /etc/letsencrypt/renewal/jgklinux.jankom.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jgklinux.jankom.net/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/jgklinux.jankom.net/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)


My web server is (include version):
apache2 - version is current, always fully updated by ubuntu
The operating system my web server runs on is (include version):
xubuntu 20.04
My hosting provider, if applicable, is:
web server is running on a linode vps instance
I can login to a root shell on my machine (yes or no, or I don't know):
yes, using terminal, not gui
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
don't know what control panel is, just use terminal commands
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

Hi @jankom, and welcome to the LE community forum :slight_smile:

I suspect the problem is within the Apache configuration.
Please show the output of:
sudo apachectl -S

Hi @rg305 and thanks for the quick attention and response to my problem.
I have not changed anything in the Apache setup ever, and in the past it has always renewed without an error. Nevertheless, here is the output:

gellert@jgklinux:~$ sudo apachectl -S
VirtualHost configuration:
*:443                  jgklinux.jankom.net (/etc/apache2/sites-enabled/jgklinux.jankom.net-le-ssl.conf:2)
*:80                   jgklinux.jankom.net (/etc/apache2/sites-enabled/jgklinux.jankom.net.conf:9)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
User: name="www-data" id=33
Group: name="www-data" id=33

Sorry if I misused the Blockquote feature.

Hi, I posted my reply in the web forum, and here is my very primitive web server page that I'm securing with the letsencrypt certificate. - Janos

@jankom The e-mail you received wasn't from @rg305 personally, but is a notification service from the forum software and when you reply to said e-mail, it'll post your reply in the thread on the Community too :wink:

In any case, I'm not seeing anything weird in your Apache configuration, at least not from the apachectl -S output. :thinking:

However, you said you're running the latest version of Apache on Ubuntu, while your website answers with:

Server: Apache/2.2.15 (CentOS)

That's weird! Also, usually the HTTP virtualhost on port 80 would redirect from HTTP to HTTPS, but that's not happening either. But when I manually try the HTTPS server on port 443, I'm getting:

Server: Apache/2.4.41 (Ubuntu)

So it seems your HTTP port 80 is on a different server than your HTTPS webserver behind port 443.


I must agree; something is not the same with the two ports.

I can get to port 443, but I'm unable to reach port 80:

curl -Iki http://jgklinux.jankom.net/
curl: (56) Recv failure: Connection reset by peer

curl -Iki https://jgklinux.jankom.net/
HTTP/1.1 200 OK
Date: Thu, 22 Jul 2021 20:02:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Thu, 10 Dec 2020 19:56:09 GMT
ETag: "a6a-5b621912785dd"
Accept-Ranges: bytes
Content-Length: 2666
Vary: Accept-Encoding
Content-Type: text/html

Yep, port 80 is down right now, while it was working fine earlier. I guess @jankom is working on it :slight_smile:


@Osiris @rg305 yes, port 80 was forwarded to another server connecting to jgklinux.jankom.net via VPN to serve a simple HTTP site. But yes, I removed the port forwarding with iptables. I don't understand why it is not accessible. Here is my iptables -S command output.

gellert@jgklinux:~$ sudo iptables -S
[sudo] password for gellert:
-A FORWARD -d -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d -p tcp -m tcp --dport 587 -j ACCEPT

Ports 110 and 587 are for my mailserver on that other machine

I thought iptables changes take effect immediately, I did not reboot..

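The two checks that cracked this thread (the Server header on port 80 not matching the one on port 443, and iptables rules sending tcp/80 to another machine) can be scripted as a pre-renewal sanity check. The script below is an added example written for this thread, not code from certbot or from anyone posting here. It works on captured text rather than live connections: feed it the raw output of `curl -Iki` for both ports and the output of `iptables -S` (plus `iptables -t nat -S`, since `-S` alone only prints the filter table). The sample inputs are constructed from the thread; the 10.8.0.2 VPN address is a made-up placeholder for the stripped destination in the poster's rules. The point it demonstrates: the certbot apache authenticator writes the http-01 response into the local Apache, so whichever host actually answers port 80 for the name must be the host running certbot.

```python
"""Pre-renewal check for http-01 with the certbot apache plugin (added example).

Findings are returned as strings so the function can be used from a cron
wrapper or a test; nothing here talks to the network."""
import re
from typing import List, Optional

# Constructed sample inputs, modelled on the thread (not live captures).
HTTP_80_HEADERS = (
    "HTTP/1.1 200 OK\n"
    "Server: Apache/2.2.15 (CentOS)\n"
    "Content-Type: text/html\n"
)
HTTPS_443_HEADERS = (
    "HTTP/1.1 200 OK\n"
    "Date: Thu, 22 Jul 2021 20:02:45 GMT\n"
    "Server: Apache/2.4.41 (Ubuntu)\n"
    "Content-Type: text/html\n"
)
# What curl prints when port 80 is blocked/reset: no header block at all.
HTTP_80_RESET = "curl: (56) Recv failure: Connection reset by peer\n"
# filter table (iptables -S) followed by nat table (iptables -t nat -S).
IPTABLES_DUMP = (
    "-P INPUT ACCEPT\n"
    "-P FORWARD ACCEPT\n"
    "-P OUTPUT ACCEPT\n"
    "-A FORWARD -d 10.8.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT\n"
    "-A FORWARD -d 10.8.0.2/32 -p tcp -m tcp --dport 110 -j ACCEPT\n"
    "-A FORWARD -d 10.8.0.2/32 -p tcp -m tcp --dport 587 -j ACCEPT\n"
    "-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.8.0.2:80\n"
)


def server_header(raw_headers: str) -> Optional[str]:
    """Value of the Server header in a raw HTTP response, or None if absent.

    A curl error line ("curl: (56) ...") has no Server header, so a reset or
    refused port 80 also comes back as None."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def port80_diverted(iptables_dump: str) -> List[str]:
    """Rules that can send tcp/80 somewhere other than the local Apache.

    Flags FORWARD or PREROUTING rules matching --dport 80, and any DNAT or
    REDIRECT target on port 80. Other forwarded ports (110, 587 in the
    thread) are left alone because they do not affect http-01."""
    hits = []
    for line in iptables_dump.splitlines():
        line = line.strip()
        if not line.startswith("-A") or not re.search(r"--dport\s+80\b", line):
            continue
        if re.search(r"-A (FORWARD|PREROUTING)\b", line) or re.search(r"-j (DNAT|REDIRECT)\b", line):
            hits.append(line)
    return hits


def diagnose(http_headers: str, https_headers: str, iptables_dump: str) -> List[str]:
    """Combine both checks into a list of human-readable findings (empty = OK)."""
    findings = []
    on_80 = server_header(http_headers)
    on_443 = server_header(https_headers)
    if on_80 is None:
        findings.append("port 80 returned no HTTP headers: blocked, reset or not listening, "
                        "so the http-01 request from Let's Encrypt cannot reach this Apache")
    elif on_80 != on_443:
        findings.append(f"Server header differs: :80 says {on_80!r}, :443 says {on_443!r}; "
                        "port 80 is likely served by a different host than the one running certbot")
    for rule in port80_diverted(iptables_dump):
        findings.append(f"iptables rule diverts tcp/80 away from this host: {rule}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(HTTP_80_HEADERS, HTTPS_443_HEADERS, IPTABLES_DUMP):
        print("FINDING:", finding)
```

Run it once with the captured headers and rule dump before `certbot renew`; an empty result means port 80 and port 443 are answered by the same server and no rule is redirecting port 80, which is the precondition the apache authenticator needs. To feed it real output, capture with `curl -Iki http://DOMAIN/ > h80.txt 2>&1` and `sudo sh -c 'iptables -S; iptables -t nat -S' > rules.txt`, then read those files in place of the constants.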

@rg305 @Osiris - problem solved, certificate renewed. Thank you guys for your quick help and inspiration. The issue was: my iptables was all messed up. Yes, I did not change apache configuration but about a month ago I tinkered with iptables. Lesson learned.
Please, mark it as solved. I'm new so I'm not sure how to check the box "solution".
