Certbot cert renewal

My domain is: vmln-1.shroyerco.com
I ran this command: certbot renew --cert-name vmln-1.shroyerco.com -i apache --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/vmln-1.shroyerco.com.conf


Simulating renewal of an existing certificate for vmln-1.shroyerco.com and www.vmln-1.shroyerco.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.vmln-1.shroyerco.com
Type: connection
Detail: 132.147.1.135: Fetching http://www.vmln-1.shroyerco.com/.well-known/acme-challenge/OUywTv7Q9D0JeRYbTcKv5HOAKadoeKFytQLxcLR6iHY: Error getting validation data

Domain: vmln-1.shroyerco.com
Type: connection
Detail: 132.147.1.135: Fetching http://vmln-1.shroyerco.com/.well-known/acme-challenge/J4ZpROAlpGnPwjzk6fjAjC-etj5OQI18L8pkCKNOfF4: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate vmln-1.shroyerco.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/vmln-1.shroyerco.com/fullchain.pem (failure)


My web server is (include version):
httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 16 2020 16:18:20

The operating system my web server runs on is (include version):
Centos 7

My hosting provider, if applicable, is:

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): more info
I have 3 websites using Let's Encrypt certificates.

/usr/bin/certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: bossdatacenters.com
Serial Number: 4d2f809d6c0de41fc55ff00529fc46c8196
Key Type: RSA
Domains: bossdatacenters.com www.bossdatacenters.com
Expiry Date: 2023-01-08 12:47:14+00:00 (VALID: 61 days)
Certificate Path: /etc/letsencrypt/live/bossdatacenters.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bossdatacenters.com/privkey.pem

Certificate Name: vmln-1.shroyerco.com
Serial Number: 49a83e945651d034350c8f89b3925e94f16
Key Type: RSA
Domains: vmln-1.shroyerco.com www.vmln-1.shroyerco.com
Expiry Date: 2022-11-29 14:55:06+00:00 (VALID: 21 days)
Certificate Path: /etc/letsencrypt/live/vmln-1.shroyerco.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/vmln-1.shroyerco.com/privkey.pem

Certificate Name: www.shroyerelectric.com
Serial Number: 3f8b5809b29d8faba921873efc9704ee243
Key Type: RSA
Domains: www.shroyerelectric.com shroyerelectric.com
Expiry Date: 2022-11-30 10:23:04+00:00 (VALID: 22 days)
Certificate Path: /etc/letsencrypt/live/www.shroyerelectric.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.shroyerelectric.com/privkey.pem


vmln-1.shroyerco.com & www.shroyerelectric.com will not renew
bossdatacenters.com works?

dig +short a vmln-1.shroyerco.com
132.147.1.135

dig +short a www.vmln-1.shroyerco.com
132.147.1.135

dig +short a bossdatacenters.com
132.147.1.137

dig +short a www.bossdatacenters.com
bossdatacenters.com.
132.147.1.137

curl -I vmln-1.shroyerco.com
HTTP/1.1 302 Found
Date: Mon, 07 Nov 2022 18:18:17 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_fcgid/2.3.9 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 PHP/7.3.29
X-Powered-By: PHP/7.3.29
Set-Cookie: PHPSESSID=6c30bec241d42fff15aa7ca23678e45d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /auth/logout.php
Content-Type: text/html; charset=UTF-8

sudo apachectl -S
VirtualHost configuration:
10.168.1.149:80 vmln-1.shroyerco.com (/etc/httpd/conf.d/domain.com.conf:9)
10.168.1.149:443 vmln-1.shroyerco.com (/etc/httpd/conf.d/ssl.conf:60)
10.168.1.102:443 www.bossdatacenters.com (/etc/httpd/conf.d/domain.com-le-ssl.conf:14)
10.168.1.102:80 www.bossdatacenters.com (/etc/httpd/conf.d/domain.com.conf:14)
10.168.1.126:443 www.shroyerelectric.com (/etc/httpd/conf.d/domain.com-le-ssl.conf:2)
10.168.1.126:80 www.shroyerelectric.com (/etc/httpd/conf.d/domain.com.conf:1)
*:8443 10.168.1.149 (/etc/httpd/conf.d/nss.conf:84)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/home/shroyerco/www/"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="shroyerco" id=1010
Group: name="shroyerco" id=1010

bossdatacenters.com works

certbot renew --cert-name bossdatacenters.com -i apache --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/bossdatacenters.com.conf


Simulating renewal of an existing certificate for bossdatacenters.com and www.bossdatacenters.com


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/bossdatacenters.com/fullchain.pem (success)


certbot renew --cert-name vmln-1.shroyerco.com -i apache --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/vmln-1.shroyerco.com.conf


It was working the past few months then the domain vmln-1.shroyerco.com stopped renewing.

Thanks for any help.

1 Like

Not for me:

$ curl -i http://www.vmln-1.shroyerco.com
curl: (7) Failed to connect to www.vmln-1.shroyerco.com port 80 after 30925 ms: Network is down

That "network is down" error is probably why Let's Encrypt is reporting the fallback "Error getting validation data".

Similar result from Let's Debug:

4 Likes

curl -i vmln-1.shroyerco.com works.

curl -i www.vmln-1.shroyerco.com does not, so I have to get it working with the www.

Thanks for the reply.

1 Like

I think I have this working now, and I still cannot renew the cert. I'm getting the same error?

curl -i www.vmln-1.shroyerco.com
HTTP/1.1 302 Found
Date: Mon, 07 Nov 2022 19:56:19 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_gssapi/1.5.1 mod_fcgid/2.3.9 mod_nss/1.0.14 NSS/3.28.4 mod_wsgi/3.4 Python/2.7.5 PHP/7.3.29
X-Powered-By: PHP/7.3.29
Set-Cookie: PHPSESSID=8295db95c95584a9a100d7e835af7705; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: /auth/logout.php
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Thanks for any help.

1 Like

It doesn't work for me, and same result from Let's Debug for that domain.

Are you trying these requests from outside of your local network?

3 Likes
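The two checks the replies above keep coming back to, reaching each hostname on port 80 and doing it from outside the local network, can be scripted as a pre-flight check before running `certbot renew`. The example below is added for this thread and is not Certbot's or Let's Encrypt's own code. It reads the `Domains:` lines from `certbot certificates` output, requests a placeholder token under `/.well-known/acme-challenge/` for every hostname without following redirects, and classifies the outcome the way a failed HTTP-01 validation would read: nothing answering (the "Type: connection" case in the original post), a redirect that sends the challenge path somewhere else, or a normal HTTP answer (a 404 for an unknown token means the vhost is reachable and would serve a real token). The network fetcher is injected so the same logic runs offline here against constructed `.test` hostnames and constructed responses; the `http_probe` function does real requests when you pass hostnames on the command line from a machine outside the LAN.

```python
"""ACME HTTP-01 reachability pre-check (added example, not Certbot's code)."""
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

CHALLENGE_PATH = "/.well-known/acme-challenge/"
PROBE_TOKEN = "probe-token-not-a-real-challenge"  # constructed placeholder token


@dataclass
class Probe:
    status: int          # HTTP status code, or 0 when no response was received
    location: str = ""   # Location header of a 3xx answer, else ""
    error: str = ""      # DNS/transport error text when status == 0, else ""


def domains_from_certbot(output: str) -> Dict[str, List[str]]:
    """Parse `certbot certificates` output into {certificate name: [hostnames]}."""
    certs: Dict[str, List[str]] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            certs[current] = []
        elif line.startswith("Domains:") and current is not None:
            certs[current] = line.split(":", 1)[1].split()
    return certs


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; urllib then raises HTTPError for the 3xx


def http_probe(host: str, timeout: float = 10.0) -> Probe:
    """Real fetcher: one plain-HTTP GET of the challenge path on port 80."""
    url = f"http://{host}{CHALLENGE_PATH}{PROBE_TOKEN}"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return Probe(status=resp.status)
    except urllib.error.HTTPError as e:  # any non-2xx answer, including 3xx and 404
        return Probe(status=e.code, location=e.headers.get("Location", "") or "")
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return Probe(status=0, error=str(e))


def classify(probe: Probe) -> str:
    """Turn a probe into the kind of finding a failed validation would report."""
    if probe.status == 0:
        # DNS failure or nothing listening/reachable on port 80: the CA can only
        # report a connection-type failure, as in the thread's output.
        return "unreachable: " + probe.error
    if 300 <= probe.status < 400:
        # A redirect is acceptable only if it keeps the challenge path; sending
        # the challenge to a login page or another site never serves the token.
        kind = "redirect-on-path" if CHALLENGE_PATH in probe.location else "redirect-off-path"
        return f"{kind}: {probe.location}"
    if probe.status == 404:
        return "ok (404 for unknown token)"  # vhost reachable, path served normally
    return f"http {probe.status}"


def check_certificate(hosts: List[str], fetch: Callable[[str], Probe] = http_probe) -> Dict[str, str]:
    return {host: classify(fetch(host)) for host in hosts}


# --- constructed sample data so the example runs offline --------------------
SAMPLE_CERTBOT_OUTPUT = """
Found the following certs:
  Certificate Name: example-site.test
    Domains: example-site.test www.example-site.test
  Certificate Name: other-site.test
    Domains: other-site.test www.other-site.test
"""

# Constructed responses shaped like the thread: bare host answers port 80 with a
# 302 to a login page, the www host never answers, the other site is normal.
_FAKE_RESULTS = {
    "example-site.test": Probe(status=302, location="/auth/logout.php"),
    "www.example-site.test": Probe(status=0, error="[Errno 101] Network is unreachable"),
    "other-site.test": Probe(status=404),
    "www.other-site.test": Probe(status=404),
}


def fake_probe(host: str) -> Probe:
    return _FAKE_RESULTS.get(host, Probe(status=0, error="name not resolved"))


def run_sample() -> Dict[str, Dict[str, str]]:
    certs = domains_from_certbot(SAMPLE_CERTBOT_OUTPUT)
    return {name: check_certificate(hosts, fake_probe) for name, hosts in certs.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real probes: python3 acme_precheck.py host1 host2 ...
        for host, verdict in check_certificate(sys.argv[1:]).items():
            print(f"{host:40} {verdict}")
    else:
        for name, results in run_sample().items():
            for host, verdict in results.items():
                print(f"{name:25} {host:30} {verdict}")
```

Run it with the hostnames from your own `Domains:` lines from a host outside your network (a VPS, a phone off Wi-Fi, or a friend's machine); any line that does not read `ok` or `redirect-on-path` is something the CA will also hit, and the classification tells you whether to look at DNS and firewalling ("unreachable") or at the vhost's redirect rules ("redirect-off-path") before trying the renewal again.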

From inside, so I will have to start testing this from outside.
Thanks.

2 Likes