Certbot renew doesnt work , creates this error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: I have many many domains

I ran this command: certbot renew

It produced this output: Detail: Invalid response from https://domain_name/.well-known/acme-challenge/9NRycVGsbGzcHwrguK_qrZ-i8arWsNXbUDx3w3qmL_w []: "\n\n404 Not Found\n\n

Not Found


Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version):
The operating system my web server runs on is (include version):centos 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): I dont know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 1.17.0

Port 80 has been opened , but still same error.

1 Like

Are all the domains failing?

It would really help to know one of the problematic domains, as well as:

  1. The output of httpd -t -D DUMP_VHOSTS and
  2. The VirtualHost .conf file for that domain

The sever running certbot is in a private subnet , could that be an issue , please help me resolve this i have tried almost everything.

1 Like

Taking this domain as an example ... how do you have the networking setup in AWS?

The domain has 3 A records, but it seems that one of the destination webservers is different to the other two:

$ dig +short domain_name | xargs -I{} sh -c 'curl -s -X GET -I --resolve domain_name:80:{} http://domain_name/.well-known/acme-challenge/test.txt | grep -i server'
Server: Apache/2.4.48 (codeit) OpenSSL/1.1.1k PHP/7.4.20
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.4.20
Server: Apache/2.4.48 (codeit) OpenSSL/1.1.1k PHP/7.4.20

This makes me concerned that some of the ACME validation requests are being routed to the wrong server (with a 33% chance).

1 Like

@_az We have a nlb the A records point to this nlb. There are 5 nodes to the target group of this nlb. Also could you give any suggestions on how to resolve this.

1 Like

As I mentioned in my last post, it looks like there are multiple distinct Apache servers responding to requests for domain_name.

If that's the case, then certbot renew (if using --apache) can't succeed, because it will only perform the required steps, at most, on a single one of those Apache servers.

I can't really say more without a detailed description of your setup.

1 Like

@_az Can I use renew with webroot aunthentication . Rather than Apache !

1 Like

Sure, you can try it:

certbot renew --cert-name domain_name \
--webroot -w /path/to/webroot \
1 Like

Did you use the literal text /path/to/webroot instead of replacing that with a directory path to each individual web site's content?

1 Like

ACMEv01 is deprecated and no longer active.

1 Like

I see no errors in the screenshot you posted because you're attempting to renew certificates that are not yet expired.

Please use the following commands to test certificate acquisition:

sudo certbot certonly --webroot -w /var/www/html/domain_name/public_html -d "domain_name" --dry-run

sudo certbot certonly --webroot -w /var/www/html/domain_name/public_html -d "domain_name" --dry-run

1 Like

Out of curiosity, what's the complete output of this:

sudo certbot certonly --apache -d "domain_name" --dry-run

1 Like

@griffin I also changed the renewal.conf for the certificate to add the webroot path and the authenticator still fails with 401 unauthorized .

1 Like

You probably only want to use a renewal configuration file to test if you're sure that the tests for the individual domain names on the certificate associated with that renewal configuration file will authorize correctly.

I want to make something clear before proceeding: the -w parameter works with --webroot, NOT --apache. You might already know this, but since it's a somewhat common mistake, I wanted to be sure.

Please try the following command, being sure to replace the webroot path with the correct path if necessary:

sudo certbot certonly --webroot -w /var/www/html/domain_name/public_html -d "domain_name" --dry-run

1 Like

The 401 Unauthorized is likely from the apache configuration file, an .htaccess file, or the permissions of the webroot directory itself (or the /.well-known/acme-challenge folder structure therein).


1 Like

Glad you found the culprit. :face_with_monocle:

You should now have everything you need to use the webroot authenticator. If you try to combine domain names into one certificate, keep in mind that certbot can accept multiple -w parameters and will associate the most recent -w parameter in the command with all -d parameters to the right of it until another -w is encountered.

For example (webroot authenticator, apache installer):

sudo certbot -a webroot -w /first/webroot/path -d "firstdomain.com,www.firstdomain.com" -w /second/webroot/path -d "seconddomain.com,www.seconddomain.com" -i apache

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.