Certbot Renew failure

Hi all,

Bit new to this. I'm trying to update the SSL cert on my unifi controller.
Currently running Server version: Apache/2.4.41 (Ubuntu)
Server built: 2022-06-14T13:30:55

I run the sudo certbot renew command and get the following output:

```
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for controller.rockfieldit.com
Waiting for verification...
Challenge failed for domain controller.rockfieldit.com
http-01 challenge for controller.rockfieldit.com
Cleaning up challenges
Attempting to renew cert (unificontroller.rockfieldit.com) from /etc/letsencrypt/renewal/controller.rockfieldit.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unificontroller.rockfieldit.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unificontroller.rockfieldit.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
```

The DNS records are all ok and I definitely have the correct IP address.
Any Ideas of what might be going on?

Does your website otherwise work fine?

No, it doesn't. There are no DNS records for that name. Did you remove them?


Yes the site works properly. Just no SSL cert at the moment.

We need your actual domain name.

Otherwise we're completely in the dark and I believe a crystal ball would provide more insight than we can.


Apologies, it may have been redacted; the domain name should be unificontroller.rockfieldit.com

Ok, I see a proper 404 error where it should be.

Do you know what authentication plugin certbot is using? I.e., what command did you run when you first got your certificate? And what webserver is running on your device?


We are running on Server version: Apache/2.4.41 (Ubuntu) Server built: 2022-06-14T13:30:55
Is there a way to check the authentication plugin?

You'd first need to know which plugin is being used.
For that, check the renewal config or the LE log file.


We are using Version 0.40.0

Just following up to see if anyone has a solution?

Can you show contents of this file?

/etc/letsencrypt/renewal/unificontroller.rockfieldit.com.conf

And show result of this

sudo certbot certificates

Contents of configuration file below.

```
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/unificontroller.rockfieldit.com
cert = /etc/letsencrypt/live/unificontroller.rockfieldit.com/cert.pem
privkey = /etc/letsencrypt/live/unificontroller.rockfieldit.com/privkey.pem
chain = /etc/letsencrypt/live/unificontroller.rockfieldit.com/chain.pem
fullchain = /etc/letsencrypt/live/unificontroller.rockfieldit.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = c54953572430bf62707fce3f967499b6
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
```

sudo certbot certificates results.

```
root@unificontroller:~# sudo certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: unificontroller.rockfieldit.com
    Domains: unificontroller.rockfieldit.com
    Expiry Date: 2022-10-12 13:39:06+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/unificontroller.rockfieldit.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/unificontroller.rockfieldit.com/privkey.pem
```

Might be Apache config problem. Can you show result of this

sudo apachectl -t -D DUMP_VHOSTS

OR, your unifi management system is in the way. See these example curls. Normally we see a "Server: Apache" response header, but there is not one from your system. It is possible to configure Apache to not send one, but that is not typical.

```
curl -i  unificontroller.rockfieldit.com
HTTP/1.1 302
Location: /manage
Date: Fri, 21 Oct 2022 15:07:54 GMT
```

(the 404 is expected since Test123 does not exist on your system. Just showing there is no Server: response header)

```
curl -i  unificontroller.rockfieldit.com/.well-known/acme-challenge/Test123
HTTP/1.1 404
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 431
Date: Fri, 21 Oct 2022 15:08:10 GMT
```
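The three checks this thread walks through (which plugin the renewal config names, whether Apache actually has a *:80 virtual host for the name, and what answers a request on the /.well-known/acme-challenge/ path) can be scripted as a pre-flight before running certbot renew. The script below is an added example written for this page, not code posted by anyone in the thread. The function names, the probe path /.well-known/acme-challenge/probe-<pid>, and the two sample header blocks are this example's own constructions; the first sample is modelled on the curl output quoted above (no Server header), the second on a stock Apache 404. Run it with a hostname argument to do a live probe, or with no arguments to see how it classifies the samples.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an HTTP-01 renewal
# that uses certbot's apache authenticator. All function names are this example's own.
set -eu

# Read a certbot renewal config on stdin and print "<authenticator> <installer>".
# A missing key prints "-".
renewal_plugins() {
    awk -F'=' '
        /^[[:space:]]*authenticator[[:space:]]*=/ { a = $2 }
        /^[[:space:]]*installer[[:space:]]*=/     { i = $2 }
        END {
            gsub(/[[:space:]]/, "", a); gsub(/[[:space:]]/, "", i)
            print (a == "" ? "-" : a) " " (i == "" ? "-" : i)
        }'
}

# Read "apachectl -t -D DUMP_VHOSTS" output on stdin; succeed only if a *:80
# virtual host exists for the given name (the apache authenticator edits that vhost
# to answer the challenge, so without one there is nothing for it to modify).
has_port80_vhost() {
    awk -v n="$1" '$1 == "*:80" && $2 == n { found = 1 } END { exit found ? 0 : 1 }'
}

# Read raw response headers (as printed by "curl -D -") of a GET to
# /.well-known/acme-challenge/<probe> on stdin and print one finding per line.
diagnose_headers() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | awk 'NR == 1 && $1 ~ /^HTTP\// { print $2 }')
    server=$(printf '%s\n' "$hdrs" | awk -F': *' 'tolower($1) == "server" { print $2; exit }')
    location=$(printf '%s\n' "$hdrs" | awk -F': *' 'tolower($1) == "location" { print $2; exit }')
    case "$status" in
        404) echo "OK_404 probe token not found, which is expected outside a live challenge" ;;
        301|302|307|308) echo "REDIRECT ${location:--} (Let's Encrypt follows redirects; the target must serve the token)" ;;
        "") echo "NO_STATUS could not parse an HTTP status line" ;;
        *) echo "STATUS $status" ;;
    esac
    if [ -z "$server" ]; then
        echo "NO_SERVER_HEADER port 80 is probably answered by something other than Apache"
    else
        echo "SERVER $server"
    fi
}

# Live probe (needs network; not exercised by the offline samples below).
probe_challenge_path() {
    curl -sS -o /dev/null -D - "http://$1/.well-known/acme-challenge/probe-$$" | diagnose_headers
}

# Constructed samples: the first mimics the headers quoted in the thread
# (no Server header at all); the second is what a default Apache 404 looks like.
SAMPLE_NO_SERVER=$(printf 'HTTP/1.1 404\r\nContent-Type: text/html;charset=utf-8\r\nContent-Language: en\r\nContent-Length: 431\r\nDate: Fri, 21 Oct 2022 15:08:10 GMT\r\n')
SAMPLE_APACHE=$(printf 'HTTP/1.1 404 Not Found\r\nDate: Fri, 21 Oct 2022 15:08:10 GMT\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Type: text/html; charset=iso-8859-1\r\n')

if [ $# -gt 0 ]; then
    probe_challenge_path "$1"
else
    echo "--- sample without Server header"; printf '%s\n' "$SAMPLE_NO_SERVER" | diagnose_headers
    echo "--- sample from Apache";           printf '%s\n' "$SAMPLE_APACHE" | diagnose_headers
fi
```

For the live probe, pipe the renewal config and the DUMP_VHOSTS output through renewal_plugins and has_port80_vhost as well, for example `sudo apachectl -t -D DUMP_VHOSTS | has_port80_vhost unificontroller.rockfieldit.com`. A NO_SERVER_HEADER finding together with a REDIRECT to /manage on the bare host is the pattern the thread is pointing at: the UniFi controller, not Apache, is what the Let's Encrypt validator reaches on port 80, so a challenge file placed by the apache authenticator is never served.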

Results of sudo apachectl -t -D DUMP_VHOSTS

```
root@unificontroller:~# sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 unificontroller.rockfieldit.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 unificontroller.rockfieldit.com (/etc/apache2/sites-enabled/000-default.conf:1)
```

Last week I solved this case with Plesk SSL Let's Encrypt Error - #10 by devahaminapurnama

Now I am trying to issue again with a different server and domain, and I have trouble again. Why is Let's Encrypt looking at IPv6? I am not using any IPv6 on my server, only IPv4.

Could not issue an SSL/TLS certificate for thkforum2022.com
Details

Could not issue a Let's Encrypt SSL/TLS certificate for thkforum2022.com. Authorization for the domain failed.

Details

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/167106839976.

Details:

Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: DNS problem: SERVFAIL looking up A for thkforum2022.com - the domain's nameservers may be malfunctioning; DNS problem: query timed out looking up AAAA for thkforum2022.com

@devahaminapurnama

Please create a new topic with your problem. Yours is not related at all to this thread


Can you show contents of that file? Please add 3 backticks before and after the output to ensure key info is not lost due to formatting. Like
```
contents of file
```


Sorry, my mistake. Already opened in Plesk SSL Let's Encrypt Error - #12 by devahaminapurnama


Please see contents of /etc/apache2/sites-enabled/000-default.conf below.

```
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =unificontroller.rockfieldit.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
```

Contents are incomplete.
