Certbot renew keeps failing, I can't figure out why it works only sometimes

Hello,
I've taken over the site from someone else who made it and do not really know where to start. I've looked up many guides and nothing seems to work when I try to fix it. It's set up to auto-renew but is not auto-renewing; normally each renewal takes at least a few days to work, but then all of a sudden it works, and it doesn't seem to have a pattern. I really need to find the root cause of this and appreciate all assistance. Please explain if you are able; this is not something I know much about.

I ran this command: certbot renew

It produced this output:
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for rgicloud.com
Performing the following challenges:
http-01 challenge for rgicloud.com
Using the webroot path /ubos/http/wellknown/s6e5a3f2776d044f895dadccc6914a1a90ec82c42 for all unmatched domains.
Waiting for verification...
Challenge failed for domain rgicloud.com
http-01 challenge for rgicloud.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: rgicloud.com
Type: unauthorized
Detail: During secondary validation: 23.244.67.28: Invalid response from http://rgicloud.com/.well-known/acme-challenge/NyOg08790B6Qj15VUb_pV-Y2tt5N7BOQyYge1e1XTz8: 403

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate rgicloud.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/rgicloud.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Well, it looks like your system is sometimes returning a 403 (Forbidden) response to Let's Encrypt's checks. Or really in general. I tried an online tool that tries to connect from many places around the world, and from some places it worked and from some places it didn't.

So I'm guessing that you have some sort of firewall which is intentionally blocking things that it thinks are an "attack" (or at least unexpected), which includes Let's Encrypt's attempts to validate that you have control over the domain name. Let's Encrypt needs to check from multiple places around the world, to make sure that you actually control the name as seen from everywhere in the world. This FAQ might help with explaining why:

So you need to figure out what is (sometimes) returning that 403, and configure it to allow traffic that you want, such as the validation attempts from Let's Encrypt.

4 Likes

Thank you, I will look into this and see if it fixes the problem.

3 Likes

I think Peter made a good suggestion. The Let's Debug site that we also often use shows the text of the 403 as "Reason: Threat reputation No reputation". Maybe this helps isolate exactly what on your system is issuing those 403s.

4 Likes
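Both replies above come down to the same task: find out what answers a fetch of `/.well-known/acme-challenge/<token>` with a 403 before certbot runs again. The script below is an added example, not code from any poster, from Certbot or from Let's Debug. It repeats what the webroot plugin does (drop a token file under the webroot) and what the CA does (fetch it over HTTP), then classifies the answer. Assumptions: the Let's Encrypt User-Agent string is the one commonly seen in access logs, not something stated in this thread; `WafLikeHandler` is a constructed stand-in for a reputation filter that rejects the CA's client but not a browser, so the demo runs entirely on loopback. Pointing `check_webroot` at the real webroot path and `http://rgicloud.com` from an outside host reproduces the CA's view; comparing the verdict per user agent is what tells a blanket misconfiguration (every client gets 403/404) apart from a filter that singles out the validator.

```python
"""Reproduce the CA's HTTP-01 fetch against a webroot, locally, to see what answers."""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# User-Agent that Let's Encrypt's validators send (assumption: taken from the
# string commonly seen in web server access logs, not from this thread).
LE_USER_AGENT = ("Mozilla/5.0 (compatible; Let's Encrypt validation server; "
                 "+https://www.letsencrypt.org)")
OTHER_USER_AGENT = "curl/8.0"  # an ordinary client, for comparison


def place_token(webroot):
    """Drop a random token file where certbot's webroot plugin would put one."""
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)  # certbot writes token.thumbprint; reachability only needs the token
    return token, path


def fetch_challenge(base_url, token, user_agent, timeout=10):
    """GET the challenge URL the way the CA does; return (HTTP status, body)."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:   # 403/404/5xx still carry a body
        return err.code, err.read().decode(errors="replace")
    except urllib.error.URLError as err:    # refused, timeout, DNS failure
        return 0, str(err.reason)


def diagnose(status, body, token):
    """Map what came back to the usual webroot failure modes."""
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 403:
        return "forbidden: a rule in front of the webroot (WAF, reputation filter, deny directive) rejected the fetch"
    if status == 404:
        return "not-found: the -w path is not this vhost's document root"
    if status == 200:
        return "wrong-body: URL answers but with other content (rewrite or redirect swallowing the path)"
    return f"unexpected: HTTP {status} {body[:80]!r}"


def check_webroot(webroot, base_url, user_agents=(LE_USER_AGENT, OTHER_USER_AGENT)):
    """Place a token, fetch it with each user agent, clean up, return a verdict per agent."""
    token, path = place_token(webroot)
    try:
        return {ua: diagnose(*fetch_challenge(base_url, token, ua), token) for ua in user_agents}
    finally:
        os.remove(path)


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output readable
        pass


class WafLikeHandler(QuietHandler):
    """Constructed stand-in for a reputation filter: 403 for the CA's client, files for everyone else."""
    def do_GET(self):
        if "Let's Encrypt" in self.headers.get("User-Agent", ""):
            self.send_error(403, "Forbidden")
            return
        super().do_GET()


def serve_dir(directory, handler_cls):
    """Serve `directory` on a random loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), partial(handler_cls, directory=directory))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo_results():
    """Run the check against a clean local vhost and against the WAF-like one (both constructed)."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        for label, handler in (("plain", QuietHandler), ("waf", WafLikeHandler)):
            server, base = serve_dir(webroot, handler)
            try:
                results[label] = check_webroot(webroot, base)
            finally:
                server.shutdown()
                server.server_close()
    return results


if __name__ == "__main__":
    for label, verdicts in demo_results().items():
        for ua, verdict in verdicts.items():
            print(f"[{label:5}] {ua.split(' ')[0]:<12} {verdict}")
    # Against the real site, run from an outside host:
    # check_webroot("/ubos/http/wellknown/s6e5a3f2776d044f895dadccc6914a1a90ec82c42", "http://rgicloud.com")
```

The "plain" run reports `ok` for both agents; the "waf" run reports `ok` for the ordinary client and `forbidden` for the validator's agent, which is the same split the poster sees: the site works in a browser while the CA's fetch gets a 403. Run it several times, and from more than one network, since the real filter in this thread answers inconsistently; a run that flips between `ok` and `forbidden` with no change on the server points at an upstream reputation or rate rule rather than the vhost configuration.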