Certbot renew was working, now gives "Error getting validation data"

This setup has been working for many months, actually several years, and all of a sudden this one domain has stopped working. I have two others in the same configuration that renew without issue. I have verified that the /.well-known/acme-challenge directory is writable by the certbot process, and readable via web browser on a remote host. Looking at the certbot log file, it appears to successfully write and remove the challenge file.

My domain is: www.gardnerfabrications.com

I ran this command: certbot renew -v

It produced this output:

Saving debug log to /opt/local/var/log/letsencrypt/letsencrypt.log
Cannot extract OCSP URI from /opt/local/etc/letsencrypt/archive/kim.kairosnet.com/cert18.pem
Cannot extract OCSP URI from /opt/local/etc/letsencrypt/archive/www.brazoslink.net/cert22.pem
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for www.gardnerfabrications.com
Waiting for verification...
Challenge failed for domain www.gardnerfabrications.com
http-01 challenge for www.gardnerfabrications.com
Cleaning up challenges
Failed to renew certificate www.gardnerfabrications.com with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /opt/local/etc/letsencrypt/live/www.gardnerfabrications.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /opt/local/var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.55 (so shoot me)

The operating system my web server runs on is (include version): macOS 10.13.6 (again, so shoot me)

My hosting provider, if applicable, is: Texas Communications

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.2.0

Debug log contents (let me know if you need more -- I cut out a good bit because I wasn't sure about the security ramifications of the "protected" and "signature" data blocks):

2025-09-04 14:13:02,895:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/357089530/578788394471 HTTP/1.1" 200 1431
2025-09-04 14:13:02,896:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 04 Sep 2025 19:13:02 GMT
Content-Type: application/json
Content-Length: 1431
Connection: keep-alive
Boulder-Requester: 357089530
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: znbRssP_1Ys_mvkvK-aNhJQY6iIINO3mI9D8RYbsCPzLHWRm2JA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.gardnerfabrications.com"
  },
  "status": "invalid",
  "expires": "2025-09-11T19:13:01Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/357089530/578788394471/hEWaHQ",
      "status": "invalid",
      "validated": "2025-09-04T19:13:01Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "69.39.49.199: Fetching https://www.gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I: Error getting validation data",
        "status": 400
      },
      "token": "Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I",
      "validationRecord": [
        {
          "url": "http://www.gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I",
          "hostname": "www.gardnerfabrications.com",
          "port": "80",
          "addressesResolved": [
            "69.39.49.199"
          ],
          "addressUsed": "69.39.49.199"
        },
        {
          "url": "https://www.gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I",
          "hostname": "www.gardnerfabrications.com",
          "port": "443",
          "addressesResolved": [
            "69.39.49.199"
          ],
          "addressUsed": "69.39.49.199"
        }
      ]
    }
  ]
}
2025-09-04 14:13:02,896:DEBUG:acme.client:Storing nonce: znbRssP_1Ys_mvkvK-aNhJQY6iIINO3mI9D8RYbsCPzLHWRm2JA
2025-09-04 14:13:02,896:INFO:certbot._internal.auth_handler:Challenge failed for domain www.gardnerfabrications.com
2025-09-04 14:13:02,897:INFO:certbot._internal.auth_handler:http-01 challenge for www.gardnerfabrications.com
2025-09-04 14:13:02,897:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: www.gardnerfabrications.com
  Type:   connection
  Detail: 69.39.49.199: Fetching https://www.gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2025-09-04 14:13:02,899:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-09-04 14:13:02,899:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-09-04 14:13:02,899:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-09-04 14:13:02,899:DEBUG:certbot._internal.plugins.webroot:Removing /Data/Websites/gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I
2025-09-04 14:13:02,899:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2025-09-04 14:13:02,900:ERROR:certbot._internal.renewal:Failed to renew certificate www.gardnerfabrications.com with error: Some challenges have failed.
2025-09-04 14:13:02,904:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/renewal.py", line 667, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
    ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/main.py", line 1535, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
    ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/renewal.py", line 520, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/client.py", line 430, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/client.py", line 508, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
    ~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-09-04 14:13:02,907:DEBUG:certbot._internal.display.obj:Notifying user:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-09-04 14:13:02,907:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2025-09-04 14:13:02,907:DEBUG:certbot._internal.display.obj:Notifying user:   /opt/local/etc/letsencrypt/live/kim.kairosnet.com/fullchain.pem expires on 2025-12-03 (skipped)
  /opt/local/etc/letsencrypt/live/www.brazoslink.net/fullchain.pem expires on 2025-10-09 (skipped)
2025-09-04 14:13:02,907:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2025-09-04 14:13:02,908:ERROR:certbot._internal.renewal:  /opt/local/etc/letsencrypt/live/www.gardnerfabrications.com/fullchain.pem (failure)
2025-09-04 14:13:02,908:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2025-09-04 14:13:02,908:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/local/bin/certbot", line 8, in <module>
    sys.exit(main())
             ~~~~^^
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ~~~~~~~~~~~~~~~~~~^^^^^^^^^^
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/main.py", line 1877, in main
    return config.func(config, plugins)
           ~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/main.py", line 1623, in renew
    renewal.handle_renewal_request(config)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "/opt/local/Library/Frameworks/Python.framework/Versions/3.13/lib/python3.13/site-packages/certbot/_internal/renewal.py", line 697, in handle_renewal_request
    raise errors.Error(
        f"{len(renew_failures)} renew failure(s), {len(parse_failures)} parse failure(s)")
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
2025-09-04 14:13:02,910:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

Has anything changed?

2 Likes

No significant changes on the server at all, other than normal updates (macports etc.). No file path changes, for sure. The other two domains are still renewing. That's what has me scratching my head.

Welcome Back to the Let's Encrypt Community! 🙂

More than likely, the validation file is unreachable.

See this related topic:

2 Likes

I'd rather not shoot you...
But that's very likely where the problem exists.

2 Likes
2 Likes

I hear you, but two of the three domains are still working just fine.

1 Like

Start by showing (whichever works):

sudo apachectl -t -D DUMP_VHOSTS
sudo httpd -t -D DUMP_VHOSTS
2 Likes

I'm not sure what this test indicates. When I create the "letsdebug-test" file in the acme-challenge directory, that portion of the test succeeds, so the directory is readable from the web. Or, at least from my corner of the web. Can you hit it?

https://www.gardnerfabrications.com/.well-known/acme-challenge/letsdebug-test

I don't get anything from either command, but this is macOS Server, which has its own interesting apache setup.

In the letsencrypt log file, I see these lines that seem to indicate successful writing & removing of the challenge file:

2025-09-04 14:13:01,628:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /Data/Websites/gardnerfabrications.com/.well-known/acme-challenge
2025-09-04 14:13:01,629:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /Data/Websites/gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I
2025-09-04 14:13:01,630:DEBUG:acme.client:JWS payload:
b'{}'
2025-09-04 14:13:01,632:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall/357089530/578788394471/hEWaHQ:
...
2025-09-04 14:13:02,899:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-09-04 14:13:02,899:DEBUG:certbot._internal.plugins.webroot:Removing /Data/Websites/gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I
2025-09-04 14:13:02,899:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up

Is there a flag I can use when calling "certbot renew" that will make it leave the challenge file in place, so I can verify that it's actually being written?

Sort of. Use --debug-challenges -v to confirm it got written to the right place. You could try to get it from afar. But, once you press enter to proceed, Certbot will delete the challenge file per usual.

Also add --cert-name X using just this one name to check just that one

2 Likes

Nope.

1 Like

I think I may have collided with your changes.

Now I'm getting this:

1 Like

That's what you should get.

curl -v https://www.gardnerfabrications.com/.well-known/acme-challenge/letsdebug-test
* Host www.gardnerfabrications.com:443 was resolved.
* IPv6: (none)
* IPv4: 69.39.49.199
*   Trying 69.39.49.199:443...
* Connected to www.gardnerfabrications.com (69.39.49.199) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=www.gardnerfabrications.com
*  start date: Jul  1 05:02:18 2025 GMT
*  expire date: Sep 29 05:02:17 2025 GMT
*  subjectAltName: host "www.gardnerfabrications.com" matched cert's "www.gardnerfabrications.com"
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
* using HTTP/1.x
> GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1
> Host: www.gardnerfabrications.com
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Thu, 04 Sep 2025 20:39:57 GMT
< Server: Apache
< Last-Modified: Thu, 04 Sep 2025 20:07:32 GMT
< ETag: "7-63dff457c6900"
< Accept-Ranges: bytes
< Content-Length: 7
< MS-Author-Via: DAV
<
howdy!
* Connection #0 to host www.gardnerfabrications.com left intact
1 Like

As a note, you should always test HTTP-01 challenges starting from HTTP, not HTTPS, to ensure proper connectivity.

Not this:

https://www.gardnerfabrications.com/.well-known/acme-challenge/letsdebug-test

but this:

http://www.gardnerfabrications.com/.well-known/acme-challenge/letsdebug-test

4 Likes
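To read a validation record the way the replies above suggest (the CA starts at HTTP on port 80 and follows whatever redirect it is given), here is a small added Python helper, not part of this thread or of Certbot, that parses an ACME authorization object like the one in the debug log and reports on which hop the CA gave up. The sample JSON is constructed from the values shown in the log; the function name `explain_http01` is my own.

```python
import json

# Constructed sample modelled on the authorization object in the debug log above
# (same token, addresses and error text; unrelated fields omitted).
AUTHZ_JSON = """{
  "identifier": {"type": "dns", "value": "www.gardnerfabrications.com"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:connection",
              "detail": "69.39.49.199: Fetching https://www.gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I: Error getting validation data",
              "status": 400},
    "token": "Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I",
    "validationRecord": [
      {"url": "http://www.gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I",
       "hostname": "www.gardnerfabrications.com", "port": "80",
       "addressesResolved": ["69.39.49.199"], "addressUsed": "69.39.49.199"},
      {"url": "https://www.gardnerfabrications.com/.well-known/acme-challenge/Tir3eXVaa5SHir4V2C7dJLL19ue_HzwxYiUpLQV8I9I",
       "hostname": "www.gardnerfabrications.com", "port": "443",
       "addressesResolved": ["69.39.49.199"], "addressUsed": "69.39.49.199"}
    ]
  }]
}"""

def explain_http01(authz: dict) -> dict:
    """Summarise the http-01 hop chain the CA followed and where it failed."""
    chall = next(c for c in authz["challenges"] if c["type"] == "http-01")
    # One hop per validationRecord entry: the initial HTTP fetch, then each redirect.
    hops = [{"url": r["url"], "port": r["port"], "ip": r.get("addressUsed"),
             "all_ips": r.get("addressesResolved", [])}
            for r in chall.get("validationRecord", [])]
    err = chall.get("error") or {}
    # error.detail names the URL the CA was fetching when it gave up.
    failed_at = None
    for i, hop in enumerate(hops):
        if hop["url"] in err.get("detail", ""):
            failed_at = i
    return {
        "error_type": err.get("type", "").rsplit(":", 1)[-1] or None,
        "hops": hops,
        "failed_hop": failed_at,
        "redirected_to_https": any(h["url"].startswith("https://") for h in hops),
        "ips_consistent": len({h["ip"] for h in hops}) <= 1,
    }

def summarize_sample() -> dict:
    """Run the parser over the constructed sample (used by the usage below)."""
    return explain_http01(json.loads(AUTHZ_JSON))
```

For the sample this reports hop 0 over HTTP on port 80 succeeding, hop 1 over HTTPS on port 443 as the failed hop with error type `connection`, which is why the replies ask for the HTTP URL to be tested first and the redirect target second.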

I'm back to this again (directly from HTTPS):

1 Like

Sometimes it works and sometimes it doesn't. 🤔

1 Like

Let's reboot the server and try this again. You never know. I've had to reboot my refrigerator to get it to make ice before...

1 Like

Even worse...

Edit: I probably caught your reboot.

1 Like