Certbot renewal errors yet it still works

I'm using OpenSuse LEAP 15.4 with an Apache webserver. Certbot is working but I am getting some curious errors. Even though it says it failed, the certificate seems to be renewed as the browser displays the website correctly.

The errors are a bit confusing as it shows failed then later succeeded. Should these errors be fixed or should I ignore them?

safeandtacticalfirearmstraining:/run/media/geno/Data/Library/Reference/Technical/Computing/Software - Linux/OpenSuse/Let's Encrypt renewal # certbot -v renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/stft.ddns.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for stft.ddns.net
Performing the following challenges:
http-01 challenge for stft.ddns.net
Waiting for verification...
Cleaning up challenges
Reloading apache server after certificate renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.safeandtacticalfirearmstraining.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for www.safeandtacticalfirearmstraining.com and safeandtacticalfirearmstraining.com
Performing the following challenges:
http-01 challenge for safeandtacticalfirearmstraining.com
http-01 challenge for www.safeandtacticalfirearmstraining.com
Waiting for verification...

Challenge failed for domain safeandtacticalfirearmstraining.com
Challenge failed for domain www.safeandtacticalfirearmstraining.com
http-01 challenge for safeandtacticalfirearmstraining.com
http-01 challenge for www.safeandtacticalfirearmstraining.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: safeandtacticalfirearmstraining.com
  Type:   unauthorized
  Detail: 3.33.251.168: Invalid response from http://safeandtacticalfirearmstraining.com/.well-known/acme-challenge/l7PsJf7tWmFeVtItoco4PL7H6Rqr2S63IjgHdPN1Hf8: 403

  Domain: www.safeandtacticalfirearmstraining.com
  Type:   unauthorized
  Detail: 3.33.251.168: Invalid response from http://www.safeandtacticalfirearmstraining.com/.well-known/acme-challenge/h34FM8vICtxP_COVhVX1wMZ7a20L0nxWy4px2k7EG3c: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate www.safeandtacticalfirearmstraining.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following renewals succeeded:
  /etc/letsencrypt/live/stft.ddns.net/fullchain.pem (success)

The following renewals failed:
  /etc/letsencrypt/live/www.safeandtacticalfirearmstraining.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

safeandtacticalfirearmstraining.com and its www version are using a GoDaddy certificate that's valid until March 2026, but you likely didn't see that because it's 301 redirected to the ddns domain.

2 Likes

Yeah, you should delete the unused Let's Encrypt cert for your long name. But, first we need to make sure you aren't referencing that cert in your Apache server.

Your long domain name is not handled in your Apache. As noted above and in your previous thread it is handled by a GoDaddy redirect service.

But, your Apache might still be referencing that cert file.

If you show the output of this, we can clean this up.

apachectl -t -D DUMP_VHOSTS

2 Likes

apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:80 www.safeandtacticalfirearmstraining.com (/etc/apache2/vhosts.d/STFT-vhost.conf:17)
*:443 www.safeandtacticalfirearmstraining.com (/etc/apache2/vhosts.d/STFT-vhost.conf:58)

Great, now please show the contents of the above file.

Or at least all the lines that start with SSLCertificate (probably just two)

2 Likes
<VirtualHost _default_:80>

        #  General setup for the virtual host
        DocumentRoot "/srv/www/htdocs/STFT"
        ServerName www.safeandtacticalfirearmstraining.com
        ServerAlias safeandtacticalfirearmstraining.com
        ServerAdmin geno11x11@gmail.com
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine off

        #   OCSP Stapling:
        #   Enable/Disable OCSP for this virtual host.
        SSLUseStapling  off

        #   You can use per vhost certificates if SNI is supported.

        #   Per-Server Logging:
        #   The home of a custom SSL log file. Use this when you want a
        #   compact non-error SSL logfile on a virtual host basis.
        CustomLog /var/log/apache2/ssl_request_log   ssl_combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =safeandtacticalfirearmstraining.com [OR]
RewriteCond %{SERVER_NAME} =www.safeandtacticalfirearmstraining.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##
#Listen 80
#Listen 443

<VirtualHost _default_:443>

        #  General setup for the virtual host
        DocumentRoot "/srv/www/htdocs/STFT"
        ServerName www.safeandtacticalfirearmstraining.com
        ServerAlias safeandtacticalfirearmstraining.com
        ServerAdmin geno11x11@gmail.com
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   OCSP Stapling:
        #   Enable/Disable OCSP for this virtual host.
        #   SSLUseStapling  on

        #   You can use per vhost certificates if SNI is supported.

        #   Per-Server Logging:
        #   The home of a custom SSL log file. Use this when you want a
        #   compact non-error SSL logfile on a virtual host basis.
        CustomLog /var/log/apache2/ssl_request_log ssl_combined

        Include /etc/letsencrypt/options-ssl-apache.conf
        ServerAlias stft.ddns.net
        SSLCertificateFile /etc/letsencrypt/live/stft.ddns.net/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/stft.ddns.net/privkey.pem
</VirtualHost>

</IfDefine>
</IfDefine>

Okay good. That confirms you are only using that one certificate.

You can delete the other. In fact, you should.

sudo certbot delete --cert-name www.safeandtacticalfirearmstraining.com

Your auto-renew will run without errors. And you won't waste resources trying to renew something that will never succeed.

5 Likes
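The check the thread does by hand (DUMP_VHOSTS, then reading the SSLCertificate lines of the vhost file) can be scripted so that stale lineages are found before a renewal starts failing. The following is an added example, not code from the thread or from Certbot: a POSIX shell function that lists every lineage under Certbot's live directory that no active SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile directive under the Apache config directory references. Commented-out directives are ignored, and the README file that real installs keep in the live directory is skipped. The function names and the demo directory tree are constructed for this example; the demo mirrors the two lineages and the vhost from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find Certbot lineages that Apache does not use,
# so they can be removed with `certbot delete --cert-name NAME` instead of failing renewal.

# find_unreferenced_lineages LIVE_DIR APACHE_CONF_DIR
# Prints one lineage name per line whose /live/NAME/ path appears in no active
# SSLCertificate*File directive under APACHE_CONF_DIR (searched recursively).
find_unreferenced_lineages() {
    live_dir=$1
    conf_dir=$2
    for d in "$live_dir"/*/; do
        [ -d "$d" ] || continue            # skips the README file Certbot leaves in live/
        name=$(basename "$d")
        # Only uncommented directives count; a '#' in front of the line is not a reference.
        if grep -rhE '^[[:space:]]*SSLCertificate(Key|Chain)?File' "$conf_dir" 2>/dev/null \
            | grep -q "/live/$name/"; then
            continue
        fi
        printf '%s\n' "$name"
    done
}

# make_demo_tree ROOT
# Builds a constructed layout resembling the thread: two lineages, one vhost that
# references only stft.ddns.net (plus a commented-out line for the long name).
make_demo_tree() {
    root=$1
    mkdir -p "$root/letsencrypt/live/stft.ddns.net" \
             "$root/letsencrypt/live/www.safeandtacticalfirearmstraining.com" \
             "$root/apache2/vhosts.d"
    : > "$root/letsencrypt/live/README"
    cat > "$root/apache2/vhosts.d/STFT-vhost.conf" <<'EOF'
<VirtualHost _default_:443>
        ServerName www.safeandtacticalfirearmstraining.com
        ServerAlias stft.ddns.net
        SSLEngine on
        # SSLCertificateFile /etc/letsencrypt/live/www.safeandtacticalfirearmstraining.com/fullchain.pem
        SSLCertificateFile /etc/letsencrypt/live/stft.ddns.net/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/stft.ddns.net/privkey.pem
</VirtualHost>
EOF
}

# Offline dry run on the constructed tree; prints the lineage Apache never loads.
demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
echo "Unreferenced lineages in constructed demo tree:"
find_unreferenced_lineages "$demo_root/letsencrypt/live" "$demo_root/apache2"
rm -rf "$demo_root"
```

On a real host the call is `find_unreferenced_lineages /etc/letsencrypt/live /etc/apache2` (run as root, since the live directory is not world-readable). A lineage it prints is a candidate for `certbot delete`, but confirm first that no non-Apache service (mail, a reverse proxy) loads the same files, because the search only covers Apache directives.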