Certbot renewal failing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: guggsdu.de

I ran this command: sudo certbot renew

It produced this output: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: guggsdu.de
Type: unauthorized
Detail: 92.116.163.189: Invalid response from https://guggsdu.de/.well-known/acme-challenge/sXM40hKw25FZsOgpHnu3Gbm1k7_hdmamMD4Q65gAhfU: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

My web server is (include version): Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version): ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Hi @guggsdu, and welcome to the LE community forum :)

Since you are using Apache, I suggest we start with the output of:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

And when you get a chance...
You should remove the apt version of certbot and follow the recommended installation instructions:
Certbot Instructions | Certbot (eff.org)
[installation for ubuntu 22 works same as ubuntu 20]

3 Likes

Hi @rg305 ! Thx for the fast response! apache says:
apache2: Could not reliably determine the server's fully qualified domain name, using 172.19.0.3. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 guggsdu.de (/etc/apache2/sites-enabled/guggsdu.de-le-ssl.conf:1)
*:443 guggsdu.de (/etc/apache2/sites-enabled/guggsdu.de-le-ssl.conf:8)
Any idea?

Here is the full configuration file:

<VirtualHost *:80>
    ServerName guggsdu.de
    Redirect / https://guggsdu.de/
</VirtualHost>


<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName guggsdu.de
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    DocumentRoot ${APACHE_DOCUMENT_ROOT}
    <Directory ${APACHE_DOCUMENT_ROOT}>
        allow from all
        Options Indexes FollowSymLinks MultiViews
        Require all granted
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/live/guggsdu.de/fullchain.pem
    SSLCertificateKeyFile /etc/apache2/ssl/live/guggsdu.de/privkey.pem
    Include /etc/apache2/ssl/options-ssl-apache.conf
    ServerAlias www.guggsdu.de
</VirtualHost>
</IfModule>

certbot 2.9.0 installed from snap still getting the same result.

Background: I am using a docker compose installation for my web server and the apache config files are in a virtual directory provided to the container. Same thing for the letsencrypt certificates: they are also in a directory on the host machine provided to the container.

It's also not a read/write permission issue on the server: the directory .well-known/acme-challenge/ has 775 permissions. Changing that to 777 also does not change anything.

If you look in the renewal profile config below, does its webroot path match the value of your Apache DocumentRoot folder? You have that assigned to a variable, so check the run-time value of that variable against the webroot path in the renewal config. Did your run-time variable change since your last cert?

/etc/letsencrypt/renewal/guggsdu.de.conf

Your Apache VirtualHost

    DocumentRoot ${APACHE_DOCUMENT_ROOT}
3 Likes

THX @MikeMcQ!

That did the trick! Certificate successfully renewed! Happy encryption! :)

I had to change the path to the new web root after server migration in /etc/letsencrypt/renewal/guggsdu.de.conf and all is working fine!

This thread can be closed!

2 Likes
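
The check @MikeMcQ describes, as an added example that is not part of the original thread or of certbot itself: it reads the `[[webroot_map]]` entries from a renewal config, writes a probe file under each stored webroot, and looks for it under the directory Apache actually serves. The domain `example.test`, the temporary paths and the function names are constructed for illustration; on a real host, pass the renewal config and the resolved value of `${APACHE_DOCUMENT_ROOT}` as seen from where certbot runs.

```shell
# Added example (not from the thread): does certbot's stored webroot match Apache's?

# Print "domain path" for each entry under [[webroot_map]] in a renewal config.
renewal_webroots() {
    awk '
        /^[ \t]*#/                    { next }
        /^[ \t]*\[\[webroot_map\]\]/  { in_map = 1; next }
        /^[ \t]*\[/                   { in_map = 0 }
        in_map && (i = index($0, "=")) {
            d = substr($0, 1, i - 1); p = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", d); gsub(/^[ \t]+|[ \t]+$/, "", p)
            print d, p
        }' "$1"
}

# Write a probe under each stored webroot and look for it under the served
# directory. Returns 0 if all match, 1 on a mismatch, 2 if there is no map.
check_webroot() {
    conf=$1 docroot=$2 rc=0 sub=.well-known/acme-challenge token="probe-$$"
    pairs=$(renewal_webroots "$conf")
    [ -n "$pairs" ] || { echo "no webroot_map in $conf" >&2; return 2; }
    while read -r domain path; do
        if [ -d "$path" ] && mkdir -p "$path/$sub" && touch "$path/$sub/$token" &&
           [ -f "$docroot/$sub/$token" ]; then
            echo "OK       $domain -> $path"
        else
            echo "MISMATCH $domain: certbot writes to $path, Apache serves $docroot"
            rc=1
        fi
        rm -f "$path/$sub/$token"
    done <<EOF
$pairs
EOF
    return $rc
}

# Constructed sample: config still pointing at the pre-migration webroot.
make_sample() {
    t=$(mktemp -d) && mkdir -p "$t/old/html" "$t/new/html"
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        "webroot_path = $t/old/html," '[[webroot_map]]' \
        "example.test = $t/old/html" > "$t/renewal.conf"
    echo "$t"
}

s=$(make_sample)
check_webroot "$s/renewal.conf" "$s/new/html" || echo "-> update the renewal config"
sed "s#$s/old/html#$s/new/html#" "$s/renewal.conf" > "$s/fixed.conf"
check_webroot "$s/fixed.conf" "$s/new/html"     # corrected path: OK, returns 0
rm -rf "$s"
```

A stale webroot still exists on disk in the sample, which is why certbot can write its challenge file without error while the CA gets a 404.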

This section:

Is missing:

It may work now because you have no other vhosts and that vhost is now also the default.
But once you start to add other vhosts, things might not work as you have come to expect.

4 Likes

THX vhost config updated!

3 Likes
