Certbot Renewal problems

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: openbsd-network.org

I ran this command: certbot certonly -d openbsd-network.org -d www.openbsd-network.org -d mail.openbsd-network.org

It produced this output:IMPORTANT NOTES:

My web server is (include version): httpd

The operating system my web server runs on is (include version): openbsd 6.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot

Well if i use a test.txt on the folder acme/ i can see it from http://www.openbsd-network.org/.well-known/acme-challenge/test.txt

the folder is 666

The folder needs to be 755. 666 gives read/write permissions for everyone. 755 gives read/execute instead of write/execute, which allows people to browse into the directory and read the contents, with only the owner having write permissions.

Hi @warrior

your test file should have the name “test” without an extension.

But if that works, you have found your correct webroot.

So use it.

Looks like you use the --apache, that may not work.

1 Like

the problem is i have error 404

Please share all required informations. Your complete command, your config file. And the absolute path of your test file.

Can you show us the rest of Certbot’s output?

openbsd-network# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/openbsd-network.org.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.openbsd-network.org
http-01 challenge for openbsd-network.org
http-01 challenge for www.openbsd-network.org
Waiting for verification…
Challenge failed for domain mail.openbsd-network.org
Challenge failed for domain openbsd-network.org
Challenge failed for domain www.openbsd-network.org
http-01 challenge for mail.openbsd-network.org
http-01 challenge for openbsd-network.org
http-01 challenge for www.openbsd-network.org
Cleaning up challenges
Attempting to renew cert (openbsd-network.org) from /etc/letsencrypt/renewal/openbsd-network.org.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/openbsd-network.org/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/openbsd-network.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Is the file there? If it’s not then there’s an issue with your Certbot configuration or the directory ownership/permissions that’s preventing Certbot from writing the file.

http://www.openbsd-network.org/cert.txt

"test.txt" file doesn’t simulate the same “type” of file used in the HTTP authentication.
try accessing via a name more like “test123” [without a period]

If you examine the /etc/letsencrypt/renewal/openbsd-network.org.conf file, it will say which document root directory or directories Certbot is configured to use. Are they correct? (/foo/ means Certbot will place the files in /foo/.well-known/acme-challenge/.)

What do the web server error logs show?

What’s changed since the certificates were created or the last time they were renewed? Is the IP address in the DNS records still correct? Have the websites been changed to use different document roots?

1 Like

maybe document root what to do in this case

i also have this in /var/www/logs/access.log

openbsd-network.org 52.15.254.228 - - [09/Feb/2020:17:59:48 -0500] “GET /.well-known/acme-challenge/QlHCOS1ar8AYDekARYon4XCb1bYaPUlNaJM6yI-9zD0 HTTP/1.1” 404 0
www.openbsd-network.org 52.15.254.228 - - [09/Feb/2020:17:59:48 -0500] “GET /.well-known/acme-challenge/Y4RtdgX9DSNJO_oImLdR_B270-PPZjS2OQUpamSt1vE HTTP/1.1” 404 0
mail.openbsd-network.org 52.28.236.88 - - [09/Feb/2020:17:59:48 -0500] “GET /.well-known/acme-challenge/iiYNTR_cN1HoOYsmpxTY3XoKBZl9Ji9q4Bge40-X0SQ HTTP/1.1” 404 0

Attempting to renew cert (openbsd-network.org) from /etc/letsencrypt/renewal/openbsd-network.org.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/openbsd-network.org/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/openbsd-network.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

is this possible just to create new certificates without renewing by removing old certificates?

and in http://www.openbsd-network.org/cert.txt that tell: “expires”: “2020-02-16T22:31:25.079096926Z”,

Why today the certificates does not work at all

well just remade certificates

acme-client -v openbsd-network.org