Certificate renewal failure. It says Unauthorized

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hoba.ium.edu.mv

I ran this command: sudo certbot renew

It produced this output:


Renewing an existing certificate for hoba.ium.edu.mv

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: hoba.ium.edu.mv
Type: unauthorized

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

This is the first time I need to renew, but the renewal command returned an 'unauthorized' error.

Hello @ict_ium, welcome to the Let's Encrypt community. :slightly_smiling_face:

Your server is returning 500 Internal Server Error,
that doesn't seem correct to me.

$ curl -Ii http://hoba.ium.edu.mv/.well-known/acme-challenge/sometestfile
HTTP/1.1 500 Internal Server Error
Date: Mon, 22 Apr 2024 17:15:17 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Powered-By: Express
X-RateLimit-Limit: 500
X-RateLimit-Remaining: 498
X-RateLimit-Reset: 1713806145
Cache-Control: max-age=604800
Content-Type: text/html; charset=utf-8
Content-Length: 280782
ETag: W/"448ce-xZZwdxSJO+QZTRzo/5kL9CPoPzk"
Vary: Accept-Encoding
Connection: close
2 Likes

Yet Let's Debug doesn't complain https://letsdebug.net/hoba.ium.edu.mv/1895479
Is that correct @Nummer378?

2 Likes

Does Let's Debug actually check anything at all? As near as I can tell, it just refers everyone to this forum, pretty much regardless of the nature of their problem. (Maybe it checks some very minimal stuff, like whether the domain resolves and port 80 is open? Not much beyond that, that I can see.)

As with all things Apache [on this forum], we should start with the output of:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

The issues detected by Let's Debug are documented here: GitHub - letsdebug/letsdebug: Diagnostic tool/website to help figure out why you can't issue a certificate for Let's Encrypt

Let's Debug does see the 500 status code too (Let's Debug), but it doesn't complain because it doesn't expect the fictitious challenge file to exist. As long as a web server responds properly as per HTTP spec, the test is considered successful. We could consider warning on server-side errors as those are more unexpected than a 404 though.

4 Likes
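The distinction drawn in the post above (a 404 for a made-up challenge file is expected, a 5xx is valid HTTP but more suspicious), as an added example that is not part of the thread and is not Let's Debug's own code. The function names and verdict labels are hypothetical, the 5xx warning is the behaviour the post only suggests, and the samples are constructed from the curl output quoted earlier in the thread.

```python
# Constructed sample: status line and some headers from the curl reply in this thread.
SAMPLE_500 = """\
HTTP/1.1 500 Internal Server Error
Server: Apache/2.4.52 (Ubuntu)
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: a typical reply from a static web server for a missing file.
SAMPLE_404 = """\
HTTP/1.1 404 Not Found
Server: Apache/2.4.52 (Ubuntu)
"""


def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased name: value})."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    parts = lines[0].split(None, 2) if lines else []
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("input does not start with an HTTP status line")
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify_probe(raw):
    """Return (verdict, notes) for a probe of a challenge file that does not exist.

    The verdict names ("ok", "warn", "info") are hypothetical labels for this example.
    """
    status, headers = parse_head(raw)
    notes = []
    if status == 404:
        verdict = "ok"  # expected: the probed file was never created
    elif 500 <= status <= 599:
        verdict = "warn"  # valid HTTP, but the server failed while handling the path
        notes.append(f"server-side error {status} on the challenge path")
    else:
        verdict = "info"
        notes.append(f"unexpected status {status} for a nonexistent file")
    # X-Powered-By is set by application frameworks, not by a static file handler.
    if "x-powered-by" in headers:
        notes.append(f"answered by application layer: {headers['x-powered-by']}")
    return verdict, notes
```

To check a live host, pass the text printed by `curl -sI` for a nonexistent path under `/.well-known/acme-challenge/` to `classify_probe`.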

Thanks! @Nummer378 :slight_smile:

3 Likes

Let's Debug does not show any errors. How can I find the exact issue with the renewal?

A good place to start is by showing us output of this

You probably need to use sudo apache2ctl -t -D DUMP_VHOSTS but it's the same command

2 Likes