Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
the warning email has been spammed: Expiration mail from Let's Encrypt Expiry Bot expiry@letsencrypt.org
it is impossible to remove it :Want to replace the certificate, with a new.
How to renew or replace the certificate: The renew failded. What solution to force the renewal.
I'm assuming that the renewal command failed. From the certificate history of be-safe.com, it looks like the automated renewals had been working correctly for some time.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for be-safe.com
http-01 challenge for www.be-safe.com
Using the webroot path /var/www/be-safe.com/htdocs for all unmatched domains.
Waiting for verification...
Challenge failed for domain be-safe.com
Challenge failed for domain www.be-safe.com
http-01 challenge for be-safe.com
http-01 challenge for www.be-safe.com
Cleaning up challenges
Attempting to renew cert (be-safe.com) from /etc/letsencrypt/renewal/be-safe.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/be-safe.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/be-safe.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I would guess that either your IPv6 address (AAAA record in your DNS) does not point to the same server as your IPv4 address (A record in your DNS) or that your webserver configuration does not respond to requests over IPv6, which Let's Encrypt uses by default. If it won't harm any of your operations, you could simply try removing your AAAA record then attempting the certbot dry run again.
Once the dry run succeeds, we'll also want to take a look at your renewal configuration file. Given that you're using webroot authentication without installation instead of nginx authentication with installation, we need to be sure that you have a --deploy-hook in place to reload your webserver when a new certificate is acquired.
Great to see you've got things working again! And thanks for the how-to regarding webinoly.
That said, my colleagues above do have a fair point: your IPv6 address (2001:41d0:305:2100::864d) isn't responsive on either port 80 nor 443. Even if you've succesfully managed to get a new certificate, I would urge you to fix your IPv6 connectivity, as this might lead to other weird behaviour or perhaps customers not being able to connect to your site.