Certificate expired

My domain is: helitowers.dsait.net

I ran this command: perl letsencrypt_glassfish_helitowers.pl

It produced this output: none

My web server is (include version): Payara Server 5.2020.2 #badassfish (build 547)

The operating system my web server runs on is (include version): CentOS Linux 7.9.2009

My hosting provider, if applicable, is: Contabo

I can login to a root shell on my machine (yes or no, or I don't know): yes

Yesterday my certificate expired; I am always waiting to renew it before expiration. I ran the renewal process, restarted the application server and restarted the service as I always do, and the application server did not come up, with a message that the certificate was expired. Then I went to cPanel, deleted the subdomain and created it again, and also deleted that subdomain in the DNS. Then I ran the certificate renewal procedure again and restarted the application server and the server. This time the application did come up, but the renewed certificate did not appear. 3 hours have passed and it still has the problem that it is insecure. What can I do to solve this problem? My server is a CentOS 7.

Hi @dsait, and welcome to the LE community forum

Please show us your renewal script ("letsencrypt_glassfish_helitowers.pl").

It has always worked for me when I do it before the certificate date expires.
It is a script provided to me by Michael R. Elliott Software Engineering and Computer Forensics

#!/usr/bin/perl

###################################################################
# 
# Copyright 2019 - 2020
#
# Michael R. Elliott Software Engineering and Computer Forensics
#
# Licensed under the Creative Commons License.
#
# This document may be copied, distributed, edited, remixed and
# built upon by anyone, including commercial users.
#
###################################################################
# 
# This script is intended to simplify the installation of a Let's
# Encrypt certificate in a Glassfish/Payara server and provide an
# automated way of renewing all Let's Encrypt certificates about to
# expire.
#
# There exists a significant amount of documentation on the web which
# addresses this problem but I have found much of it to be ambiguous
# and incomplete.  This is an attempt to remove that ambiguity and
# incompleteness by giving a real world working example which can be
# modified to suit a particular situation.
#
# The script is designed to be located in the glassfish/payara config
# directory.  In my installation that is:
#
# /opt/payara5/glassfish/domains/domain1/config
#
# Note that all steps shown may not actually apply to your
# implementation.  Judiciously skip those which don't apply.  There
# may even be steps which are unnecessary.  I don't really know.
# However, if there are, they're at least harmless.  If you find an
# unnecessary step, please let me know!
#
# Examine all the values up to the Actions section, modifying them as
# fits your individual implementation.  In particular, change the value
# of $execute_command to $true to actually do something other than show
# what would be done if you allowed it.
#
# Two important problems were encountered in the creation of this
# script:
#
# 1) I was initially using a version of Java which was incompatible.
#    Unfortunately, I didn't get around to checking the server log
#    file for way too long (exceptions were being thrown).  This
#    upgrading of the Java version necessary to get past this problem
#    is not addressed by this script.  Let this be a warning to you:
#    closely monitor the server log file.  If your installation is
#    throwing exceptions, fix that problem first.
#
# 2) I switched to payara half way through the script's development.
#    However payara has (had?) a problem with VNC's which prevented it
#    from running.  I had to initially start my host (a Raspberry Pi)
#    without a VNC and then change the payara runtime environment.
#    You may need to start payara from an SSH shell then disable
#    hazelcast (the problematic payara service) via:
#
#    asadmin set-hazelcast-configuration --enabled=false
#
# Please send any comments or corrections to mre@m79.net.  I REALLY
# want this to work for everyone using a UNIX variant like Linux.  If
# you're a Windows user, best of luck to you. I'm not a Windows person
# so my knowledge of your domain is minimal. However, perhaps this can
# give you something to adapt to your environment.  If you make some
# variant of this work for you in Windows, please let me know!
#
# Note 1: that at the end of this script is a subroutine which can be
# used for certificate renewal, which has to be done every 90 days
# (or less) - but that's only after you've managed to create and
# install the initial certificate.
#
# Note 2: I have successfully used this script to create certificates
# for multiple domains in less than five minutes.  Additionally, it
# has been used to successfully renew those certificates from a cron
# job with no manual intervention.
#
# Note 3: Sometimes additional tweaking may be needed.  I have found this
# article (which existed as of June 2020) to be helpful:
#
#    https://blog.payara.fish/
#       securing-payara-server-with-custom-ssl-certificate
#   
# ----
# Installation control
#
# These can be set to just show the commands to be executed, to
# execute only, or to show and execute.  Initial value is to only show
# the commands without executing them.
#
my ($true, $false) = (1, 0);
my $print_cmd = $true;
my $execute_cmd = $true; # Change this to actually do something!

# ----
# Target domain stuff.  
#
# The list of domains which are to be made usable through TLS.  Add
# all your domains here. These were mine, but after multiple
# colleagues whose advice I respect told me not to, I changed them to
# bogus domains for illustrative purposes only.  It's OK if this list
# contains only one domain, but it must contain at least one domain.
# Otherwise, there's nothing for which a cert can be generated.
#
my @domains = qw/
   helitowers.com
/;

# ----
# Glassfish/Payara and certbot stuff
#
# These need to be set to reflect your particular installation
#
my $certbot = "/usr/bin/certbot";
my $glassfish_base = "/opt/payara5/glassfish";
my $asadmin = "$glassfish_base/bin/asadmin";

# These values should probably not be changed.  Do so only if you really
# know what you're doing.
#
my $keystore_jks = "keystore.jks";
my $cacerts_jks = "cacerts.jks";
my $domain_name = "domain1";
my $http_listener = "http-listener-1";
my $https_listener = "http-listener-2";
my $domain_path = "$glassfish_base/domains/$domain_name";
my $config = "$domain_path/config";
my $docroot = "$domain_path/docroot";

# This is the password of both the server and the keystore.  The
# default is 'changeit'.  The two need to have the same password.
# This password will be used throughout this script.  I have retained
# the default, perhaps unwisely, but at the time I wrote this script
# this is the situation.  If you change this password and it works for
# you, please let me know!
#
my $password = 'mypassword';

# ----
# Let's Encrypt stuff
#
# This is the name used to specify this set of certificates.  Here
# it's the first domain in the domain list.  Let's Encrypt typically
# uses the name of a domain as the place to store the certificates,
# but it might be confusing if multiple certificates are listed.  This
# resolves that potential ambiguity.
#
my $cert_name = $domains[0];

# These values are almost certainly correct as written.  Change only
# under unusual circumstances.
#
my $letsencrypt_base = "/etc/letsencrypt/live/$cert_name";
my $certificate_public_key = "$letsencrypt_base/fullchain.pem";
my $certificate_private_key = "$letsencrypt_base/privkey.pem";

# These values are arbitrary, but known to work.
#
my $pkcs12_file = "pkcs.p12";
my $certificateNickName = "${domain_name}cert";

# ------------------------------------------------------------------------
# Validations

# Before we go any further, confirm that the script can find asadmin.
#
die "Can't find asadmin in $glassfish_base\n" unless -e $asadmin;

# This script is intended to be run in the domain's config directory.
# It will check to see that that is the case before continuing.
#
die "Script must be run in $config\n" unless confirm_config_directory();

# ------------------------------------------------------------------------
# Actions

# The following steps have been found to be useful.  Note that all are
# initially disabled.  Some steps may not be necessary in your
# particular situation.  If so, feel free to skip them. For those not
# Perl knowledgeable, the # character denotes the beginning of a
# comment.  The lines beginning with ## are the ones which are to be
# selectively activated.
#
# Check the documentation for a particular subroutine for more details
# about that step.  Note that if you only want to see what the
# generated command actually is, rather than immediately running it,
# you can set the variable $execute_cmd to '$false' and the variable
# $print_cmd to $true to see the generated command without actually
# executing it.
#
# In order to enable a step, uncomment the requisite subroutine.  I
# recommend that you initially do this step by step, carefully
# observing the result at each step, before going to the next step.
#
# ========
# Step 1
# Change glassfish/payara to listen on ports 80 and 443 rather than the
# default.  By default, glassfish/payara creates http-listener-1 and
# http-listener-2 on 8080 and 8181.
#
# *****
listen_port( $http_listener, 80 );
listen_port( $https_listener, 443 );

# ========
# Step 2
# Generate the Let's Encrypt certificate keys in webroot mode. Make
# sure that the server is running and listening on port 80 before
# running this.
#
# *****
 generate_webroot_letsencrypt_keys();

# ========
# Step 3
# Change the keystore password to match that of the glassfish/payara
# server.  This is probably not necessary, but included here for
# completeness.
#
# *****
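 # The subroutine runs keytool itself through print_execute(), so it
 # must not be wrapped in another system() call.
 change_keystore_password();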

# ========
# Step 4
# Create a keystore
#
# *****
 create_pkcs12_file();

# ========
# Step 5
# Import the created keystore into the Glassfish/Payara keystores
#
# *****
 import_PKCS_to_keystore( $keystore_jks );
 import_PKCS_to_keystore( $cacerts_jks );

# ========
# Step 6
# Apply new certificate to https listener
#
 apply_certificate();

# ========
# Step 7
# Update the $glassfish_domain SSL information
#
 update_SSL();

# ========
# Step 8
# If necessary, set the admin password.  This should only be done if
# the admin password is the default (empty) password.
#
 set_admin_password();

# ========
# Step 9
# Set up the https domain.  Note: this consists of steps which must be
# manually executed.
##
 set_https_domain();

# ------------------------------------------------------------------------
# Subroutines.
#
# You shouldn't have to modify any of the following subroutines as
# written.  If you feel the need to modify any of these routines,
# please let me know as others may have encountered the same situation.

# Invoke certbot (which needs to already be installed) placing
# authentication artifacts in the server's docroot directory in order
# to generate a set of certificate keys. Getting certbot is left as an
# exercise for the reader, but I managed to get it with 'apt-get
# install certbot'.
#
# This is to be executed when glassfish/payara is running
#
sub generate_webroot_letsencrypt_keys {
    #die "Server is not running on port 80\n"
    #    unless server_is_running( 80 );
    die "Can't find docroot at $docroot\n"
        unless -d $docroot;
    pre_cert_access();
    print_execute(
        "$certbot certonly"
        . " --webroot"
        . " --webroot-path $docroot"
        . " --cert-name $cert_name"
        . " -d " . join( " -d ", @domains ) );
    post_cert_access();
}

# Invoke certbot (which needs to already be installed) in standalone
# mode in order to generate a set of certificate keys.
#
sub generate_standalone_letsencrypt_keys {
    die "Server is running on port 80\n" if server_is_running( 80 );
    print_execute(
        "$certbot certonly"
        . " --standalone"
        . " --cert-name $cert_name"
        . " -d " . join( " -d ", @domains )
        );
    print "Make sure the server is running"
        . " after this action has completed\n";
}

# Configure a network listener to listen on a specific port
#
# Usage:
#
#    listen_port( "http-listener-1", 80 );
#
# will cause http-listener-1 to listen on port 80.
#
sub listen_port {
    my $network_listener = shift;
    my $port = shift;

    print "-- Setting $network_listener to listen on $port\n\n";
    print_execute(
        "$asadmin set configs.config.server-config" 
        . ".network-config.network-listeners" 
        . ".network-listener.$network_listener"
        . ".port=$port"
        );
}

# Change the password of the keystore.
#
sub change_keystore_password() {
    print "-- Changing keystore $keystore_jks password to $password\n\n";
    print "-- The expected password is $password\n"
        . "Change as necessary:\n\n";
    # keytool's subcommand is -storepasswd; it prompts for the old and
    # new passwords.
    print_execute( "keytool -storepasswd -keystore $keystore_jks" );
}

# Create PKCS.p12 file with key and certificate
#
sub create_pkcs12_file() {
    print "-- Creating pkcs12_file in $pkcs12_file\n";
    print "-- Expected password is $password\n\n";
    print_execute(
        "openssl pkcs12 -export" 
        . " -in $certificate_public_key" 
        . " -inkey $certificate_private_key" 
        . " -out $pkcs12_file" 
        . " -name $certificateNickName"
        );
}

# Import the created keystore ($pkcs12_file) into one of the
# existing server keystores.
#
sub import_PKCS_to_keystore {
    my $keystore = shift;
    print "-- Importing the created keystore ($pkcs12_file)" .
	" into $keystore\n\n";
    print_execute( 
        "keytool -importkeystore" 
        . " -srckeystore $pkcs12_file"
        . " -srcstorepass $password"
        . " -srcstoretype PKCS12"
        . " -destkeystore $keystore"
        . " -deststorepass $password"
        . " -alias $certificateNickName"
        );
}

# Set the admin password for the server.
#
sub set_admin_password() {
    print "-- ";
    print "Setting admin password. Default is the empty password";
    print "\n\n";
    print_execute(
        "$asadmin change-admin-password"
        );
}

# Update the server's SSL configuration.
#
sub update_SSL() {
    my $asadmin_prefix =
        "$asadmin set configs"
        . ".config.server-config.network-"
        . "config.protocols.protocol.http-listener-2.";

    print "-- Update server SSL listener\n\n";
    print_execute(
        $asadmin_prefix . "security-enabled=true"
        );
    print_execute(
        $asadmin_prefix . "ssl.tls-enabled=true"
        );
    print_execute(
        $asadmin_prefix . "ssl.tls11-enabled=true"
        );
    print_execute(
        $asadmin_prefix . "ssl.tls12-enabled=true"
        );
}

# Apply certificate to $https_listener.
#
sub apply_certificate {
    print "-- Apply certificate to listener $https_listener\n\n";
    print_execute(
        "$asadmin set"
        . " configs.config.server"
        . "-config.network"
        . "-config.protocols.protocol."
        . $https_listener
        . ".ssl.cert"
        . "-nickname=$certificateNickName"
        );
}

# Provide user instructions as to how (through the administration
# console page) the user can set the https domain.
#
sub set_https_domain {
    print "-- ";
    print "Using the admin console, access Configurations"
        . "\n--   -> default-config"
        . "\n--   -> HTTP Service"
        . "\n--   -> Http listeners"
        . "\n--   -> $https_listener"
        . "\n";
    print "\n-- Then, using the SSL tab\n"
        . "--   set the Certificate NickName to $certificateNickName\n"
        . "--   and the Key Store to $keystore_jks\n"
        . "--   then Save\n";
    print "\n Using the admin console, access Configurations"
        . "\n--   -> server-config"
        . "\n--   -> HTTP Service"
        . "\n--   -> Http listeners"
        . "\n--   -> $https_listener"
        . "\n";
    print "\n-- Then, using the SSL tab\n"
        . "--   set the Certificate NickName to $certificateNickName\n"
        . "--   then Save\n";
}

# Determine whether something (presumably the server) is listening on
# the given port.
#
sub server_is_running {
    my $port = shift;
    open( PROC, "netstat -ltnp | grep -w ':$port' |" );
    my $line = <PROC>;
    chomp $line;
    my $result = $line =~ /$port/;
    close PROC;
    return $result;
 }

# Confirm that the script is running in the config directory
#
sub confirm_config_directory {
    my $result = $false;
    open( PWD, "pwd |" );
    my $line = <PWD>;
    chomp $line;
    $result = $line =~ /^$config$/;
    close PWD;
    return $result;
}

# Print the command and/or execute it
#
sub print_execute {
    my $cmd = shift;
    if ($print_cmd) {
        if ($execute_cmd) {
            print "# $cmd\n\n";
        }
        else {
            print "-- Command: $cmd\n";
        }
    }
    system $cmd if $execute_cmd;
}

###########################################################
# Domain renewal routines
###########################################################

# Return a list of domains needing renewal.
#
# Takes a single parameter indicating days remaining until renewal.
# Default is 28.
#
sub domains_to_renew {
    my $days = shift;
    my $max_days = 28;
    $days = $max_days unless defined $days;

    my @result = ();
    my $cert_name = "";
    my $expiry = 1000;
    open( CERTBOT, "$certbot certificates 2>&1 |" );
    while (<CERTBOT>) {
        if (m/\s+Certificate Name:\s+(.*)/) {
            $cert_name = $1;
            $expiry = 1000000;
        }
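        if (m/\s+Expiry Date:/) {
            # certbot prints "(VALID: N days)" only while two or more
            # days remain; "(VALID: 1 day)", "(VALID: N hour(s))" and
            # "(INVALID: EXPIRED)" carry no day count, so treat them
            # as zero days left instead of skipping the certificate.
            $expiry = m/\(VALID: (\d+) days\)/ ? $1 : 0;
            push @result, $cert_name if $expiry <= $days;
        }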
        
    }
    close CERTBOT;
    return @result;
}

# Decide if there are domains needing renewal and if so, renew them.
#
# Note well: Certificate renewal should be done only if all the
# subroutines used to create the certificate in the first place are
# commented out!
#
sub check_and_renew {
    # This can be run by specifying a parameter (renew) to the script.
    # This subroutine forces the values of $print_cmd and $execute_cmd
    # to false and true, respectively, to be more friendly in an
    # automated environment.
    #
    # An example crontab entry is:
    #
    #  0 4 * * * (cd <path to config> && ./letsencrypt_glassfish.pl renew)
    #
    # which will run this script daily at 4 a.m. to renew any domains
    # close to expiry.  Running daily is probably overkill but it does
    # work.  Weekly is probably good enough.
    #
    $print_cmd = $false;
    $execute_cmd = $true;

    my @domains_to_renew = domains_to_renew();
    if ((scalar @domains_to_renew) > 0) {
        print "[letsencrypt_glassfish] Renewing @domains_to_renew\n";
	pre_cert_access();
        system "$certbot renew";
	post_cert_access();
    }
    else {
        print "[letsencrypt_glassfish] No domains need renewal\n";
    }
}

# Sometimes renewals must be forced, as in the recent problem caused
# by a bug in the Letsencrypt security code in early 2020.  In that
# case, renewals must be forced without concern for how long they are
# currently valid.
#
# This routine will execute a forced renewal, and can be activated
# from the command line by adding the command line argument
# "force-renew".
#
sub force_renew {
    # This can be run by specifying a parameter (force-renew) to the
    # script execution.
    #
    $print_cmd = $true;
    $execute_cmd = $true;

    pre_cert_access();
    print_execute( "$certbot renew --force-renewal" );
    post_cert_access();
    print "[letsencrypt_glassfish] certbot force renewal completed\n";
}

# Return a list of all current applications about which glassfish is
# aware, regardless of whether they're enabled or disabled.
# 
sub list_all_applications {
    my @result;
    open( APPS, "$asadmin list-applications --type web |" )
	or die "Can't fetch applications\n";
    while (<APPS>) {
	next unless $_ =~ /^(.+?)\s+<web>/;
	push @result, $1;
    }
    close APPS;
    return @result;
}

# Disable all current applications.  Note that this is a fairly big
# hammer - all known applications will be disabled whether or not they
# were already disabled.
#
sub pre_cert_access {
    foreach (list_all_applications()) {
	print_execute( "$asadmin disable $_" );
    }
}

# Re-enable all applications.  Again, a big hammer, but this is
# probably the right solution for the majority of installations.
# However, if your installation has applications which are known to
# glassfish but which should not be re-enabled, this subroutine will
# need to be modified accordingly.
#
sub post_cert_access {
    foreach (list_all_applications()) {
	print_execute( "$asadmin enable $_" );
    }
}

# Check to see if the command has as its first argument the string
# 'renew'.  If it does, attempt to renew all domains which are within
# the necessary time for renewal window.
#
check_and_renew() if defined $ARGV[0] && $ARGV[0] eq 'renew';

# Check to see if the command has as its first argument the string
# 'force-renew'.  If it does, force renewal of all domains.
#
force_renew() if defined $ARGV[0] && $ARGV[0] eq 'force-renew';
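
The script above moves a certificate through three places: certbot's fullchain.pem, the Payara keystore.jks, and the HTTPS listener. The following added example (not part of the thread or of the posted script) compares the leaf certificate at each place to show where a renewed certificate got stuck. The host name, paths and alias are taken from the posted script and log; the CERT_HOST, LIVE_PEM, KEYSTORE, CERT_ALIAS and KEYSTORE_PASS variables and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: locate the stage that still holds the old certificate.
# Defaults mirror the posted script and log; override via the environment.
CERT_HOST="${CERT_HOST:-helitowers.dsait.net}"
LIVE_PEM="${LIVE_PEM:-/etc/letsencrypt/live/$CERT_HOST/fullchain.pem}"
KEYSTORE="${KEYSTORE:-/opt/payara5/glassfish/domains/domain1/config/keystore.jks}"
CERT_ALIAS="${CERT_ALIAS:-domain1cert}"

# Print the base64 body of the FIRST certificate on stdin as one line.
# Blanks, tabs and CRs are dropped so that PEM produced by different
# tools (different line width, CRLF endings) compares equal.
leaf_body() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /-----END CERTIFICATE-----/   { if (inside) exit }
        inside { gsub(/[ \t\r]/, ""); printf "%s", $0 }
        END { print "" }
    '
}

# Leaf certificate as issued by certbot (first block of fullchain.pem).
live_body() {
    if [ -r "$LIVE_PEM" ]; then leaf_body < "$LIVE_PEM"; fi
}

# Leaf certificate stored under the alias in the Java keystore.
# The password is read from the KEYSTORE_PASS environment variable so
# it does not appear on the keytool command line.
keystore_body() {
    keytool -exportcert -rfc -alias "$CERT_ALIAS" -keystore "$KEYSTORE" \
        -storepass:env KEYSTORE_PASS 2>/dev/null | leaf_body
}

# Leaf certificate the listener actually presents on port 443.
served_body() {
    openssl s_client -connect "$CERT_HOST:443" -servername "$CERT_HOST" \
        </dev/null 2>/dev/null | leaf_body
}

# Classify the three copies.
# $1 = certbot's leaf, $2 = keystore entry, $3 = certificate served on 443.
# An empty $2 (alias missing, wrong password) also counts as keystore-stale.
diagnose() {
    if [ -z "$1" ]; then
        echo "no-live-cert"
    elif [ "$1" != "$2" ]; then
        echo "keystore-stale"
    elif [ "$2" != "$3" ]; then
        echo "server-stale"
    else
        echo "in-sync"
    fi
}

# Collect all three copies and report; succeeds only when they match.
check_chain() {
    verdict=$(diagnose "$(live_body)" "$(keystore_body)" "$(served_body)")
    echo "$CERT_HOST: $verdict"
    [ "$verdict" = "in-sync" ]
}

# Only touch the keystore and the network when asked to.
if [ "${1:-}" = "check" ]; then
    check_chain
fi
```

A keystore-stale verdict points at steps 4 and 5 of the script (the PKCS#12 export and the keytool import); server-stale means the listener is still presenting an older copy, for example because the domain was not restarted or the listener uses a different nickname.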

Please show the current file: /var/log/letsencrypt/letsencrypt.log
and, then (after), the outputs of:
which certbot
/usr/bin/certbot --version

This may be overstated; as experienced with this specific FQDN:

This name has yet to be renewed.
[and the initial install created 5 duplicate certs on that same day]
See: crt.sh | helitowers.dsait.net

2021-07-05 07:07:11,470:DEBUG:certbot._internal.main:certbot version: 1.11.0
2021-07-05 07:07:11,470:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-07-05 07:07:11,470:DEBUG:certbot._internal.main:Arguments: ['--webroot', '--webroot-path', '/opt/payara5/glassfish/domains/domain1/docroot', '--cert-name', 'helitowers.dsait.net', '-d', 'helitowers.dsait.net']
2021-07-05 07:07:11,470:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-07-05 07:07:11,501:DEBUG:certbot._internal.log:Root logging level set at 20
2021-07-05 07:07:11,501:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-07-05 07:07:11,509:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-07-05 07:07:11,510:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fed401a8fd0>
Prep: True
2021-07-05 07:07:11,511:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fed401a8fd0> and installer None
2021-07-05 07:07:11,511:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-07-05 07:07:11,565:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/118076228', new_authzr_uri=None, terms_of_service=None), 625f279e993d29397e50c7f714d8e17d, Meta(creation_host=u'vmi558898.contaboserver.net', register_to_eff=None, creation_dt=datetime.datetime(2021, 4, 5, 3, 46, 16, tzinfo=<UTC>)))>
2021-07-05 07:07:11,574:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-07-05 07:07:11,595:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-07-05 07:07:11,714:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2021-07-05 07:07:11,715:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Mon, 05 Jul 2021 13:07:11 GMT
x-frame-options: DENY
content-type: application/json

{
  "MdjA00QiQW4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-07-05 07:07:11,751:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer <certbot._internal.cli.cli_utils._Default object at 0x7fed3fdb4850>
2021-07-05 07:07:11,812:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-07-04 19:48:08 UTC.
2021-07-05 07:07:11,812:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
2021-07-05 07:07:11,814:DEBUG:certbot.display.util:Notifying user: Renewing an existing certificate for helitowers.dsait.net
2021-07-05 07:07:11,927:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0009_key-certbot.pem
2021-07-05 07:07:11,930:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0009_csr-certbot.pem
2021-07-05 07:07:11,930:DEBUG:acme.client:Requesting fresh nonce
2021-07-05 07:07:11,930:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-07-05 07:07:11,957:DEBUG:urllib3.connectionpool:"HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-07-05 07:07:11,958:DEBUG:acme.client:Received response:
HTTP 200
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
cache-control: public, max-age=0, no-cache
date: Mon, 05 Jul 2021 13:07:11 GMT
x-frame-options: DENY
replay-nonce: 0102VAqVKyeYn_ryShohkh1wRWFxfta7c-jmfCwoxV7PDPU


2021-07-05 07:07:11,959:DEBUG:acme.client:Storing nonce: 0102VAqVKyeYn_ryShohkh1wRWFxfta7c-jmfCwoxV7PDPU
2021-07-05 07:07:11,959:DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns", 
      "value": "helitowers.dsait.net"
    }
  ]
}
2021-07-05 07:07:11,962:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2021-07-05 07:07:12,158:DEBUG:urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 343
2021-07-05 07:07:12,159:DEBUG:acme.client:Received response:
HTTP 201
content-length: 343
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/118076228/10865312961
boulder-requester: 118076228
date: Mon, 05 Jul 2021 13:07:12 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0102GxlEjOqwSK4nrH_fwqHz2HqhS9b3C-br4GReku4Z9c0

{
  "status": "pending",
  "expires": "2021-07-12T13:07:12Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "helitowers.dsait.net"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/14557783186"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/118076228/10865312961"
}
2021-07-05 07:07:12,160:DEBUG:acme.client:Storing nonce: 0102GxlEjOqwSK4nrH_fwqHz2HqhS9b3C-br4GReku4Z9c0
2021-07-05 07:07:12,160:DEBUG:acme.client:JWS payload:

2021-07-05 07:07:12,162:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/14557783186:
2021-07-05 07:07:12,218:DEBUG:urllib3.connectionpool:"POST /acme/authz-v3/14557783186 HTTP/1.1" 200 801
2021-07-05 07:07:12,219:DEBUG:acme.client:Received response:
HTTP 200
content-length: 801
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 118076228
date: Mon, 05 Jul 2021 13:07:12 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0101jgVHvgb374SxCwssBJ8Nt4pNrG3HA7KjlxQX-OFW484

{
  "identifier": {
    "type": "dns",
    "value": "helitowers.dsait.net"
  },
  "status": "pending",
  "expires": "2021-07-12T13:07:12Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14557783186/6MbweQ",
      "token": "vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14557783186/idKJlA",
      "token": "vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14557783186/mYvrGg",
      "token": "vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg"
    }
  ]
}
2021-07-05 07:07:12,220:DEBUG:acme.client:Storing nonce: 0101jgVHvgb374SxCwssBJ8Nt4pNrG3HA7KjlxQX-OFW484
2021-07-05 07:07:12,221:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-07-05 07:07:12,237:INFO:certbot._internal.auth_handler:http-01 challenge for helitowers.dsait.net
2021-07-05 07:07:12,238:INFO:certbot._internal.plugins.webroot:Using the webroot path /opt/payara5/glassfish/domains/domain1/docroot for all unmatched domains.
2021-07-05 07:07:12,240:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /opt/payara5/glassfish/domains/domain1/docroot/.well-known/acme-challenge
2021-07-05 07:07:12,247:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /opt/payara5/glassfish/domains/domain1/docroot/.well-known/acme-challenge/vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg
2021-07-05 07:07:12,248:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-07-05 07:07:12,249:DEBUG:acme.client:JWS payload:
{}
2021-07-05 07:07:12,251:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/14557783186/6MbweQ:
{
  "protected": "eyJub25jZSI6ICIwMTAxamdWSHZnYjM3NFN4Q3dzc0JKOE50NHBOckczSEE3S2pseFFYLU9GVzQ4NCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMTQ1NTc3ODMxODYvNk1id2VRIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzExODA3NjIyOCIsICJhbGciOiAiUlMyNTYifQ", 
  "payload": "e30", 
  "signature": "gGnL3HPJBg--QCfrwb8Ndk5lbDpxkVCWWYMVtu-AHXMG2j8_gVdejrFXTOhpQGTr-yaHmr61iDxQrL85UVrPLkxtkWdSeONLJPetLEaWazUZjKtUZyhtd9Znl00dfRc8-kui1Fus0scLjRMZNEs6VGAs-5PyAPL1XX5YNIhM43eG_zptyStS_R_7AN5Js1PPKZXf135xXC3H-A4ku33xgAs8lG8THbEfnvBOwUaFqqfr6PSnid7WhOhOyNbT-pJi3LmnLaxLrwzJd5KL9ZARZCBB27P4ya-QMRzjRRhM2XscKfL-tF-WY-Zb2fJg1m40DAOXY8gAq8Zfb3qH0XVXLg"
}
2021-07-05 07:07:12,325:DEBUG:urllib3.connectionpool:"POST /acme/chall-v3/14557783186/6MbweQ HTTP/1.1" 200 186
2021-07-05 07:07:12,326:DEBUG:acme.client:Received response:
HTTP 200
content-length: 186
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/14557783186>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/14557783186/6MbweQ
boulder-requester: 118076228
date: Mon, 05 Jul 2021 13:07:12 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0102x8WD-dE1YpOSChtvFHLKpT6xdF-VINbEM5E9xaiJNo8

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14557783186/6MbweQ",
  "token": "vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg"
}
2021-07-05 07:07:12,326:DEBUG:acme.client:Storing nonce: 0102x8WD-dE1YpOSChtvFHLKpT6xdF-VINbEM5E9xaiJNo8
2021-07-05 07:07:13,328:DEBUG:acme.client:JWS payload:

2021-07-05 07:07:13,330:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/14557783186:
{
  "protected": "eyJub25jZSI6ICIwMTAyeDhXRC1kRTFZcE9TQ2h0dkZITEtwVDZ4ZEYtVklOYkVNNUU5eGFpSk5vOCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTQ1NTc3ODMxODYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE4MDc2MjI4IiwgImFsZyI6ICJSUzI1NiJ9", 
  "payload": "", 
  "signature": "dWZvHEqQZ-ZLmyLstFbetzhd_ZCSNnWNxqUH700qGl3Ma3K0uaLVyVbmOes2IuN-jSnRutRH2l7IHQaQPfnRgFmdQKRULzfnK10abT4U7myGLCJKt9L2M-nee7CsMrwR9Hi1xJqKj-zXvA6olmCC0biQKS8JAzXgW6_bzAcHITMTB81tml4gCsCTeSjg7bmLhbzl54WFJjdmw1nXYiWJdTzWPamaQGshKaZ1mwcMEMPgrkWe4Z9aHkiSeowP-avv3LogTpYuUAcxK7NViT-2COsBOth7q22p2GWNR3Py6lTG3d0kequL1_CfpAmYpYzOiSm37f9jQM1Z0nSxpW7U6A"
}
2021-07-05 07:07:13,386:DEBUG:urllib3.connectionpool:"POST /acme/authz-v3/14557783186 HTTP/1.1" 200 1294
2021-07-05 07:07:13,387:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1294
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 118076228
date: Mon, 05 Jul 2021 13:07:13 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0101-7NoGBn8Aq2ECOQdfxIeU1ivPFqlIbJ_67d984MlX6w

{
  "identifier": {
    "type": "dns",
    "value": "helitowers.dsait.net"
  },
  "status": "invalid",
  "expires": "2021-07-12T13:07:12Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://helitowers.dsait.net/.well-known/acme-challenge/vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg [207.244.255.112]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14557783186/6MbweQ",
      "token": "vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg",
      "validationRecord": [
        {
          "url": "http://helitowers.dsait.net/.well-known/acme-challenge/vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg",
          "hostname": "helitowers.dsait.net",
          "port": "80",
          "addressesResolved": [
            "207.244.255.112"
          ],
          "addressUsed": "207.244.255.112"
        }
      ],
      "validated": "2021-07-05T13:07:12Z"
    }
  ]
}
2021-07-05 07:07:13,387:DEBUG:acme.client:Storing nonce: 0101-7NoGBn8Aq2ECOQdfxIeU1ivPFqlIbJ_67d984MlX6w
2021-07-05 07:07:13,388:WARNING:certbot._internal.auth_handler:Challenge failed for domain helitowers.dsait.net
2021-07-05 07:07:13,403:INFO:certbot._internal.auth_handler:http-01 challenge for helitowers.dsait.net
2021-07-05 07:07:13,404:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: helitowers.dsait.net
Type:   unauthorized
Detail: Invalid response from http://helitowers.dsait.net/.well-known/acme-challenge/vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg [207.244.255.112]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-07-05 07:07:13,409:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2021-07-05 07:07:13,409:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-07-05 07:07:13,409:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-07-05 07:07:13,410:DEBUG:certbot._internal.plugins.webroot:Removing /opt/payara5/glassfish/domains/domain1/docroot/.well-known/acme-challenge/vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg
2021-07-05 07:07:13,410:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-07-05 07:07:13,414:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1294, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 124, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 331, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
2021-07-05 07:07:13,420:ERROR:certbot._internal.log:Some challenges have failed.

The 5 duplicates are probably because I ran it several times when I saw that it did not work for me, since on other occasions it is renewed almost instantly.

Your script settings seem incomplete:
my $domain_name = "domain1";

is then referenced as such:

2021-07-05 07:07:12,238:INFO:certbot._internal.plugins.webroot:Using the webroot path /opt/payara5/glassfish/domains/domain1/docroot for all unmatched domains.
2021-07-05 07:07:12,240:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /opt/payara5/glassfish/domains/domain1/docroot/.well-known/acme-challenge
2021-07-05 07:07:12,247:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /opt/payara5/glassfish/domains/domain1/docroot/.well-known/acme-challenge/vYw3t-xdSNVVYCAbiWvpEKrL32f6E6Nv-LO1_aySByg

Not doing anything is not the same as saying:

Again: Overstated.

Let's have a look at:
ls -l /opt/payara5/glassfish/domains/

image

image

Please show these outputs:
which certbot
certbot certificates

Please show this output:
which certbot

And this file:
/var/log/letsencrypt/letsencrypt.log

2021-07-06 10:19:15,171:DEBUG:certbot._internal.main:certbot version: 1.11.0
2021-07-06 10:19:15,171:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-07-06 10:19:15,171:DEBUG:certbot._internal.main:Arguments: ['--webroot', '--webroot-path', '/opt/payara5/glassfish/domains/domain1/docroot', '--cert-name', 'helitowers.dsait.net', '-d', 'helitowers.dsait.net']
2021-07-06 10:19:15,171:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-07-06 10:19:15,193:DEBUG:certbot._internal.log:Root logging level set at 20
2021-07-06 10:19:15,193:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-07-06 10:19:15,207:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-07-06 10:19:15,209:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f09f6ab7fd0>
Prep: True
2021-07-06 10:19:15,209:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f09f6ab7fd0> and installer None
2021-07-06 10:19:15,209:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-07-06 10:19:15,254:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/118076228', new_authzr_uri=None, terms_of_service=None), 625f279e993d29397e50c7f714d8e17d, Meta(creation_host=u'vmi558898.contaboserver.net', register_to_eff=None, creation_dt=datetime.datetime(2021, 4, 5, 3, 46, 16, tzinfo=<UTC>)))>
2021-07-06 10:19:15,263:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-07-06 10:19:15,274:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-07-06 10:19:15,429:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2021-07-06 10:19:15,430:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Tue, 06 Jul 2021 16:19:15 GMT
x-frame-options: DENY
content-type: application/json

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "lSwovuu2jLE": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-07-06 10:19:15,447:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer <certbot._internal.cli.cli_utils._Default object at 0x7f09f66c3850>
2021-07-06 10:19:15,469:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-07-04 19:48:08 UTC.
2021-07-06 10:19:15,469:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
2021-07-06 10:19:15,484:DEBUG:certbot.display.util:Notifying user: Renewing an existing certificate for helitowers.dsait.net
2021-07-06 10:19:15,527:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0008_key-certbot.pem
2021-07-06 10:19:15,529:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0008_csr-certbot.pem
2021-07-06 10:19:15,530:DEBUG:acme.client:Requesting fresh nonce
2021-07-06 10:19:15,530:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-07-06 10:19:15,570:DEBUG:urllib3.connectionpool:"HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-07-06 10:19:15,572:DEBUG:acme.client:Received response:
HTTP 200
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
cache-control: public, max-age=0, no-cache
date: Tue, 06 Jul 2021 16:19:15 GMT
x-frame-options: DENY
replay-nonce: 0001nelxZcmmtaL3irX_ho-klQbpeNUCk_QX9P7N445hMUQ


2021-07-06 10:19:15,572:DEBUG:acme.client:Storing nonce: 0001nelxZcmmtaL3irX_ho-klQbpeNUCk_QX9P7N445hMUQ
2021-07-06 10:19:15,573:DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns", 
      "value": "helitowers.dsait.net"
    }
  ]
}
2021-07-06 10:19:15,574:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJub25jZSI6ICIwMDAxbmVseFpjbW10YUwzaXJYX2hvLWtsUWJwZU5VQ2tfUVg5UDdONDQ1aE1VUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzExODA3NjIyOCIsICJhbGciOiAiUlMyNTYifQ", 
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwgCiAgICAgICJ2YWx1ZSI6ICJoZWxpdG93ZXJzLmRzYWl0Lm5ldCIKICAgIH0KICBdCn0", 
  "signature": "IkdwNo5vgMqb7O5EtNOzphwiZLLc-Xi74ytq6zn2NpYeKeV5u96LnqRkkBWmCqqKXega78p9TtNEWrdPUCEgbeWxJm1L5Z7qM0r0pSNOOLVXGsInzCKQW5_Zd13CQ_1oJum-MNbs0d4NS83VERm3D6E7Lb9zUGGh0z1xNZY3NiB0Ore627v4WTq8LA9YjTYmMMk_C-uyifNmQwrZNM_UPU3a450jnU6VTclVTeRZS56zKoJigyJ_LW2RNFTjk5RnLc7hNvEC3m7ocv3qCM4P1TmvoDj4zCym1m4TRRrKI11BK5EtH1A1IVNfX_qIvigCQgIQQCkZCUKbuHoGT94_kg"
}
2021-07-06 10:19:15,755:DEBUG:urllib3.connectionpool:"POST /acme/new-order HTTP/1.1" 201 343
2021-07-06 10:19:15,756:DEBUG:acme.client:Received response:
HTTP 201
content-length: 343
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/118076228/10891113962
boulder-requester: 118076228
date: Tue, 06 Jul 2021 16:19:15 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001zQpcujYzqwqcYNkdxVAa8ZnbNRTbF8jizPfPOiQ66Yc

{
  "status": "pending",
  "expires": "2021-07-13T16:19:15Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "helitowers.dsait.net"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/14588967823"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/118076228/10891113962"
}
2021-07-06 10:19:15,756:DEBUG:acme.client:Storing nonce: 0001zQpcujYzqwqcYNkdxVAa8ZnbNRTbF8jizPfPOiQ66Yc
2021-07-06 10:19:15,756:DEBUG:acme.client:JWS payload:

2021-07-06 10:19:15,758:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/14588967823:
{
  "protected": "eyJub25jZSI6ICIwMDAxelFwY3VqWXpxd3FjWU5rZHhWQWE4Wm5iTlJUYkY4aml6UGZQT2lRNjZZYyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTQ1ODg5Njc4MjMiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE4MDc2MjI4IiwgImFsZyI6ICJSUzI1NiJ9", 
  "payload": "", 
  "signature": "MtAhqp6MwlVV3CzByvJdMXYWeN8DpFo5do38YEVHCh8xUu2VcnThGJU9vxlCozx1gPURhljnu08Dh3tNYJWg8he5v-datTgmXCBGCt9Plfg74Rv7iXhuJ4f0BMVF0lYv-GNBXTeor1irFx20DZj5twIkOydq_pxTbQtn1oLvF01ZtdqOmkhIlT9w6vGZo1JjtiaPqL04B_M3sKh2dHZH-Drtnu4y2pcrkc2MLp1AImau9EcCUauDQFVFFPHqQO-fNBdCEfTbWCC4ZiYlhJwOxJLKvgDNfbtmcZzy1LXMOibUuKIQu8eiViY_suEqS5rGFg_E93jlOwO7HpqFWb0ERg"
}
2021-07-06 10:19:15,807:DEBUG:urllib3.connectionpool:"POST /acme/authz-v3/14588967823 HTTP/1.1" 200 801
2021-07-06 10:19:15,808:DEBUG:acme.client:Received response:
HTTP 200
content-length: 801
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 118076228
date: Tue, 06 Jul 2021 16:19:15 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001rZUHTaH__1XGdSJ3Q0UweeDEo2Dq3JmHgSPY4aONCw0

{
  "identifier": {
    "type": "dns",
    "value": "helitowers.dsait.net"
  },
  "status": "pending",
  "expires": "2021-07-13T16:19:15Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14588967823/Aaf4xw",
      "token": "2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14588967823/TmoRGQ",
      "token": "2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14588967823/YdUSFw",
      "token": "2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ"
    }
  ]
}
2021-07-06 10:19:15,808:DEBUG:acme.client:Storing nonce: 0001rZUHTaH__1XGdSJ3Q0UweeDEo2Dq3JmHgSPY4aONCw0
2021-07-06 10:19:15,809:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-07-06 10:19:15,815:INFO:certbot._internal.auth_handler:http-01 challenge for helitowers.dsait.net
2021-07-06 10:19:15,817:INFO:certbot._internal.plugins.webroot:Using the webroot path /opt/payara5/glassfish/domains/domain1/docroot for all unmatched domains.
2021-07-06 10:19:15,818:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /opt/payara5/glassfish/domains/domain1/docroot/.well-known/acme-challenge
2021-07-06 10:19:15,824:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /opt/payara5/glassfish/domains/domain1/docroot/.well-known/acme-challenge/2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ
2021-07-06 10:19:15,825:INFO:certbot._internal.auth_handler:Waiting for verification...
2021-07-06 10:19:15,826:DEBUG:acme.client:JWS payload:
{}
2021-07-06 10:19:15,828:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/14588967823/Aaf4xw:
{
  "protected": "eyJub25jZSI6ICIwMDAxclpVSFRhSF9fMVhHZFNKM1EwVXdlZURFbzJEcTNKbUhnU1BZNGFPTkN3MCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMTQ1ODg5Njc4MjMvQWFmNHh3IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzExODA3NjIyOCIsICJhbGciOiAiUlMyNTYifQ", 
  "payload": "e30", 
  "signature": "tdleXkX8_EKmXNBlytxg5PkI3E88M3RPJglzBu3OzCD3vfmk_npCdbme6gKmSrHSrlotKBQO8Rxt2YFd4KOaU28Of05f7fI1_czWSddjQJKQhprrIknPGVPNkvT4ahAe9f8LsSoCentg73aRXinGPs2ib7I0mC3M8aI84YsGGxLUAkKSPP1X5_kVGEYUEy9h9hQpkO9kS6IUARg4FIcPS1YEWaZgrz283u7BecRjDnZbu_lGteMOJST7kpqcfgmVhqXqR95CdsNU1PQXR5ROAhYa1hVjs9ag-b15bKcZy7XOHIBQ9ieKc38vHtX8PZD6avnM04gNsE-jDFSMG-U9OQ"
}
2021-07-06 10:19:15,873:DEBUG:urllib3.connectionpool:"POST /acme/chall-v3/14588967823/Aaf4xw HTTP/1.1" 200 186
2021-07-06 10:19:15,874:DEBUG:acme.client:Received response:
HTTP 200
content-length: 186
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/14588967823>;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/14588967823/Aaf4xw
boulder-requester: 118076228
date: Tue, 06 Jul 2021 16:19:15 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0002y0LD4BYM6zVU_A5BC36fh-FtmgGUEmkDOZluYE1-ABY

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14588967823/Aaf4xw",
  "token": "2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ"
}
2021-07-06 10:19:15,874:DEBUG:acme.client:Storing nonce: 0002y0LD4BYM6zVU_A5BC36fh-FtmgGUEmkDOZluYE1-ABY
2021-07-06 10:19:16,876:DEBUG:acme.client:JWS payload:

2021-07-06 10:19:16,879:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/14588967823:
{
  "protected": "eyJub25jZSI6ICIwMDAyeTBMRDRCWU02elZVX0E1QkMzNmZoLUZ0bWdHVUVta0RPWmx1WUUxLUFCWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTQ1ODg5Njc4MjMiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTE4MDc2MjI4IiwgImFsZyI6ICJSUzI1NiJ9", 
  "payload": "", 
  "signature": "fFv81JvAZZwGHhQHTNDO1gvj417a1qkiD6ldotxzN1x1GXz9CXcXfYn_QsVRquQldL2Ca_2EsIMXfDgNBtF5GGFTb6P8MExGOZgYzNU2hrJ54EmtUK4VfVyFJ-UR8PDf0nt8OgQLl4xa6OpRVd5UqkI2NN5TKot45DeIDf2qjhkchdTZ9pHla2DA2I0gQLjg6PP7vU3WdMYskEcTeMoWxHvb3eI4nzD_zQmznCfmtheVb3xK_FFga-FIfGM-bBZCoKY9f5MXxYuBRLJ2DEWqfLE21X3VVPvFm_U4vF57v-B1g7rrQWaYik0e6u5mE9wX-vxXYRKB0EGQ-epOXgGJpw"
}
2021-07-06 10:19:16,926:DEBUG:urllib3.connectionpool:"POST /acme/authz-v3/14588967823 HTTP/1.1" 200 1294
2021-07-06 10:19:16,927:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1294
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
boulder-requester: 118076228
date: Tue, 06 Jul 2021 16:19:16 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 0001W5dUFCpgEQSE7mRc_EWhvyjxq-382qvFv3srF7PfIAI

{
  "identifier": {
    "type": "dns",
    "value": "helitowers.dsait.net"
  },
  "status": "invalid",
  "expires": "2021-07-13T16:19:15Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://helitowers.dsait.net/.well-known/acme-challenge/2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ [207.244.255.112]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/14588967823/Aaf4xw",
      "token": "2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ",
      "validationRecord": [
        {
          "url": "http://helitowers.dsait.net/.well-known/acme-challenge/2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ",
          "hostname": "helitowers.dsait.net",
          "port": "80",
          "addressesResolved": [
            "207.244.255.112"
          ],
          "addressUsed": "207.244.255.112"
        }
      ],
      "validated": "2021-07-06T16:19:15Z"
    }
  ]
}
2021-07-06 10:19:16,927:DEBUG:acme.client:Storing nonce: 0001W5dUFCpgEQSE7mRc_EWhvyjxq-382qvFv3srF7PfIAI
2021-07-06 10:19:16,928:WARNING:certbot._internal.auth_handler:Challenge failed for domain helitowers.dsait.net
2021-07-06 10:19:16,931:INFO:certbot._internal.auth_handler:http-01 challenge for helitowers.dsait.net
2021-07-06 10:19:16,932:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: helitowers.dsait.net
Type:   unauthorized
Detail: Invalid response from http://helitowers.dsait.net/.well-known/acme-challenge/2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ [207.244.255.112]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2021-07-06 10:19:16,934:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2021-07-06 10:19:16,934:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-07-06 10:19:16,934:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-07-06 10:19:16,935:DEBUG:certbot._internal.plugins.webroot:Removing /opt/payara5/glassfish/domains/domain1/docroot/.well-known/acme-challenge/2w6j1_8i4vfhZAuEK0f5l8L7MmPD9os3dPXHs2K3cAQ
2021-07-06 10:19:16,936:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-07-06 10:19:16,936:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1294, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 124, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 331, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.
2021-07-06 10:19:16,939:ERROR:certbot._internal.log:Some challenges have failed.
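
The failure pattern in the log above (certbot writes the token under the webroot, then the CA receives an HTML 404 from port 80), as an added example that is not part of the thread or of certbot: a Python parser for a certbot debug log that extracts each failed http-01 challenge and classifies it. The sample log, host, address, token and webroot are constructed placeholders, and the function names are this example's own.

```python
import json
import posixpath
import re

# Constructed excerpt modelled on the certbot debug log in this thread
# (placeholder host, address, token and webroot; not the poster's data).
SAMPLE_LOG = r'''
2021-01-01 00:00:00,100:INFO:certbot._internal.plugins.webroot:Using the webroot path /srv/appserver/docroot for all unmatched domains.
2021-01-01 00:00:00,110:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /srv/appserver/docroot/.well-known/acme-challenge/CONSTRUCTED-TOKEN
2021-01-01 00:00:00,120:DEBUG:acme.client:JWS payload:
{}
2021-01-01 00:00:01,200:DEBUG:acme.client:Received response:
HTTP 200
content-type: application/json

{
  "identifier": {"type": "dns", "value": "example.test"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://example.test/.well-known/acme-challenge/CONSTRUCTED-TOKEN [203.0.113.10]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\"",
        "status": 403
      },
      "token": "CONSTRUCTED-TOKEN",
      "validationRecord": [
        {"url": "http://example.test/.well-known/acme-challenge/CONSTRUCTED-TOKEN", "hostname": "example.test", "port": "80", "addressUsed": "203.0.113.10"}
      ]
    }
  ]
}
2021-01-01 00:00:01,300:WARNING:certbot._internal.auth_handler:Challenge failed for domain example.test
'''

WEBROOT_RE = re.compile(r"plugins\.webroot:Using the webroot path (\S+) for")
SAVED_RE = re.compile(r"plugins\.webroot:Attempting to save validation to (\S+)")


def json_blocks(text):
    """Yield each top-level JSON object certbot pretty-printed into the log."""
    buf = None
    for line in text.splitlines():
        if buf is None:
            if line.rstrip() == "{":          # "{}" payload lines are skipped
                buf = [line]
        else:
            buf.append(line)
            if line.rstrip() == "}":          # nested closers are indented
                try:
                    yield json.loads("\n".join(buf))
                except ValueError:
                    pass                      # truncated block: ignore it
                buf = None


def failed_http01(text):
    """Return one finding per invalid http-01 challenge found in the log."""
    webroot = WEBROOT_RE.search(text)
    saved = SAVED_RE.findall(text)
    findings = []
    for obj in json_blocks(text):
        if obj.get("status") != "invalid":
            continue
        for ch in obj.get("challenges", []):
            if ch.get("type") != "http-01" or ch.get("status") != "invalid":
                continue
            # Last record is the final hop if redirects were followed.
            rec = (ch.get("validationRecord") or [{}])[-1]
            detail = ch.get("error", {}).get("detail", "")
            written = any(posixpath.basename(p) == ch.get("token") for p in saved)
            if not written:
                diagnosis = "file-not-written"
            elif "404 Not Found" in detail:
                # Token was on disk, yet port 80 answered with its own 404:
                # that server's document root is not the --webroot-path.
                diagnosis = "webroot-not-served"
            else:
                diagnosis = "other"
            findings.append({
                "webroot": webroot.group(1) if webroot else None,
                "address": rec.get("addressUsed"),
                "port": rec.get("port"),
                "token_written": written,
                # Heuristic: Apache httpd's built-in error pages use this DOCTYPE.
                "looks_like_apache_page": "-//IETF//DTD HTML 2.0//EN" in detail,
                "diagnosis": diagnosis,
            })
    return findings


if __name__ == "__main__":
    for finding in failed_http01(SAMPLE_LOG):
        print(finding)
```

To run it against a real log, pass the contents of `/var/log/letsencrypt/letsencrypt.log` to `failed_http01`. A `webroot-not-served` result points at whichever virtual host answers on port 80, which is what `apachectl -S` lists.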

AND also this file:
/etc/letsencrypt/renewal/helitowers.dsait.net.conf

AND also the output of:
sudo apachectl -S

image