Certificate generation failing because of 404 error

SELinux be blocking it? - I will read about this.

Or, could your echo to the terminal just be lost and some other problem causing the load balancer commands to not run? -- I will try to remove everything from deploy-hook.sh except the echo statement and see if it is getting called.

And, what do you mean it runs ok from renew.sh? --- I was just doing a test. When I removed the certbot force-renewal command and called deploy-hook.sh directly from renew.sh, it was getting called.

renew.sh is a file which contains the certbot force-renewal command with the --deploy-hook option as well; this --deploy-hook needs to call the deploy-hook.sh file, which basically needs to do some stuff after successful renewal.

1 Like

Why would you need to forcibly renew any certificates?

5 Likes

I will schedule it to run every month via a cron job. Currently I am getting a "too many certificates" error. I will retry after a couple of days.

Stop forcing it to renew.

5 Likes

Sure, I have found the way not to renew it forcefully.

Thank you all for your quick support. I have found the reason for and solution to my problem.

1 Like

It would be nice if you would detail whatever was learned here.
So that others may benefit from it.

5 Likes

Sure, here are my learnings, which might help others:

  1. How I sorted out the 404 issue in Tomcat: I created an action (in struts.xml) similar to .well-known/acme-challenge/* using a wildcard (*) in my Struts2 application. The corresponding Java class for this action provides the download facility for the file dynamically generated by Let's Encrypt.

  2. The reason the deploy hook was not getting executed: my deploy-hook script contains oci commands. The oci lb command that I was using to reload the certificate to the load balancer was looking for a config file for the root user. It's a file which contains the required credentials to run oci commands. After setting up the file, it started executing properly.

  3. How I stopped force-renewal: my renew script calculates the remaining days of the certificate; only if it's less than 30 days does it go for renewal, using the certbot renew command without --force-renewal.

3 Likes
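A deploy hook written the way the learnings above point to (log to a file instead of the terminal, give the oci CLI an explicit credentials file so it works when certbot runs as root from cron, and refuse to run when the renewed files are not there), as an added example and not the poster's own deploy-hook.sh; the log path, the OCI config path and the load balancer OCID are placeholders:

```shell
#!/bin/sh
# deploy-hook.sh: a certbot --deploy-hook that logs to a file, fails loudly and
# points the OCI CLI at an explicit config so it works when certbot runs as root
# from cron. Added example, not the poster's script; paths, the log location and
# the load balancer OCID are assumptions/placeholders.
set -eu

LOG_FILE="${LOG_FILE:-/var/log/certbot-deploy-hook.log}"
LB_OCID="${LB_OCID:-ocid1.loadbalancer.oc1..REPLACE_ME}"   # placeholder: your LB's OCID
# The oci CLI reads the *invoking* user's ~/.oci/config. Under cron that user is
# root, which is why the hook in the thread silently found no credentials.
export OCI_CLI_CONFIG_FILE="${OCI_CLI_CONFIG_FILE:-/root/.oci/config}"

# Under cron, echo to the terminal goes nowhere; append timestamped lines to a file.
log() {
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE"
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS to a deploy hook, and only when a renewal actually happened.
# Refuse to continue unless the files the load balancer needs are really there.
require_lineage() {
  lineage="$1"
  [ -n "$lineage" ] || { log "RENEWED_LINEAGE is empty; hook must be run by certbot"; return 1; }
  for f in fullchain.pem privkey.pem; do
    [ -r "$lineage/$f" ] || { log "missing or unreadable $lineage/$f"; return 1; }
  done
  [ -r "$OCI_CLI_CONFIG_FILE" ] || { log "no OCI config at $OCI_CLI_CONFIG_FILE"; return 1; }
}

# Load balancer certificate names must be unique, so stamp the name with a time.
cert_name() {
  printf 'le-%s-%s' "$1" "$2"
}

main() {
  require_lineage "${RENEWED_LINEAGE:-}"
  name=$(cert_name "$(basename "$RENEWED_LINEAGE")" "$(date -u +%Y%m%d%H%M%S)")
  log "deploying $name for ${RENEWED_DOMAINS:-?} to $LB_OCID"
  # Upload the renewed chain and key as a new certificate bundle on the LB.
  # Attaching it to the listener is a separate command and is not shown here.
  oci lb certificate create \
      --load-balancer-id "$LB_OCID" \
      --certificate-name "$name" \
      --public-certificate-file "$RENEWED_LINEAGE/fullchain.pem" \
      --private-key-file "$RENEWED_LINEAGE/privkey.pem" >>"$LOG_FILE" 2>&1 \
    || { log "oci lb certificate create failed"; return 1; }
  log "done"
}

# Certbot sets RENEWED_LINEAGE; when the file is sourced by hand, nothing runs,
# so the functions above can be exercised in isolation.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Because the script exits non-zero on any missing input or failed oci call, certbot reports the hook failure in its own output and log instead of the renewal appearing to succeed while the load balancer keeps the old certificate.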

You don't have to do your own check for less than 30 days. certbot renew does that already. That is, it checks the days remaining on the cert and renews if and only if needed.

4 Likes

Ya, that's right. Actually my renew script is scheduled to run every 15 days; I just don't want my script to attempt the renewal if the expiration of the current certificate is greater than 30 days.

That's too few attempts. Temporary failures can occur with Let's Encrypt itself. And, problems on your end can develop which may take time to resolve.

certbot renew doesn't do much until the cert is nearing expiration (<30 days remaining, as they are now). It just looks at the cert on your local system. If it is "fresh enough" then nothing more is done. If it needs renewal then the hooks and renewal process are attempted.

Given how little work happens just to check, we recommend running at least daily.

5 Likes

And depending on your "schedule" implementation...
Twice a day may help to offset any "busy time of the day".

Are you using some sort of random time offset in your scheduling?

For the improvement of general knowledge:
“Insanity is doing the same thing over and over and expecting different results.”
-Albert Einstein

Soooo....
If/when it fails at any specific point in time, it makes no sense to try again on another day at that same point in time of the day - odds are not in your favor.

4 Likes

Sure, I will give it a thought and try to increase the frequency of renewal attempts.

1 Like

If you can use an odd interval like 23h21m instead of 24h, then it will auto-adjust.

3 Likes
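A cron wrapper that follows the scheduling advice in the replies above (run twice daily, add a random offset so a failure is not retried at the same time of day, and never pass --force-renewal), added here as an example and not part of the thread; the install paths, log file and crontab line are assumptions:

```shell
#!/bin/sh
# renew-with-jitter.sh: cron wrapper around "certbot renew". Added example, not
# from the thread; the install path, log file and crontab line are assumptions.
#
# Run twice a day; the random sleep below keeps the actual attempt from landing
# on the same minute every run, so a transient failure is retried at a
# different time of day:
#
#   0 */12 * * * root /usr/local/sbin/renew-with-jitter.sh run
set -eu

LOG_FILE="${LOG_FILE:-/var/log/certbot-renew.log}"
MAX_JITTER="${MAX_JITTER:-3600}"   # spread attempts over up to an hour

log() {
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE"
}

# Random integer in [0, max). Uses awk's rand() because $RANDOM is not POSIX sh.
# An explicit seed makes the result reproducible (handy for testing); with no
# seed, awk seeds from the time of day.
jitter_seconds() {
  max="$1"
  seed="${2:-}"
  if [ -n "$seed" ]; then
    awk -v m="$max" -v s="$seed" 'BEGIN { srand(s); print int(rand() * m) }'
  else
    awk -v m="$max" 'BEGIN { srand(); print int(rand() * m) }'
  fi
}

renew() {
  delay=$(jitter_seconds "$MAX_JITTER")
  log "sleeping ${delay}s before certbot renew"
  sleep "$delay"
  # No --force-renewal: certbot inspects the local certs and only contacts
  # Let's Encrypt (and runs the deploy hook) for those inside the renewal
  # window, so running this often is cheap and stays clear of rate limits.
  if certbot -q renew --deploy-hook /usr/local/sbin/deploy-hook.sh >>"$LOG_FILE" 2>&1; then
    log "certbot renew finished"
  else
    rc=$?
    log "certbot renew failed with exit status $rc"
    return "$rc"
  fi
}

# Only act when invoked with "run" (as in the crontab line above); sourcing the
# file by hand just defines the functions.
case "${1:-}" in
  run) renew ;;
esac
```

A non-zero exit from certbot propagates out of the script, so cron's mail (or whatever collects job failures) shows the problem the same day rather than weeks later when the certificate is already close to expiry.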
