Certificate renewal error

Hello, I'm having a problem renewing my certificate.

I have an EC2 instance at AWS, everything was working fine.
But this summer the customer changed domain name provider from OVH to PlanetHoster, so in the meantime the certificate has expired.
The sub-domain soge.iu-data.fr does point to the server's IP address.
Here's the info below, thanks for your help, I'm stuck.

My domain is: https://soge.iu-data.fr

I ran this command: certbot renew

It produced this output: No renewals were attempted

My web server is (include version): Apache/2.4.6

The operating system my web server runs on is (include version): Red Hat Enterprise Linux Server release 7.9 (Maipo)

My hosting provider, if applicable, is: PlanetHoster

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Below, you'll find more commands executed on the server:

[root@soge ~]# echo | openssl s_client -connect soge.iu-data.fr:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Apr 17 13:06:05 2024 GMT
notAfter=Jul 16 13:06:04 2024 GMT

[root@soge ~]# certbot certificates
No certificates found.

[root@soge ~]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: soge.iu-data.fr


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for soge.iu-data.fr
Performing the following challenges:
http-01 challenge for soge.iu-data.fr
Waiting for verification...
Challenge failed for domain soge.iu-data.fr
http-01 challenge for soge.iu-data.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: soge.iu-data.fr
    Type: connection
    Detail: 16.16.53.216: Fetching
    http://soge.iu-data.fr/.well-known/acme-challenge/Iqee3FfpWlZ8j_gLVYnUHlBMAwSa31_vtPqGMmiTt0k:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Hi @abipit, and welcome to the LE community forum :slight_smile:

That would make it hard, if not impossible, to renew a cert.
Did it previously have a cert?
Did someone delete it?
Did the server change?

Doesn't that mean that they changed their hosting too?

That said, we should probably treat this as a new cert [for this new server].

Please show the output of:

sudo apachectl -t -D DUMP_VHOSTS


You may also need to open port 80 to the Internet.
OR ensure HTTP can reach your server from the Internet.

My IP gets:

curl -Ii soge.iu-data.fr
curl: (7) Failed to connect to soge.iu-data.fr port 80 after 138 ms: No route to host

Hi @rg305 and thank you for your response :slight_smile:

Yes, I agree, I think we need to treat this as a new cert, no problem.
Because, before posting this topic, I tried a lot of things. No certificates found, yes, maybe it's my fault with my tests.
The server and the hosting did not change, just the domain name (and sub-domain) from OVH to PlanetHoster.

Thank you

[root@soge ~]# apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::400:5eff:fe8a:b9ff. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80 soge.iu-data.fr (/etc/httpd/conf.d/soge.conf:1)
*:443 is a NameVirtualHost
default server soge.iu-data.fr (/etc/httpd/conf.d/soge-le-ssl.conf:2)
port 443 namevhost soge.iu-data.fr (/etc/httpd/conf.d/soge-le-ssl.conf:2)
alias soge.iu-data.fr
port 443 namevhost fe80::400:5eff:fe8a:b9ff (/etc/httpd/conf.d/ssl.conf:56)
[root@soge ~]#


Please show these two files:

And also address my previously encountered error/access denial:


Port 80 is open on AWS.

But when I check the firewall on the server:

[root@soge ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client https samba ssh
  ports: 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I'm not sure you actually need a firewall running on the local server - since AWS does that for you.
That said, you don't have to disable it.
You do have to get it to allow HTTP [TCP port 80] inbound.

[root@soge ~]# cat /etc/httpd/conf.d/soge.conf
<VirtualHost *:80>
  ServerName soge.iu-data.fr
  ServerAlias soge.iu-data.fr
  DocumentRoot /applis/soge/web/sographic/htdocs/web
  <Directory /applis/soge/web/sographic/htdocs/web>
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
  ErrorLog /applis/soge/web/sographic/logs/soge.log
  CustomLog /applis/soge/web/sographic/logs/soge.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =soge.iu-data.fr
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
[root@soge ~]#
[root@soge ~]# cat /etc/httpd/conf.d/soge-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName soge.iu-data.fr
  ServerAlias soge.iu-data.fr
  DocumentRoot /applis/soge/web/sographic/htdocs/web
  <Directory /applis/soge/web/sographic/htdocs/web>
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
  ErrorLog /applis/soge/web/sographic/logs/soge.log
  CustomLog /applis/soge/web/sographic/logs/soge.log combined
#SSLCertificateFile /etc/letsencrypt/live/soge.iu-data.fr/cert.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/soge.iu-data.fr/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
#SSLCertificateChainFile /etc/letsencrypt/live/soge.iu-data.fr/chain.pem

SSLCertificateFile /etc/letsencrypt/live/soge.iu-data.fr/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/soge.iu-data.fr/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/soge.iu-data.fr/privkey.pem

</VirtualHost>
</IfModule>

It's done! Do you confirm too?

[root@soge ~]# curl -Ii soge.iu-data.fr
HTTP/1.1 301 Moved Permanently
Date: Wed, 18 Sep 2024 08:45:04 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips PHP/7.1.33
Location: https://soge.iu-data.fr/
Content-Type: text/html; charset=iso-8859-1

You should remove these unused lines:

You should remove the unnecessary aliases:

All else seems OK.

Even port 80 seems to work now:

curl -Ii soge.iu-data.fr
HTTP/1.1 301 Moved Permanently
Date: Wed, 18 Sep 2024 08:48:22 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.2k-fips PHP/7.1.33
Location: https://soge.iu-data.fr/
Content-Type: text/html; charset=iso-8859-1

Try again:
certbot --apache


[root@soge ~]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: soge.iu-data.fr


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for soge.iu-data.fr
Performing the following challenges:
http-01 challenge for soge.iu-data.fr
Waiting for verification...
Challenge failed for domain soge.iu-data.fr
http-01 challenge for soge.iu-data.fr
Cleaning up challenges
Error while running apachectl graceful.

Job for httpd.service invalid.

Unable to restart apache using ['apachectl', 'graceful']

Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Encountered exception during recovery: MisconfigurationError: Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: soge.iu-data.fr
    Type: connection
    Detail: 16.16.53.216: Fetching
    http://soge.iu-data.fr/.well-known/acme-challenge/IS3WhLsGQdRLEwlA56GX9dD77_gbOvUMMUZGwGa81xo:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    [root@soge ~]#

===================================

[root@soge ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

===================================

[root@soge ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-09-18 10:59:11 CEST; 7s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 2371 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
Process: 2422 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 2422 (code=exited, status=1/FAILURE)

Sep 18 10:59:11 soge systemd[1]: Starting The Apache HTTP Server...
Sep 18 10:59:11 soge httpd[2422]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::400:5eff:fe8a:b9ff. Set the 'ServerName' direc...s this message
Sep 18 10:59:11 soge systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Sep 18 10:59:11 soge systemd[1]: Failed to start The Apache HTTP Server.
Sep 18 10:59:11 soge systemd[1]: Unit httpd.service entered failed state.
Sep 18 10:59:11 soge systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

===================================

[root@soge ~]# journalctl -xe
Sep 18 10:58:47 soge systemd[1]: Stopped The Apache HTTP Server.
-- Subject: Unit httpd.service has finished shutting down
-- Defined-By: systemd
-- Support: systemd-devel Info Page
--
-- Unit httpd.service has finished shutting down.
Sep 18 10:58:47 soge systemd[1]: Unit httpd.service entered failed state.
Sep 18 10:58:47 soge systemd[1]: httpd.service failed.
Sep 18 10:58:47 soge systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: systemd-devel Info Page
--
-- Unit httpd.service has begun starting up.
Sep 18 10:58:48 soge httpd[2410]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::400:5eff:fe8a:b9ff. Set the 'ServerName' directive globally to
Sep 18 10:58:48 soge systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Sep 18 10:58:48 soge systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: systemd-devel Info Page
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Sep 18 10:58:48 soge systemd[1]: Unit httpd.service entered failed state.
Sep 18 10:58:48 soge systemd[1]: httpd.service failed.
Sep 18 10:58:48 soge polkitd[508]: Unregistered Authentication Agent for unix-process:2389:570652 (system bus name :1.48, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (di
Sep 18 10:59:11 soge polkitd[508]: Registered Authentication Agent for unix-process:2416:574946 (system bus name :1.49 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/
Sep 18 10:59:11 soge systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: systemd-devel Info Page
--
-- Unit httpd.service has begun starting up.
Sep 18 10:59:11 soge httpd[2422]: AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::400:5eff:fe8a:b9ff. Set the 'ServerName' directive globally to
Sep 18 10:59:11 soge systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Sep 18 10:59:11 soge systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: systemd-devel Info Page
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Sep 18 10:59:11 soge systemd[1]: Unit httpd.service entered failed state.
Sep 18 10:59:11 soge systemd[1]: httpd.service failed.
Sep 18 10:59:11 soge polkitd[508]: Unregistered Authentication Agent for unix-process:2416:574946 (system bus name :1.49, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.
[root@soge ~]#

[root@soge ~]# ls -l /etc/letsencrypt/live/
total 4
-rw-r--r-- 1 root root 740 Apr 17 16:06 README
drwxr-xr-x 2 root root 79 Sep 11 22:40 soge.iu-data.fr

[root@soge ~]# ls -l /etc/letsencrypt/live/soge.iu-data.fr/
total 0
lrwxrwxrwx 1 root root 39 Sep 11 22:36 cert.pem -> ../../archive/soge.iu-data.fr/cert1.pem
lrwxrwxrwx 1 root root 40 Sep 11 22:38 chain.pem -> ../../archive/soge.iu-data.fr/chain1.pem
lrwxrwxrwx 1 root root 44 Sep 11 22:38 fullchain.pem -> ../../archive/soge.iu-data.fr/fullchain1.pem
lrwxrwxrwx 1 root root 42 Sep 11 22:39 privkey.pem -> ../../archive/soge.iu-data.fr/privkey1.pem

Try:

certbot certonly \
--webroot -w /applis/soge/web/sographic/htdocs/web \
-d soge.iu-data.fr

[root@soge ~]# certbot certonly --webroot -w /applis/soge/web/sographic/htdocs/web -d soge.iu-data.fr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for soge.iu-data.fr
Performing the following challenges:
http-01 challenge for soge.iu-data.fr
Using the webroot path /applis/soge/web/sographic/htdocs/web for all unmatched domains.
Waiting for verification...
Challenge failed for domain soge.iu-data.fr
http-01 challenge for soge.iu-data.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: soge.iu-data.fr
    Type: connection
    Detail: 16.16.53.216: Fetching
    http://soge.iu-data.fr/.well-known/acme-challenge/k3OsM3i_gojDssrDoDKSpDHWBWNloJSLRFVa3xf0EIQ:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

hmm...

Did you change anything within the firewalls and port 80?

Now I see this again:

curl -Ii soge.iu-data.fr
curl: (7) Failed to connect to soge.iu-data.fr port 80 after 210 ms: Connection refused

Yes, the restart of Apache has been failing since the changes in the file /etc/httpd/conf.d/soge-le-ssl.conf.
Apache no longer restarts.

Please show that file.


[root@soge ~]# cat /etc/httpd/conf.d/soge-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName soge.iu-data.fr
#ServerAlias soge.iu-data.fr
  DocumentRoot /applis/soge/web/sographic/htdocs/web
  <Directory /applis/soge/web/sographic/htdocs/web>
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
  ErrorLog /applis/soge/web/sographic/logs/soge.log
  CustomLog /applis/soge/web/sographic/logs/soge.log combined
#SSLCertificateFile /etc/letsencrypt/live/soge.iu-data.fr/cert.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/soge.iu-data.fr/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
#SSLCertificateChainFile /etc/letsencrypt/live/soge.iu-data.fr/chain.pem

#SSLCertificateFile /etc/letsencrypt/live/soge.iu-data.fr/cert.pem
#SSLCertificateChainFile /etc/letsencrypt/live/soge.iu-data.fr/chain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/soge.iu-data.fr/privkey.pem


</VirtualHost>
</IfModule>

Now they are in twice and all are disabled.
Remove the first three lines and uncomment the last three lines.

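A preflight check for the two things this thread tripped over before `certbot` could succeed: firewalld on the server not admitting TCP/80 (the earlier `firewall-cmd --list-all` output), and a `*:443` vhost whose `SSLCertificateFile`/`SSLCertificateKeyFile` lines were all commented out, which is why httpd refused to start. This is an added example, not code from the thread or from Certbot; the firewalld listing and the vhost fragment are constructed samples modelled on the outputs posted above, and the function names are my own.

```python
import re

# Constructed sample of `firewall-cmd --list-all`, mirroring the zone in the
# thread: https and 443/tcp are allowed, nothing admits HTTP on port 80.
FIREWALLD_SAMPLE = """public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client https samba ssh
  ports: 443/tcp
  protocols:
  masquerade: no
"""

# Constructed vhost fragment with the mid-thread defect: every certificate
# directive is commented out, so mod_ssl has no cert or key for this vhost.
VHOST_SAMPLE = """<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName soge.iu-data.fr
  Include /etc/letsencrypt/options-ssl-apache.conf
#SSLCertificateFile /etc/letsencrypt/live/soge.iu-data.fr/cert.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/soge.iu-data.fr/privkey.pem
</VirtualHost>
</IfModule>
"""


def firewalld_allows_http(listing: str) -> bool:
    """True if the zone admits TCP/80, via the 'http' service or an explicit port entry."""
    services, ports = set(), set()
    for line in listing.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "services":
            services = set(value.split())
        elif key == "ports":
            ports = set(value.split())
    return "http" in services or "80/tcp" in ports


def ssl_vhost_problems(config: str) -> list:
    """One message per <VirtualHost *:443> that lacks exactly one active cert and key directive."""
    problems = []
    for match in re.finditer(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", config, re.S):
        # Keep only the directive names of lines that are neither blank nor commented out.
        active = [ln.split()[0] for ln in match.group(1).splitlines()
                  if ln.strip() and not ln.strip().startswith("#")]
        for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            count = active.count(directive)
            if count != 1:
                problems.append(f"{directive}: {count} active occurrence(s), expected 1")
    return problems


if __name__ == "__main__":
    print("port 80 admitted:", firewalld_allows_http(FIREWALLD_SAMPLE))
    print("vhost problems:", ssl_vhost_problems(VHOST_SAMPLE))
```

Feeding it the real outputs (`firewall-cmd --list-all` and the contents of `/etc/httpd/conf.d/soge-le-ssl.conf`) tells you whether the http-01 challenge can even reach Apache and whether the 443 vhost will let httpd start, before another `certbot --apache` run is attempted.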

[root@soge ~]# cat /etc/httpd/conf.d/soge-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName soge.iu-data.fr
  DocumentRoot /applis/soge/web/sographic/htdocs/web
  <Directory /applis/soge/web/sographic/htdocs/web>
      Options -Indexes +FollowSymLinks
      AllowOverride All
  </Directory>
  ErrorLog /applis/soge/web/sographic/logs/soge.log
  CustomLog /applis/soge/web/sographic/logs/soge.log combined
  Include /etc/letsencrypt/options-ssl-apache.conf

SSLCertificateFile /etc/letsencrypt/live/soge.iu-data.fr/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/soge.iu-data.fr/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/soge.iu-data.fr/privkey.pem

</VirtualHost>
</IfModule>

[root@soge ~]#
[root@soge ~]# systemctl start httpd
[root@soge ~]#