Certificate renewal fails with certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lajung.com.my

I ran this command:
/usr/local/certbot-auto renew --no-self-upgrade --post-hook "/opt/rh/httpd24/root/usr/sbin/apachectl -k restart" >> /var/log/cert-renew.log

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 0.36.0 renewal configuration file found at /etc/letsencrypt/renewal/lajung.com.my.conf with version 0.35.1 of Certbot. This might not work.
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lajung.com.my
Waiting for verification…
Challenge failed for domain lajung.com.my
http-01 challenge for lajung.com.my
Cleaning up challenges
Attempting to renew cert (lajung.com.my) from /etc/letsencrypt/renewal/lajung.com.my.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lajung.com.my/fullchain.pem (failure)
Running post-hook command: /opt/rh/httpd24/root/usr/sbin/apachectl -k restart
Output from post-hook command apachectl:
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.

1 renew failure(s), 0 parse failure(s)

My web server is (include version):
httpd24-httpd
Server version: Apache/2.4.34 (Red Hat)

The operating system my web server runs on is (include version):
CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don’t know):
No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

[root@lajung ~]# certbot --version
certbot 1.6.0
[root@lajung ~]#

[root@lajung ~]# certbot-auto --version
bash: certbot-auto: command not found
[root@lajung ~]#

Hi @anaigini

There are some problems.

  • There is no Letsencrypt error visible, so relevant information is missing
  • Your script doesn’t work. Change that.
  • Your command uses certbot-auto, but your version is certbot. certbot-auto --version with the same path as in your command is required. Having two certbot versions is always bad.

Hi @JuergenAuer,

I tried other commands (from answers in the Let’s Encrypt forums itself). The first one to test:

[root@lajung ~]# certbot renew -a webroot -w /opt/rh/httpd24/root/var/www/html --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lajung.com.my.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lajung.com.my
Using the webroot path /opt/rh/httpd24/root/var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain lajung.com.my
http-01 challenge for lajung.com.my
Cleaning up challenges
Attempting to renew cert (lajung.com.my) from /etc/letsencrypt/renewal/lajung.com.my.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lajung.com.my/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lajung.com.my/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: lajung.com.my
   Type:   unauthorized
   Detail: Invalid response from
   http://lajung.com.my/.well-known/acme-challenge/iaqbcwWnmV2ijPgXhwUfC1eF4tQYq8RXEi2y1UfTUP8
   [103.240.177.72]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>403
   Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

And the second one:

[root@lajung ~]# certbot renew --cert-name lajung.com.my --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lajung.com.my.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
Attempting to renew cert (lajung.com.my) from /etc/letsencrypt/renewal/lajung.com.my.conf produced an unexpected error: The requested apache plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lajung.com.my/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lajung.com.my/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

So we know you already have all relevant information. Fix your bug.

Umh… not like that, actually. I just put in some effort to figure out if I could resolve it.
However, since you mentioned a bug, this is the output of “certbot plugins”:

[root@lajung ~]# certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[root@lajung ~]#

And this is the certbot config file for this domain:

[root@lajung ~]# cat /etc/letsencrypt/renewal/lajung.com.my.conf
# renew_before_expiry = 30 days
version = 0.36.0
archive_dir = /etc/letsencrypt/archive/lajung.com.my
cert = /etc/letsencrypt/live/lajung.com.my/cert.pem
privkey = /etc/letsencrypt/live/lajung.com.my/privkey.pem
chain = /etc/letsencrypt/live/lajung.com.my/chain.pem
fullchain = /etc/letsencrypt/live/lajung.com.my/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 956f742f1afb0d4948e306dda015e82b
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
lajung.com.my = /opt/rh/httpd24/root/var/www/html/

And these are from the logs:

2020-08-25 16:03:52,645:DEBUG:certbot._internal.main:certbot version: 1.6.0
2020-08-25 16:03:52,645:DEBUG:certbot._internal.main:Arguments: []
2020-08-25 16:03:52,645:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-08-25 16:03:52,691:DEBUG:certbot._internal.log:Root logging level set at 20
2020-08-25 16:03:52,691:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-08-25 16:03:52,693:DEBUG:certbot._internal.main:Expected interfaces: None
2020-08-25 16:03:52,693:DEBUG:certbot._internal.main:Filtered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#webroot)
/var/log/letsencrypt/letsencrypt.log (END)

Not sure which one is the bug here.

Please read your output:

Now you have the expected HTTP status 404 - Not Found checking /.well-known/acme-challenge/random-filename.

That’s the expected result.

Yes, thx. I edited the “Options” value for the /.well-known/acme-challenge path and it worked.
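The 403 above is the webserver, not Let's Encrypt, refusing the challenge path, and the later 404 is what a correctly configured but empty challenge directory returns. A pre-flight check that reproduces what the validator does (drop a token under the webroot, fetch it over plain HTTP, interpret the status) catches both cases before `certbot renew` is run; this is an added example, not code from the thread or from certbot. DOMAIN and WEBROOT default to the values in the renewal config above; `diagnose_acme_response` and `probe_acme_path` are names chosen here.

```shell
#!/bin/sh
# Pre-flight check for certbot's webroot http-01 challenge (added example).
# Places a throwaway token under the webroot, fetches it the way the
# Let's Encrypt validator would, and explains the HTTP status it gets back.
DOMAIN="${DOMAIN:-lajung.com.my}"
WEBROOT="${WEBROOT:-/opt/rh/httpd24/root/var/www/html}"

# Map an HTTP status and response body to a diagnosis.
# Usage: diagnose_acme_response STATUS BODY EXPECTED_TOKEN
diagnose_acme_response() {
  status="$1"; body="$2"; expected="$3"
  case "$status" in
    200)
      if [ "$body" = "$expected" ]; then
        echo "OK: webroot serves /.well-known/acme-challenge/ correctly"
      else
        echo "MISMATCH: another host or vhost answered; check the DNS A record and the VirtualHost for $DOMAIN"
      fi ;;
    403) echo "FORBIDDEN: the webserver denies the path; check Options/Require (and any .htaccess) for the webroot and .well-known/acme-challenge" ;;
    404) echo "NOTFOUND: the webserver serves a different DocumentRoot than the webroot path given to certbot" ;;
    301|302|307|308) echo "REDIRECT: the redirect target must still serve the same challenge directory" ;;
    000) echo "UNREACHABLE: nothing answered on port 80; check that httpd is running and the firewall allows it" ;;
    *)   echo "UNEXPECTED: HTTP $status" ;;
  esac
}

# Create a token file under the webroot, fetch it, clean up, print the diagnosis.
probe_acme_path() {
  dir="$WEBROOT/.well-known/acme-challenge"
  token="preflight-$(date +%s)-$$"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' \
           "http://$DOMAIN/.well-known/acme-challenge/$token" || true)
  [ -n "$status" ] || status=000
  body=$(cat "$tmp"); rm -f "$tmp" "$dir/$token"
  diagnose_acme_response "$status" "$body" "$token"
}

# Only probe when explicitly asked, so the functions can be sourced safely.
if [ "${PROBE_ACME_PATH:-0}" = "1" ]; then probe_acme_path; fi
```

Run it as `PROBE_ACME_PATH=1 sh preflight.sh` on the webserver; a FORBIDDEN result on Apache usually means the `<Directory>` covering the webroot (or an `.htaccess`) lacks `Require all granted` for `.well-known/acme-challenge`, which is the "Options" fix mentioned in the last reply.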