Certificate renewal failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: webmail.at.fcen.uba.ar

I ran this command: certbot renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/webmail.at.fcen.uba.ar.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webmail.at.fcen.uba.ar
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (webmail.at.fcen.uba.ar) from /etc/letsencrypt/renewal/webmail.at.fcen.uba.ar.conf produced an unexpected error: Failed authorization procedure. webmail.at.fcen.uba.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://webmail.at.fcen.uba.ar/.well-known/acme-challenge/T0hmzim5M8Bg2Rv2bbVfYqfqo-CB15WB1DJjmJ9TSOo [157.92.28.15]: “\n\n404 Not Found\n\nNot Found\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/webmail.at.fcen.uba.ar/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/webmail.at.fcen.uba.ar/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: local/at.fcen.uba.ar

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Thanks in advance!!

2 Likes

Welcome to the Let’s Encrypt Community :slightly_smiling_face:

According to https://crt.sh/?q=webmail.at.fcen.uba.ar it looks like a certificate was successfully generated previously for webmail.at.fcen.uba.ar, but is now expired and still being served. At present, it appears that the Let’s Encrypt server is unable to retrieve the http-01 challenge file to verify your control of webmail.at.fcen.uba.ar. I’ve also noticed that your version of certbot is rather outdated (0.31.0), but I’m not sure if that’s really related to what you’re experiencing.

Perhaps try the following:
certbot certonly --apache --dry-run

3 Likes

Hi @lastudillo

If webroot doesn't work, your webroot is wrong. And 0.31 sometimes has a webroot-relevant bug.

So, first step: what is the output of

apachectl -S
3 Likes

Hi @griffin

Thanks for the welcome! I installed it using aptitude. It says that it is the latest version. I see now that it is outdated :confused:

Hi @JuergenAuer

Thanks for the reply! Here is the output of apachectl -S:

VirtualHost configuration:
*:80 webmail.at.fcen.uba.ar (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 webmail.at.fcen.uba.ar (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

2 Likes

That's good, so --apache should work. No duplicated definitions.

What's the DocumentRoot in the 000-default.conf? And what's the webroot in the /etc/letsencrypt/renewal/webmail.at.fcen.uba.ar.conf?

3 Likes

Mmm… in 000-default.conf it is “/var/lib/roundcube”, and /etc/letsencrypt/renewal/webmail.at.fcen.uba.ar.conf points to “webroot_path = /var/www/html”.

Should they point to the same route?

2 Likes

There is your problem.

3 Likes

ok. I changed the path in the .conf file and I was able to renew it successfully.

thank you very much for your help!!

2 Likes
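The mismatch diagnosed in this thread can be checked mechanically. The following is an added example, not part of the original thread and not Certbot's own code: it compares the `[[webroot_map]]` entries of a renewal file with the `DocumentRoot` of the matching Apache virtual host. The sample file contents are constructed from the values quoted above, and the `ServerName` line inside the vhost is an assumption.

```python
import re

# Constructed samples modelled on the paths quoted in the thread.
RENEWAL_CONF = """\
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
webmail.at.fcen.uba.ar = /var/www/html
"""

APACHE_VHOST = """\
<VirtualHost *:80>
    ServerName webmail.at.fcen.uba.ar
    DocumentRoot /var/lib/roundcube
</VirtualHost>
"""  # ServerName inside the block is assumed for this example

def certbot_webroots(renewal_text):
    """Return {domain: webroot} from the [[webroot_map]] section."""
    roots, in_map = {}, False
    for line in renewal_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line:
            domain, path = (p.strip() for p in line.split("=", 1))
            roots[domain] = path.rstrip("/")
    return roots

def apache_docroots(vhost_text):
    """Return {ServerName: DocumentRoot} for each <VirtualHost> block."""
    roots = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", vhost_text, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        root = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', block, re.M | re.I)
        if name and root:
            roots[name.group(1)] = root.group(1).rstrip("/")
    return roots

def mismatches(renewal_text, vhost_text):
    """List (domain, certbot_webroot, apache_docroot) where the two differ."""
    apache = apache_docroots(vhost_text)
    return [(d, w, apache[d]) for d, w in certbot_webroots(renewal_text).items()
            if d in apache and apache[d] != w]

if __name__ == "__main__":
    for domain, webroot, docroot in mismatches(RENEWAL_CONF, APACHE_VHOST):
        print(f"{domain}: certbot writes challenges to {webroot}, Apache serves {docroot}")
```

The check does not account for `Alias` directives or rewrite rules that map `/.well-known/acme-challenge/` elsewhere, so a reported mismatch is a prompt to inspect the vhost, not proof of a failure.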
