Certificate renewal failure

lastudillo · August 28, 2020, 7:57pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: webmail.at.fcen.uba.ar

I ran this command: certbot renew

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/webmail.at.fcen.uba.ar.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webmail.at.fcen.uba.ar
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (webmail.at.fcen.uba.ar) from /etc/letsencrypt/renewal/webmail.at.fcen.uba.ar.conf produced an unexpected error: Failed authorization procedure. webmail.at.fcen.uba.ar (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://webmail.at.fcen.uba.ar/.well-known/acme-challenge/T0hmzim5M8Bg2Rv2bbVfYqfqo-CB15WB1DJjmJ9TSOo [157.92.28.15]: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/webmail.at.fcen.uba.ar/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/webmail.at.fcen.uba.ar/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: webmail.at.fcen.uba.ar
Type: unauthorized
Detail: Invalid response from
https://webmail.at.fcen.uba.ar/.well-known/acme-challenge/T0hmzim5M8Bg2Rv2bbVfYqfqo-CB15WB1DJjmJ9TSOo
[157.92.28.15]: “\n\n404 Not
Found\n\n

Not Found
\n<p”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: local/at.fcen.uba.ar

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Thanks in advance!!

griffin · August 28, 2020, 8:48pm

Welcome to the Let’s Encrypt Community

According to https://crt.sh/?q=webmail.at.fcen.uba.ar it looks a certificate was successfully generated previously for webmail.at.fcen.uba.ar, but is now expired and still being served. At present, it appears that the Let’s Encrypt server is unable to retrieve the http-01 challenge file to verify your control of webmail.at.fcen.uba.ar. I’ve also noticed that your version of certbot is rather outdated (0.31.0), but I’m not sure if that’s really related to what you’re experiencing.

Perhaps try the following:
certbot certonly --apache --dry-run

JuergenAuer · August 28, 2020, 8:57pm

Hi @lastudillo

if webroot doesn't work, your webroot is wrong. And the 0.31 has sometimes a webroot relevant bug.

So first step: What says

apachectl -S

lastudillo · August 28, 2020, 9:11pm

hi @griffin

thanks for the welcome!. install it using aptitude. It says that it is in the latest version. I see now that it is outdated

hi @JuergenAuer

thanks for the reply! I copy you the output of apachectl -S:

VirtualHost configuration:
*:80 webmail.at.fcen.uba.ar (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 webmail.at.fcen.uba.ar (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: “/etc/apache2”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/var/log/apache2/error.log”
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: “/var/run/apache2/apache2.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“www-data” id=33
Group: name=“www-data” id=33

JuergenAuer · August 28, 2020, 9:16pm

That's good, so --apache should work. No duplicated definitions.

What's the DocumentRoot in the 000-default.conf? And what's the webroot in the /etc/letsencrypt/renewal/webmail.at.fcen.uba.ar.conf?

lastudillo · August 28, 2020, 9:24pm

mmm… in 000-default.conf is “/var/lib/roundcube” and /etc/letsencrypt/renewal/webmail.at.fcen.uba.ar.conf point to “webroot_path = /var/www/html”.

should they point to the same route?

JuergenAuer · August 28, 2020, 9:25pm

There is your problem.

lastudillo · August 28, 2020, 9:35pm

ok. I changed the path in the .conf file and I was able to renew it successfully.

thank you very much for your help!!

system · September 27, 2020, 9:36pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certificate Renewal Keeps failing, getting an email per minute about it! Help	11	1086	June 10, 2018
I wanted to renew my cert and got an error Help	8	483	April 27, 2023
Failed to renew - Some challenges have failed Help	3	602	January 9, 2022
Error Renewing Expired Certificate Help	4	990	September 16, 2019
Renew fails, Ubuntu 16 Help	12	1377	April 9, 2019

Certificate renewal failure

Not Found

Not Found

Related topics