Certificate Renewal Keeps failing, getting an email per minute about it!


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 1chan.net

I ran this command: N/A (Auto Renewal)

It produced this output: Attempting to renew cert (1chan.net) from /etc/letsencrypt/renewal/1chan.net.conf produced an unexpected error: Failed authorization procedure. www.1chan.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.1chan.net/.well-known/acme-challenge/Xj5jPQBKKZlQGh2iFEFJU4pBE1f8ZPpTn17WMKUAMOw: "

404 Not Found

Not Found

<p". Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/1chan.net/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s)

My web server is (include version): a VPS?

The operating system my web server runs on is (include version): CentOS Linux version 2.6.32-042stab127.2 (root@kbuild-rh6-x64.eng.sw.ru) (gcc version 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) ) #1 SMP Thu Jan 4 16:41:44 MSK 2018

My hosting provider, if applicable, is: Hostus

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, cPanel 68.0 (build 38)


#2

So pasted above was the first output I received in my email.
1 Minute Later I received this:

Attempting to renew cert (1chan.net) from /etc/letsencrypt/renewal/1chan.net.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.

Then 1 minute later I received this:

Attempting to renew cert (1chan.net) from /etc/letsencrypt/renewal/1chan.net.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/1chan.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

I have continued to receive 1 email per minute with the last error pasted. I even tried rebooting the server with no luck.


#3

So you apparently have a cron job set to run every minute. Doesn’t sound like a good plan. Fix that, then you can worry about why you’re getting 404 for the validation file.


#4

Thank you for taking a look! I’m having some trouble finding the Cron Job. These are the only ones I can find, https://i.imgur.com/96M3UNW.png and none of them look right. Any advice?

Edit: The Emails have finally stopped… After an hour of constant messages.


#5

This makes it sound like you might have a cron job specified as * 10 * * * (or something) instead of 10 * * * * (that is, running every minute within a particular hour, rather than at a particular minute past every hour).

You could look in /etc/crontab as well as running crontab -l as root.


#6

That’s what I’ve got going on! Also that was weird, I found the cron in /etc/crontab, however the output above was from running crontab -l as root. Weird… I’m sure it was something I did wrong on my end however.

So I’m going to change * 12 * * * root certbot renew --quiet
To 12 * * * * root certbot renew --quiet

Does that sound right?


#7

That should be all right, although we usually suggest running it only twice per day rather than once per hour.


#8

Better would be 12 12 * * * root certbot renew --quiet to run it once a day. The time can, of course, be whatever you want–the first field is the minute, and the second the hour.
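
Added example, not part of the original thread: a small audit that counts how often a certbot cron entry fires per day, using the three schedules discussed in posts #5 to #8 plus a twice-daily one. The crontab text is a constructed sample in /etc/crontab format, and the names expand, runs_per_day and audit are made up for this illustration; the limit of two runs per day follows the suggestion in post #7.

```python
# Constructed sample in /etc/crontab format (user field before the command).
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# certbot entries from the thread, plus a twice-daily variant
* 12 * * * root certbot renew --quiet
12 * * * * root certbot renew --quiet
12 12 * * * root certbot renew --quiet
12 0,12 * * * root certbot renew --quiet
"""

def expand(field, lo, hi):
    """Expand one cron field ('*', lists, ranges, /step) into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = end = int(rng)
        if step < 1 or not (lo <= start <= end <= hi):
            raise ValueError(f"bad cron field: {field!r}")
        values.update(range(start, end + 1, step))
    return values

def runs_per_day(minute, hour):
    """Number of times the job fires on a day when it runs at all."""
    return len(expand(minute, 0, 59)) * len(expand(hour, 0, 23))

def audit(crontab_text, max_runs=2):
    """Return (schedule, runs_per_day, too_frequent) for each certbot entry."""
    findings = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if line.lstrip().startswith("#") or len(fields) < 6 or "certbot" not in line:
            continue
        try:
            runs = runs_per_day(fields[0], fields[1])  # minute, then hour
        except ValueError:
            continue  # @daily-style shortcuts or malformed fields are skipped
        findings.append((" ".join(fields[:5]), runs, runs > max_runs))
    return findings

if __name__ == "__main__":
    for schedule, runs, flagged in audit(SAMPLE_CRONTAB):
        print(f"{schedule:<16} {runs:>3} runs/day {'TOO FREQUENT' if flagged else 'ok'}")
```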


#9

Okay I’ve got it updated to 12 12 * * * root certbot renew --quiet

What’s my next step for fixing the initial renewal which didn’t work out?

Again thanks for all the help so far. TBH I don’t often deal with stuff this deep, it just kind of falls on my lap since I’ve got some Linux experience.


#10

You can try it directly by running certbot renew on the command line and seeing what the output is.

Can you take a look in /etc/letsencrypt/renewal/1chan.net.conf and see if the information is up to date? Does it, for example, specify a particular webroot directory that is no longer a place where files can be placed in order to appear on the web site?
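
Added example, not part of the original thread: one way to test whether the webroot recorded in a renewal conf is still the directory the web server serves, by placing a probe file where the webroot authenticator would and fetching it back over HTTP. The conf text is a constructed sample with placeholder domain and paths, and webroot_map, http_fetch and check_webroot are names made up for this illustration.

```python
import os
import secrets
from urllib import error, request

# Constructed sample of a renewal conf (domain and paths are placeholders).
SAMPLE_CONF = """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
example.org = /home/olduser/public_html
www.example.org = /home/olduser/public_html
"""

def webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] section."""
    mapping, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
        elif in_map and "=" in line and not line.startswith("#"):
            domain, _, path = line.partition("=")
            mapping[domain.strip()] = path.strip()
    return mapping

def http_fetch(url):  # default fetcher: (status, body) for a plain HTTP GET
    try:
        with request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except error.HTTPError as err:
        return err.code, ""

def check_webroot(domain, webroot, fetch=http_fetch):
    """Write a probe under the webroot, fetch it by URL, then remove it."""
    if not os.path.isdir(webroot):
        return "webroot does not exist"
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    name, body = "probe-" + secrets.token_hex(8), secrets.token_hex(16)
    probe = os.path.join(challenge_dir, name)
    with open(probe, "w") as fh:
        fh.write(body)
    try:
        status, got = fetch(f"http://{domain}/.well-known/acme-challenge/{name}")
    finally:
        os.remove(probe)
    if status != 200:
        return f"HTTP {status}: server does not serve this webroot"
    return "ok" if got.strip() == body else "unexpected content served"
```

A 404 from this check for a directory that exists is the situation in the renewal output: the file was written, but not where the site's document root is.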


#11

Output is as follows:
certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/rebeccapetro.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/1chan.net-0001.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/1chan.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for 1chan.net
http-01 challenge for www.1chan.net
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (1chan.net) from /etc/letsencrypt/renewal/1chan.net.conf produced an unexpected error: Failed authorization procedure. www.1chan.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.1chan.net/.well-known/acme-challenge/qdS8hAU_HnYiru1t2tkSPx1-Q_g6Vql9xOA763TRMvw: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/1chan.net/fullchain.pem (failure)

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/rebeccapetro.com/fullchain.pem (skipped)
  /etc/letsencrypt/live/1chan.net-0001/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/1chan.net/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.1chan.net
   Type:   unauthorized
   Detail: Invalid response from
   http://www.1chan.net/.well-known/acme-challenge/qdS8hAU_HnYiru1t2tkSPx1-Q_g6Vql9xOA763TRMvw:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

I did have an issue with the directory on the config file. After fixing that, I had no issues renewing the cert. Everything seems to be fine now. Thank you for all your help.

