Certificate renewal simulation failure

First of all I apologize, I am probably one of the clumsiest people on this forum:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: meteosanjuan.com and meteoensevilla.es

I ran this command:

sudo certbot renew --dry-run

It produced this output:

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/meteoensevilla.es/fullchain.pem (failure)
/etc/letsencrypt/live/meteosanjuan.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.meteoensevilla.es/fullchain.pem (failure)
/etc/letsencrypt/live/www.meteosanjuan.com/fullchain.pem (failure)

My web server is (include version):

Server version: Apache/2.4.58 (Ubuntu)
Server built: 2024-07-17T18:55:23

The operating system my web server runs on is (include version):

Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-44-generic x86_64)

My hosting provider, if applicable, is:

Ionos

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Installed: 2.9.0-1

1 Like

Please provide the entire output of Certbot, preferably with the option -v for more verbose output. Just the output with "it failed" without actually mentioning WHY it failed is kinda useless. :slight_smile:

Also, from crt.sh | meteoensevilla.es and crt.sh | meteosanjuan.com it seems like you have some duplicate certificates: one certificate just for the www subdomain and a certificate for both the www subdomain and the apex domain name, which makes the certificate with just the www subdomain redundant/superfluous.

Can you post the output of sudo certbot certificates?

2 Likes

Also, there are multiple IPs involved:

Name:    meteoensevilla.es
Address: 212.227.90.101

Name:      meteosanjuan.com
Addresses: 2001:8d8:100f:f000::200
           217.160.0.146

Please ensure your server is at the correct IP.

3 Likes

I use Google Translate to communicate, so I hope I am understood.

In the first message I did not want to include the output of the command that I used to do a Certbot renewal dry run:
sudo certbot renew --dry-run

I know I have SSL activated with my hosting and domain provider, which I have tried to revoke, but it doesn't seem to work. Since I have two domains and only one of them is covered, I decided to use Let's Encrypt. My lack of experience means I don't know how to solve the problem. I attach the output of the sudo certbot certificates command:

root@ubuntu:~# sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:

Certificate Name: meteoensevilla.es
Serial Number: 45be2b4b68573a0888800c181d56edfccad
Key Type: ECDSA
Domains: meteoensevilla.es meteosanjuan.com www.meteoensevilla.es www.meteosanjuan.com
Expiry Date: 2024-12-12 06:22:21+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem
Private Key Path: /etc/letsencrypt/live/meteoensevilla.es/privkey.pem

Certificate Name: meteosanjuan.com
Serial Number: 4ea831fdfe57b443862359ec2788238c413
Key Type: ECDSA
Domains: meteosanjuan.com
Expiry Date: 2024-12-12 08:15:42+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/meteosanjuan.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/meteosanjuan.com/privkey.pem

Certificate Name: www.meteoensevilla.es
Serial Number: 4c594070eb3fffa82a490fc75ae483fa4aa
Key Type: ECDSA
Domains: www.meteoensevilla.es www.meteosanjuan.com
Expiry Date: 2024-12-12 06:40:19+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.meteoensevilla.es/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.meteoensevilla.es/privkey.pem

Certificate Name: www.meteosanjuan.com
Serial Number: 490dc6a162bccaa81c677675034b53310e9
Key Type: ECDSA
Domains: www.meteosanjuan.com
Expiry Date: 2024-11-29 21:44:11+00:00 (VALID: 77 days)
Certificate Path: /etc/letsencrypt/live/www.meteosanjuan.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.meteosanjuan.com/privkey.pem


root@ubuntu:~#

1 Like
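The redundancy the earlier reply points out (a lineage whose names are all covered by another lineage) and the reason the dry run fails for names that do not point at this host can both be checked mechanically. This is an added example, not code from the thread or from Certbot; it parses a constructed copy of the `certbot certificates` output above and assumes the list of names actually served by this Apache is supplied by the operator.

```python
"""Spot redundant Certbot lineages and names that cannot pass HTTP-01 here."""
from datetime import datetime

# Constructed sample: the four lineages from the thread, trimmed to the
# three fields this script needs.
SAMPLE = """\
Certificate Name: meteoensevilla.es
Domains: meteoensevilla.es meteosanjuan.com www.meteoensevilla.es www.meteosanjuan.com
Expiry Date: 2024-12-12 06:22:21+00:00 (VALID: 89 days)

Certificate Name: meteosanjuan.com
Domains: meteosanjuan.com
Expiry Date: 2024-12-12 08:15:42+00:00 (VALID: 89 days)

Certificate Name: www.meteoensevilla.es
Domains: www.meteoensevilla.es www.meteosanjuan.com
Expiry Date: 2024-12-12 06:40:19+00:00 (VALID: 89 days)

Certificate Name: www.meteosanjuan.com
Domains: www.meteosanjuan.com
Expiry Date: 2024-11-29 21:44:11+00:00 (VALID: 77 days)
"""


def parse_certificates(text):
    """Return {lineage: {"domains": set, "expiry": datetime}}."""
    lineages, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Certificate Name":
            current = lineages.setdefault(value, {"domains": set(), "expiry": None})
        elif current is None:
            continue
        elif key == "Domains":
            current["domains"] = set(value.split())
        elif key == "Expiry Date":
            # Drop the trailing "(VALID: 89 days)" and keep the timestamp.
            current["expiry"] = datetime.fromisoformat(value.split(" (")[0])
    return lineages


def redundant_lineages(lineages):
    """Lineages whose names are all covered by another lineage. `certbot renew`
    still challenges every name in these each cycle, and a single failing
    lineage makes the whole run report failure."""
    redundant = set()
    for name, info in lineages.items():
        for other, oinfo in lineages.items():
            if other == name:
                continue
            same = info["domains"] == oinfo["domains"]
            if info["domains"] < oinfo["domains"] or (same and other < name):
                redundant.add(name)
    return redundant


def names_not_served_here(lineages, served_here):
    """Per lineage, the names whose DNS does not point at this server; HTTP-01
    for those names fails, which is what the dry run in the thread shows."""
    served_here = set(served_here)
    return {name: info["domains"] - served_here
            for name, info in lineages.items() if info["domains"] - served_here}


def delete_commands(names):
    """Cleanup commands for the redundant lineages, one per lineage."""
    return [f"sudo certbot delete --cert-name {n}" for n in sorted(names)]
```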

Thank you for that info. Let us talk about one domain at a time.

I do not believe you need a Let's Encrypt cert for your meteosanjuan.com domain (or its www subdomain).

You have a redirect service at your hosting site that takes care of the cert for that name. And, it is working properly. Your hosting service uses a cert from DigiCert for that.

Do you agree with this? If not please explain how you want meteosanjuan.com to work and we can talk about certificates.

These are requests for your "home" page at that domain and you can see they redirect properly to meteoensevilla.es

curl -I http://meteosanjuan.com
HTTP/1.1 302 Found
Server: Apache
Location: https://www.meteoensevilla.es

curl -I https://meteosanjuan.com
HTTP/2 302
location: https://www.meteoensevilla.es
server: Apache
3 Likes

In the contract with my hosting site I am only allowed one certificate, so one of the domains would be left out. So I understand (maybe I'm wrong) that the redirect would not cover me. That is why it occurred to me to use the Let's Encrypt service.

I know I'm not doing something right, but I don't know how to solve it.

Thanks

1 Like

What do you think is not working? Because requests to all of your domains work correctly right now.

Enter each of the names into an SSL Checker site like below. Enter both of your domain names and their www subdomains. They all validate correctly. One domain uses the DigiCert certificate and the other a Let's Encrypt cert.

3 Likes

I am concerned about the errors I get when simulating the renewal with a dry run:

sudo certbot renew --dry-run

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2024-09-13 21:15:07,960:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-09-13 21:15:07,960:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-09-13 21:15:07,960:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-09-13 21:15:08,104:ERROR:certbot._internal.renewal:Failed to renew certificate www.meteosanjuan.com with error: Some challenges have failed.
2024-09-13 21:15:08,106:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1550, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 399, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-09-13 21:15:08,112:DEBUG:certbot._internal.display.obj:Notifying user:


2024-09-13 21:15:08,113:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2024-09-13 21:15:08,114:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem (failure)
/etc/letsencrypt/live/meteosanjuan.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.meteoensevilla.es/fullchain.pem (failure)
/etc/letsencrypt/live/www.meteosanjuan.com/fullchain.pem (failure)
2024-09-13 21:15:08,114:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-09-13 21:15:08,114:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot==2.9.0', 'console_scripts', 'certbot')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1894, in main
return config.func(config, plugins)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1642, in renew
renewed_domains, failed_domains = renewal.handle_renewal_request(config)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request
raise errors.Error(
certbot.errors.Error: 4 renew failure(s), 0 parse failure(s)
2024-09-13 21:15:08,115:ERROR:certbot._internal.log:4 renew failure(s), 0 parse failure(s)

I understand that, but I see you have 4 certificate profiles in Certbot and all of them are wrong. You must have changed something in your system configuration since you got some of these certs, because they will not work today.

I was trying to understand what you wanted so I could help you to success.

I will make a guess as to the best fix and we can try more from there.

Would you show the contents of this file

/etc/letsencrypt/renewal/meteoensevilla.es.conf
3 Likes

Of course, yes to whatever you ask me. I am very grateful to you. I know little, but I learn and take note of everything, so that it doesn't happen to me again.
On my server (VPS), in the / folder there are 4 files:

"meteosevilla.es"
"meteosanjuan.com"
"www.meteoensevilla.es"
"www.meteosanjuan.com"

The content of /etc/letsencrypt/renewal/meteoensevilla.es.conf:

# renew_before_expiry = 30 days
version = 2.9.0
archive_dir = /etc/letsencrypt/archive/meteoensevilla.es
cert = /etc/letsencrypt/live/meteoensevilla.es/cert.pem
privkey = /etc/letsencrypt/live/meteoensevilla.es/privkey.pem
chain = /etc/letsencrypt/live/meteoensevilla.es/chain.pem
fullchain = /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 879e47d92751f04edd6d6011d7b246d1
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
1 Like

Okay. Try this command. It is a test only. Please show the output. It should ask you if you intend to remove domains from the cert. You should confirm that is okay for this test.

sudo certbot certonly --apache --dry-run --cert-name meteoensevilla.es -d meteosevilla.es -d www.meteosevilla.es
3 Likes

This is the answer:

The line "Some challenges have failed" appears in red.

root@ubuntu:~# sudo certbot certonly --apache --dry-run --cert-name meteoensevilla.es -d meteosevilla.es -d www.meteosevilla.es
Saving debug log to /var/log/letsencrypt/letsencrypt.log


You are updating certificate meteoensevilla.es to include new domain(s):

  • meteosevilla.es
  • www.meteosevilla.es

You are also removing previously included domain(s):

Did you intend to make this change?


(U)pdate certificate/(C)ancel: U
Simulating renewal of an existing certificate for meteosevilla.es and www.meteosevilla.es

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: meteosevilla.es
Type: unauthorized
Detail: 185.176.40.98: Invalid response from http://meteosevilla.es/.well-known/acme-challenge/szm0Tl1QwY9nao2jH7FCDK6GMyDJmg4TSSMhvBGn2aI: 404

Domain: www.meteosevilla.es
Type: unauthorized
Detail: 185.176.40.98: Invalid response from http://www.meteosevilla.es/.well-known/acme-challenge/wHMcISOhXrl1btU3GrMEZggRrhgDgRjX5UPdpJlSGiE: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Yeah, sorry, there was a typo in that command. You had misspelled one of your domain names and I used that in the command.

It should be:

sudo certbot certonly --apache --dry-run --cert-name meteoensevilla.es -d meteoensevilla.es -d www.meteoensevilla.es
3 Likes

In this case no errors have been generated. I understand that the meteosanjuan.com certificates have been cleaned because they are already working with DigiCert. The truth is that from my hosting provider's control panel I don't see anything regarding the certificate issued for meteosanjuan, in fact it appears as if it were not issued. Well, in any case, it is clear that it is and there is about a year left, so perhaps the prudent thing to do would be to wait. I pass you the output of the command:

root@ubuntu:~# sudo certbot certonly --apache --dry-run --cert-name meteoensevilla.es -d meteoensevilla.es -d www.meteoensevilla.es
Saving debug log to /var/log/letsencrypt/letsencrypt.log


You are updating certificate meteoensevilla.es to include new domain(s):
(None)

You are also removing previously included domain(s):

Did you intend to make this change?


(U)pdate certificate/(C)ancel: U
Simulating renewal of an existing certificate for meteoensevilla.es and www.meteoensevilla.es
The dry run was successful.

1 Like

Okay. Good. I am pretty sure the meteosanjuan DigiCert is managed automatically by your hosting service. You showed your panel that said it was in a state of "Redirection". And, this domain name has DNS entries that point to a different server than your meteoensevilla.es. In short, you do not have to worry about meteosanjuan with "Redirection" enabled.

Now we need to do two things. First, fix your ensevilla cert and then we will delete the others so the auto-renew runs without problem.

Run this to fix it:

sudo certbot --apache --cert-name meteoensevilla.es -d meteoensevilla.es -d www.meteoensevilla.es

As before, agree to update the cert with the domain name change.

2 Likes

Well, things are not going well. The page now shows HTTP ERROR 500.

I understand that when redirecting to www.meteoensevilla it has been left without a certificate.

I wonder if any changes had to be made (since meteosanjuan.com continues to appear) in the files:
/etc/apache2/sites-available/000-default.conf
and
/etc/apache2/sites-available/your_domain.conf

This is the output to the command:

root@ubuntu:~# sudo certbot --apache --cert-name meteoensevilla.es -d meteoensevilla.es -d www.meteoensevilla.es
Saving debug log to /var/log/letsencrypt/letsencrypt.log


You are updating certificate meteoensevilla.es to include new domain(s):
(None)

You are also removing previously included domain(s):

Did you intend to make this change?


(U)pdate certificate/(C)ancel: U
Renewing an existing certificate for meteoensevilla.es and www.meteoensevilla.es

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/meteoensevilla.es/fullchain.pem
Key is saved at: /etc/letsencrypt/live/meteoensevilla.es/privkey.pem
This certificate expires on 2024-12-13.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for meteoensevilla.es to /etc/apache2/sites-enabled/000-default.conf
Successfully deployed certificate for www.meteoensevilla.es to /etc/apache2/sites-enabled/000-default.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.


If you like Certbot, please consider supporting our work by:


That is not related to certificates. We can look at that later. Let us finish fixing your certs first.

I don't know what that means. Your meteosanjuan is still redirecting properly to meteoensevilla. The certs for both are correct.

This is very good. And, your Apache server is using the new cert. This new cert will also work for auto-renew.

Run these to delete the unused certs. No worries: if needed they can be created again later, but you don't need them now.

sudo certbot delete --cert-name meteosanjuan.com
sudo certbot delete --cert-name www.meteoensevilla.es
sudo certbot delete --cert-name www.meteosanjuan.com

If there are any errors from these commands, please show that output.

Once those are done, show us the output of this:

sudo certbot renew --dry-run
3 Likes

The redirection from meteosanjuan.com to meteoensevilla.es works, but meteoensevilla.es does not load the page. I don't know if I am making myself understood.

root@ubuntu:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/meteoensevilla.es.conf


Simulating renewal of an existing certificate for meteoensevilla.es and www.meteoensevilla.es


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/meteoensevilla.es/fullchain.pem (success)


Excellent. We have now solved the original problem. You have valid certs which work for auto-renew. You may see several emails from Let's Encrypt in about 60-70 days alerting you to certs that are expiring. This is because you created so many certs with different combinations of names that you are no longer using. Read those emails with care and the domain names it describes.

Yes, that is because your Apache server replies with a "500 Internal Server Error" for requests to your home page. Your Apache replies properly for the cert challenges so something is affecting other requests to your server.

Making Apache work for your "home" page is something best handled with an Apache support forum or your hosting service. But I will take a quick look. Please show the output of this command to start:

sudo apache2ctl -t -D DUMP_VHOSTS

Just for your info below is how I test redirects.

# This http request for home page to sanjuan goes to https for ensevilla
# Note just "Server: Apache" indicates your hosting "Redirect" service
curl -i http://meteosanjuan.com
HTTP/1.1 302 Found
Server: Apache
Location: https://www.meteoensevilla.es

# Following that redirect gets the same 500 error as when trying ensevilla directly
# Note "Server: Apache/2.4.58" is your Apache
curl -i https://www.meteoensevilla.es
HTTP/1.0 500 Internal Server Error
Server: Apache/2.4.58 (Ubuntu)

For testing if the domains use the correct cert I use the link I provided earlier. All 4 of your domain names use the correct cert. See: SSL Checker

3 Likes

I don't know why the problem has occurred. It used to work, although it is true that there was a tremendous mess with the certificates. It is possible that the error is in the Apache configuration files, but I don't know how to resolve it. I hope you can help me.

root@ubuntu:~# sudo apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server meteosanjuan.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost meteosanjuan.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost meteosanjuan.com (/etc/apache2/sites-enabled/000-default.conf:12)
port 443 namevhost www.meteosanjuan.com (/etc/apache2/sites-enabled/000-default.conf:18)
port 443 namevhost meteoensevilla.es (/etc/apache2/sites-enabled/000-default.conf:27)
port 443 namevhost www.meteoensevilla.es (/etc/apache2/sites-enabled/000-default.conf:36)

1 Like
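The vhost dump above is easier to read once it is tabulated per port. The following is an added example (not code from the thread or from Apache) that parses a constructed copy of that output, lists the ServerNames bound to each port, and flags a name declared in more than one VirtualHost on the same port; Apache serves such a name from the first matching vhost, so a later declaration is never used. Nothing here diagnoses the 500 error itself; it only shows which vhost file and line to open first.

```python
"""Tabulate `apache2ctl -t -D DUMP_VHOSTS` output and flag duplicate ServerNames."""
import re
from collections import defaultdict

# Constructed sample, copied from the vhost dump posted in the thread.
SAMPLE = """\
VirtualHost configuration:
*:80 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server meteosanjuan.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost meteosanjuan.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost meteosanjuan.com (/etc/apache2/sites-enabled/000-default.conf:12)
port 443 namevhost www.meteosanjuan.com (/etc/apache2/sites-enabled/000-default.conf:18)
port 443 namevhost meteoensevilla.es (/etc/apache2/sites-enabled/000-default.conf:27)
port 443 namevhost www.meteoensevilla.es (/etc/apache2/sites-enabled/000-default.conf:36)
"""

# A port with a single vhost: "*:80 127.0.0.1 (file:line)".
SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+)\s+\((\S+):(\d+)\)$")
# One entry of a name-based port: "port 443 namevhost name (file:line)".
NAMEVHOST = re.compile(r"^port (\d+) namevhost (\S+)\s+\((\S+):(\d+)\)$")


def parse_vhosts(text):
    """Return {port: [(servername, file, line), ...]} in declaration order.
    The "default server" line only repeats the first namevhost, so it is skipped."""
    vhosts = defaultdict(list)
    for raw in text.splitlines():
        m = SINGLE.match(raw.strip()) or NAMEVHOST.match(raw.strip())
        if m:
            port, name, path, line = m.groups()
            vhosts[int(port)].append((name, path, int(line)))
    return dict(vhosts)


def names_on_port(vhosts, port):
    """ServerNames bound to a port, first match first."""
    return [name for name, _, _ in vhosts.get(port, [])]


def duplicate_names(vhosts):
    """{(port, name): [file:line, ...]} for names declared more than once on a
    port. Apache uses the first declaration; the others are dead config."""
    dups = {}
    for port, entries in vhosts.items():
        where = defaultdict(list)
        for name, path, line in entries:
            where[name].append(f"{path}:{line}")
        for name, places in where.items():
            if len(places) > 1:
                dups[(port, name)] = places
    return dups
```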