Certificates cannot be updated

My domain is: www.viteunveto.com

I ran this command:
sudo certbot renew --preferred-challenges http

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/viteunveto.ch.conf

expected /etc/letsencrypt/live/viteunveto.ch/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/viteunveto.ch.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/www.viteunveto.be-0001.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.viteunveto.be
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge


Processing /etc/letsencrypt/renewal/viteunveto.com-0001.conf

Cert not yet due for renewal

Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.viteunveto.com
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge
Attempting to renew cert (www.viteunveto.com-0001) from /etc/letsencrypt/renewal/www.viteunveto.com-0001.conf produced an unexpected error: Failed authorization procedure. www.viteunveto.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.viteunveto.com/.well-known/acme-challenge/Hs5rwuBOCP-n9uo42Wo8DTzzF2FHf6jQsp52DID4Nws: "\r\n403 Forbidden\r\n<body bgcolor="white">\r\n403 Forbidden\r\n". Skipping.

Processing /etc/letsencrypt/renewal/viteunveto.com.conf

expected /etc/letsencrypt/live/viteunveto.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/viteunveto.com.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/www.viteunveto.com.conf

Cert not yet due for renewal
The following certs could not be renewed:
/etc/letsencrypt/live/www.viteunveto.com-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.ch-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.fr-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.be/fullchain.pem (failure)
/etc/letsencrypt/live/viteunveto.fr/fullchain.pem (failure)


The following certs are not due for renewal yet:
/etc/letsencrypt/live/viteunveto.com-0001/fullchain.pem (skipped)
/etc/letsencrypt/live/www.viteunveto.fr/fullchain.pem (skipped)
/etc/letsencrypt/live/load.viteunveto.fr/fullchain.pem (skipped)
/etc/letsencrypt/live/www.viteunveto.ch/fullchain.pem (skipped)
/etc/letsencrypt/live/test.viteunveto.com/fullchain.pem (skipped)
/etc/letsencrypt/live/www.viteunveto.com/fullchain.pem (skipped)
The following certs were successfully renewed:
/etc/letsencrypt/live/www.viteunveto.be-0001/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/www.viteunveto.com-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.ch-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.fr-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.viteunveto.be/fullchain.pem (failure)
/etc/letsencrypt/live/viteunveto.fr/fullchain.pem (failure)

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/viteunveto.ch.conf (parsefail)
/etc/letsencrypt/renewal/viteunveto.com.conf (parsefail)

5 renew failure(s), 2 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.9

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hello, for a few days I have had a problem creating new certificates. Everything worked perfectly until now; I don't really understand what's going on…

Here is my nginx configuration as well:

server {
    listen 80;
    server_name viteunveto.com;

    location ~/.well-known {
        allow all;
        alias /var/www/html/.well-known;
    }
    location / {
        return 301 https://www.$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    client_max_body_size 25M;
    server_name www.viteunveto.com;
    location = /favico.ico {
        root /app/favico.ico;
    }

    location ~/.well-known {
        allow all;
        alias /var/www/html/.well-known;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    ssl_certificate /etc/letsencrypt/live/www.viteunveto.com-0001/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.viteunveto.com-0001/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_dhparam /etc/nginx/dhparam.pem;
}

Hi @projeta618

If you use webroot, what's your webroot entry in your configuration file?

You must fix the 502 error so that the domain can send the file.

403 means: missing rights. So create a file (file name 1234, without extension), save it under yourWebroot/.well-known/acme-challenge and try to load it via a browser:

http://one-domain.com/.well-known/acme-challenge/1234
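The manual check described in the reply above, scripted so it can be repeated for every name before running certbot again. This is an added example for this thread, not code from the original post or from certbot: it writes a random token under the webroot's .well-known/acme-challenge directory, fetches it over plain HTTP the way the Let's Encrypt validation server would (following redirects), compares the body byte for byte, and removes the file again. The webroot /var/www/html and the host names in the usage block are taken from the thread; the function name, result fields and hint texts are the example's own.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def check_webroot(base_url, webroot, timeout=5.0):
    """Write a throwaway token under webroot's acme-challenge directory, fetch it
    over HTTP, and report whether the body came back unchanged.

    Returns a dict: ok (bool), status (int or None), url, reason (str).
    Only ok=True means this webroot/vhost pair can pass an http-01 challenge.
    """
    token = secrets.token_urlsafe(32)              # same shape as a real ACME token
    payload = (token + ".webroot-check").encode()  # unique body: catches cached or placeholder pages
    challenge_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    token_path = os.path.join(challenge_dir, token)
    with open(token_path, "wb") as fh:
        fh.write(payload)

    url = "%s/%s/%s" % (base_url.rstrip("/"), CHALLENGE_DIR, token)
    result = {"url": url, "status": None, "ok": False, "reason": ""}
    try:
        # urlopen follows redirects, as the ACME validation server does, so a
        # 301 to https:// only passes if the https side serves the file too.
        req = urllib.request.Request(url, headers={"User-Agent": "webroot-check"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
            result["status"] = resp.status
            if body == payload:
                result["ok"] = True
            else:
                result["reason"] = ("200 but body differs: the request ended on another page "
                                    "(directory listing, cache, or a different document root)")
    except urllib.error.HTTPError as err:
        result["status"] = err.code
        hints = {
            403: "403: the URI resolves to a directory or a path nginx refuses to serve "
                 "(typical of alias inside a regex location without captures)",
            404: "404: the vhost that answered does not serve files from this webroot",
        }
        result["reason"] = hints.get(err.code, "HTTP %d" % err.code)
    except (urllib.error.URLError, OSError) as err:
        result["reason"] = "no HTTP response: %s" % err
    finally:
        os.remove(token_path)  # leave nothing behind, as certbot's webroot plugin does
    return result


if __name__ == "__main__":
    # Host names and webroot as in the thread; run this on the web server itself.
    for host in ("viteunveto.com", "www.viteunveto.com"):
        r = check_webroot("http://" + host, "/var/www/html")
        print("%-22s %s %s %s" % (host, "OK  " if r["ok"] else "FAIL", r["status"], r["reason"]))
```

Run it as root on the web server (it needs write access to the webroot) once per name listed in the renewal configs; a name that prints FAIL with a 403 is the case seen in the log above, and a 404 means the vhost that answered on port 80 does not use that webroot at all.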

It looks like you are already handling the challenge requests in the config.
You should probably just remove the webroot use in the renewal configs in /etc/letsencrypt/renewal/.

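The alternative to dropping webroot is to make the nginx side serve the challenge directory correctly. The block below is an added example for this thread, not the poster's configuration and not anything from certbot; the paths and host names are the ones in the post. The likely cause of the 403 in the log is the combination of `location ~/.well-known` (a regex location) with `alias`: without captures in the regex, nginx uses the alias path itself, /var/www/html/.well-known, for every matching request, and a directory with no index file and autoindex off is answered with 403. A prefix location with `root` appends the request URI instead, so /.well-known/acme-challenge/<token> maps to /var/www/html/.well-known/acme-challenge/<token>. The posted port-80 block also names only viteunveto.com, while the failed challenge was for www.viteunveto.com, so both names are listed here.

```nginx
# Added example (not the poster's config): port-80 vhost that keeps
# certbot's webroot plugin working with webroot_path = /var/www/html.
server {
    listen 80;
    listen [::]:80;
    # Every name being renewed must match here; the validation request
    # arrives with Host: www.viteunveto.com.
    server_name viteunveto.com www.viteunveto.com;

    # Prefix match (^~) with root, not a regex with alias: the request URI
    # is appended to root, so the token file is served as a plain file.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    # Everything else still goes to https; a fixed target avoids the
    # "www.www." that https://www.$host produces when the www host matches.
    location / {
        return 301 https://www.viteunveto.com$request_uri;
    }
}
```

After changing the file, run `nginx -t` and reload nginx, then confirm with `certbot renew --dry-run` before the real renewal; the dry run exercises the same http-01 path against the staging environment and leaves the live certificates untouched. The `location ~/.well-known` block in the 443 server can be replaced the same way, since the redirect above sends renewals there only if a redirect is followed.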

Thank you for your solution !!
I am saved.

I’m glad you have a solution.
But for those that may read this later, what was the solution?
(you can just mark that post as the solution)
