Certificates renewing issue, need help understanding the hint messages

Hello,

I just found out that my certificate renewal isn't working. When I run sudo certbot -v --dry-run renew, I get the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cloud.kosmopolis.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for cloud.kosmopolis.ca
Performing the following challenges:
http-01 challenge for cloud.kosmopolis.ca
Using the webroot path /var/www/_letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain cloud.kosmopolis.ca
http-01 challenge for cloud.kosmopolis.ca

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: cloud.kosmopolis.ca
  Type:   unauthorized
  Detail: 135.23.198.195: Invalid response from https://cloud.kosmopolis.ca/.well-known/acme-challenge/v_R-oFmqhoaYDLGj6py6qz8Ap6hw_ojoNNTFE22vcbg: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate cloud.kosmopolis.ca with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/collabora.kosmopolis.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for collabora.kosmopolis.ca
Performing the following challenges:
http-01 challenge for collabora.kosmopolis.ca
Waiting for verification...
Challenge failed for domain collabora.kosmopolis.ca
http-01 challenge for collabora.kosmopolis.ca

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: collabora.kosmopolis.ca
  Type:   unauthorized
  Detail: 135.23.198.195: Invalid response from https://collabora.kosmopolis.ca/.well-known/acme-challenge/beGEcmzyxrE2YkGWGxl7lC1A8G6_xLBqyvOD35ASl5I: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate collabora.kosmopolis.ca with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kosmopolis.ca.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for kosmopolis.ca and www.kosmopolis.ca
Performing the following challenges:
http-01 challenge for kosmopolis.ca
http-01 challenge for www.kosmopolis.ca
Cleaning up challenges
Failed to renew certificate kosmopolis.ca with error: Missing command line flag or config entry for this setting:
Input the webroot for kosmopolis.ca:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/cloud.kosmopolis.ca/fullchain.pem (failure)
  /etc/letsencrypt/live/collabora.kosmopolis.ca/fullchain.pem (failure)
  /etc/letsencrypt/live/kosmopolis.ca/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
Hook 'post-hook' ran with error output:
 nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
 nginx: configuration file /etc/nginx/nginx.conf test is successful
3 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I see the error messages and the hints; they say there is something wrong with the "challenges", maybe related to "webroot paths", but I don't know what to do with that. Any clue?

Thanks for your support!

Web server: nginx 1.22.1
OS: Debian 12
Certbot: 2.11.0

UPDATE:

I did the following and got 1 certificate out of 3 to successfully renew: I added the line webroot_path = /var/www/nextcloud to the /etc/letsencrypt/renewal/cloud.kosmopolis.ca.conf file, and it seems to work.

But this domain is a Nextcloud instance, and it does have a ".well-known" directory. For the other domains, there is no such directory in their web roots. The kosmopolis.ca domain web root is /var/www/kosmopolis.ca/, but inside there is only a single index.html file, that's it. collabora.kosmopolis.ca is a domain for a CollaboraOnline server, I don't think it has any "web root" directory... What should I do?

Thanks again.


Hello @renbus, welcome to the Let's Encrypt community. 🙂

Detail: 135.23.198.195: Invalid response from https://cloud.kosmopolis.ca/.well-known/acme-challenge/v_R-oFmqhoaYDLGj6py6qz8Ap6hw_ojoNNTFE22vcbg: 404
This is saying the expected response wasn't provided (actually File Not Found).

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
This is hinting at a possible reason: the location the content is being served from might not match the location that the Certbot option --webroot-path/-w is pointing to.

Edit:

To assist debugging you could add a file, say HelloWorld, to the location that you believe should serve
https://cloud.kosmopolis.ca/.well-known/acme-challenge/HelloWorldfile

Create the HelloWorld file with something like this (to that actual root of the serving location)
sudo echo HelloWorld > .well-known/acme-challenge/HelloWorldfile
sudo chmod 744 well-known/acme-challenge/HelloWorldfile
That doesn't actually work; just use an editor and make sure the file permissions are readable by the server (something like chmod 644 should make sure everyone can read the file).

This does work:
sudo /bin/bash -c "echo HelloWorld > ./.well-known/acme-challenge/HelloWorldfile"
sudo /bin/bash -c "chmod 644 ./.well-known/acme-challenge/HelloWorldfile"

And then verify, with a web browser or curl, that https://cloud.kosmopolis.ca/.well-known/acme-challenge/HelloWorldfile is serving up the contents, in this case `HelloWorld`, with an HTTP Response Code of 200 (possibly any of the Success HTTP response status codes - HTTP | MDN).
If the contents are being served ideally the HTTP Response code of 404 (but should be in Client error HTTP response status codes - HTTP | MDN).

UPDATE:

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

Also note that there is a redirection from HTTP to HTTPS, as demonstrated here.

Ask for the HTTP challenge and its Response

$ curl -Ii http://cloud.kosmopolis.ca/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 11 Jun 2024 21:42:00 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://cloud.kosmopolis.ca/.well-known/acme-challenge/sometestfile

We get a redirect (i.e. Location: above) to HTTPS
and here is the HTTPS Response

$ curl -k -Ii https://cloud.kosmopolis.ca/.well-known/acme-challenge/sometestfile
HTTP/2 404
server: nginx
date: Tue, 11 Jun 2024 21:42:12 GMT
content-type: text/html; charset=utf-8
content-length: 146
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-robots-tag: noindex, nofollow
x-xss-protection: 1; mode=block
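The probe-file check described in the reply above, as an added example that is not part of the original thread: it drops a world-readable test file under the webroot's .well-known/acme-challenge/ directory, fetches it over plain HTTP the way the CA does (following the HTTP-to-HTTPS redirect), and reports whether the final status and body match. It assumes curl is installed and that the caller sets WEBROOT and DOMAIN (for example WEBROOT=/var/www/_letsencrypt and DOMAIN=cloud.kosmopolis.ca, the values seen in the log).

```shell
# check_acme_webroot.sh: constructed example, not the thread's own commands.
# Verifies that a webroot really serves /.well-known/acme-challenge/ the way
# the http-01 challenge needs. Assumes curl; WEBROOT and DOMAIN are set by the caller.

# Create a world-readable probe file under the webroot; print its name (the "token").
create_probe_file() {
    webroot="$1"
    token="acme-probe-$$"                 # constructed name, not a real ACME token
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s\n' "$token" > "$dir/$token" || return 1
    chmod 644 "$dir/$token" || return 1   # the web server must be able to read it
    printf '%s\n' "$token"
}

# Map the final HTTP status (after redirects) to a verdict, as the reply explains:
# any 2xx means the file was served, a 4xx means the webroot does not match.
classify_status() {
    case "$1" in
        2[0-9][0-9]) echo "pass" ;;
        4[0-9][0-9]) echo "fail-client-error" ;;
        *)           echo "fail-other" ;;
    esac
}

# Fetch the probe over plain HTTP (what the CA does), follow the 301 to HTTPS,
# and compare both the status and the body with what we wrote.
probe_url() {
    domain="$1"; token="$2"
    url="http://$domain/.well-known/acme-challenge/$token"
    status=$(curl -sS -L -o /dev/null -w '%{http_code}' "$url") || return 1
    body=$(curl -sS -L "$url") || return 1
    verdict=$(classify_status "$status")
    if [ "$verdict" = "pass" ] && [ "$body" != "$token" ]; then
        verdict="fail-wrong-content"      # 200 but another handler answered (e.g. an app route)
    fi
    echo "$status $verdict"
}

# Only run the live probe when the caller supplied both values.
if [ -n "${WEBROOT:-}" ] && [ -n "${DOMAIN:-}" ]; then
    t=$(create_probe_file "$WEBROOT") || exit 1
    probe_url "$DOMAIN" "$t"
    rm -f "$WEBROOT/.well-known/acme-challenge/$t"   # clean up, as certbot does
fi
```

A result of "404 fail-client-error" reproduces the failure in the log: the vhost for that domain is not serving /.well-known/acme-challenge/ from the directory certbot writes to.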

It looks like you sorted out most of the problem. You may have an unused cert remaining since two certs have your base name in it

You may want to review your nginx config and see which cert files it actually uses from this list

sudo certbot certificates

and then delete the one(s) you don't need with

sudo certbot delete --cert-name (name)

Where (name) is the cert name from the certificates list.

Your recent cert history
