Certification renewed error

Hello. I'm trying to renew certificates for some virtual domains, but I got the following errors and the renewal process failed.

My domain is:
blog.koshirophotography.com
nightview.koshirophotography.com
www.corp-associe.jp

I ran this command: certbot-auto renew

It produced this output:

My web server is (include version): apache2.4.46

The operating system my web server runs on is (include version): CentOS8

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.8.0

The error is as below.

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for blog.koshirophotography.com
http-01 challenge for nightview.koshirophotography.com
http-01 challenge for www.corp-associe.jp
http-01 challenge for www.koshirophotography.com
Waiting for verification...
Challenge failed for domain blog.koshirophotography.com
Challenge failed for domain nightview.koshirophotography.com
Challenge failed for domain www.corp-associe.jp
http-01 challenge for blog.koshirophotography.com
http-01 challenge for nightview.koshirophotography.com
http-01 challenge for www.corp-associe.jp
Cleaning up challenges
Attempting to renew cert (www.corp-associe.jp) from /etc/letsencrypt/renewal/www.corp-associe.jp.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.corp-associe.jp/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.corp-associe.jp/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: blog.koshirophotography.com
   Type:   unauthorized
   Detail: Invalid response from
   https://blog.koshirophotography.com/.well-known/acme-challenge/ceXzRnVdNfyNbCSVjDpU9PGtlUe5_4YTIP31fn-JRW4
   [xxx.xxx.xxx.xxx]: "<!DOCTYPE html>\n\n<html class=\"no-js\"
   lang=\"ja\">\n\n\t<head>\n\n\t\t<meta charset=\"UTF-8\">\n\t\t<meta
   name=\"viewport\" content=\"width=device"

Hi @bravo

If you use webroot and that doesn't work, your webroot (saved in the config file) is wrong.

Use your correct webroot.

Perhaps you changed the document root location of a domain (since the last renewal).
If so, certbot-auto would not know of this change and would try the old location (and fail).
Do you know how to find the document root location for the failing domain?
[it must be matched by the webroot setting in the renewal config file]

Hi, JuergenAuer

Thanks for your quick feedback. How can I use the correct webroot? Do I need to change some parameters in the config file? Basically, I have not changed anything since I got the certificates.

Hi, rg305

Thanks for your quick response. Well, the document root location has not been changed since I set up the website and Apache server. Do I need to submit a log file or change something?

Hello @bravo,

You should review the conf file /etc/letsencrypt/renewal/www.corp-associe.jp.conf and check that all the web roots defined for your domains (in section [[webroot_map]]) are the right ones you are using in your Apache conf.

If the paths are the right ones, you could create a test file inside /path/to/document/root/of/your/domain/.well-known/acme-challenge/ and check that you can get the file using your browser.

If you create the file we can check whether we can reach it too.

Cheers,
sahsanu
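
An added example, not part of the original post and not Certbot's own code: a check that compares each entry in a renewal file's [[webroot_map]] section with the DocumentRoot of the Apache virtual host serving that name. The hostnames, paths and both sample configs are constructed placeholders.

```python
import re

# Constructed sample data (placeholder names and paths, not from the thread).
RENEWAL_CONF = """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
www.example.com = /var/www/example
blog.example.com = /var/www/blog_old
nightview.exmaple.com = /var/www/nightview
"""
APACHE_CONF = """\
<VirtualHost *:80>
  ServerName www.example.com
  DocumentRoot "/var/www/example"
</VirtualHost>
<VirtualHost *:80>
  ServerName blog.example.com
  DocumentRoot /var/www/blog
</VirtualHost>
"""

def webroot_map(conf_text):
    """Return {hostname: webroot} from the [[webroot_map]] section."""
    mapping, inside = {}, False
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("["):
            inside = line == "[[webroot_map]]"
        elif inside and "=" in line and not line.startswith("#"):
            host, path = (part.strip() for part in line.split("=", 1))
            mapping[host.lower()] = path.rstrip("/")
    return mapping

def document_roots(apache_text):
    """Return {hostname: DocumentRoot} for each ServerName/ServerAlias."""
    roots = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", apache_text, re.S | re.I):
        root = re.search(r"^\s*DocumentRoot\s+\"?([^\"\s]+)", block, re.M | re.I)
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", block, re.M | re.I)
        for name in " ".join(names).split():
            if root:
                roots[name.lower()] = root.group(1).rstrip("/")
    return roots

def check(conf_text, apache_text):
    """List webroot_map entries that would make the http-01 challenge fail."""
    roots, problems = document_roots(apache_text), []
    for host, path in webroot_map(conf_text).items():
        if host not in roots:
            problems.append(f"{host}: no ServerName/ServerAlias with this name")
        elif roots[host] != path:
            problems.append(f"{host}: webroot {path} != DocumentRoot {roots[host]}")
    return problems
```

To run it against a real server, pass `check()` the text of the renewal file and of the Apache virtual host configuration instead of the samples.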

Hi, sahsanu

Thanks for your reply and feedback. I tried to change the web root, but I still have no luck with the following domains. These are subdomains of "koshirophotography.com".

The "koshirophotography.com" and "www.corp-associe.jp" domains are fine this time.

  1. blog.koshirophotography.com
  2. nightview.koshirophotograhy.com

The error log is as below.

Waiting for verification...
Challenge failed for domain blog.koshirophotography.com
Challenge failed for domain nightview.koshirophotography.com
http-01 challenge for blog.koshirophotography.com
http-01 challenge for nightview.koshirophotography.com
Cleaning up challenges
Attempting to renew cert (www.corp-associe.jp) from /etc/letsencrypt/renewal/www.corp-associe.jp.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.corp-associe.jp/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.corp-associe.jp/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: blog.koshirophotography.com
   Type:   unauthorized
   Detail: Invalid response from
   https://blog.koshirophotography.com/.well-known/acme-challenge/KkDLKWMx0Kt0WLPNh0WuWEK8MDIFPXwEvul2P7AFO8o
   [203.141.138.215]: "<!DOCTYPE html>\n\n<html class=\"no-js\"
   lang=\"ja\">\n\n\t<head>\n\n\t\t<meta charset=\"UTF-8\">\n\t\t<meta
   name=\"viewport\" content=\"width=device"

   Domain: nightview.koshirophotography.com
   Type:   unauthorized
   Detail: Invalid response from
   https://nightview.koshirophotography.com/.well-known/acme-challenge/9Maxmt08BmXeOwE4e9mARynzSp45BN0SpUtwXg0WpS4
   [203.141.138.215]: "<!DOCTYPE html>\n\n<html class=\"no-js\"
   lang=\"ja\">\n\n\t<head>\n\n\t\t<meta charset=\"UTF-8\">\n\t\t<meta
   name=\"viewport\" content=\"width=device"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

When you say you tried to change the web root... did you change it in the renewal conf file or in Apache?

To be able to help you, please show the output of this command:

cat /etc/letsencrypt/renewal/www.corp-associe.jp.conf

And also the conf in Apache for domains blog.koshirophotography.com and nightview.koshirophotograhy.com.

Hi, sahsanu

Yes, I changed the web root in the renewal conf file. BTW, I've found that both domain names are incorrect, so I fixed these names. However, I got the error below.
I guess that this is because of many authorization attempts. In this case, will I need to wait for 30-40 minutes?

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Attempting to renew cert (www.corp-associe.jp) from /etc/letsencrypt/renewal/www.corp-associe.jp.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.corp-associe.jp/fullchain.pem (failure)

Yes, you have reached this limit:

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

So, you should wait one hour before trying to renew your cert again.

Good luck,
sahsanu

Hi, sahsanu

Finally, the renewal process completed successfully!
Thank you so much for your help!!

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/www.corp-associe.jp/fullchain.pem (success)

I'm glad you finally got your cert :wink:
