Challenge error

Hello,
Recently I’ve moved a website from one server to another.
I’ve updated the DNS correctly but I cannot install a new certificate.
All other domains on the server have no problems, certificates are installed perfectly via ISPConfig.
The folder .well-known/acme-challenge/ is accessible, as you can see at http://www.demetrashop.it/.well-known/acme-challenge/empty.dir
Thanks for any help.

My domain is:
http://www.demetrashop.it

I ran this command:
certbot-auto certonly --dry-run -w /var/www/demetrashop.it/web -d www.demetrashop.it -d demetrashop.it

It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for demetrashop.it
http-01 challenge for www.demetrashop.it
Using the webroot path /var/www/demetrashop.it/web for all unmatched domains.
Waiting for verification…
Challenge failed for domain demetrashop.it
Challenge failed for domain www.demetrashop.it
http-01 challenge for demetrashop.it
http-01 challenge for www.demetrashop.it
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
Server version: Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version):
Debian9

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
ISPConfig 3.x

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.34.2

If you use ISPConfig, use ISPConfig’s option to get a letsencrypt certificate; it works better than having multiple things try to edit the web server settings.

I’ve always used ISPConfig’s option, but when I checked the option for this domain, nothing happens.
On other domains in the same server it works, only for this nothing happens.

Hi @Blue

then you should ask your hoster.

Looks like your configuration is inconsistent. Or you had already changed some things manually.

Thanks for your answer.
The server is fine, for example today I’ve:

  • added a new domain
  • checked on ISP Config the option to apply the certificate

and it works at the first attempt, without a problem.

I’ve tried also to rename the domain demetrashop.it in ISP Config to “demetraold.it”, create a new one “demetrashop.it”, then apply certificate. Same error. :frowning:

Checked your domain perhaps that may help ( https://check-your-website.server-daten.de/?q=demetrashop.it ):

The certificate used:

CN=agomodel.it | 10.05.2019 | 08.08.2019 | expires in 90 days | agomodel.it, www.agomodel.it - 2 entries

Oh, wait, what's that? You have hit the Letsencrypt limit:

| CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 896875911 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-06 08:18:55 | 2019-08-04 08:18:55 | demetrashop.it, www.demetrashop.it - 2 entries | duplicate nr. 5 | next Letsencrypt certificate: 2019-05-10 13:24:01 |
| 892639681 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-03 13:43:55 | 2019-08-01 13:43:55 | demetrashop.it, www.demetrashop.it - 2 entries | duplicate nr. 4 | |
| 892636628 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-03 13:40:58 | 2019-08-01 13:40:58 | demetrashop.it, www.demetrashop.it - 2 entries | duplicate nr. 3 | |
| 892628572 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-03 13:33:55 | 2019-08-01 13:33:55 | demetrashop.it, www.demetrashop.it - 2 entries | duplicate nr. 2 | |
| 892619424 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-03 13:24:01 | 2019-08-01 13:24:01 | demetrashop.it, www.demetrashop.it - 2 entries | duplicate nr. 1 | |
| 892290946 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-05-03 08:35:00 | 2019-08-01 08:35:00 | demetrashop.it - 1 entries | | |
| 827596299 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-03-24 10:41:00 | 2019-06-22 10:41:00 | demetrashop.it, www.demetrashop.it - 2 entries | | |

Looks like ISPConfig doesn't show the correct error.

Where are these certificates? Created with Certbot or with ISPConfig?

PS: You can create max. 5 certificates with the same set of domain names in one week.

Thank you,
I think when I moved the domain and asked for a new certificate the DNS was not fully propagated, so I hit the limit.
Is there a method to revoke those certificates?

Revocation doesn't help.

Please read

Revoking certificates does not reset rate limits, because the resources used to issue those certificates have already been consumed.

But you should be able to create a new certificate:

next Letsencrypt certificate: 2019-05-10 13:24:01

Perhaps two or three hours later.

But the more important question: Where are these certificates?

I dunno…I’ve always used the automatic ispconfig function.
Ok, I’ll try again later, thank you.

next Letsencrypt certificate: 2019-05-10 13:24:01

In the last 3 days I have not requested any certificate, but nothing changes, the problem persists and only for this domain :frowning:

The limit is per 7 days.

You can create 5 identical certificates in one day -> seven days later.

You can create one certificate per day -> limit after 5 days, two days later -> one certificate.

But it's always terrible if you create duplicated certificates and don't use these. Then something is wrong.
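
The 7-day window described above, worked through on the issuance table quoted earlier in the thread. This is an added example, not part of any post and not code from Let's Encrypt or the check tool; it assumes the "not before" timestamp stands in for the issuance time, as the quoted table does, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # window length stated in the thread
LIMIT = 5                   # identical certificates allowed per window

# (not before, domain names) rows copied from the table quoted in the thread.
ISSUED = [
    ("2019-05-06 08:18:55", "demetrashop.it, www.demetrashop.it"),
    ("2019-05-03 13:43:55", "demetrashop.it, www.demetrashop.it"),
    ("2019-05-03 13:40:58", "demetrashop.it, www.demetrashop.it"),
    ("2019-05-03 13:33:55", "demetrashop.it, www.demetrashop.it"),
    ("2019-05-03 13:24:01", "demetrashop.it, www.demetrashop.it"),
    ("2019-05-03 08:35:00", "demetrashop.it"),
    ("2019-03-24 10:41:00", "demetrashop.it, www.demetrashop.it"),
]

def group_by_name_set(rows):
    """Group issuance times by the exact, order-insensitive set of names."""
    groups = {}
    for stamp, names in rows:
        key = frozenset(n.strip().lower() for n in names.split(","))
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        groups.setdefault(key, []).append(when)
    return groups

def next_allowed(rows, names, now):
    """Earliest time a certificate for exactly `names` can be issued again."""
    key = frozenset(n.strip().lower() for n in names)
    issued = group_by_name_set(rows).get(key, [])
    # Only certificates issued within the last 7 days count as duplicates.
    recent = sorted(t for t in issued if now - WINDOW < t <= now)
    if len(recent) < LIMIT:
        return now
    # A slot frees up when the 5th most recent issuance leaves the window.
    return recent[-LIMIT] + WINDOW

if __name__ == "__main__":
    now = datetime(2019, 5, 9, 12, 0, 0)  # constructed "current time"
    both = ["demetrashop.it", "www.demetrashop.it"]
    print("both names :", next_allowed(ISSUED, both, now))
    print("apex only  :", next_allowed(ISSUED, ["demetrashop.it"], now))
```

The single-name certificate and the March certificate do not count against the two-name set: the first has a different set of names and the second is outside the window.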

Little update.
After another attempt, looking at the log file I noticed this

2019-05-15 14:48:03,345:INFO:certbot.renewal:Cert not yet due for renewal
2019-05-15 14:48:03,346:INFO:certbot.main:Keeping the existing certificate

So, the problem is somewhere in ISPConfig, not in the missing certificate.

I took the certificate saved in the server and I installed it manually... It works!
Obviously this means no autorenew, but maybe when the certificate has expired ISPConfig will replace it correctly.
