Challenge failed when renewing

My Domain Name is :
I ran this command: certbot renew

It produced this output:
[root@bdnetbreeze ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1):
Renewing an existing certificate for
Performing the following challenges:
http-01 challenge for
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Failed to renew certificate with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/ (failure)

1 renew failure(s), 0 parse failure(s)


I looked up my most recent certificate and downloaded it. Number Certificate 8516514919.
I had to restore this system from a snapshot on the Vultr Cloud so I think my certificates are out of sync. Where would I put this file to get going again? It will expire April 22 according to the website.

Here is my log output:
I'm using: CentOS 7
My server is nginx - 443 porting server running on port 8082.
2023-03-30 14:39:36,351:DEBUG:certbot._internal.main:certbot version: 1.11.0
2023-03-30 14:39:36,351:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-30 14:39:36,351:DEBUG:certbot._internal.main:Arguments:
2023-03-30 14:39:36,351:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-03-30 14:39:36,368:DEBUG:certbot._internal.log:Root logging level set at 20
2023-03-30 14:39:36,368:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-03-30 14:39:36,409:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/
2023-03-30 14:39:36,409:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/ -cert /etc/letsencrypt/live/ -CAfile /etc/letsencrypt/live/ -verify_other /etc/letsencrypt/live/ -trust_other -timeout 10 -header Host -url
2023-03-30 14:39:36,432:DEBUG:certbot.display.util:Notifying user: Found the following certs:
Certificate Name:
Serial Number: 427eea5171ad0139274a8a110a457d2bbc6
Key Type: RSA
Expiry Date: 2023-04-19 05:03:22+00:00 (VALID: 19 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

I've moved your posts to their own separate thread. Please don't hijack other people's threads.

You say nginx runs on port 8082? How's that? Can you explain more about your setup in detail, as I'm also seeing an Apache webserver listening on port 80?

The certificate validation for the http-01 challenge always starts on port 80. It seems Apache just redirects to HTTPS (on default port 443, which is mandatory for the challenge when following HTTP to HTTPS redirects), where an nginx server is listening.


Please show this file:

# renew_before_expiry = 30 days
version = 1.9.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
authenticator = nginx
account = 73f5f7d43c9116eea6f3a761ed7e7155
server =
installer = nginx

On your system you have both Apache and nginx; as @Osiris noted.

See here for HTTP-01 challenge details.
Most important is the `<TOKEN>` being put where nginx can serve `<TOKEN>`

I note the HTTP-01 challenge starting on Port 80 seems to be Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips;

$ curl -Ii
HTTP/1.1 301 Moved Permanently
Date: Fri, 31 Mar 2023 19:53:15 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Type: text/html; charset=iso-8859-1

And is redirected to HTTPS Port 443 nginx

$ curl -k -Ii
HTTP/1.1 404 Not Found
Server: nginx/1.20.1
Date: Fri, 31 Mar 2023 19:53:18 GMT
Content-Type: text/html
Content-Length: 3650
Connection: keep-alive
ETag: "636d2d22-e42"
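An added example, not part of any post in this thread and not certbot's own code: it compares the `authenticator` line of a renewal config with the `Server` headers seen along the redirect chain of a challenge-path request, which is the comparison the replies above make by hand. The sample inputs are constructed (`example.com`, the `test` token and the `Location` header are placeholders), and it assumes the `Server` header names the real product.

```python
import re

# Constructed sample inputs; example.com is a placeholder, not the poster's domain.
SAMPLE_CONF = "authenticator = nginx\ninstaller = nginx\n"
# Shaped like `curl -sIL http://example.com/.well-known/acme-challenge/test`
SAMPLE_CURL = """\
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Location: https://example.com/.well-known/acme-challenge/test

HTTP/1.1 404 Not Found
Server: nginx/1.20.1
"""

def parse_hops(curl_output):
    """Return one {status, server, location} dict per response in the chain."""
    hops = []
    for block in re.split(r"\r?\n\s*\r?\n", curl_output.strip()):
        lines = block.strip().splitlines()
        m = re.match(r"HTTP/\S+\s+(\d{3})", lines[0]) if lines else None
        if not m:
            continue  # not an HTTP response block (e.g. curl noise)
        parts = (line.partition(":") for line in lines[1:])
        hdr = {k.strip().lower(): v.strip() for k, sep, v in parts if sep}
        hops.append({"status": int(m.group(1)), "server": hdr.get("server", ""),
                     "location": hdr.get("location", "")})
    return hops

def product(server_header):
    # Assumption: the Server header is honest; proxies can hide or rewrite it.
    return re.split(r"[/\s]", server_header, maxsplit=1)[0].lower() or "unknown"

def authenticator(renewal_conf):
    m = re.search(r"^\s*authenticator\s*=\s*(\S+)", renewal_conf, re.M)
    return m.group(1).lower() if m else None

def diagnose(renewal_conf, curl_output):
    """List mismatches between the certbot plugin and the servers that answer."""
    hops, auth, findings = parse_hops(curl_output), authenticator(renewal_conf), []
    if not hops:
        return ["no HTTP response found in the curl output"]
    first, last = hops[0], hops[-1]
    if auth in ("nginx", "apache") and product(first["server"]) != auth:
        findings.append(f"port 80 is answered by {product(first['server'])}, "
                        f"but the renewal config uses the {auth} authenticator")
    if first["location"].lower().startswith("https://"):
        findings.append(f"port 80 redirects to HTTPS, where "
                        f"{product(last['server'])} answers with status {last['status']}")
    return findings
```

A 404 on a made-up token is expected on its own; the finding that matters is which server owns port 80 compared with the plugin certbot is configured to use.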

So you are telling me I need to put my "Token" in the Apache server directory?

So I should renew the certificate using the apache switch?

I used the certbot certonly command and picked the apache option. I think I have my certs renewed.

lrwxrwxrwx 1 root root 60 Apr 5 15:42 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root 61 Apr 5 15:42 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root 65 Apr 5 15:42 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root 63 Apr 5 15:42 privkey.pem -> ../../archive/
-rw-r--r-- 1 root root 692 Dec 7 2020 README

It doesn't look like that to me

Nor here SSL Checker

Please show:
certbot certificates

