Challenge failed when renewing

phonegal2 · March 30, 2023, 7:29pm

My Domain Name is : bdnetbreeze.blackdragonnetworks.com
I ran this command: certbot renew

It produced this output:
[root@bdnetbreeze ~]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/bdnetbreeze.blackdragonnetworks.com.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate for bdnetbreeze.blackdragonnetworks.com
Performing the following challenges:
http-01 challenge for bdnetbreeze.blackdragonnetworks.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Challenge failed for domain bdnetbreeze.blackdragonnetworks.com
http-01 challenge for bdnetbreeze.blackdragonnetworks.com
Cleaning up challenges
Failed to renew certificate bdnetbreeze.blackdragonnetworks.com with error: Some challenges have failed.

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: bdnetbreeze.blackdragonnetworks.com
Type: unauthorized
Detail: 144.202.76.212: Invalid response from
https://bdnetbreeze.blackdragonnetworks.com/.well-known/acme-challenge/x_utJdYV5Ke6zn2dOEnGsUwBt0CDj-PxNTgJOEXPv6E:
404

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address...

I looked up my most recent certificate and downloaded it. Number Certificate 8516514919.
I had to restore this system from a snapshot on the Vultr Cloud so I think my certificates are out of synch. Where would I put this file to get https://bdnetbreeze.blackdragonnetworks.com:8082 going again. It will expire April 22 according to the website.

phonegal2 · March 30, 2023, 7:47pm

Here is my log output::
I'm using: Centos7
My server is nginx - 443 porting server running on port 8082.
2023-03-30 14:39:36,351:DEBUG:certbot._internal.main:certbot version: 1.11.0
2023-03-30 14:39:36,351:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-30 14:39:36,351:DEBUG:certbot._internal.main:Arguments:
2023-03-30 14:39:36,351:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-03-30 14:39:36,368:DEBUG:certbot._internal.log:Root logging level set at 20
2023-03-30 14:39:36,368:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-03-30 14:39:36,409:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/cert.pem
2023-03-30 14:39:36,409:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/chain.pem -cert /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/cert.pem -CAfile /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/chain.pem -verify_other /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/chain.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org
2023-03-30 14:39:36,432:DEBUG:certbot.display.util:Notifying user: Found the following certs:
Certificate Name: bdnetbreeze.blackdragonnetworks.com
Serial Number: 427eea5171ad0139274a8a110a457d2bbc6
Key Type: RSA
Domains: bdnetbreeze.blackdragonnetworks.com
Expiry Date: 2023-04-19 05:03:22+00:00 (VALID: 19 days)
Certificate Path: /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/privkey.pem

Osiris · March 30, 2023, 8:51pm

I've moved your posts to their own separate thread. Please don't hijack other peoples threads.

You say nginx runs on port 8082? How's that? Can you explain more about your setup in detail, as I'm also seeing an Apache webserver listening on port 80?

The certificate validation for the http-01 challenge always starts on port 80. It seems Apache just redirects to HTTPS (on default port 443, which is mandatory for the challenge when following HTTP to HTTPS redirects), where a nginx server is listening.

rg305 · March 30, 2023, 9:45pm

Please show this file:

phonegal2 · March 31, 2023, 7:45pm

# renew_before_expiry = 30 days
version = 1.9.0
archive_dir = /etc/letsencrypt/archive/bdnetbreeze.blackdragonnetworks.com
cert = /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/cert.pem
privkey = /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/privkey.pem
chain = /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/chain.pem
fullchain = /etc/letsencrypt/live/bdnetbreeze.blackdragonnetworks.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
account = 73f5f7d43c9116eea6f3a761ed7e7155
server = https://acme-v02.api.letsencrypt.org/directory
installer = nginx

Bruce5051 · March 31, 2023, 8:01pm

On your system you have both Apache and nginx; as @Osiris noted.

See here for HTTP-01 challenge details.
Most importantly is the < TOKEN > being put where nginx's can server https://bdnetbreeze.blackdragonnetworks.com/.well-known/acme-challenge/`< TOKEN >`

I note the HTTP-01 challenge starting on Port 80 seems to be Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips;

$ curl -Ii http://bdnetbreeze.blackdragonnetworks.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Fri, 31 Mar 2023 19:53:15 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Location: https://bdnetbreeze.blackdragonnetworks.com/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

And is redirected to HTTPS Port 443 nginx

$ curl -k -Ii https://bdnetbreeze.blackdragonnetworks.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.20.1
Date: Fri, 31 Mar 2023 19:53:18 GMT
Content-Type: text/html
Content-Length: 3650
Connection: keep-alive
ETag: "636d2d22-e42"

phonegal2 · April 5, 2023, 8:24pm

So you are telling me I need to put my "Token" in the Apache server directory?

So I should renew the certificate using the apache switch?

phonegal2 · April 5, 2023, 8:48pm

I used the : Certbot certonly command and picked the apache option. I think I have my certs renewed.

lrwxrwxrwx 1 root root 60 Apr 5 15:42 cert.pem -> ../../archive/bdnetbreeze.blackdragonnetworks.com/cert14.pem
lrwxrwxrwx 1 root root 61 Apr 5 15:42 chain.pem -> ../../archive/bdnetbreeze.blackdragonnetworks.com/chain14.pem
lrwxrwxrwx 1 root root 65 Apr 5 15:42 fullchain.pem -> ../../archive/bdnetbreeze.blackdragonnetworks.com/fullchain14.pem
lrwxrwxrwx 1 root root 63 Apr 5 15:42 privkey.pem -> ../../archive/bdnetbreeze.blackdragonnetworks.com/privkey14.pem
-rw-r--r-- 1 root root 692 Dec 7 2020 README

Bruce5051 · April 5, 2023, 8:57pm

It doesn't look like that to me
https://www.ssllabs.com/ssltest/analyze.html?d=bdnetbreeze.blackdragonnetworks.com

Nor here SSL Checker

rg305 · April 5, 2023, 9:04pm

Please show:
certbot certificates

system · May 5, 2023, 9:05pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Letsencrypt Renewal Failed Help	17	773	October 20, 2023
Help Centos 7 No CA Certificate renewal problem Help	2	604	April 7, 2021
Renewal not avaiable Help	7	414	August 4, 2023
Help Creating Certificate Manual Mode, don't know where to put Help	6	512	May 20, 2022
Certbot Renew Challenge failed Help	14	2242	December 15, 2022

Challenge failed when renewing

Related topics