Domain cert renews from command line but not automatically

I have two domains on a server. One renews automatically 30 days before expiration, the other, a virtual domain, does not. The virtual domain does renew from the command line.

My domain is: www.fellowshipofmenandwomen.com

I ran this command: certbot certonly -w /var/www/html/fmw -d www.fellowshipofmenandwomen.com

It produced this output: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/fullchain.pem

My web server is (include version): Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version): debian 9 (stretch)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.28.0

The cert renews from the command line just fine but does not do so automatically. 30 days before expiration certbot attempts to renew and fails. The log contains the following:

2022-02-08 10:37:23,461:INFO:certbot.auth_handler:http-01 challenge for www.fellowshipofmenandwomen.com
2022-02-08 10:37:23,461:INFO:certbot.plugins.webroot:Using the webroot path /var/www/html for all unmatched domains.
2022-02-08 10:37:23,461:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge

However, /var/www/html/ is not the webroot for www.fellowshipofmenandwomen.com.
certbot writes /etc/letsencrypt/renewal/www.fellowshipofmenandwomen.com-0001.conf after success of the command line renewal, less comments, as follows:

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/www.fellowshipofmenandwomen.com-0001
cert = /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/cert.pem
privkey = /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/privkey.pem
chain = /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/fullchain.pem

[renewalparams]
account = d031add068fe0d1b3c140df6ba59176e
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html/fmw,
[[webroot_map]]
www.fellowshipofmenandwomen.com = /var/www/html/fmw

That command is incomplete.
It should be:
certbot certonly --webroot -w /var/www/html/fmw -d www.fellowshipofmenandwomen.com

Also, please show the output of:
certbot certificates

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: www.fellowshipofmenandwomen.com-0001
Domains: www.fellowshipofmenandwomen.com
Expiry Date: 2022-05-10 02:32:28+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/privkey.pem
Certificate Name: o.mni.science
Domains: o.mni.science
Expiry Date: 2022-04-20 19:54:29+00:00 (VALID: 70 days)
Certificate Path: /etc/letsencrypt/live/o.mni.science/fullchain.pem
Private Key Path: /etc/letsencrypt/live/o.mni.science/privkey.pem


Seeing as there are 89 days on the cert, it will be a while before it would be expected to renew on its own.

When you say:

Please show the full command that is being run automatically.
[and, ideally, any certbot log entries that might detail the failure]

Thanks for your prompt attention to this. I wish I could figure out how to attach a log file.

Command line run from systemd:
/usr/bin/certbot -q renew

From /var/log/letsencrypt/letsencrypt.log (at 10:37:22,751 note the wrong webroot_path from cerbot.cli. The correct webroot_path is in  /etc/letsencrypt/renewal/www.fellowshipofmenandwomen.com-0001.conf)

2022-02-08 10:37:22,730:DEBUG:certbot.main:certbot version: 0.28.0
2022-02-08 10:37:22,731:DEBUG:certbot.main:Arguments: ['-q']
2022-02-08 10:37:22,732:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-02-08 10:37:22,741:DEBUG:certbot.log:Root logging level set at 30
2022-02-08 10:37:22,742:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-02-08 10:37:22,751:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer <certbot.cli._Default object at 0x7f7e7ed74748>
2022-02-08 10:37:22,751:DEBUG:certbot.cli:Var authenticator=webroot (set by user).
2022-02-08 10:37:22,751:DEBUG:certbot.cli:Var webroot_path=/var/www/html (set by user).
2022-02-08 10:37:22,751:DEBUG:certbot.cli:Var webroot_map={'webroot_path'} (set by user).
2022-02-08 10:37:22,759:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2022-03-09 20:44:54 UTC.
2022-02-08 10:37:22,759:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2022-02-08 10:37:22,759:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2022-02-08 10:37:22,759:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f7e7edcb860>
Prep: True
2022-02-08 10:37:22,760:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f7e7edcb860> and installer None
2022-02-08 10:37:22,760:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2022-02-08 10:37:22,765:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', uri='https://acme-v01.api.letsencrypt.org/acme/reg/24584683', body=Registration(only_return_existing=None, status=None, agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', terms_of_service_agreed=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f7e7ed74320>)>), contact=('mailto:o@o.mni.science',)), terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), d031add068fe0d1b3c140df6ba59176e, Meta(creation_dt=datetime.datetime(2017, 11, 20, 15, 4, 33, tzinfo=<UTC>), creation_host='localhost'))>
2022-02-08 10:37:22,767:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-02-08 10:37:22,780:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2022-02-08 10:37:22,969:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-02-08 10:37:22,970:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 08 Feb 2022 10:37:22 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "fcIOXt4nQ7E": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-02-08 10:37:22,971:INFO:certbot.main:Renewing an existing certificate
2022-02-08 10:37:23,040:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0135_key-certbot.pem
2022-02-08 10:37:23,044:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0135_csr-certbot.pem
2022-02-08 10:37:23,045:DEBUG:acme.client:Requesting fresh nonce
2022-02-08 10:37:23,045:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-02-08 10:37:23,090:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-02-08 10:37:23,091:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 08 Feb 2022 10:37:23 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01023MEW9JBcVahYHztkXdO2eLtEn5BnZkHAvV2UsnYfRGU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2022-02-08 10:37:23,091:DEBUG:acme.client:Storing nonce: 01023MEW9JBcVahYHztkXdO2eLtEn5BnZkHAvV2UsnYfRGU
2022-02-08 10:37:23,091:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "www.fellowshipofmenandwomen.com"\n    }\n  ]\n}'
2022-02-08 10:37:23,095:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvcmVnLzI0NTg0NjgzIiwgIm5vbmNlIjogIjAxMDIzTUVXOUpCY1ZhaFlIenRrWGRPMmVMdEVuNUJuWmtIQXZWMlVzbllmUkdVIiwgImFsZyI6ICJSUzI1NiIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "mDcEjpusSRH46EZtj8gQjbcNnSQqDw2MiCfcplEQZFmD2xcaVTPAqxtJoxTFcJW8yE3Q84oB81LBTEjzfC2_FrVSiU0-aZEwm_kPKAhRPOqTOzG1FanYAigHZy9F8fALH7N4OYM_S_knsOxBMJWczVC_mvPtutW1UONq3ugl-aWA6fdBAsUfouWbSZwk3d4Bd77QAuUEpVweVAYTnG5GAMar-q52DvBL5kzNisSGTolOseyBUgUFW-ksWBRdj7PFPqZiW6zH-ivrCzyl-TZWp5I_ciaPbekuow_x48LuTEvTAv4livyThYCtH7m6GDJT4kcL-bTkEg_0mHBakTvYjg",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy5mZWxsb3dzaGlwb2ZtZW5hbmR3b21lbi5jb20iCiAgICB9CiAgXQp9"
}
2022-02-08 10:37:23,400:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 353
2022-02-08 10:37:23,401:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Tue, 08 Feb 2022 10:37:23 GMT
Content-Type: application/json
Content-Length: 353
Connection: keep-alive
Boulder-Requester: 24584683
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/24584683/62231302310
Replay-Nonce: 01014xiocSFmFz6WBciYmBZ_RfPWgMlAlhVhU64XxCts1UM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-02-15T10:37:23Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "www.fellowshipofmenandwomen.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/76439952620"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/24584683/62231302310"
}
2022-02-08 10:37:23,401:DEBUG:acme.client:Storing nonce: 01014xiocSFmFz6WBciYmBZ_RfPWgMlAlhVhU64XxCts1UM
2022-02-08 10:37:23,401:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/76439952620.
2022-02-08 10:37:23,459:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz-v3/76439952620 HTTP/1.1" 200 812
2022-02-08 10:37:23,460:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 08 Feb 2022 10:37:23 GMT
Content-Type: application/json
Content-Length: 812
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.fellowshipofmenandwomen.com"
  },
  "status": "pending",
  "expires": "2022-02-15T10:37:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/76439952620/Wt2loQ",
      "token": "8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/76439952620/t0fRCw",
      "token": "8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/76439952620/HVOusA",
      "token": "8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0"
    }
  ]
}
2022-02-08 10:37:23,460:INFO:certbot.auth_handler:Performing the following challenges:
2022-02-08 10:37:23,461:INFO:certbot.auth_handler:http-01 challenge for www.fellowshipofmenandwomen.com
2022-02-08 10:37:23,461:INFO:certbot.plugins.webroot:Using the webroot path /var/www/html for all unmatched domains.
2022-02-08 10:37:23,461:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2022-02-08 10:37:23,464:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0
2022-02-08 10:37:23,465:INFO:certbot.auth_handler:Waiting for verification...
2022-02-08 10:37:23,466:DEBUG:acme.client:JWS payload:
b'{\n  "keyAuthorization": "8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0.cDI_PdvpLYyeUVQOWZ8-m_OYHMLp4z8vh0M1dh4FQW0",\n  "type": "http-01",\n  "resource": "challenge"\n}'
2022-02-08 10:37:23,468:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/76439952620/Wt2loQ:
{
  "protected": "eyJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvcmVnLzI0NTg0NjgzIiwgIm5vbmNlIjogIjAxMDE0eGlvY1NGbUZ6NldCY2lZbUJaX1JmUFdnTWxBbGhWaFU2NFh4Q3RzMVVNIiwgImFsZyI6ICJSUzI1NiIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvNzY0Mzk5NTI2MjAvV3QybG9RIn0",
  "signature": "CUrbd0ZB3mIXKuCyfWm17_SLG4l_z5v0arJI-PAjCs4aG4A7t5N-ulXU-_pESS2FK5oAGrq7z3wY0xLMo31fFLg5omRC-AEPu2GVlfEJejeYpE-_dfp2vn_xs1WSH77BMo9iPNaNfY9D-6_dwvhd8ih5aswgxOzFvXl-SHUhrFvCVpPEqwwYBjnLCGE15y-PQqsX3nzTbU7902xR39DBDYzBow8vBFYZgYRq5KiAVE7LKaDy0sspCOeHmcjg1j-Mm7pxZFS-w71Z37imqvK-lysZ3dC4jI27hw_XpgQXzjWh5Qy1LyKVAIP96GNEgLB9PecKx6077FdXDyMBuQpVDQ",
  "payload": "ewogICJrZXlBdXRob3JpemF0aW9uIjogIjhNWk5JeHBadG5LdTVFQkxmbUp1ZEZxVEF6eFpINW1DZlpidWhfbWd5UTAuY0RJX1BkdnBMWXllVVZRT1daOC1tX09ZSE1McDR6OHZoME0xZGg0RlFXMCIsCiAgInR5cGUiOiAiaHR0cC0wMSIsCiAgInJlc291cmNlIjogImNoYWxsZW5nZSIKfQ"
}
2022-02-08 10:37:23,562:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/76439952620/Wt2loQ HTTP/1.1" 200 186
2022-02-08 10:37:23,564:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 08 Feb 2022 10:37:23 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 24584683
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/76439952620>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/76439952620/Wt2loQ
Replay-Nonce: 01026VNW6SShZFe8xkLyjjxLG_6e8CpGFjPUuRPGGRPNeCM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/76439952620/Wt2loQ",
  "token": "8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0"
}
2022-02-08 10:37:23,564:DEBUG:acme.client:Storing nonce: 01026VNW6SShZFe8xkLyjjxLG_6e8CpGFjPUuRPGGRPNeCM
2022-02-08 10:37:26,567:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/76439952620.
2022-02-08 10:37:26,625:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz-v3/76439952620 HTTP/1.1" 200 1682
2022-02-08 10:37:26,626:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 08 Feb 2022 10:37:26 GMT
Content-Type: application/json
Content-Length: 1682
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.fellowshipofmenandwomen.com"
  },
  "status": "invalid",
  "expires": "2022-02-15T10:37:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://www.fellowshipofmenandwomen.com/.well-known/acme-challenge/8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0 [45.77.221.100]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/76439952620/Wt2loQ",
      "token": "8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0",
      "validationRecord": [
        {
          "url": "http://www.fellowshipofmenandwomen.com/.well-known/acme-challenge/8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0",
          "hostname": "www.fellowshipofmenandwomen.com",
          "port": "80",
          "addressesResolved": [
            "45.77.221.100"
          ],
          "addressUsed": "45.77.221.100"
        },
        {
          "url": "https://www.fellowshipofmenandwomen.com/.well-known/acme-challenge/8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0",
          "hostname": "www.fellowshipofmenandwomen.com",
          "port": "443",
          "addressesResolved": [
            "45.77.221.100"
          ],
          "addressUsed": "45.77.221.100"
        }
      ],
      "validated": "2022-02-08T10:37:23Z"
    }
  ]
}
2022-02-08 10:37:26,626:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.fellowshipofmenandwomen.com
Type:   unauthorized
Detail: Invalid response from https://www.fellowshipofmenandwomen.com/.well-known/acme-challenge/8MZNIxpZtnKu5EBLfmJudFqTAzxZH5mCfZbuh_mgyQ0 [45.77.221.100]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

That is an interesting misspelling there "cerbot.cli"
And also the obvious: "wrong webroot_path"

Try:
find / -name cerbot.cli

Sorry, Rudy I should have written "note the wrong webroot_path from /etc/letsencrypt/cli.ini"

The webroot_path I am referring to is in both conf files:

root@o:~# egrep webroot_path /etc/letsencrypt/renewal/*conf
/etc/letsencrypt/renewal/o.mni.science.conf:webroot_path = /var/www/html,
/etc/letsencrypt/renewal/www.fellowshipofmenandwomen.com-0001.conf:webroot_path = /var/www/html/fmw,

and in the logs, along with "certbot.cli":

root@o:~# egrep webroot_path /var/log/letsencrypt/letsencrypt.log
2022-02-07 18:41:17,281:DEBUG:certbot.cli:Var webroot_path=/var/www/html (set by user).
2022-02-07 18:41:17,281:DEBUG:certbot.cli:Var webroot_map={'webroot_path'} (set by user).
2022-02-07 18:41:17,291:DEBUG:certbot.cli:Var webroot_path=/var/www/html (set by user).
2022-02-07 18:41:17,291:DEBUG:certbot.cli:Var webroot_map={'webroot_path'} (set by user).
2022-02-08 10:37:22,751:DEBUG:certbot.cli:Var webroot_path=/var/www/html (set by user).

but there is no "certbot.cli" in the filesystem:

root@o:~# find / -mount -name cerbot.cli
root@o:~#

Why cannot certbot pick up the correct webroot path from the conf files?

OK I figured this out. By using a webroot-map in cli.ini I can map domains to webroots:

root@o:~# diff /tmp/cli.ini /etc/letsencrypt/cli.ini
5,6c5
< webroot-map = {"o.mni.science":"/var/www/html","www.fellowshipofmenandwomen.com":"/var/www/html/fmw"}
< #webroot-path = /var/www/html

webroot-path = /var/www/html
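
Review bot: the two `<` lines (the `webroot-map` entry and the commented-out `#webroot-path`) exist only in /tmp/cli.ini, while /etc/letsencrypt/cli.ini still carries `webroot-path = /var/www/html`. The scheduled `/usr/bin/certbot -q renew` shown earlier passes no `-c`, so the change needs to be made in /etc/letsencrypt/cli.ini itself; otherwise the automatic run still reads the old value for www.fellowshipofmenandwomen.com.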

root@o:~# certbot -c /tmp/cli.ini --force-renewal renew

succeeds in renewing both certs

Thanks, and please close this

You shouldn't have to continue to use any webroot (permanently) in any cli.ini file.
Show the updated renewal conf file.

Maybe needs an update?

Good catch - but that's a separate issue to the modified webroot.

root@o:~# cat /etc/letsencrypt/renewal/www.fellowshipofmenandwomen.com-0001.conf
# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/www.fellowshipofmenandwomen.com-0001
cert = /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/cert.pem
privkey = /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/privkey.pem
chain = /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/www.fellowshipofmenandwomen.com-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = d031add068fe0d1b3c140df6ba59176e
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/html,
[[webroot_map]]
o.mni.science = /var/www/html
www.fellowshipofmenandwomen.com = /var/www/html/fmw

I think you can remove the line:

And update the line:

to:
webroot_path = /var/www/html/fmw,

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
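
The mismatch diagnosed in this thread, as an added check that is not part of the original posts or of certbot: it compares the per-domain `[[webroot_map]]` in a renewal conf with the webroot a global cli.ini would impose. It assumes, as the thread's log shows for certbot 0.28.0, that a `webroot-path` in cli.ini wins over the renewal conf; the function names and the sample file contents (built from values quoted in the thread) are constructed for illustration.

```python
import json

# Constructed sample inputs, using values quoted in the thread.
CLI_INI_BEFORE = """\
# global options applied to every certbot run
authenticator = webroot
webroot-path = /var/www/html
"""

CLI_INI_AFTER = """\
authenticator = webroot
webroot-map = {"o.mni.science":"/var/www/html","www.fellowshipofmenandwomen.com":"/var/www/html/fmw"}
#webroot-path = /var/www/html
"""

RENEWAL_CONF = """\
version = 0.28.0
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html/fmw,
[[webroot_map]]
www.fellowshipofmenandwomen.com = /var/www/html/fmw
"""


def parse_cli_ini(text):
    """Return cli.ini options as a dict; '-' in option names becomes '_'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip().replace("-", "_")] = value.strip()
    return opts


def parse_renewal_conf(text):
    """Return (webroot_path list, webroot_map dict) from a renewal conf.

    The file uses nested sections ([renewalparams], [[webroot_map]]) and a
    trailing comma for list values, so it is parsed by hand here.
    """
    section, paths, mapping = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "webroot_map":
            mapping[key] = value
        elif section == "renewalparams" and key == "webroot_path":
            paths = [p.strip() for p in value.split(",") if p.strip()]
    return paths, mapping


def cli_path_for(domain, cli_opts):
    """Webroot the global cli.ini would impose for this domain, or None."""
    try:
        mapped = json.loads(cli_opts.get("webroot_map", "{}"))
    except ValueError:
        mapped = {}
    if isinstance(mapped, dict) and domain in mapped:
        return mapped[domain]
    return cli_opts.get("webroot_path")


def find_overrides(cli_text, renewal_text):
    """List (domain, renewal_conf_path, cli_ini_path) where the two disagree."""
    cli_opts = parse_cli_ini(cli_text)
    _, mapping = parse_renewal_conf(renewal_text)
    findings = []
    for domain, wanted in sorted(mapping.items()):
        imposed = cli_path_for(domain, cli_opts)
        if imposed is not None and imposed.rstrip("/") != wanted.rstrip("/"):
            findings.append((domain, wanted, imposed))
    return findings


if __name__ == "__main__":
    for label, cli_text in (("before", CLI_INI_BEFORE), ("after", CLI_INI_AFTER)):
        hits = find_overrides(cli_text, RENEWAL_CONF)
        print(label, "->", hits or "no conflicting webroot in cli.ini")
```

On a real host the two texts would come from /etc/letsencrypt/cli.ini and each file under /etc/letsencrypt/renewal/.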