Dry-run error messages

hello -

i apologize for asking what is probably an obvious question, but i cannot figure out what i might need to do with the fullchain.pem file.

here is how my apache httpd.conf looks:

SSLCertificateFile      /etc/letsencrypt/live/MYDOMAIN.com/cert.pem
SSLCertificateKeyFile      /etc/letsencrypt/live/MYDOMAIN.com/privkey.pem
SSLCertificateChainFile     /etc/letsencrypt/live/MYDOMAIN.com/chain.pem

and the results of apachectl configtest ; is fine. the apache server restarts no problem.

yet during a dry-run i see several error messages like this:

certbot renew --dry-run ;

The following simulated renewals failed:
/etc/letsencrypt/live/MYDOMAIN.COM/fullchain.pem (failure)

note: i just moved all of these websites from one server to another. i just tar-copied all the /etc/letsencrypt/archive files over. everything looks fine on https://www.sslshopper.com/ssl-checker.html

should i delete the certs from the old server and start over with new & fresh ones?

hopefully my $$$ donation today compensates for questions that have answers that are probably documented somewhere, but i was unable to find it.

checked here too:

/var/log/letsencrypt/letsencrypt.log

EDIT: both of these seem to work just fine according to sslshopper.com:

   SSLCertificateChainFile     /etc/letsencrypt/live/MYDOMAIN.com/chain.pem
     --or--
   SSLCertificateChainFile     /etc/letsencrypt/live/MYDOMAIN.com/fullchain.pem
1 Like

This depends upon your apache version. :slightly_smiling_face:

You want to use fullchain.pem with the SSLCertificateFile Directive if you are using version 2.4.8 or later. Otherwise, use cert.pem with the SSLCertificateFile Directive and chain.pem with the SSLCertificateChainFile Directive.

The SSLCertificateFile Directive points to a file with certificate data in PEM format, or the certificate identifier through a configured cryptographic token. If using a PEM file, at minimum, the file must include an end-entity (leaf) certificate.

The file may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile


Your dry-run errors are likely due to the staging environment being under maintenance.

https://letsencrypt.status.io/


Thanks so much for donating! :smiley:

2 Likes
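As an added illustration (not code from this thread or from certbot/httpd), the check below shows the relationship the answer relies on: certbot's fullchain.pem is simply cert.pem followed by chain.pem, and the httpd version decides which file goes in which directive. The PEM bodies and the live directory path are constructed placeholders, not real certificates.

```python
import re

# Constructed placeholder PEM blocks standing in for the files under
# /etc/letsencrypt/live/<domain>/; the bodies are not real certificates.
CERT_PEM = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
CHAIN_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM  # how certbot builds fullchain.pem

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return the individual certificate blocks of a PEM file, in file order."""
    return PEM_BLOCK.findall(text)


def check_live_files(cert, chain, fullchain):
    """Verify the certbot layout: cert.pem holds one leaf, chain.pem holds the
    intermediate(s), and fullchain.pem is cert.pem followed by chain.pem.
    Returns a list of problems (empty when the three files agree)."""
    problems = []
    leaf, inter, full = split_pem(cert), split_pem(chain), split_pem(fullchain)
    if len(leaf) != 1:
        problems.append("cert.pem must hold exactly one (leaf) certificate")
    if not inter:
        problems.append("chain.pem holds no intermediate certificate")
    if full != leaf + inter:
        problems.append("fullchain.pem is not cert.pem followed by chain.pem")
    return problems


def apache_ssl_directives(version, live_dir):
    """Pick mod_ssl directives for an httpd version string such as '2.4.6'.
    httpd 2.4.8+ reads the whole chain from SSLCertificateFile, so it takes
    fullchain.pem; older builds need cert.pem plus SSLCertificateChainFile."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    key = f"SSLCertificateKeyFile {live_dir}/privkey.pem"
    if (major, minor, patch) >= (2, 4, 8):
        return [f"SSLCertificateFile {live_dir}/fullchain.pem", key]
    return [f"SSLCertificateFile {live_dir}/cert.pem", key,
            f"SSLCertificateChainFile {live_dir}/chain.pem"]


if __name__ == "__main__":
    print(check_live_files(CERT_PEM, CHAIN_PEM, FULLCHAIN_PEM))
    for line in apache_ssl_directives("2.4.6", "/etc/letsencrypt/live/MYDOMAIN.com"):
        print(line)
```

Either layout serves the same chain to clients; the dry-run failure is a separate matter on the ACME side.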

thank you griffin for your reply. i consider it a great honor to donate to letsencrypt.

Apache/2.4.6

huh, i assumed that centos-8 would have a later version.

sorry, but i am not quite sure where to go from here. a staging environment under maintenance? when i click that link i am not seeing any maintenance going on. or are you saying to try it again tomorrow?

1 Like

It just ended 5 minutes ago. :grin:

It has been happening sporadically for the last couple of weeks.

You should be able to try again right now.

1 Like

thanks - i was about to issue a

certbot certonly --cert-name MYDOMAIN.COM -d MYDOMAIN.COM ;

then create a new one and see what happens.

2 Likes

Try your dry-run again. I bet it will work. :wink:

1 Like

nope.... just finished - same set of errors. what did you bet, by the way? steak dinner?

2 Likes

Really!? What is the output?

1 Like

same:

The following simulated renewals failed:
/etc/letsencrypt/live/MYDOMAIN.COM/fullchain.pem (failure)

i reset all the 'fullchain.pem' references back to 'chain.pem', at least until apache updates via dnf/yum.

i am running certbot renew --dry-run yet again.

2 Likes

What says this?

sudo apachectl -S

1 Like

lotsa output - are we looking for something in particular?

1 Like

Well, to be sure the vHosts are completely sane is usually how we start here.

1 Like

The other output I usually check is:

ls -lRa /etc/letsencrypt

1 Like

is it possible for me to email you a zip file of the results?

1 Like

You can. Or you can just PM me the results if you wish. We can carry this into the PM to prevent exposure.

1 Like

Please paste the entire output so we can see what the actual reported error by the ACME server is. Just knowing it failed leaves too much room for guessing and is like trying to fix it in the dark.

2 Likes

update: i selected just one of the domain names and did:

certbot --apache certonly --dry-run --domains MYDOMAINNAME.COM ;

that was successful. :grin:

IMPORTANT NOTES:
 - The dry run was successful.

occasionally i get this message back:

Failed to renew certificate MYDOMAINNAME.COM with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)

but as Griffin very patiently and kindly educated me, it's important to check https://letsencrypt.status.io/ since occasionally the letsencrypt servers might not be answering quickly.

for whatever reason (bad timing?) trying to do them all at once with

certbot renew --dry-run ;

is not working consistently, at least for now. any thoughts on this?

2 Likes

Are the ones that are failing consistent or random? Are you seeing the same type of error as before or something different? As Osiris mentioned, knowing the exact error sent by Let's Encrypt, as opposed to the ACME client's interpretation of it, is very helpful.

1 Like

it's very random. i see notices like this:

# certbot --apache renew --dry-run ;

Processing /etc/letsencrypt/renewal/MYDOMAIN.com.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for MYDOMAIN.com and 3 more domains
Performing the following challenges:
http-01 challenge for admin.MYDOMAIN.com
http-01 challenge for MYDOMAIN.com
http-01 challenge for webmail.MYDOMAIN.com
http-01 challenge for www.MYDOMAIN.com
Waiting for verification...
Cleaning up challenges
Failed to renew certificate MYDOMAIN.COM with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)

1 Like

I can't say that I'm really familiar with that error. I'll give time for someone who might have specific knowledge to respond. If no one with specific knowledge responds to provide assistance, I'll start an inquiry.

2 Likes