Dry run without errors but actual run with errors

My domain is:

www.buchausgabe.de

I ran this command:

#!/bin/sh
certbot certonly --webroot \
-w /home/webhost/www/www.buchausgabe.de/jshop/public \
-d www.buchausgabe.de \
-d buchausgabe.de \
--config-dir=/home/webhost/letsencrypt/config \
--work-dir=/home/webhost/letsencrypt/work \
--logs-dir=/home/webhost/letsencrypt/log

It produced this output:

Saving debug log to /home/webhost/letsencrypt/log/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.buchausgabe.de
http-01 challenge for buchausgabe.de
Using the webroot path /home/webhost/www/www.buchausgabe.de/jshop/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. buchausgabe.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://buchausgabe.de/.well-known/acme-challenge/rTxfGMFOiz0cYHK8jWbZMxE8S7wGlF3jM0a5pIXtiD8: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", www.buchausgabe.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.buchausgabe.de/.well-known/acme-challenge/VKzyg8uBsUX573BtovqO7qQGhB4ljuyOUMoPATLEjOg: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: buchausgabe.de
   Type:   unauthorized
   Detail: Invalid response from
   http://buchausgabe.de/.well-known/acme-challenge/rTxfGMFOiz0cYHK8jWbZMxE8S7wGlF3jM0a5pIXtiD8:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.buchausgabe.de
   Type:   unauthorized
   Detail: Invalid response from
   http://www.buchausgabe.de/.well-known/acme-challenge/VKzyg8uBsUX573BtovqO7qQGhB4ljuyOUMoPATLEjOg:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

But when I ran this command with the --dry-run option everything worked fine:

#!/bin/sh
certbot certonly --webroot \
-w /home/webhost/www/www.buchausgabe.de/jshop/public \
-d www.buchausgabe.de \
-d buchausgabe.de \
--config-dir=/home/webhost/letsencrypt/config \
--work-dir=/home/webhost/letsencrypt/work \
--logs-dir=/home/webhost/letsencrypt/log --dry-run

Saving debug log to /home/webhost/letsencrypt/log/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for buchausgabe.de
http-01 challenge for www.buchausgabe.de
Using the webroot path /home/webhost/www/www.buchausgabe.de/jshop/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • The dry run was successful.

My web server is (include version):

Nginx 1.12.2

The operating system my web server runs on is (include version):

FreeBSD 11.2

My hosting provider, if applicable, is:

Self hosting

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No, I use the shell.

Maybe naming the option --dry-run is misleading if it produces false positives. The name --dry-run suggests that a positive result would guarantee that the actual run works too. Yet it returns false positives resulting in too many failed authorizations because of exceeded rate limits.

That’s not good.
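The failure above is the ACME server receiving a 404 from the web server for a file under .well-known/acme-challenge/, which is independent of Certbot itself: the webroot plugin only writes the token file, and the web server has to serve it over plain HTTP for every name in the certificate. The script below is an added example (not code from the original post or from Certbot) that reproduces that step without touching Let's Encrypt at all: it writes a constructed token into the webroot, fetches it through the site's own HTTP front end for each domain, and reports whether the body matches. It assumes curl is installed and that the webroot path and domain names are passed as arguments; the function names are this example's own.

```shell
#!/bin/sh
# Added example: check that each domain serves files placed under
# <webroot>/.well-known/acme-challenge/ over HTTP, the way the ACME
# http-01 validation will fetch them. Not part of the original post.
# Assumes: curl is available; arguments are WEBROOT DOMAIN [DOMAIN...].

CHALLENGE_DIR=".well-known/acme-challenge"

# Build the URL the ACME server would request for a domain and token.
acme_challenge_url() {
    printf 'http://%s/%s/%s\n' "$1" "$CHALLENGE_DIR" "$2"
}

# Constructed random token name; this is not an ACME-issued token.
make_token() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Fetch a URL and print the body; non-zero exit on HTTP errors such as 404.
# Override this function to use another HTTP client or to simulate a server.
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# Compare what the web server returned with what was written; 0 on match.
verify_response() {
    expected="$1"; actual="$2"
    [ "$expected" = "$actual" ]
}

# Full check for one domain: write token, fetch it via HTTP, clean up, report.
check_domain() {
    webroot="$1"; domain="$2"
    token=$(make_token)
    mkdir -p "$webroot/$CHALLENGE_DIR"
    printf '%s' "$token" > "$webroot/$CHALLENGE_DIR/$token"
    url=$(acme_challenge_url "$domain" "$token")
    body=$(fetch_url "$url") || body=""
    rm -f "$webroot/$CHALLENGE_DIR/$token"
    if verify_response "$token" "$body"; then
        echo "OK   $domain serves $CHALLENGE_DIR from $webroot"
        return 0
    fi
    echo "FAIL $domain: $url did not return the token (got: '${body:-<empty>}')"
    return 1
}

# Usage: sh check_webroot.sh WEBROOT DOMAIN [DOMAIN...]
if [ "$#" -ge 2 ]; then
    webroot="$1"; shift
    status=0
    for d in "$@"; do
        check_domain "$webroot" "$d" || status=1
    done
    exit "$status"
fi
```

Run it on the web host against the same webroot and names given to certbot, for example `sh check_webroot.sh /home/webhost/www/www.buchausgabe.de/jshop/public www.buchausgabe.de buchausgabe.de`. A FAIL with a 404 body for one name while the other passes means the web server is not serving that name from the given root (a different server block, document root or redirect for the bare domain is the usual cause), and that is the condition to fix before spending another validation attempt against the rate limits.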

Hi @mkastner,

This is the intention of --dry-run, and it's almost always the case. So, you've probably come across a bug in Certbot or an unusual configuration case. What version of Certbot are you running?

I'm also confused by this. In my recollection, the logic for certificate renewal doesn't renew an existing certificate when using certonly unless you specify all of the names in the existing certificate. Here, you've specified only -d buchausgabe.de and not -d www.buchausgabe.de and so I would expect Certbot not to treat this as a renewal because of the lack of -d www.buchausgabe.de.

Could you post the log file from /var/log/letsencrypt and the output of certbot certificates?
