Error Renewing certificate Before March 4

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
batcavelounge.eu
I ran this command:
sudo certbot renew --force-renewal
It produced this output:

Processing /etc/letsencrypt/renewal/batcavelounge.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for batcavelounge.eu
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (batcavelounge.eu) from /etc/letsencrypt/renewal/batcavelounge.eu.conf produced an unexpected error: Failed authorization procedure. batcavelounge.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://batcavelounge.eu/.well-known/acme-challenge/2B3U64XZuMUXA3ztRJ5WsWwB59xoNi90cxUeF6zU-0A [198.100.146.181]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>". Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.batcavelounge.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/www.batcavelounge.eu/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs could not be renewed:
  /etc/letsencrypt/live/batcavelounge.eu/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs were successfully renewed:
  /etc/letsencrypt/live/www.batcavelounge.eu/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/batcavelounge.eu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: batcavelounge.eu
   Type:   unauthorized
   Detail: Invalid response from
   https://batcavelounge.eu/.well-known/acme-challenge/2B3U64XZuMUXA3ztRJ5WsWwB59xoNi90cxUeF6zU-0A
   [198.100.146.181]: "<html>\r\n<head><title>404 Not
   Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
   Not Found</h1></center>\r\n<hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version):
Linux ns5000316 4.15.0-72-generic #81-Ubuntu SMP Tue Nov 26 12:20:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
My hosting provider, if applicable, is:
kimsufi
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I completely overlooked this. Check the server blocks in your nginx config and make sure there is a server_name batcavelounge.eu; next to server_name www.batcavelounge.eu; (they can be together like server_name batcavelounge.eu www.batcavelounge.eu;)

Have that correctly,

server {
#server_name ;
root /var/www;
server_name batcavelounge.eu www.batcavelounge.eu;
index index.php index.html index.htm;


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: batcavelounge.eu
    Type: unauthorized
    Detail: Invalid response from
    https://batcavelounge.eu/.well-known/acme-challenge/OT2qNIBdcCj092okHP9MurQDagNXlhkcix4ApCg51Zo
    [198.100.146.181]: "<html>\r\n<head><title>404 Not
    Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404
    Not Found</h1></center>\r\n<hr><center>"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Did you reload nginx after editing that file?

service nginx configtest

and then, if it goes ok:

service nginx reload

I did not have to edit anything, that’s what I had/have originally.

Hi @scooter1

Share the content of that file. Is /var/www used there?


:/etc/letsencrypt/renewal$ ls
batcavelounge.eu.conf www.batcavelounge.eu.conf

[[webroot_map]]
www.batcavelounge.eu = /etc/letsencrypt
batcavelounge.eu = /etc/letsencrypt

# renew_before_expiry = 30 days
version = 0.22.2
archive_dir = /etc/letsencrypt/archive/batcavelounge.eu
cert = /etc/letsencrypt/live/batcavelounge.eu/cert.pem
privkey = /etc/letsencrypt/live/batcavelounge.eu/privkey.pem
chain = /etc/letsencrypt/live/batcavelounge.eu/chain.pem
fullchain = /etc/letsencrypt/live/batcavelounge.eu/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = d3f276c81270a19bdd65435678c63ebf
authenticator = webroot
installer = None
[[webroot_map]]
www.batcavelounge.eu = /etc/letsencrypt
batcavelounge.eu = /etc/letsencrypt
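
The comparison the reply above asks for, as an added example that is not part of the original thread: it reads the `[[webroot_map]]` from the renewal file and the `root` from the nginx server block and reports where they differ, since the webroot authenticator writes the challenge file under the mapped directory while nginx answers from its own `root`. The function names are hypothetical, the inputs are the excerpts posted in this thread (with the server block closed so it parses), and it assumes no `location`/`alias` override or `include` in the nginx config.

```python
import re
# Excerpts as posted in the thread; the closing brace of the server block is added here.
RENEWAL_CONF = """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
www.batcavelounge.eu = /etc/letsencrypt
batcavelounge.eu = /etc/letsencrypt
"""
NGINX_CONF = """\
server {
    #server_name ;
    root /var/www;
    server_name batcavelounge.eu www.batcavelounge.eu;
}
"""

def parse_webroot_map(text):
    """Return {domain: webroot} from the [[webroot_map]] subsection."""
    mapping, inside = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            inside = line == "[[webroot_map]]"   # any other section header ends the map
        elif inside and "=" in line and not line.startswith("#"):
            domain, path = (part.strip() for part in line.split("=", 1))
            mapping[domain] = path.rstrip("/") or "/"
    return mapping

def parse_nginx_roots(text):
    """Return {server_name: root} per server block (flat blocks only, an assumption)."""
    roots = {}
    for block in re.findall(r"server\s*\{(.*?)\}", text, re.S):
        body = re.sub(r"#.*", "", block)          # ignore commented-out directives
        root = re.search(r"\broot\s+([^;]+);", body)
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        if root and names:
            for name in names.group(1).split():
                roots[name] = root.group(1).strip().rstrip("/") or "/"
    return roots

def find_mismatches(renewal_text, nginx_text):
    """List (domain, certbot_webroot, nginx_root) where the directories differ."""
    roots = parse_nginx_roots(nginx_text)
    webroots = parse_webroot_map(renewal_text)
    return [(d, w, roots[d]) for d, w in sorted(webroots.items()) if roots.get(d, w) != w]

if __name__ == "__main__":
    for domain, webroot, root in find_mismatches(RENEWAL_CONF, NGINX_CONF):
        print(f"{domain}: certbot writes under {webroot}, nginx serves from {root}")
```

The directory given to the webroot authenticator should be the one nginx serves for that name; /etc/letsencrypt holds the account and certificate private keys and should not be used as a web root.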


I just ran https://checkhost.unboundtest.com/checkhost

I got a result:
The certificate currently available on www.batcavelounge.eu is OK. It is not one of the certificates affected by the Let’s Encrypt CAA rechecking problem. Its serial number is (etc.etc).

It should stay like that after the 4th? No need to worry to renew?

Read the output of https://check-your-website.server-daten.de/?q=batcavelounge.eu

There is a new certificate

CN=www.batcavelounge.eu | 03.03.2020 | 01.06.2020 | expires in 90 days | www.batcavelounge.eu - 1 entry

So you have renewed your certificate today and you have replaced the critical certificate. So the CAA problem is fixed.

But you have created the wrong certificate, your non-www version is insecure. Create one certificate with both domain names.

Welp, that’s a start. Thank you.

How would I create one certificate with both domain names? Should I start a new topic?


The certificate currently available on www.batcavelounge.eu is OK. It is not one of the certificates affected by the Let’s Encrypt CAA rechecking problem. Its serial number is 038

EDITED
Never mind, I ran the renew command again and this time it worked… maybe it just needs a couple of attempts sometimes?