Error renewing certificate

I have two domains on XAMPP, Ubuntu 20.x Linux, both run as virtual hosts. Both run fine with https using the originally generated LetsEncrypt certificates. One domain is oisnc.org and its certificate renewed fine. The other domain is omitttradeschool.com and its renewal attempt threw an error:

My domain is: omitttradeschool.com

I ran this command: sudo certbot certonly --force-renew -d omitttradeschool.com -d www.omitttradeschool.com

It produced this output:
Challenge failed for domain omitttradeschool.com
Challenge failed for domain www.omitttradeschool.com
http-01 challenge for omitttradeschool.com
http-01 challenge for www.omitttradeschool.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): XAMPP v 7.4.12-0, Apache 2.3.0

The operating system my web server runs on is (include version): Ubuntu 20.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): version 0.40.0


There are a few pieces of missing information here and some misunderstandings.

Your command and output do not indicate which authenticator (webroot, apache) certbot used to try to fulfill the http-01 challenges.

You should avoid using --force-renewal like the plague. It is not the correct way to renew a certificate.

Try this instead and let us know the complete output:

sudo certbot renew --cert-name omitttradeschool.com --dry-run


Your redirects (or lack thereof) are curious. There is no http to https redirect or a canonical choice of domain name (www versus non-www).

http://omitttradeschool.com
302 Found
http://omitttradeschool.com/dashboard/
200 OK
http://www.omitttradeschool.com
302 Found
http://www.omitttradeschool.com/dashboard/
200 OK
https://omitttradeschool.com
200 OK
https://www.omitttradeschool.com
200 OK

Hi @coldje

An Apache is running there.

So if that doesn't work, your Apache config may be buggy.

What does this say:

apachectl -S

Output of dry run:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/omitttradeschool.com.conf


Attempting to parse the version 1.10.1 renewal configuration file found at /etc/letsencrypt/renewal/omitttradeschool.com.conf with version 0.40.0 of Certbot. This might not work.
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for omitttradeschool.com
http-01 challenge for www.omitttradeschool.com
Using the webroot path /opt/lampp/htdocs/omitttrade for all unmatched domains.
Waiting for verification...
Challenge failed for domain omitttradeschool.com
Challenge failed for domain www.omitttradeschool.com
http-01 challenge for omitttradeschool.com
http-01 challenge for www.omitttradeschool.com
Cleaning up challenges
Attempting to renew cert (omitttradeschool.com) from /etc/letsencrypt/renewal/omitttradeschool.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/omitttradeschool.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/omitttradeschool.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


XAMPP might not be using the HTTPS port.

But I am also curious why one works and one doesn't.
Perhaps we should have a look at, and compare, the two HTTP vhost config sections.


coldje@oisnc:/opt/lampp$ apachectl -S
VirtualHost configuration:
*:80 cpe-172-74-15-207.nc.res.rr.com (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33 not_used
Group: name="www-data" id=33 not_used


PS: If you use webroot and if that doesn't work, your webroot is wrong.


Agreed. @JuergenAuer already prompted to get it started.

There is no matching port 80 vHost with your domain name (non-www and www).

And there is a different DocumentRoot = webroot.


It seems that ALL is being handled by the one single file!
Let's have a look at it.
And the two renewal config files found in /etc/letsencrypt/renewal/


I'm off to lunch, gentlemen. I believe this will be resolved quickly. :slightly_smiling_face:


OK, I think I've confused things a bit. I originally installed Apache2 and then switched to XAMPP. The Apache2 that I'm using is at /opt/lampp/apache2


Fax me a sandwich!
And enjoy your lunch :slight_smile:
LOL


That's not the webroot in your config file.


We need to have a look at:

And

# renew_before_expiry = 30 days
version = 1.10.1
archive_dir = /etc/letsencrypt/archive/omitttradeschool.com
cert = /etc/letsencrypt/live/omitttradeschool.com/cert.pem
privkey = /etc/letsencrypt/live/omitttradeschool.com/privkey.pem
chain = /etc/letsencrypt/live/omitttradeschool.com/chain.pem
fullchain = /etc/letsencrypt/live/omitttradeschool.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fc0eca16fcd9aa9104808367e345eded
renew_hook = sudo /opt/lampp/lampp reloadapache
authenticator = webroot
manual_public_ip_logging_ok = None
webroot_path = /opt/lampp/htdocs/omitttrade,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
omitttradeschool.com = /opt/lampp/htdocs/omitttrade
www.omitttradeschool.com = /opt/lampp/htdocs/omitttrade
oisnc.org.conf:
# renew_before_expiry = 30 days
version = 1.12.0
archive_dir = /etc/letsencrypt/archive/oisnc.org
cert = /etc/letsencrypt/live/oisnc.org/cert.pem
privkey = /etc/letsencrypt/live/oisnc.org/privkey.pem
chain = /etc/letsencrypt/live/oisnc.org/chain.pem
fullchain = /etc/letsencrypt/live/oisnc.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = fc0eca16fcd9aa9104808367e345eded
renew_hook = sudo /opt/lampp/lampp reloadapache
authenticator = webroot
webroot_path = /opt/lampp/htdocs,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
oisnc.org = /opt/lampp/htdocs
www.oisnc.org = /opt/lampp/htdocs

So they go to different locations.

Now we need to see the two vhost config sections.

OR
Take a wild guess and just use the shorter path for both.


Create the two subdirectories

/opt/lampp/htdocs/omitttrade/.well-known/acme-challenge

and put a file there (file name 1234), then try to load that file via

http://omitttradeschool.com/.well-known/acme-challenge/1234
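A small self-check for the webroot step above, added here as an example (it is not from the thread and not certbot's own code): it reads the [[webroot_map]] out of a renewal conf shaped like the one posted, stages a token file where certbot's webroot authenticator would write it, and lists the URLs that must return that token over plain HTTP. The sample conf, the placeholder account id and the temp-dir re-rooting (base=...) are constructed so it runs offline; on the real box, base=None writes under /opt/lampp/htdocs/omitttrade.

```python
import os
import tempfile
# Constructed sample in the shape of /etc/letsencrypt/renewal/<name>.conf (paths as in
# the thread; the account id is a placeholder, not a real value).
SAMPLE_RENEWAL_CONF = """\
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = webroot
webroot_path = /opt/lampp/htdocs/omitttrade,
[[webroot_map]]
omitttradeschool.com = /opt/lampp/htdocs/omitttrade
www.omitttradeschool.com = /opt/lampp/htdocs/omitttrade
"""

def parse_webroot_map(text):
    """Return {domain: webroot} from the [[webroot_map]] section of a renewal conf."""
    webroots, in_map = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # any section header starts or ends the map
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domain, path = (s.strip() for s in line.split("=", 1))
            webroots[domain] = path
    return webroots

def scratch_root():
    """Temporary directory so probes can be staged without touching /opt/lampp."""
    return tempfile.mkdtemp(prefix="webroot-probe-")

def stage_probes(webroots, token, base=None):
    """Write <webroot>/.well-known/acme-challenge/<token>, the path certbot's webroot
    authenticator uses; with base set, each webroot is re-rooted under base."""
    probes = {}
    for domain, webroot in webroots.items():
        root = webroot if base is None else os.path.join(base, webroot.lstrip("/"))
        challenge_dir = os.path.join(root, ".well-known", "acme-challenge")
        os.makedirs(challenge_dir, exist_ok=True)
        probes[domain] = os.path.join(challenge_dir, token)
        with open(probes[domain], "w") as fh:
            fh.write(token)
    return probes

def probe_urls(webroots, token):
    """The URL each domain must serve over plain HTTP (http-01 is validated on port 80)."""
    return {d: f"http://{d}/.well-known/acme-challenge/{token}" for d in webroots}
```

If a URL from probe_urls does not return the token, the vhost serving port 80 for that name is not using the webroot in the renewal conf, which is exactly the mismatch the apachectl -S output points at.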