Error 'Some challenges have failed' from `certbot renew`

Can anyone advise. The current certificate is valid and expires today. The 404 is correct. There is no directory '.well-known' on the machine. So I have manually created the directory '.well-known/acme-challenge' and added the file 'foo.txt'. Apache serves the file:

1974 root@clanmills:/var/www/html/familytree # mkdir -p .well-known/acme-challenge
1975 root@clanmills:/var/www/html/familytree # cp foo.txt .well-known/acme-challenge/
1976 root@clanmills:/var/www/html/familytree # cat .well-known/acme-challenge/foo.txt
i am foo.txt
1977 root@clanmills:/var/www/html/familytree # curl https://familytree.clanmills.com/.well-known/acme-challenge/foo.txt
i am foo.txt
1978 root@clanmills:/var/www/html/familytree #

The current certificate has been working well for three months. I can inspect it with:

# openssl s_client -servername familytree.clanmills.com -connect familytree.clanmills.com:443 </dev/null 2>/dev/null | openssl x509 -text

When I tail -f /var/log/apache2/familytree-error.log, I see the challenge fail when I run certbot renew --verbose --cert-name familytree.clanmills.com --dry-run

[client 66.133.109.36:46405] AH00128: File does not exist: /var/www/familytree/.well-known/acme-challenge/6QhOnPYXnL0d6qGbqDO54H2WedvoUWD7lKjwhD0_Tb4

It feels to me that certbot has created the temporary challenge file in the wrong location. Here is the Apache configuration file:

1987 root@clanmills:/etc/apache2/sites-available # cat familytree-le-ssl.conf 
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName familytree.clanmills.com
    ServerAlias familytree.clanmills.co.uk
    DocumentRoot /var/www/familytree

    ErrorLog ${APACHE_LOG_DIR}/familytree-error.log
    CustomLog ${APACHE_LOG_DIR}/familytree-access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/familytree.clanmills.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/familytree.clanmills.com/privkey.pem
</VirtualHost>
</IfModule>

Stumped! It'll be something obvious. Any help or ideas will be gratefully received. Thank You, Everybody.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

root@clanmills:~# certbot renew --verbose --cert-name familytree.clanmills.com --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/familytree.clanmills.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cannot extract OCSP URI from /etc/letsencrypt/archive/familytree.clanmills.com/cert1.pem
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for familytree.clanmills.com and familytree.clanmills.co.uk
Performing the following challenges:
http-01 challenge for familytree.clanmills.co.uk
http-01 challenge for familytree.clanmills.com

Waiting for verification...
Challenge failed for domain familytree.clanmills.co.uk
Challenge failed for domain familytree.clanmills.com
http-01 challenge for familytree.clanmills.co.uk
http-01 challenge for familytree.clanmills.com
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:

Domain: familytree.clanmills.co.uk
Type: unauthorized
Detail: 147.93.86.33: Invalid response from http://familytree.clanmills.co.uk/.well-known/acme-challenge/CFNIjsy0v_7ImijqTzpALDiJ2oeAHwtjEdJo5Z62yXU: 404
Domain: familytree.clanmills.com
Type: unauthorized
Detail: 147.93.86.33: Invalid response from http://familytree.clanmills.com/.well-known/acme-challenge/wiu-1KCl0kxSnd_GCL9AfY5RK0yRJK1yEnKt1qybiIM: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate familytree.clanmills.com with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/familytree.clanmills.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache 2.4.58

The operating system my web server runs on is (include version):

root@clanmills:~# uname -a
Linux clanmills.co.uk 6.8.0-90-generic #91-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 18 14:14:30 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: VPS on Hostinger.com

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

1 Like

Note that the apache authenticator plugin adds some stuff to your Apache webserver based on HTTP and not HTTPS. The http-01 challenge is always initiated on port 80.

Please provide the output of the following command:

sudo apachectl -t -D DUMP_VHOSTS
3 Likes

Thank you for your quick response:

1990 root@clanmills:/etc/apache2/sites-available # apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
         port 80 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk.conf:1)
                 alias clanmills.com
                 alias www.clanmills.co.uk
                 alias www.clanmills.com
         port 80 namevhost familytree.clanmills.com (/etc/apache2/sites-enabled/familytree.conf:1)
                 alias familytree.clanmills.co.uk
*:443                  is a NameVirtualHost
         default server clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
         port 443 namevhost clanmills.co.uk (/etc/apache2/sites-enabled/clanmills.co.uk-le-ssl.conf:2)
                 alias clanmills.co.uk
                 alias www.clanmills.co.uk
                 alias clanmills.com
                 alias www.clanmills.com
         port 443 namevhost familytree.clanmills.com (/etc/apache2/sites-enabled/familytree-le-ssl.conf:2)
                 alias familytree.clanmills.co.uk
         port 443 namevhost ubuntu-24.localhost (/etc/apache2/apache2.conf:229)
1991 root@clanmills:/etc/apache2/sites-available # 

Apache correctly serves my home-made .well-known/acme-challenge/foo.txt file on both ports 80 and 443:

1991 root@clanmills:/etc/apache2/sites-available # curl https://familytree.clanmills.com/.well-known/acme-challenge/foo.txt
i am foo.txt
1992 root@clanmills:/etc/apache2/sites-available # curl http://familytree.clanmills.com/.well-known/acme-challenge/foo.txt
i am foo.txt
1993 root@clanmills:/etc/apache2/sites-available # 

When using the apache authenticator, certbot does not actually create a challenge file, but rather makes a temporary modification to your apache configuration to serve the challenge data directly. My guess is that your current apache configuration isn't compatible with this temporary modification.

3 Likes

Try adding --debug-challenges to your certbot call then inspecting your apache configuration files while certbot is waiting.

3 Likes

Thank you, @griffin Jonathon. We agree that this issue is caused by the failing challenge.

Is there a way to renew the certificate without the challenge? For example, can I delete the current certificate and get a brand new certificate? (Delete using certbot delete --cert-name familytree.clanmills.com.)

1 Like

Working on that, @griffin. Thanks for your time and assistance.

1 Like

Renewing a certificate and acquiring a new certificate are fundamentally the same operation from the CA's perspective, so deleting the current certificate will accomplish nothing. It is your Apache configuration blocking the renewal, not your current certificate. You could try switching to using the webroot authenticator instead of the Apache authenticator.

3 Likes

Try this as a test:

certbot renew --verbose --cert-name familytree.clanmills.com --dry-run -a webroot -w /var/www/familytree

2 Likes
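The two points made above, that http-01 validation is always initiated on port 80 and that the webroot authenticator works by serving a file from a directory you name, can be checked before running Certbot at all. The script below is an added example, not code from this thread or from Certbot: it plants a constructed token file under <webroot>/.well-known/acme-challenge, fetches it over plain HTTP for every hostname given, and removes it again. It assumes curl is installed (the -L flag makes it follow an HTTP-to-HTTPS redirect, as the CA's validator does); the FETCH variable exists only so the logic can be exercised offline against a stub.

```shell
#!/bin/sh
# Added example (not from the thread or from Certbot): pre-flight check for the
# webroot authenticator. Plants a constructed token under
# <webroot>/.well-known/acme-challenge, fetches it over plain HTTP on port 80
# for each hostname (the path and port the CA's http-01 validation uses), and
# cleans up. FETCH is overridable so the check can be run against a stub.

FETCH="${FETCH:-curl -fsSL --max-time 10}"   # assumption: curl is installed

# Print the directory the CA expects challenge files in for a given webroot.
challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "${1%/}"
}

# Usage: preflight <webroot> <hostname>...
# Returns 0 when every hostname served the token back unchanged, 1 otherwise.
preflight() {
    webroot=$1
    shift
    dir=$(challenge_dir "$webroot")
    mkdir -p "$dir" || return 1
    # Constructed token name; real ACME tokens are random strings chosen by the CA.
    token="preflight-$$-$(date +%s)"
    expected="webroot-check $token"
    printf '%s\n' "$expected" > "$dir/$token" || return 1
    rc=0
    for host in "$@"; do
        url="http://$host/.well-known/acme-challenge/$token"
        got=$($FETCH "$url" 2>/dev/null) || got=""
        if [ "$got" = "$expected" ]; then
            echo "OK    $url"
        else
            # A 404 here means this vhost's DocumentRoot is not the webroot
            # you intend to pass with -w, or port 80 is not reaching this host.
            echo "FAIL  $url (got: '${got:-no response}')"
            rc=1
        fi
    done
    rm -f "$dir/$token"    # never leave stray files in the challenge directory
    return $rc
}

# Stand-alone use, e.g.:
#   sh preflight.sh /var/www/html/familytree familytree.clanmills.com familytree.clanmills.co.uk
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Run it as root on the web server with the same webroot you intend to pass to certbot -w and every hostname on the certificate. A FAIL line for one hostname but not the other usually means the port-80 vhosts have different DocumentRoot values, which is exactly what apachectl -t -D DUMP_VHOSTS plus the matching config files will show.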

I've fixed it with:

certbot certonly --webroot -w /var/www/html/familytree  -d familytree.clanmills.com -d familytree.clanmills.com 

Thank you @griffin for your help. When I created the certificate in October, I received wonderful help from @MikeMcQ. I am so grateful to you and Mike. Thank you very much.

I'm so grateful, I want to give $50 to somebody. Please suggest a person or cause.

BTW, I maintained Exiv2 for 10 years. (https://exiv2.org, GitHub: Exiv2/exiv2, image metadata library and tools)

3 Likes

Glad that worked for you. :slightly_smiling_face:

I'm the author of the CertSage ACME client. You can find donation links at the bottom of this page:

2 Likes

Please be sure to check the installer for your certbot/config command to be sure that your Apache is getting reloaded with the new cert:

certbot certonly -a webroot -w /var/www/html/familytree -d familytree.clanmills.com -d familytree.clanmills.co.uk -i apache

(I also fixed the double .com in the command you mentioned above.)

If you look at the days until expiration at these two links (one is for .com and one is for .co.uk) you'll see the current problem:

2 Likes

Didn't know we're taking paychecks on this Community now... :thinking:

We're not, but as you know everything about this community has always been funded via donation. Never required of course.

1 Like

Sure, but is your conscience OK with accepting $50 for switching from the apache to the webroot authenticator? Something we used to do daily back in the day? Mine wouldn't. You do you though...

Guys. I'm trying to say "Thanks". That's all. I've happily made the donation.

Everything's almost perfect. Chrome accepts the new certificate. There's a little red mark concerning the chain: SSL Checker

3 Likes

That chain indication happens with my sites too. No worries there. :slightly_smiling_face:

Thank you for your donation! :folded_hands:

2 Likes

Thank you @griffin, @Osiris and @MikeMcQ for your wonderful help.

2 Likes

You are most welcome! I'm doing a last check on your certs.

1 Like

Please note that if you ever change the webroot path of those sites, you also need to modify the webroot path in Certbot again. You can use the certbot reconfigure command for that, but you might need to update Certbot for it to be present. 2.9.0 is fairly old.

Edit: 2.9.0 does have the reconfigure subcommand.

3 Likes