Failed Authentication on renew

I have been using letsencrypt for a while, but renew fails now. I switched to the certbot system, installed as per the instructions, and failure.

My domain is:

I ran this command: certbot renew --apache --dryrun

It produced this output:

My web server is (include version): Apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

Could you please provide all your Apache configuration files? If your server is directly connected to the internet (i.e., without any reverse proxy between the server and the internet), this should work.

Perhaps you have some kind of Apache configuration which is interfering with the temporary Apache configuration file used by certbot for the authentication.

Main config has some folder restrictions:

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>

<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

I used to have this all in one file, but thought that may be the issue, so have 2 sites enabled across 2 confs

<VirtualHost *:80>

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} [OR]
RewriteCond %{SERVER_NAME}
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

</VirtualHost>

<IfModule mod_ssl.c>
  <VirtualHost *:443>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/

  </VirtualHost>
</IfModule>

Hi @wvalters

I see, you have already tested your domain via


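| Domainname | Http-Status | redirect | Sec. | G | |
|---|---|---|---|---|---|
| | 200 | | 0.213 | H | |
| | 200 | | 0.210 | H | |
| | 200 | | 1.980 | N | Certificate error: RemoteCertificateChainErrors |
| | 200 | | 1.983 | N | Certificate error: RemoteCertificateChainErrors |
| | 404 | | 0.214 | A | Not Found |
| | 404 | | 0.210 | A | Not Found |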

is a 404 reported, not a 403. The 404 is good, port 80 answers.

So try to find your "DocumentRoot" in your VirtualHost, then use it.

certbot certonly -a webroot -w /var/www/html -d -d --dry-run

Your certificate is already expired, so you need a new one.

certbot run -a webroot -i apache -w /var/www/html -d -d
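
The step described in this reply (find the DocumentRoot of the port-80 VirtualHost and hand it to the webroot authenticator) can be checked with a script before running certbot. This is an added example, not part of the thread; the function names are hypothetical, and the config path in the usage comment is the Ubuntu default, assumed here.

```bash
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage (Ubuntu default path, an assumption):
#   sh check-webroot.sh /etc/apache2/sites-enabled/*.conf

# Print the DocumentRoot of every <VirtualHost ...:80> block in the given files.
# A new <VirtualHost> line resets the state, so a missing closing tag is tolerated.
docroots_port80() {
  awk '
    tolower($1) == "<virtualhost"   { in80 = ($0 ~ /:80[ >]/); next }
    tolower($1) ~ /^<\/virtualhost/ { in80 = 0; next }
    in80 && tolower($1) == "documentroot" { gsub(/"/, "", $2); print $2 }
  ' "$@" | sort -u
}

# Check that certbot's webroot plugin could place a token under this root.
# Creates .well-known/acme-challenge if absent (certbot would do the same).
# Returns 0 if usable, 1 if the root is missing, 2 if it is not writable.
check_webroot() {
  cw_root=$1
  cw_dir="$cw_root/.well-known/acme-challenge"
  [ -d "$cw_root" ] || { echo "missing DocumentRoot: $cw_root"; return 1; }
  mkdir -p "$cw_dir" 2>/dev/null || { echo "cannot create $cw_dir"; return 2; }
  cw_probe="$cw_dir/probe-$$"
  { echo ok > "$cw_probe"; } 2>/dev/null || { echo "cannot write in $cw_dir"; return 2; }
  rm -f "$cw_probe"
  echo "usable: certbot certonly -a webroot -w $cw_root --dry-run -d <your-domain>"
}

# Only runs when config files are passed on the command line.
if [ "$#" -gt 0 ]; then
  for root in $(docroots_port80 "$@"); do
    check_webroot "$root"
  done
fi
```

DocumentRoot paths containing spaces are not handled by this parser.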

That was it… so, use the same when doing the certbot-auto?

You said you have "regular" certbot 0.28.0. There's no specific need to use certbot-auto.

Happy to see now you have a new certificate:
	04.05.2019, - 2 entries

Yes, certbot-auto should run with the same command. Later "renew" should be enough.

Sorry. Meant “automating” via crontab. Thanks for the quick help!

