Failed to renew certificate xxx with error: Some challenges have failed

My domain is: frankhaefele.spdns.eu

I ran this command: 'sudo certbot renew --dry-run'

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/frankhaefele.spdns.eu.conf


Simulating renewal of an existing certificate for frankhaefele.spdns.eu

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: frankhaefele.spdns.eu
Type: unauthorized
Detail: 217.240.7.50: Invalid response from http://frankhaefele.spdns.eu/.well-known/acme-challenge/tfRR1rU6Z5-oZFi5SxIwJiw09_hFpp_6fLW6PGFyYEI: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate frankhaefele.spdns.eu with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.22.1

The operating system my web server runs on is (include version): Raspbian bookworm

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

I am not sure what the issue is here.
Can anybody help please?
Last month I faced no issue.

Maybe some hint from the log files:

2024-06-30 15:27:36,228:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-06-30 15:27:36,229:DEBUG:certbot._internal.error_handler:Calling registered functions
2024-06-30 15:27:36,229:INFO:certbot._internal.auth_handler:Cleaning up challenges
2024-06-30 15:27:36,230:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/letsencrypt/.well-known/acme-challenge/08NxeL8JPkzRLG-Fx2FQD_jU5IcNzrjSerwv1kVZUB4
2024-06-30 15:27:36,231:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2024-06-30 15:27:36,232:ERROR:certbot._internal.renewal:Failed to renew certificate frankhaefele.spdns.eu with error: Some challenges have failed.
2024-06-30 15:27:36,241:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 532, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1540, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 126, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 395, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2024-06-30 15:27:36,248:DEBUG:certbot._internal.display.obj:Notifying user:


2024-06-30 15:27:36,251:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2024-06-30 15:27:36,252:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem (failure)
2024-06-30 15:27:36,253:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2024-06-30 15:27:36,254:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==2.1.0', 'console_scripts', 'certbot')())


Welcome to the community, @hasenradball

The "404" in the error message is an HTTP "Not Found" error. The Let's Encrypt server sent the HTTP Challenge to your domain. But, your system responded with a "Not Found" rather than sending back the required challenge token.

It looks to me like your nginx server is not the one replying to HTTP requests. When I send a request for the "home" page using HTTP I see

curl -i http://frankhaefele.spdns.eu
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1383
Connection: keep-alive
Keep-Alive: timeout=2000

<!DOCTYPE html>
<html lang="de">
<head> <meta charset='UTF-8'>
<title>ESP8266 - Voltage, Temperature, Humidity</title>
<style>
(rest of data omitted)

Note there is no server: nginx response header like I see when I make an HTTPS request to your domain.

Do you recognize that? Have you redirected HTTP requests on port 80 to something other than your nginx?

Interestingly, not only are your response headers different for an HTTPS request, a request for the "home" page results in 404. So, it seems a very different system than what replies to HTTP.

curl -i https://frankhaefele.spdns.eu
HTTP/2 404
server: nginx
date: Sun, 30 Jun 2024 14:22:11 GMT
content-type: text/html
content-length: 146
strict-transport-security: max-age=31536000; includeSubDomains
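One way to reproduce MikeMcQ's diagnosis offline, as an added example that is neither part of this thread nor certbot's own code: write a throwaway token under the webroot the way certbot does (the log above shows /var/www/letsencrypt/.well-known/acme-challenge/), fetch it over plain HTTP the way the CA does, and compare status, Server header and body. A Python http.server rooted in a temporary directory stands in for nginx; check_webroot, serve_dir and demo are names of my own, not certbot's.

```python
import functools, http.server, secrets, tempfile, threading, urllib.error, urllib.request
from pathlib import Path

# No proxy: the probe must reach the host directly, the way the CA does.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def check_webroot(webroot: str, base_url: str) -> dict:
    """Write a random token file under WEBROOT/.well-known/acme-challenge/,
    fetch it via BASE_URL over plain HTTP, then remove it (as certbot does).
    Returns the HTTP status, the Server header and whether the body matched."""
    token = secrets.token_urlsafe(32)  # same shape as a real ACME token
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token_file = challenge_dir / token
    token_file.write_text(token)
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with _OPENER.open(url, timeout=10) as resp:
            status, server, body = resp.status, resp.headers.get("Server"), resp.read().decode()
    except urllib.error.HTTPError as err:  # a 404 lands here, just like in the thread
        status, server, body = err.code, err.headers.get("Server"), ""
    finally:
        token_file.unlink(missing_ok=True)
    return {"status": status, "server": server, "body_matches": body == token}

def serve_dir(directory: str):
    """Stand-in for nginx: serve DIRECTORY on an ephemeral 127.0.0.1 port."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def demo() -> tuple:
    """Constructed scenario: certbot writes into one webroot while port 80 is
    answered by a server rooted elsewhere (404, as in the thread), then the
    healthy case where both point at the same directory (200, body matches)."""
    with tempfile.TemporaryDirectory() as certbot_root, tempfile.TemporaryDirectory() as served_root:
        srv, url = serve_dir(served_root)
        try:
            broken = check_webroot(certbot_root, url)
            healthy = check_webroot(served_root, url)
        finally:
            srv.shutdown()
    return broken, healthy

if __name__ == "__main__":
    for label, result in zip(("wrong webroot", "correct webroot"), demo()):
        print(f"{label}: {result}")
```

Against a real host, call check_webroot("/var/www/letsencrypt", "http://frankhaefele.spdns.eu") from a machine outside the LAN; a 404 or an unexpected Server header means port 80 is not reaching the nginx that holds the webroot.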

Dear MikeMcQ,

Thank you so much for your fast reply.
The only thing I changed in the last weeks was the router.

Maybe this could be the reason.

I will check what could be the reason here.


When I use curl I get the following:

frank@pi-websrv2:~ $ curl -i http://frankhaefele.spdns.eu
HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 30 Jun 2024 17:14:51 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive

404 Not Found
404 Not Found
nginx

frank@pi-websrv2:~ $ curl -i https://frankhaefele.spdns.eu
HTTP/2 404
server: nginx
date: Sun, 30 Jun 2024 17:16:36 GMT
content-type: text/html
content-length: 146
strict-transport-security: max-age=31536000; includeSubDomains

404 Not Found
404 Not Found
nginx

frank@pi-websrv2:~ $

What if you try it from a machine on the public internet, like a mobile phone with Wi-Fi disabled so it uses the carrier network? Make sure you type http: explicitly in a browser window if you try that.


Dear MikeMcQ,

I checked the following:

frank@pi-websrv2:~ $ sudo certbot renew --cert-name frankhaefele.spdns.eu --deploy-hook "nginx -s reload" --force-renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/frankhaefele.spdns.eu.conf


Renewing an existing certificate for frankhaefele.spdns.eu
Hook 'deploy-hook' ran with error output:
2024/06/30 19:29:30 [notice] 91575#91575: signal process started


Congratulations, all renewals succeeded:
/etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem (success)


And then the following gives:

frank@pi-websrv2:~ $ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: frankhaefele.spdns.eu
Serial Number: 431e56823cc61b30b72ce31d40910a32e93
Key Type: RSA
Domains: frankhaefele.spdns.eu
Expiry Date: 2024-09-28 16:29:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/frankhaefele.spdns.eu/privkey.pem


Do you understand?

And then:

frank@pi-websrv2:~ $ sudo certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/frankhaefele.spdns.eu.conf


Simulating renewal of an existing certificate for frankhaefele.spdns.eu


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/frankhaefele.spdns.eu/fullchain.pem (success)


Do you understand this behavior?


Seems to be working just fine.


Thanks.

Should the auto-renew also work now?

Do you have a hint on how to set up geoip now on Debian 10?
I wanted to switch to geoip2 but did not get it to work.

Yes, if sudo certbot renew --dry-run works, then running sudo certbot renew should also work.

I have no idea what that is, so: nope, sorry.


@MikeMcQ
Hi Mike, do you know the latest status of how to use geoip2?
Is there an installation instruction?

Isn't that question better suited for a geoip2 support channel?


Is there such a channel?
Or should I make a new topic?

This Forum is not for generic tech support. You'll have to find it on your own, or wait for some especially kind volunteer here to find it for you.


This Community is for Let's Encrypt, ACME, TLS/SSL/HTTPS, certificates and the web PKI. Unless geoip(2) has anything to do with these subjects, I'm afraid the chances are bigger elsewhere.

Configuring a web server such as Apache or nginx is a subject we're okay with to some level with regard to certificates. There's usually little to no experience with other services, so I would not recommend opening threads here about how to configure TLS.

I am so sorry,
I thought geoIP was a part of Let's Encrypt.
I was wrong, sorry for the inconvenience.
