Failed to renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nucleuswealth.com

I ran this command: sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nucleuswealth.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for nucleuswealth.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: nucleuswealth.com
  Type:   connection
  Detail: 52.63.10.5: Fetching http://nucleuswealth.com/.well-known/acme-challenge/h1U_EtEhsbzCi49JbZwFfB_ebGmtTP89Mb2LQ_k1psk: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate nucleuswealth.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/nucleuswealth.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): (Ubuntu)

My hosting provider, if applicable, is: AWS ec2

I can login to a root shell on my machine (yes or no, or I don't know): Yes, via terminal

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.28.0

Hi @Abi95, and welcome to the LE community forum :slight_smile:

Please show the output of:
apachectl -t -D DUMP_VHOSTS

3 Likes

Hi @rg305 , thank you!

VirtualHost configuration:
*:443                  nucleuswealth.com (/etc/apache2/sites-enabled/wordpress-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server nucleuswealth.com (/etc/apache2/sites-enabled/wordpress-le-ssl.conf:42)
         port 80 namevhost nucleuswealth.com (/etc/apache2/sites-enabled/wordpress-le-ssl.conf:42)
                 alias www.nucleuswealth.com
         port 80 namevhost nucleuswealth.com (/etc/apache2/sites-enabled/wordpress.conf:1)
1 Like

As I suspected, there is a name:port overlap/conflict that Apache has allowed to go unnoticed:

port 80 namevhost nucleuswealth.com (/etc/apache2/sites-enabled/wordpress-le-ssl.conf:42)
port 80 namevhost nucleuswealth.com (/etc/apache2/sites-enabled/wordpress.conf:1)

We should review both files and keep only whichever HTTP section makes more sense of the two.

3 Likes

@rg305
I've removed the overlapping conflict but the issue has not been solved.

Here's my apachectl -t -D DUMP_VHOSTS:

VirtualHost configuration:
*:443                  nucleuswealth.com (/etc/apache2/sites-enabled/wordpress-le-ssl.conf:2)
*:80                   nucleuswealth.com (/etc/apache2/sites-enabled/wordpress-le-ssl.conf:42)

Error message:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nucleuswealth.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for nucleuswealth.com

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: nucleuswealth.com
  Type:   connection
  Detail: 52.63.10.5: Fetching http://nucleuswealth.com/.well-known/acme-challenge/W7hk1NJgRh6BNE9t0lcTaGaNRhSubTggjHPWToZGBd0: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate nucleuswealth.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/nucleuswealth.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Would it be best to remove letsencrypt completely and reinstall it?

It worked!!!

2 Likes