Failed to renew certificate


#1

My domain is: https://gs-management.arca-edu.com/

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/gs-test.arca-edu.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gs-test.arca-edu.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (gs-test.arca-edu.com) from /etc/letsencrypt/renewal/gs-test.arca-edu.com.conf produced an unexpected error: Failed authorization procedure.gs-test.arca-edu.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://gs-test.arca-edu.com/.well-known/acme-challenge/X6pHFGjOuUzTqurc7-zXUt_apDGm7OhHm5K88MmZWG0:Error getting validation data. Skipping.


Processing /etc/letsencrypt/renewal/gs-management.arca-edu.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gs-management.arca-edu.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (gs-management.arca-edu.com) from /etc/letsencrypt/renewal/gs-management.arca-edu.com.conf produced an unexpected error: Failed authorization procedure. gs-management.arca-edu.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://gs-management.arca-edu.com/.well-known/acme-challenge/xOiPmxEoy3bm8SZkNOskBj83OPOCmRHN6vvIQFSL-8I: Error getting validation data. Skipping.


Processing /etc/letsencrypt/renewal/user-test.arca-edu.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for user-test.arca-edu.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (user-test.arca-edu.com) from /etc/letsencrypt/renewal/user-test.arca-edu.com.conf produced an unexpected error: Failed authorization procedure. user-test.arca-edu.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://user-test.arca-edu.com/.well-known/acme-challenge/ZgyyC0MT_acLAfWD_IRsMalrKn1mJuIxjgRfLADKI_0: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gs-test.arca-edu.com/fullchain.pem (failure)
/etc/letsencrypt/live/gs-management.arca-edu.com/fullchain.pem (failure)
/etc/letsencrypt/live/user-test.arca-edu.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/gs-test.arca-edu.com/fullchain.pem (failure)
/etc/letsencrypt/live/gs-management.arca-edu.com/fullchain.pem (failure)
/etc/letsencrypt/live/user-test.arca-edu.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: gs-management.arca-edu.com
    Type: connection
    Detail: Fetching
    http://gs-management.arca-edu.com/.well-known/acme-challenge/xOiPmxEoy3bm8SZkNOskBj83OPOCmRHN6vvIQFSL-8I:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.0.31

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

There’s your problem, and it’s the same problem for all three domains. Let’s Encrypt is unable to connect to any of them, and as such can’t validate the domain.


#3

Can you give some assistance to solve this problem? I’m new to this kind of thing. :frowning:


#4

Check your firewall settings, maybe? Let’s Encrypt must be able to connect to your domains in order to issue or renew a cert. Right now, they can’t (neither can I). If that system has its own firewall, you’ll need to see if it’s blocking connections. If it’s behind another firewall, the same.


#5

I checked it, and right now the error has changed when I use this command again: certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/gs-test.arca-edu.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gs-test.arca-edu.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (gs-test.arca-edu.com) from /etc/letsencrypt/renewal/gs-test.arca-edu.com.conf produced an unexpected error: Failed authorization procedure.gs-test.arca-edu.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gs-test.arca-edu.com/.well-known/acme-challenge/Fe7eC9ntUKRxY9MO1l4PTYEWivkvhRispnFX-jEbzzs: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/gs-management.arca-edu.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gs-management.arca-edu.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (gs-management.arca-edu.com) from /etc/letsencrypt/renewal/gs-management.arca-edu.com.conf produced an unexpected error: Failed authorization procedure. gs-management.arca-edu.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gs-management.arca-edu.com/.well-known/acme-challenge/wnwUwX94j01b_CBSHIfkrYIYK0gZWpzMwQd4anVftr0: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/user-test.arca-edu.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for user-test.arca-edu.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (user-test.arca-edu.com) from /etc/letsencrypt/renewal/user-test.arca-edu.com.conf produced an unexpected error: Failed authorization procedure. user-test.arca-edu.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://user-test.arca-edu.com/.well-known/acme-challenge/U3Mh7y9z8MxbNX302zWmCJaGrpTo-68Q7mmZ9x7TYVU: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gs-test.arca-edu.com/fullchain.pem (failure)
  /etc/letsencrypt/live/gs-management.arca-edu.com/fullchain.pem (failure)
  /etc/letsencrypt/live/user-test.arca-edu.com/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/gs-test.arca-edu.com/fullchain.pem (failure)
  /etc/letsencrypt/live/gs-management.arca-edu.com/fullchain.pem (failure)
  /etc/letsencrypt/live/user-test.arca-edu.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
3 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: gs-management.arca-edu.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gs-management.arca-edu.com/.well-known/acme-challenge/wnwUwX94j01b_CBSHIfkrYIYK0gZWpzMwQd4anVftr0:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: gs-test.arca-edu.com
   Type:   unauthorized
   Detail: Invalid response from
   http://gs-test.arca-edu.com/.well-known/acme-challenge/Fe7eC9ntUKRxY9MO1l4PTYEWivkvhRispnFX-jEbzzs:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: user-test.arca-edu.com
   Type:   unauthorized
   Detail: Invalid response from
   http://user-test.arca-edu.com/.well-known/acme-challenge/U3Mh7y9z8MxbNX302zWmCJaGrpTo-68Q7mmZ9x7TYVU:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

The client lacks sufficient authorization 404 not found


#6

The sites are returning 404 errors.
So they seem to be “reachable” via http.
Can you place a test.txt file within the /.well-known/acme-challenge/ folder(s)?
and ensure the Internet can reach them:
http://gs-management.arca-edu.com/.well-known/acme-challenge/test.txt
http://gs-test.arca-edu.com/.well-known/acme-challenge/test.txt
http://user-test.arca-edu.com/.well-known/acme-challenge/test.txt
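
The check suggested in #6, as an added example that is not part of the original thread: it reads the webroot certbot will write challenges to from the `[[webroot_map]]` section of a renewal config, drops a probe file there, and fetches it over HTTP the way the http-01 validator does. The function names and the probe contents are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). webroot_for, place_probe and fetch_probe
# are hypothetical helper names; "probe-ok" is a constructed probe body.

# Print the webroot mapped to DOMAIN in the [[webroot_map]] section of CONF.
webroot_for() {
    local domain="$1" conf="$2"
    awk -v d="$domain" '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map {
            split($0, kv, "=")
            key = kv[1]; val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == d) { print val; found = 1; exit }
        }
        END { exit !found }
    ' "$conf"
}

# Write a probe file where the CA would look for a challenge; print its path.
place_probe() {
    local webroot="$1" name="${2:-test.txt}"
    local dir="$webroot/.well-known/acme-challenge"
    [ -d "$webroot" ] || { echo "webroot $webroot does not exist" >&2; return 1; }
    mkdir -p "$dir" && printf 'probe-ok\n' > "$dir/$name" && echo "$dir/$name"
}

# Fetch the probe over plain HTTP (following redirects); succeed only on a body match.
# A 404 page fails the comparison (status 1); a connection error returns 2.
fetch_probe() {
    local domain="$1" name="${2:-test.txt}" body
    body=$(curl -sSL --max-time 10 "http://$domain/.well-known/acme-challenge/$name") || return 2
    [ "$body" = "probe-ok" ]
}

# Usage: probe.sh DOMAIN /etc/letsencrypt/renewal/DOMAIN.conf
if [ "$#" -eq 2 ]; then
    root=$(webroot_for "$1" "$2") || { echo "no webroot_map entry for $1" >&2; exit 1; }
    place_probe "$root" >/dev/null || exit 1
    if fetch_probe "$1"; then echo "OK: $1 serves files from $root"
    else echo "FAIL: $1 does not serve $root (wrong directory, firewall, or DNS)"; fi
fi
```

A FAIL with the probe file present on disk means the web server's document root for that host is not the directory recorded in the renewal config, which is the 404 case from #5.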


#7

Thank you for the advice and clue, I finally fixed it :slight_smile:
I put some files in the wrong directory; because of that, the Internet couldn’t reach them and it was returning 404 errors.
Thanks so much.
Love you guys :heart_eyes: