Failed to renew certs sometimes

My domain is: pub.inspace.co.kr

I ran this command: sudo certbot renew --dry-run

It produced this output:

Attempting to renew cert (pub.inspace.co.kr) from /etc/letsencrypt/renewal/pub.inspace.co.kr.conf produced an unexpected error: Failed authorization procedure. pub.inspace.co.kr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://pub.inspace.co.kr/.well-known/acme-challenge/2GyRdr0NHxi0FDc6xaJPXqyIIOzX1MjwYvUKjEx1BKM [222.114.162.4]: "<!doctype html><html lang=\"en\"><head><title>HTTP Status 404 \u2013 Not Found</title><style type=\"text/css\">h1 {font-family:Tahoma,A". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/pub.inspace.co.kr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/pub.inspace.co.kr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: pub.inspace.co.kr
   Type:   unauthorized
   Detail: Invalid response from
   https://pub.inspace.co.kr/.well-known/acme-challenge/2GyRdr0NHxi0FDc6xaJPXqyIIOzX1MjwYvUKjEx1BKM
   [222.114.162.4]: "<!doctype html><html
   lang=\"en\"><head><title>HTTP Status 404 – Not Found</title><style
   type=\"text/css\">h1 {font-family:Tahoma,A"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache Tomcat 8.5.39

The operating system my web server runs on is (include version): Ubuntu 18.04 LTS

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I'm trying to renew my certificate with certbot, but it sometimes fails.
I already checked the tomcat8 logs, and I could confirm that tomcat8 deploys .well-known after the validation fails.
I think some delay is needed before validation; can I add a delay manually?


Hello @hansoli68!

Looks like you have resolved your issue. Based on my meager analysis you have a certificate that is valid until October 10, 2020.

https://www.ssllabs.com/ssltest/analyze.html?d=pub.inspace.co.kr

If questions remain please post them, otherwise good luck to you.

Rip


Thanks for the reply. But the issue isn't resolved.

Making new certs (with the certonly command) has no problem. And the issue doesn't always occur; I could renew when I tried it many times.


Usually when you use --webroot, the resource becomes immediately accessible via an HTTP request.

To clarify your issue: are you saying that you are using --webroot, but that you have to wait for Tomcat’s auto-deployer to make the file available?

I don’t think that Certbot has any way to effect a delay while using the webroot authenticator. You may need to abandon --webroot and use your own authentication hooks instead. Something like:

/etc/letsencrypt/tomcat-auth.sh

#!/usr/bin/env bash
echo "$CERTBOT_VALIDATION" > "/path/to/webroot/.well-known/acme-challenge/${CERTBOT_TOKEN}"
sleep 10

/etc/letsencrypt/tomcat-cleanup.sh

#!/usr/bin/env bash
rm -f "/path/to/webroot/.well-known/acme-challenge/${CERTBOT_TOKEN}"

and:

certbot renew --manual --manual-auth-hook /etc/letsencrypt/tomcat-auth.sh \
--manual-cleanup-hook /etc/letsencrypt/tomcat-cleanup.sh \
--dry-run
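As an added example (not from the original post or from Certbot itself), here is a variant of the auth hook above that, instead of a fixed sleep, polls the public challenge URL until Tomcat actually serves the validation string and makes certbot fail cleanly if it never appears; the webroot path, the poll budget and the curl check are assumptions.

```shell
#!/usr/bin/env bash
# Added example of a --manual-auth-hook that waits until the challenge is
# actually served, instead of a fixed sleep. Paths/budget are assumptions.
set -u

WEBROOT="${WEBROOT:-/path/to/webroot}"   # assumed: directory Tomcat serves
MAX_WAIT="${MAX_WAIT:-60}"               # assumed: seconds to wait for the deployer

# Write the key authorization where the ACME server will fetch it; print the path.
write_challenge() {
  local webroot="$1" token="$2" validation="$3"
  local dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$validation" > "$dir/$token"
  echo "$dir/$token"
}

# True when the body served over HTTP equals the expected validation string.
body_matches() {
  [ "$1" = "$2" ]
}

# Poll the public URL (what the CA will fetch) until it serves the validation,
# or give up after $4 seconds so certbot reports a hook failure, not a 404.
wait_until_served() {
  local domain="$1" token="$2" expected="$3" budget="$4"
  local url="http://$domain/.well-known/acme-challenge/$token"
  local i=0 body
  while [ "$i" -lt "$budget" ]; do
    body=$(curl -fsS --max-time 5 "$url" 2>/dev/null || true)
    if body_matches "$body" "$expected"; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  return 1
}

# Entry point when certbot runs the hook: certbot exports CERTBOT_DOMAIN,
# CERTBOT_TOKEN and CERTBOT_VALIDATION for http-01.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
  write_challenge "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" >/dev/null
  wait_until_served "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" "$MAX_WAIT" \
    || { echo "challenge for $CERTBOT_DOMAIN never became reachable" >&2; exit 1; }
fi
```

Pair it with the cleanup hook from the post above so the token file is removed after validation.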