Failed to renew certs sometime

My domain is: pub.inspace.co.kr

I ran this command: sudo certbot renew --dry-run

It produced this output:

Attempting to renew cert (pub.inspace.co.kr) from /etc/letsencrypt/renewal/pub.inspace.co.kr.conf produced an unexpected error: Failed authorization procedure. pub.inspace.co.kr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://pub.inspace.co.kr/.well-known/acme-challenge/2GyRdr0NHxi0FDc6xaJPXqyIIOzX1MjwYvUKjEx1BKM [222.114.162.4]: "<!doctype html><html lang=\"en\"><head><title>HTTP Status 404 \u2013 Not Found</title><style type=\"text/css\">h1 {font-family:Tahoma,A". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/pub.inspace.co.kr/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/pub.inspace.co.kr/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: pub.inspace.co.kr
   Type:   unauthorized
   Detail: Invalid response from
   https://pub.inspace.co.kr/.well-known/acme-challenge/2GyRdr0NHxi0FDc6xaJPXqyIIOzX1MjwYvUKjEx1BKM
   [222.114.162.4]: "<!doctype html><html
   lang=\"en\"><head><title>HTTP Status 404 – Not Found</title><style
   type=\"text/css\">h1 {font-family:Tahoma,A"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache Tomcat 8.5.39

The operating system my web server runs on is (include version): Ubuntu 18.04 LTs

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I trying to renew my certificate with certbot, but it fails sometime.
I already checked tomcat8 logs, I could confirm that tomcat8 deploying .well-known after validation fail.
I think some delay is needed before validation, can I add delay manually?

Hello @hansoli68!

Looks like you have resolved your issue. Based on my meager analysis you have a certificate that is valid until October 10, 2020.

https://www.ssllabs.com/ssltest/analyze.html?d=pub.inspace.co.kr

If questions remain please post them, otherwise good luck to you.

Rip

Thanks for reply. But an issue doesn’t resolved.

Making new certs (with certonly command) has no problem. And an issue doesn’t occur always, I could renew when tried it many times.

Usually when you use --webroot, the resource becomes immediately accessible via an HTTP request.

To clarify your issue: are you saying that you are using --webroot, but that you have to wait for Tomcat's auto-deployer to make the file available?

I don't think that Certbot has any way to effect a delay while using the webroot authenticator. You may need to abandon --webroot and use your own authentication hooks instead. Something like:

/etc/letsencrypt/tomcat-auth.sh

#!/usr/bin/env bash
echo "$CERTBOT_VALIDATION" > "/path/to/webroot/.well-known/acme-challenge/${CERTBOT_TOKEN}"
sleep 10

/etc/letsencrypt/tomcat-cleanup.sh

#!/usr/bin/env bash
rm -f "/path/to/webroot/.well-known/acme-challenge/${CERTBOT_TOKEN}"

and:

certbot renew --manual --manual-auth-hook /etc/letsencrypt/tomcat-auth.sh \
--manual-cleanup-hook /etc/letsencrypt/tomcat-cleanup.sh \
--dry-run

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.