Failure renewing one certificate on a CentOS 7.9

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.deuconcept.de

I ran this command: certbot renew --debug-challenges

It produced this output in the logfile:
2022-05-06 15:09:35,224:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/105720558386:
{
"protected": "eyJub25jZSI6ICIwMTAyNVVFSEdZTnRwbnNXYUtMQlJwRGpkcnp6SlJQM01WMGhHOXRzZGtmLTJpayIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMTA1NzIwNTU4Mzg2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzQ1MjkwNzEwIiwgImFsZyI6ICJSUzI1NiJ9",
"payload": "",
"signature": "qHIfPNyp43qMU4mr0wDxhabZvoRvWKPW3srrP4-a0l8Cwpi6shWiTkBFA0WIUSxGOK65CTA-9H7sJjtSieb2hg4dTTZtoyJrTuM1gkedkNrFdwiyK-Kf-oReLKdzWp9kYruocUeIEgLWhmmYqJhEDH-5GqwgFa71hZFatqUlad3DUQr0Coe9yoxMdmcoNdZWshrxkdYDYMeo25K-hSsfZhYKSGvPWi_lxHYNS0aWZS4mQsXdmT0LY5TU8U6HYmKrLN7U9ywjOKVSLsFQazXtVd2H-4M_26JdcS49z1zmTO5wEP49gKRUmP3r8ENMkgJKI7Z7JP_8Ee3uOW_InrUHbQ"
}
2022-05-06 15:09:35,363:DEBUG:urllib3.connectionpool:"POST /acme/authz-v3/105720558386 HTTP/1.1" 200 1405
2022-05-06 15:09:35,364:DEBUG:acme.client:Received response:
HTTP 200
content-length: 1405
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
boulder-requester: 45290710
date: Fri, 06 May 2022 13:09:35 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: 01026voxHK6hvG0dg9s1vrHyemUn5DG8ZBSe_9WIPIkeRto

{
"identifier": {
"type": "dns",
"value": "www.deuconcept.de"
},
"status": "invalid",
"expires": "2022-05-13T13:09:29Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "217.9.113.247: Invalid response from https://www.deuconcept.de: "\u003c!DOCTYPE HTML PUBLIC \"-//SQ//DTD HTML 2.0 + all extensions//EN\" \"hmpro3.dtd\"\u003e\n\u003cHTML\u003e\n\u003cHEAD\u003e\n\u003cTITLE\u003eDEUCONCEPT Gesellschaft für "",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/105720558386/Sq4sWw",
"token": "RcM41jrmQG86dDVg5fkIfrWfhE2X0iBPLQ7lDuEgM5k",
"validationRecord": [
{
"url": "DEUCONCEPT Gesellschaft für Konzeption und Vermittlung von Finanzdienstleistungen mbH",
"hostname": "www.deuconcept.de",
"port": "80",
"addressesResolved": [
"217.9.113.247"
],
"addressUsed": "217.9.113.247"
},
{
"url": "https://www.deuconcept.de",
"hostname": "www.deuconcept.de",
"port": "443",
"addressesResolved": [
"217.9.113.247"
],
"addressUsed": "217.9.113.247"
}
],
"validated": "2022-05-06T13:09:30Z"
}
]
}
2022-05-06 15:09:35,364:DEBUG:acme.client:Storing nonce: 01026voxHK6hvG0dg9s1vrHyemUn5DG8ZBSe_9WIPIkeRto
2022-05-06 15:09:35,365:WARNING:certbot._internal.auth_handler:Challenge failed for domain deuconcept.de
2022-05-06 15:09:35,365:WARNING:certbot._internal.auth_handler:Challenge failed for domain www.deuconcept.de
2022-05-06 15:09:35,365:INFO:certbot._internal.auth_handler:http-01 challenge for deuconcept.de
2022-05-06 15:09:35,366:INFO:certbot._internal.auth_handler:http-01 challenge for www.deuconcept.de
2022-05-06 15:09:35,366:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: deuconcept.de
Type: unauthorized
Detail: 217.9.113.247: Invalid response from https://www.deuconcept.de: "\n\n\nDEUCONCEPT Gesellschaft für "

Domain: www.deuconcept.de
Type: unauthorized
Detail: 217.9.113.247: Invalid response from https://www.deuconcept.de: "\n\n\nDEUCONCEPT Gesellschaft für "

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2022-05-06 15:09:35,367:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2022-05-06 15:09:35,367:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-05-06 15:09:35,367:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-05-06 15:09:35,367:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/deuconcept_de/www/.well-known/acme-challenge/tvBDqguiWDQktn1a_aHf2qYP5q9mTF6tfPU0pTgix14
2022-05-06 15:09:35,368:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/html/deuconcept_de/www/.well-known/acme-challenge/RcM41jrmQG86dDVg5fkIfrWfhE2X0iBPLQ7lDuEgM5k
2022-05-06 15:09:35,368:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2022-05-06 15:09:35,368:ERROR:certbot._internal.renewal:Failed to renew certificate www.deuconcept.de with error: Some challenges have failed.
2022-05-06 15:09:35,370:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 471, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1235, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 124, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 331, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

My web server is (include version):httpd-2.4.6-97.el7.centos.5.x86_64

The operating system my web server runs on is (include version): CentOS 7.9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

As far as I understand, certbot thinks that the domain/IP address is not right, but they are OK.

Please help, any suggestions are welcome.

Best regards

fatcharly


This is a proper 404 now. I think you might retry.


I retried it a few times; I even tried to start it as a new certificate, but always the same error. So you suggest it's a 404 and the Let's Encrypt server can't reach the server?

Show us the error you get now. Use the proper button for preformatted text in the post-editing interface, please.

All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.deuconcept.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: deuconcept.de
   Type:   unauthorized
   Detail: 217.9.113.247: Invalid response from
   https://www.deuconcept.de: "<!DOCTYPE HTML PUBLIC \"-//SQ//DTD HTML
   2.0 + all extensions//EN\"
   \"hmpro3.dtd\">\n<HTML>\n<HEAD>\n<TITLE>DEUCONCEPT Gesellschaft für
   "

   Domain: www.deuconcept.de
   Type:   unauthorized
   Detail: 217.9.113.247: Invalid response from
   https://www.deuconcept.de: "<!DOCTYPE HTML PUBLIC \"-//SQ//DTD HTML
   2.0 + all extensions//EN\"
   \"hmpro3.dtd\">\n<HTML>\n<HEAD>\n<TITLE>DEUCONCEPT Gesellschaft für
   "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

The error is still the same.

Did you make some changes to your Apache config recently?

In /etc/letsencrypt/renewal there's a config file for this certificate, show us.

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/www.deuconcept.de
cert = /etc/letsencrypt/live/www.deuconcept.de/cert.pem
privkey = /etc/letsencrypt/live/www.deuconcept.de/privkey.pem
chain = /etc/letsencrypt/live/www.deuconcept.de/chain.pem
fullchain = /etc/letsencrypt/live/www.deuconcept.de/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 83b80ca423a8cbcea5b6f1bf037fdd15
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
webroot_path = /var/www/html/deuconcept_de/www,
[[webroot_map]]
deuconcept.de = /var/www/html/deuconcept_de/www
www.deuconcept.de = /var/www/html/deuconcept_de/www

Is that webroot still correct?

Check any edits to your Apache config, or any .htaccess files.

<VirtualHost *:80>
        ServerAdmin root@localhost
        DocumentRoot /var/www/html/deuconcept_de/www
        ServerName www.deuconcept.de
        ServerAlias deuconcept.de deuconcept.eu www.deuconcept.eu
        ErrorLog /var/log/httpd/deuconcept_de_error.log
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
        RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
        RewriteRule .* - [F]

        RewriteRule ^.*$ https://www.deuconcept.de [R=301,L]
</VirtualHost>

<VirtualHost *:443>
        ServerAdmin root@localhost
        DocumentRoot /var/www/html/deuconcept_de/www
        ServerName www.deuconcept.de
        ServerAlias deuconcept.de
        ErrorLog logs/https__deuconcept_de_error_log
        TransferLog logs/https_deuconcept_de_access_log
        LogLevel warn
        SSLEngine on
        SSLHonorCipherOrder On
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        # Requires Apache >= 2.4
        SSLCompression off
        #SSLUseStapling on
        #SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
        ## Requires Apache >= 2.4.11
        #SSLSessionTickets Off
        CustomLog logs/deuconcept_ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(HEAD|GET) [NC]
        RewriteCond %{HTTP:Range} ([0-9]*-[0-9]*)(\s*,\s*[0-9]*-[0-9]*)+
        RewriteRule .* - [F]
        SSLCertificateFile /etc/letsencrypt/live/www.deuconcept.de/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.deuconcept.de/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/www.deuconcept.de/chain.pem
</VirtualHost>

It is.

[root@umbachi2 www]# ls -la
total 36
drwxrwxr-x 2 winmedia root      4096 May  9 10:55 .
drwxrwxr-x 3 winmedia root      4096 Apr 19  2007 ..
-rw-rw-r-- 1 winmedia winmedia 19346 Mar  3 11:09 dc_logo_01.jpg
-rw-rw-r-- 1 winmedia winmedia  1616 Mar  3 14:40 index.html
-rw-rw-r-- 1 winmedia winmedia  1774 Feb 23 12:25 x_index.html
[root@umbachi2 www]# pwd
/var/www/html/deuconcept_de/www

No .htaccess files.

I see no issues here. What about the rest of the Apache config? httpd.conf and whatever it includes, usually.

There was no change since the first renewal.
I am trying to understand:

Detail: 217.9.113.247: Invalid response from
   https://www.deuconcept.de: "<!DOCTYPE HTML PUBLIC \"-//SQ//DTD HTML
   2.0 + all extensions//EN\"
   \"hmpro3.dtd\">\n<HTML>\n<HEAD>\n<TITLE>DEUCONCEPT Gesellschaft für
   "

What is invalid? It's the right page, as you can see. Who replies?

I got it. Your redirect is broken. It redirects every http page to the https homepage. It should redirect each page to its https version.

Should become

RewriteRule ^(.*)$ https://www.deuconcept.de$1 [R=301,L]

(Or something like that, check the documentation -- I'm always surprised by how much I can break an Apache rewrite rule)


Yes, you are right it should be:

 RewriteRule ^/(.*)$ https://www.deuconcept.de/$1 [R=301,L]

Somebody must have changed this after the first renewal we did.
Now it works, thank you very, very much!


The slash shouldn't be there.

That rule right now is matching everything but http://www.deuconcept.de.

It matches http://www.deuconcept.de/ but not without the /


OK, I'll remove it.
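Editor's addition, not code from the thread: the script below reproduces locally what the Let's Encrypt validator saw behind the port-80 vhost. It takes the token from the log above, applies each RewriteRule discussed in the thread to the challenge path the way Apache does in VirtualHost context (the pattern is matched against the URL path, which always starts with a slash), follows the 301 the way an http-01 validator does, and checks whether the body that comes back is the key authorization or the homepage. The account-key thumbprint suffix is a placeholder, the homepage HTML is a constructed stand-in, and two plain-HTTP servers on 127.0.0.1 stand in for the *:80 and *:443 vhosts; all three are assumptions, not values from the original post.

```python
"""Replay the http-01 validation behind the broken and the fixed RewriteRule.

Added example, not part of the original thread. The thumbprint, the homepage
body and the local stand-in servers are assumptions.
"""
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

# Token taken from the certbot log in the thread; the thumbprint suffix is made up.
TOKEN = "RcM41jrmQG86dDVg5fkIfrWfhE2X0iBPLQ7lDuEgM5k"
KEY_AUTHORIZATION = TOKEN + ".ASSUMED-ACCOUNT-KEY-THUMBPRINT"
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN
ORIGIN = "https://www.deuconcept.de"
# Constructed stand-in for the page the validator got instead of the token.
HOMEPAGE = "<!DOCTYPE HTML><HTML><HEAD><TITLE>DEUCONCEPT Gesellschaft für</TITLE></HEAD></HTML>"

# The RewriteRules from the thread as (pattern, substitution); Apache's $1 becomes \1.
BROKEN_RULE = (r"^.*$", ORIGIN)             # original rule: the request path is discarded
FIXED_RULE = (r"^(.*)$", ORIGIN + r"\1")    # suggested fix: the path is kept
SLASH_RULE = (r"^/(.*)$", ORIGIN + r"/\1")  # poster's variant: also keeps it in vhost context


def rewrite_path(rule, request_path):
    """Apply one RewriteRule to a URL path (leading slash included, as Apache sees it)."""
    pattern, target = rule
    return re.sub(pattern, target, request_path, count=1)


def _serve(handler_cls):
    srv = HTTPServer(("127.0.0.1", 0), handler_cls)  # port 0: let the OS pick a free one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def origin_server():
    """Stand-in for the *:443 vhost: the webroot with the challenge file in place."""
    class Origin(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def do_GET(self):
            if self.path == CHALLENGE_PATH:
                code, body = 200, KEY_AUTHORIZATION.encode()
            elif self.path == "/":
                code, body = 200, HOMEPAGE.encode()
            else:
                code, body = 404, b"not found"
            self.send_response(code)
            self.send_header("Content-Type", "text/plain; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return _serve(Origin)


def redirect_server(rule, origin_base):
    """Stand-in for the *:80 vhost: apply the RewriteRule and answer 301."""
    class Redirect(BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass

        def do_GET(self):
            # Point the redirect at the local origin instead of the real https host.
            location = rewrite_path(rule, self.path).replace(ORIGIN, origin_base)
            self.send_response(301)
            self.send_header("Location", location)
            self.send_header("Content-Length", "0")
            self.end_headers()
    return _serve(Redirect)


def validate_http01(rule):
    """Do what the CA does: GET the token URL on port 80, follow redirects, and
    accept only if the final body is exactly the key authorization.
    Returns (passed, first 40 bytes of what came back)."""
    origin = origin_server()
    origin_base = "http://127.0.0.1:%d" % origin.server_address[1]
    front = redirect_server(rule, origin_base)
    front_base = "http://127.0.0.1:%d" % front.server_address[1]
    try:
        with urlopen(front_base + CHALLENGE_PATH, timeout=5) as resp:
            body = resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # e.g. a 404 when the webroot is wrong
        body = err.read().decode("utf-8", "replace")
    finally:
        for srv in (front, origin):
            srv.shutdown()
            srv.server_close()
    return body.strip() == KEY_AUTHORIZATION, body[:40]


if __name__ == "__main__":
    for name, rule in ("broken", BROKEN_RULE), ("fixed", FIXED_RULE), ("slash", SLASH_RULE):
        passed, snippet = validate_http01(rule)
        print("%-6s %-4s %r" % (name, "ok" if passed else "FAIL", snippet))
```

The broken rule sends the validator to the homepage, which is exactly the "Invalid response ... <!DOCTYPE HTML" detail in the log: the 403 in that error object is the ACME problem status for `unauthorized`, not a 403 from Apache. Either of the other two forms keeps the token path. On the real server the same check is `curl -iL http://www.deuconcept.de/.well-known/acme-challenge/<token>` while certbot is paused by `--debug-challenges`; the `Location` header of the 301 shows where the path went. An alternative that does not depend on the redirect at all is a `RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/` placed before the redirect rule, so challenge requests are served from the webroot on port 80.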
