Failure to Renew Let's Encrypt Certificate for domain with error: Some challenges have failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: seocentraltools.com and siteinspecta.com

I ran this command: doms=$(virtualmin list-domains --name-only --with-feature letsencrypt_renew); for dom in $doms; do virtualmin generate-letsencrypt-cert --domain "$dom" --renew; done

It produced this output:

Requesting SSL certificate for seocentraltools.com www.seocentraltools.com mail.seocentraltools.com admin.seocentraltools.com webmail.seocentraltools.com ..
.. failed : Web-based validation failed : Renewing an existing certificate for seocentraltools.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: admin.seocentraltools.com
  Type:   connection
  Detail: Fetching https://seocentraltools.com:10000/: Invalid port in redirect target. Only ports 80 and 443 are supported, not 10000

  Domain: webmail.seocentraltools.com
  Type:   connection
  Detail: Fetching https://seocentraltools.com:20000/: Invalid port in redirect target. Only ports 80 and 443 are supported, not 20000

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
   DNS-based validation failed : Renewing an existing certificate for seocentraltools.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: admin.seocentraltools.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.admin.seocentraltools.com - check that a DNS record exists for this domain

  Domain: webmail.seocentraltools.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.webmail.seocentraltools.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


Requesting SSL certificate for blog.seocentraltools.com www.blog.seocentraltools.com mail.blog.seocentraltools.com admin.blog.seocentraltools.com webmail.blog.seocentraltools.com ..
.. failed : Web-based validation failed : Renewing an existing certificate for blog.seocentraltools.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: admin.blog.seocentraltools.com
  Type:   connection
  Detail: Fetching https://blog.seocentraltools.com:10000/: Invalid port in redirect target. Only ports 80 and 443 are supported, not 10000

  Domain: webmail.blog.seocentraltools.com
  Type:   connection
  Detail: Fetching https://blog.seocentraltools.com:20000/: Invalid port in redirect target. Only ports 80 and 443 are supported, not 20000

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
   DNS-based validation failed : Renewing an existing certificate for blog.seocentraltools.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: admin.blog.seocentraltools.com
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.admin.blog.seocentraltools.com

  Domain: webmail.blog.seocentraltools.com
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.webmail.blog.seocentraltools.com

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


Requesting SSL certificate for siteinspecta.com www.siteinspecta.com mail.siteinspecta.com admin.siteinspecta.com webmail.siteinspecta.com ..
.. failed : Web-based validation failed : Renewing an existing certificate for siteinspecta.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: admin.siteinspecta.com
  Type:   connection
  Detail: Fetching https://siteinspecta.com:10000/: Invalid port in redirect target. Only ports 80 and 443 are supported, not 10000

  Domain: webmail.siteinspecta.com
  Type:   connection
  Detail: Fetching https://siteinspecta.com:20000/: Invalid port in redirect target. Only ports 80 and 443 are supported, not 20000

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
   DNS-based validation failed : Renewing an existing certificate for siteinspecta.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: admin.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.admin.siteinspecta.com - check that a DNS record exists for this domain

  Domain: webmail.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.webmail.siteinspecta.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


Requesting SSL certificate for blog.siteinspecta.com www.blog.siteinspecta.com mail.blog.siteinspecta.com admin.blog.siteinspecta.com webmail.blog.siteinspecta.com ..
.. failed : Web-based validation failed : Renewing an existing certificate for blog.siteinspecta.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: admin.blog.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for admin.blog.siteinspecta.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for admin.blog.siteinspecta.com - check that a DNS record exists for this domain

  Domain: mail.blog.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for mail.blog.siteinspecta.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for mail.blog.siteinspecta.com - check that a DNS record exists for this domain

  Domain: webmail.blog.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for webmail.blog.siteinspecta.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for webmail.blog.siteinspecta.com - check that a DNS record exists for this domain

  Domain: www.blog.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for www.blog.siteinspecta.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.blog.siteinspecta.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
   DNS-based validation failed : Renewing an existing certificate for blog.siteinspecta.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: admin.blog.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.admin.blog.siteinspecta.com - check that a DNS record exists for this domain

  Domain: mail.blog.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mail.blog.siteinspecta.com - check that a DNS record exists for this domain

  Domain: webmail.blog.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.webmail.blog.siteinspecta.com - check that a DNS record exists for this domain

  Domain: www.blog.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.blog.siteinspecta.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the --manual-auth-hook. Ensure that this hook is functioning correctly and that it waits a sufficient duration of time for DNS propagation. Refer to "certbot --help manual" and the Certbot User Guide.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Webmin version 1.984 | Virtualmin version 6.17-3

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.3

My hosting provider, if applicable, is: Contabo VPS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Using Latest Certbot


I can't seem to be able to renew the certificate. I need help, thanks


Welcome @jonestracy

Yes, you have a number of config problems. I cannot address them all right now but your admin.seocentraltools.com and the webmail.seocentraltools.com are failing because it is redirecting the HTTP challenge requests to a port other than 80 or 443 (10000, 20000). See here for redirect requirements for this challenge type.

If you want to use the HTTP challenge for those you need to fix that.

But you are also using DNS challenges, which are failing, but you will need to wait for someone else to advise on those.

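The Certbot output in this thread mixes several distinct root causes (redirects to ports 10000/20000, names with no A/AAAA record, missing `_acme-challenge` TXT records). The following is an added example, not part of any post here or of Certbot itself: it parses the `Domain` / `Type` / `Detail` blocks and labels each failure by cause. The sample text is constructed from the format of the output above, and the cause labels are names chosen for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the Certbot output quoted in this thread.
SAMPLE = """\
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: admin.seocentraltools.com
  Type:   connection
  Detail: Fetching https://seocentraltools.com:10000/: Invalid port in redirect target. Only ports 80 and 443 are supported, not 10000

  Domain: www.blog.siteinspecta.com
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for www.blog.siteinspecta.com - check that a DNS record exists for this domain

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: admin.blog.seocentraltools.com
  Type:   unauthorized
  Detail: No TXT record found at _acme-challenge.admin.blog.seocentraltools.com
"""

AUTH = re.compile(r"\(authenticator: (\w+)\)")
FIELD = re.compile(r"^\s*(Domain|Type|Detail):\s*(.*)$")

def classify(detail):
    """Return (cause, subject) for one CA 'Detail' string (labels are this example's own)."""
    m = re.search(r"Fetching (\S+?): Invalid port in redirect target", detail)
    if m:  # HTTP-01 followed a redirect to a port other than 80/443
        url = urlsplit(m.group(1))
        return ("redirect-port", f"{url.hostname}:{url.port}")
    m = re.search(r"NXDOMAIN looking up (A|AAAA|TXT) for (\S+)", detail)
    if m:  # the name itself (A/AAAA) or its challenge record (TXT) does not exist
        kind = "missing-txt" if m.group(1) == "TXT" else "missing-address"
        return (kind, m.group(2))
    m = re.search(r"No TXT record found at (\S+)", detail)
    if m:
        return ("missing-txt", m.group(1))
    return ("other", detail)

def parse_failures(text):
    """Yield one dict per failed domain, remembering which authenticator was in use."""
    failures, auth, cur = [], None, {}
    for line in text.splitlines():
        m = AUTH.search(line)
        if m:
            auth = m.group(1)
            continue
        m = FIELD.match(line)
        if not m:
            continue  # hints, log paths and blank lines
        cur[m.group(1).lower()] = m.group(2).strip()
        if m.group(1) == "Detail":  # Detail closes a Domain/Type/Detail block
            failures.append({"authenticator": auth, **cur,
                             "cause": classify(cur["detail"])})
            cur = {}
    return failures

if __name__ == "__main__":
    for f in parse_failures(SAMPLE):
        print(f["authenticator"], f["domain"], *f["cause"])
```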

@MikeMcQ Really appreciate that. I will go through that link and see what I can do.

I will still appreciate any more help from anyone who has experienced this. Thanks


@jonestracy
You should be able to correct the failing HTTP-01 challenges (forwarded to high ports).
Start by finding the vhost files for those names, with:
apachectl -t -D DUMP_VHOSTS
[use sudo, if needed]


@rg305 This is what I got when I tried to search for the apache -t -D DUMP_VHOSTS.


VirtualHost configuration:
[fe80::250:56ff:fe44:11b1]:80 is a NameVirtualHost
         default server blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:1)
         port 80 namevhost blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:1)
                 alias www.blog.seocentraltools.com
                 alias mail.blog.seocentraltools.com
                 alias webmail.blog.seocentraltools.com
                 alias admin.blog.seocentraltools.com
         port 80 namevhost blog.siteinspecta.com (/etc/apache2/sites-enabled/blog.siteinspecta.com.conf:1)
                 alias www.blog.siteinspecta.com
                 alias mail.blog.siteinspecta.com
                 alias webmail.blog.siteinspecta.com
                 alias admin.blog.siteinspecta.com
         port 80 namevhost seocentraltools.com (/etc/apache2/sites-enabled/seocentraltools.com.conf:1)
                 alias www.seocentraltools.com
                 alias mail.seocentraltools.com
                 alias webmail.seocentraltools.com
                 alias admin.seocentraltools.com
         port 80 namevhost siteinspecta.com (/etc/apache2/sites-enabled/siteinspecta.com.conf:1)
                 alias www.siteinspecta.com
                 alias mail.siteinspecta.com
                 alias webmail.siteinspecta.com
                 alias admin.siteinspecta.com
[fe80::250:56ff:fe44:11b1]:443 is a NameVirtualHost
         default server blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:75)
         port 443 namevhost blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:75)
                 alias www.blog.seocentraltools.com
                 alias mail.blog.seocentraltools.com
                 alias webmail.blog.seocentraltools.com
                 alias admin.blog.seocentraltools.com
         port 443 namevhost blog.siteinspecta.com (/etc/apache2/sites-enabled/blog.siteinspecta.com.conf:75)
                 alias www.blog.siteinspecta.com
                 alias mail.blog.siteinspecta.com
                 alias webmail.blog.siteinspecta.com
                 alias admin.blog.siteinspecta.com
         port 443 namevhost seocentraltools.com (/etc/apache2/sites-enabled/seocentraltools.com.conf:60)
                 alias www.seocentraltools.com
                 alias mail.seocentraltools.com
                 alias webmail.seocentraltools.com
                 alias admin.seocentraltools.com
         port 443 namevhost siteinspecta.com (/etc/apache2/sites-enabled/siteinspecta.com.conf:60)
                 alias www.siteinspecta.com
                 alias mail.siteinspecta.com
                 alias webmail.siteinspecta.com
                 alias admin.siteinspecta.com
185.193.66.16:80       is a NameVirtualHost
         default server blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:1)
         port 80 namevhost blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:1)
                 alias www.blog.seocentraltools.com
                 alias mail.blog.seocentraltools.com
                 alias webmail.blog.seocentraltools.com
                 alias admin.blog.seocentraltools.com
         port 80 namevhost blog.siteinspecta.com (/etc/apache2/sites-enabled/blog.siteinspecta.com.conf:1)
                 alias www.blog.siteinspecta.com
                 alias mail.blog.siteinspecta.com
                 alias webmail.blog.siteinspecta.com
                 alias admin.blog.siteinspecta.com
         port 80 namevhost seocentraltools.com (/etc/apache2/sites-enabled/seocentraltools.com.conf:1)
                 alias www.seocentraltools.com
                 alias mail.seocentraltools.com
                 alias webmail.seocentraltools.com
                 alias admin.seocentraltools.com
         port 80 namevhost siteinspecta.com (/etc/apache2/sites-enabled/siteinspecta.com.conf:1)
                 alias www.siteinspecta.com
                 alias mail.siteinspecta.com
                 alias webmail.siteinspecta.com
                 alias admin.siteinspecta.com
185.193.66.16:443      is a NameVirtualHost
         default server blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:75)
         port 443 namevhost blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:75)
                 alias www.blog.seocentraltools.com
                 alias mail.blog.seocentraltools.com
                 alias webmail.blog.seocentraltools.com
                 alias admin.blog.seocentraltools.com
         port 443 namevhost blog.siteinspecta.com (/etc/apache2/sites-enabled/blog.siteinspecta.com.conf:75)
                 alias www.blog.siteinspecta.com
                 alias mail.blog.siteinspecta.com
                 alias webmail.blog.siteinspecta.com
                 alias admin.blog.siteinspecta.com
         port 443 namevhost seocentraltools.com (/etc/apache2/sites-enabled/seocentraltools.com.conf:60)
                 alias www.seocentraltools.com
                 alias mail.seocentraltools.com
                 alias webmail.seocentraltools.com
                 alias admin.seocentraltools.com
         port 443 namevhost siteinspecta.com (/etc/apache2/sites-enabled/siteinspecta.com.conf:60)
                 alias www.siteinspecta.com
                 alias mail.siteinspecta.com
                 alias webmail.siteinspecta.com
                 alias admin.siteinspecta.com

I don't know if that's what you want me to find out, but that's what I got.

Yes, that is the output we needed.

We'll go one at a time, and I'll walk you through the first one:

Looking through that output, we see that is an alias found in file:
/etc/apache2/sites-enabled/seocentraltools.com.conf

Let's have a look at that file.

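The lookup described above (from a failing name to the vhost file that serves it) can be done mechanically over the `DUMP_VHOSTS` output. The following is an added example, not part of the original posts or of Apache or Virtualmin: it indexes every `namevhost` and `alias` entry by the config file and line that defines it. The sample is a constructed excerpt in the format shown in this thread, and the function names are chosen for this example.

```python
import re

# Constructed excerpt in the format of the `apachectl -t -D DUMP_VHOSTS`
# output quoted in this thread.
SAMPLE = """\
VirtualHost configuration:
185.193.66.16:80       is a NameVirtualHost
         default server blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:1)
         port 80 namevhost blog.seocentraltools.com (/etc/apache2/sites-enabled/blog.seocentraltools.com.conf:1)
                 alias admin.blog.seocentraltools.com
         port 80 namevhost seocentraltools.com (/etc/apache2/sites-enabled/seocentraltools.com.conf:1)
                 alias webmail.seocentraltools.com
                 alias admin.seocentraltools.com
185.193.66.16:443      is a NameVirtualHost
         port 443 namevhost seocentraltools.com (/etc/apache2/sites-enabled/seocentraltools.com.conf:60)
                 alias admin.seocentraltools.com
"""

VHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+):(\d+)\)\s*$")
ALIAS = re.compile(r"^\s*alias (\S+)\s*$")

def vhost_index(dump):
    """Map each ServerName/ServerAlias to the set of (port, file, line) defining it."""
    index, current = {}, None
    for line in dump.splitlines():
        m = VHOST.match(line)
        if m:
            current = (int(m.group(1)), m.group(3), int(m.group(4)))
            index.setdefault(m.group(2).lower(), set()).add(current)
            continue
        m = ALIAS.match(line)
        if m and current:
            # An alias belongs to the most recent namevhost line above it.
            index.setdefault(m.group(1).lower(), set()).add(current)
        elif "is a NameVirtualHost" in line:
            current = None  # new listener section; no vhost selected yet
    return index

def locate(dump, hostname):
    """Return sorted (port, file, line) tuples for the vhosts answering `hostname`."""
    return sorted(vhost_index(dump).get(hostname.lower(), ()))

if __name__ == "__main__":
    # The two names whose HTTP-01 challenges were redirected to ports 10000/20000.
    for name in ("admin.seocentraltools.com", "webmail.seocentraltools.com"):
        for port, path, lineno in locate(SAMPLE, name):
            print(f"{name}: port {port} -> {path}:{lineno}")
```

The port 80 entry is the one to open first, since the HTTP-01 validation request starts there before any redirect is followed.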

@rg305 Sorry for replying late and thanks for your help. I got so frustrated with this, I had to temporarily get past the issue by just not requesting the cert for the admin and webmail subdomains on the Let’s Encrypt page. I chose to only request the other three domains and didn't list the problematic ones. I was able to renew it.

I don't know if I will have some issues later on. Is there anything else I can do to prevent something like this in the future?

Thanks


I don't think I can answer that question: I don't really know what the problem was/is.


@rg305 Anyway thanks. I have the site showing for now and will learn more about how this works before it's set to renew again.
