Failure to repeatedly generate certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
example.com

I ran this command:
sudo certbot certonly --nginx -d example.com -d www.example.com --non-interactive

It produced this output:

  • The following errors were reported by the server:
    Domain: www.example.com
    Type: unauthorized
    Detail: During secondary validation: Invalid response from
    https://www.example.com/.well-known/acme-challenge/ZM2nut_NjdMUBdf06vYkmvy-jKRJtgFu8SbfEd2L6ho
    [35.226.16.174]: "\n \n \n \n \n Page Not Found\n <style" Domain: example.com Type: unauthorized Detail: Invalid response from https://example.com/.well-known/acme-challenge/IP9WfYFqUsR1sc6PQvejpsjSG3qwb6gNDIIwgr9-xLc [35.226.16.174]: "\n \n \n \n \n Page Not Found\n <style" To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

My web server is (include version):

The operating system my web server runs on is (include version):

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

I am trying to create new certificates and renew others. For example, I am renewing certificates for example.com, example1.com, and example3.com. I can renew 2 certificates without issues. Tho, when I go to renew the third certificate, in all cases, the action fails with the same error shown above. In all cases, I can confirm that the DNS is mapped properly because running the commands, dig +short example.com and dig +short www.example.com, return the correct server IP address. Similarly, the sites were initially issued a cert and none of the DNS records changed. In all cases, I must wait between 15 minutes and a few hours before the error for the third certificate goes away and the certificate is renewed. The same error occurs for more than 3 sites, too. The first two will successfully go through, then the rest will get the error above. Slowly, one by one, the errors will go away and certificates will renew.

Edit: Actually, disregard my post below. The "During secondary validation" portion of this error makes me suspect a DNS issue after all.


If your renewals are incrementally succeeding without you changing anything in the nginx configuration, then the solution might be to try use --nginx-sleep-seconds, which defaults to 1 second.

This option was added in Certbot 1.7.0 because nginx was not keeping up with the rate that Certbot was reloading it, in some environments (slow servers or large, complex nginx configurations).

Since you are on 0.31.0, you would need to install a more recent version of Certbot (from snap or pip) to give this a go.

Otherwise, you can try switch over to the --webroot plugin for renewal, which should be more reliable with your version of Certbot.

2 Likes

Thank you for your response! I, too, thought it was a DNS issue because I first noticed this problem when I was trying to generate a few new certificates recently. The same issue occurred where the first two certificates were generated properly but the third failed with the DNS error. I was able to successfully generate the certificate for the third site after waiting some time. I thought the issue was because the DNS did not propagate. After looking into more of our existing certificates, I noticed many of the certificates failed to renew. I stopped all running cron jobs for autorenewal and did not run any certbot commands overnight. The next day I tried to renew failed certificates manually by running sudo certbot certonly --nginx -d example.com -d www.example.com --non-interactive. I was able to renew two certificates but subsequent renewals all failed with the DNS error (I tried 3 different sites). After waiting for a few hours, I was able to renew two more certificates, then all subsequent renewals failed (I again test a few more sites and they all failed with the DNS error).

To give more background, we recently received a warning to increase the server_names_hash_bucket_size and server_names_hash_max_size. We have since fixed the warning and no longer receive it when trying to create/renew certificates, but I thought I would mention it.

1 Like

Hi @apelt9 and welcome to the LE community forum :slight_smile:

Does that IP match the expected?
Can you place a test text file in the expected HTTP challenge location?

1 Like

Hi @rg305! Yes, I can confirm that is the IP address that is expected. We use two upstream nodes to serve our websites, and we currently have a load balancer that manages the certificates and sends requests to the upstream nodes. We also do not use pure HTML files on our server. Our server dynamically serves the website based on the referrer of the incoming request. As such, we don't store our HTML files directly on the server. Tho, this setup has not seemed to cause us issues in the past as we were previously able to obtain new certificates and renew others.

So, you can dynamically create custom pages on the fly...
But you can't:

[it's a simple "yes" or "no" question]

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.