Fullchain.pem (failure)


#1

Hello.
Error while renewing the certificate.
What am I doing wrong?
Every time a certificate is renewed, dances with a tambourine begin!

certbot -q renew --allow-subset-of-names

Challenge failed for domain my_domain.ru
Challenge failed for domain www.my_domain.ru
Attempting to renew cert (my_domain.ru) from /usr/local/etc/letsencrypt/renewal/my_domain.ru.conf produced an unexpected error: Challenges failed for all domains. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/my_domain.ru/fullchain.pem (failure)

ls -al /usr/local/etc/letsencrypt/live/my_domain.ru/fullchain.pem

lrwxr-xr-x 1 root wheel 38 Dec 1 08:55 /usr/local/etc/letsencrypt/live/my_domain.ru/fullchain.pem -> ../../archive/my_domain.ru/fullchain1.pem

ls -al /usr/local/etc/letsencrypt/archive/my_domain.ru/

total 24
drwxr-xr-x 2 root wheel 512 Sep 10 21:42 .
drwx------ 3 root wheel 512 Sep 10 21:42 ..
-rw-r--r-- 1 root wheel 2159 Sep 10 21:42 cert1.pem
-rw-r--r-- 1 root wheel 1647 Sep 10 21:42 chain1.pem
-rw-r--r-- 1 root wheel 3806 Sep 10 21:42 fullchain1.pem
-rw-r--r-- 1 root wheel 1704 Sep 10 21:42 privkey1.pem


#2

Can you show us the output of “certbot certificates”, including the real domain?

And also:


My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:


#4

What does “certbot renew” output if you run it just like that, without “-q” or “--allow-subset-of-names”?


#6

Well, that’s just a rate limit error, it doesn’t tell you why authorizations have actually been failing.

That rate limit is only 1 hour.

You can try to figure out the real issue by examining earlier logs from /var/log/letsencrypt/, or by using “certbot renew --dry-run” (which can sometimes fail for different reasons), or just wait a while and try “certbot renew” again.
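
One way to do the log examination suggested above, as an added example that is not part of the original thread: a shell function that lists the ACME error type and detail recorded in Certbot's logs while skipping rate-limit entries, so the earlier validation failure is what remains. The log excerpt is constructed, and the script assumes pretty-printed JSON with "type" on the line before "detail".

```shell
#!/bin/sh
# Added example (not from the thread): pull the ACME errors out of Certbot logs,
# skipping rateLimited entries so the earlier validation failure stands out.
# Assumes the JSON is pretty-printed with "type" on the line before "detail".

acme_failures() {
    awk '
        # ACME problem documents carry a "type" URN (RFC 8555).
        /"type": *"urn:ietf:params:acme:error:/ {
            type = $0
            sub(/.*urn:ietf:params:acme:error:/, "", type)
            sub(/".*/, "", type)
            next
        }
        # The "detail" member holds the human-readable reason.
        type != "" && /"detail": *"/ {
            detail = $0
            sub(/.*"detail": *"/, "", detail)
            sub(/",?[ \t]*$/, "", detail)
            key = type ": " detail
            # Polling logs the same error repeatedly; report each one once.
            if (type != "rateLimited" && !seen[key]++) print key
            type = ""
        }
    ' "$@"
}

# Constructed log excerpt: one failed HTTP-01 validation, then the rate limit.
sample_log() {
    cat <<'EOF'
2019-12-01 08:55:02,101:DEBUG:acme.client:Received response:
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://example.org/.well-known/acme-challenge/x: Timeout during connect (likely firewall problem)",
        "status": 400
      },
2019-12-01 09:10:44,530:DEBUG:acme.client:Received response:
{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently",
  "status": 429
}
EOF
}

# With arguments, scan those files, e.g. /var/log/letsencrypt/letsencrypt.log*
# Without arguments, run against the constructed sample.
if [ "$#" -gt 0 ]; then acme_failures "$@"; else sample_log | acme_failures; fi
```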


#9

What version of certbot are you running?
certbot --version


#10

Hi @bagas,

Using --allow-subset-of-names is also obscuring the specific problem here. It would be more helpful to see the Certbot output or a log file when you try to renew without --allow-subset-of-names.

The --allow-subset-of-names causes validation failures to be ignored, which is not necessarily what you want normally, and definitely not what you want for debugging purposes!


#11

Problem solved.
The problem was solved by itself, at the next certificate renewal request.