Fullchain.pem (failure)

Hello.
Error while renewing the certificate.
What am I doing wrong?
Every time a certificate is renewed, dances with a tambourine begin!

certbot -q renew --allow-subset-of-names

Challenge failed for domain my_domain.ru
Challenge failed for domain www.my_domain.ru
Attempting to renew cert (my_domain.ru) from /usr/local/etc/letsencrypt/renewal/my_domain.ru.conf produced an unexpected error: Challenges failed for all domains. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/my_domain.ru/fullchain.pem (failure)

ls -al /usr/local/etc/letsencrypt/live/my_domain.ru/fullchain.pem

lrwxr-xr-x 1 root wheel 38 Dec 1 08:55 /usr/local/etc/letsencrypt/live/my_domain.ru/fullchain.pem -> ../../archive/my_domain.ru/fullchain1.pem

ls -al /usr/local/etc/letsencrypt/archive/my_domain.ru/

total 24
drwxr-xr-x 2 root wheel 512 Sep 10 21:42 .
drwx------ 3 root wheel 512 Sep 10 21:42 ..
-rw-r--r-- 1 root wheel 2159 Sep 10 21:42 cert1.pem
-rw-r--r-- 1 root wheel 1647 Sep 10 21:42 chain1.pem
-rw-r--r-- 1 root wheel 3806 Sep 10 21:42 fullchain1.pem
-rw-r--r-- 1 root wheel 1704 Sep 10 21:42 privkey1.pem

Can you show us the output of “certbot certificates”, including the real domain?

And also:


My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

What does “certbot renew” output if you run it just like that, without “-q” or “--allow-subset-of-names”?

Well, that's just a rate limit error, it doesn't tell you why authorizations have actually been failing.

That rate limit is only 1 hour.

You can try to figure out the real issue by examining earlier logs from /var/log/letsencrypt/, or by using "certbot renew --dry-run" (which can sometimes fail for different reasons), or just wait a while and try "certbot renew" again.

What version of certbot are you running?
certbot --version

Hi @bagas,

Using --allow-subset-of-names is also obscuring the specific problem here. It would be more helpful to see the Certbot output or a log file when you try to renew without --allow-subset-of-names.

The --allow-subset-of-names causes validation failures to be ignored, which is not necessarily what you want normally, and definitely not what you want for debugging purposes!
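The replies above ask for the unfiltered renewal output so that each failed name is visible. The following is an added example, not code from any poster in this thread or from Certbot: a small shell summary of a captured `certbot renew` transcript. The function names are hypothetical, and the sample input is the output quoted in the first post.

```shell
#!/bin/sh
# Added example: summarise a saved "certbot renew" transcript so that
# per-domain failures are not lost. Line formats are those quoted in the
# first post; function names are hypothetical.

# Constructed sample input: the output from the first post of this thread.
sample_output() {
cat <<'EOF'
Challenge failed for domain my_domain.ru
Challenge failed for domain www.my_domain.ru
Attempting to renew cert (my_domain.ru) from /usr/local/etc/letsencrypt/renewal/my_domain.ru.conf produced an unexpected error: Challenges failed for all domains. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/my_domain.ru/fullchain.pem (failure)
EOF
}

# Domains whose challenge failed, one per line, de-duplicated.
failed_domains() {
    sed -n 's/^Challenge failed for domain \(.*\)$/\1/p' | sort -u
}

# live/ paths reported as "(failure)"; leading spaces are tolerated.
failed_lineages() {
    sed -n 's|^ *\(/.*\) (failure)$|\1|p'
}

# Read a transcript on stdin, print one line per failure, and return 1 if
# anything failed, so a cron wrapper can alert instead of staying silent.
renewal_report() {
    transcript=$(cat)
    domains=$(printf '%s\n' "$transcript" | failed_domains)
    certs=$(printf '%s\n' "$transcript" | failed_lineages)
    if [ -z "$domains" ] && [ -z "$certs" ]; then
        echo "no failures reported"
        return 0
    fi
    for d in $domains; do echo "challenge failed: $d"; done
    for c in $certs; do echo "not renewed: $c"; done
    return 1
}

# Stand-alone run against the constructed sample.
sample_output | renewal_report || echo "renewal needs attention"
```

To use it on a real run, save the output of a plain `certbot renew` to a file and pipe that file into `renewal_report`.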

Problem solved.
The problem was solved by itself, at the next certificate renewal request.
