FYI: dry-run fails while normal request is honored seconds later

Maybe you want to have a look why a dry run is failing and a normal request for the same domain is honored only seconds later. (time in CEST)

"http://domain.tld/.well-known/acme-challenge/SfHqoldRoAtR850KAjx1LNN3vY1qhJXo8SZVWdwFd9Q: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wm.domain.tld/fullchain.pem (failure)

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/wm.domain.tld/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.tld
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.tld/.well-known/acme-challenge/SfHqoldRoAtR850KAjx1LNN3vY1qhJXo8SZVWdwFd9Q:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
[@ ~]# certbot renew --cert-name wm.domain.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/wm.domain.tld.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for wm.domain.tld
http-01 challenge for domain.tld
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/wm.domain.tld/fullchain.pem
-------------------------------------------------------------------------------
Plugins selected: Authenticator webroot, Installer None

-------------------------------------------------------------------------------

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/wm.domain.tld/fullchain.pem (success)
-------------------------------------------------------------------------------


 1001  0910 14:14:28 certbot renew --cert-name wm.domain.tld --dry-run
 1002  0910 14:14:49 certbot renew --cert-name wm.domain.tld

What’s the domain?

Can you post /var/log/letsencrypt/letsencrypt.log from both runs?

It’s unusual but not impossible for production to succeed and staging to fail, or vice versa.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.