Help, certs could not be renewed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.aooci.com

I ran this command: certbot renew

It produced this output:

Processing /usr/local/etc/letsencrypt/renewal/aooci.com.conf

All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/aooci.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
[297670 refs]
IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: www.aooci.com
  Type: connection
  Detail: Fetching
  https://www.aooci.com.well-known/acme-challenge/x9b_hh-QG01p9wPWBqHskYkfKUczuGdtFPOr2mGoJDY:
  Error getting validation data

  Domain: aooci.com
  Type: connection
  Detail: Fetching
  https://www.aooci.com.well-known/acme-challenge/OMEmHD3fMPG9DvrcLMQQ_XguZ18NJ3OxEh6bDn1oHzI:
  Error getting validation data

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you’re using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

My web server is (include version): Apache 24

The operating system my web server runs on is (include version): FreeBSD 11

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

==============================================================================
The error comes out recently, I had a cron task to renew the certificate every day. it’s already working for some days. I can’t remember touched any configuration related. it’s strange that in the detail information. my domain name and the [.well-known/…] path has no separator. maybe it’s the problem, but I don’t know how to fix it. please give me some advices, thanks in advance.

The redirect from HTTP to HTTPS is missing a slash (/), so the validation server is trying to connect to the hostname www.aooci.com.well-known, which doesn’t exist obviously.

Add a slash to your redirect and it will validate properly.

In more detail what is going wrong:

osiris@desktop ~ $ curl -Lv http://www.aooci.com/.well-known/acme-challenge/x9b_hh-QG01p9wPWBqHskYkfKUczuGdtFPOr2mGoJDY
*   Trying 194.78.218.128...
* Connected to www.aooci.com (194.78.218.128) port 80 (#0)
> GET /.well-known/acme-challenge/x9b_hh-QG01p9wPWBqHskYkfKUczuGdtFPOr2mGoJDY HTTP/1.1
> Host: www.aooci.com
> User-Agent: curl/7.49.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Sun, 28 Oct 2018 13:26:51 GMT
< Server: Apache/2.4.25 (FreeBSD) OpenSSL/1.0.2j-freebsd PHP/7.1.3
< Location: https://www.aooci.com.well-known/acme-challenge/x9b_hh-QG01p9wPWBqHskYkfKUczuGdtFPOr2mGoJDY
< Content-Length: 275
< Content-Type: text/html; charset=iso-8859-1
< 
* Ignoring the response-body
* Connection #0 to host www.aooci.com left intact
* Issue another request to this URL: 'https://www.aooci.com.well-known/acme-challenge/x9b_hh-QG01p9wPWBqHskYkfKUczuGdtFPOr2mGoJDY'
* Could not resolve host: www.aooci.com.well-known
* Closing connection 1
curl: (6) Could not resolve host: www.aooci.com.well-known
osiris@desktop ~ $ 

See the location header, that’s the result of your redirect rule somewhere in your Apache configuration. It is missing the /.

Great, problem fixed! thank you.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.