Help test Certbot Apache and Nginx fixes for TLS-SNI-01 outage

@Helmikku, thanks for the report! Could you email me your log (redacted as necessary) so I could look into this? Relevant nginx config files would help as well (for the particular site and nginx.conf). My email is erica@eff.org.

Apache ... I get this:

Do you want to expand and replace this existing certificate with the new
certificate?

(E)xpand/(C)ancel: E
Renewing an existing certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new authz :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/

##############

What can I do?

I tested this again as of 7e463bc and it worked for me. I had no problems getting a new certificate.

I also updated my configs to exclude HTTPS redirects for /.well-known/acme-challenge/ and ran a 'certbot renew --dry-run' which looked good. Two of my domains that are due for renewal the soonest simulated a successful tls-sni-01 renewal while the rest automatically simulated http-01 renewals. I assume the two domains that were allowed to simulate tls-sni-01 renewal are on the whitelist.

I'm using Apache as a reverse proxy to terminate SSL. It's pretty much the simplest config you can imagine, but, at least for my simple setup, everything appears to be working.

Thanks for the quick response to the issue.

Thanks for everyone's help testing this. We really appreciate it.

A version of Certbot was just released with support for HTTP-01 in the Apache and Nginx plugins. See Certbot 0.21.0 Release for more info.


It's working like a charm! Many, many thanks and great work :slight_smile:

Works fine for me using ubuntu 10.4, nginx for a new domain.

Works fine for me using CentOS Linux release 7.4.1708, nginx. Thanks :slight_smile:

WORKS - but... it uses TLS-SNI-01 (???)

strange... when issuing:

./certbot-auto --apache --staging

it went like: HTTP-01 challenges...

but next, without "--staging" ...

it would go TLS-SNI-01...


here is what I saw on the screen: https://creach.eu/LE-log/screen.txt


and here is the log file: https://creach.eu/LE-log/le.txt


TLS-SNI-01 is still enabled for now, for renewals from the same account. Staging used HTTP-01 probably because you have a different account there. If you want to force HTTP-01 I believe you can use --preferred-challenges http-01


I have tried with --preferred-challenges http-01 but it shows following message

None of the preferred challenges are supported by the selected plugin

What version of Certbot? What command was run?

I have tried following command, used example.com instead of my domain for privacy.

sudo certbot --apache --preferred-challenges http-01 -d example.com -d www.example.com

My comment was intended for jepe who is using certbot-auto. You're probably using an older version. You can use certbot -a webroot -i apache or switch to certbot-auto.

Currently, --preferred-challenges only has an effect on plugins that support multiple challenge types. The Apache plugin hasn't traditionally been one of those. So @jmorahan's suggestion is the right way to use HTTP-01 with older Certbot releases if you still want the Apache installer.

For people who have been using --standalone, the --preferred-challenges http-01 will make the standalone plugin use HTTP-01 instead of TLS-SNI-01, but it can't do so in combination with --apache because of the Apache plugin's previous lack of support for HTTP-01 authentication.

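Two things in this thread go together in practice: the earlier poster's note about excluding /.well-known/acme-challenge/ from the HTTP-to-HTTPS redirect, and the suggestion above to use the webroot authenticator with the Apache installer on older Certbot releases. The following Apache 2.4 virtual host is an added example, not configuration from any poster here or from the Certbot project; the domain, the /var/www/letsencrypt webroot path and the assumption that mod_rewrite and mod_alias are loaded are all mine.

```apache
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    # Serve HTTP-01 challenge files from a fixed, dedicated directory
    # (assumed path). Certbot's webroot authenticator writes the token
    # under <webroot>/.well-known/acme-challenge/, so -w must point at
    # /var/www/letsencrypt, not at the acme-challenge directory itself.
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect everything else to HTTPS. The RewriteCond keeps the
    # challenge path out of the redirect, so validation is answered on
    # port 80 and never depends on the port-443 vhost (which may be the
    # one whose certificate has expired or is misconfigured). Without
    # the exemption, every challenge request becomes a 301 to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With that in place, the webroot-plus-Apache-installer invocation from the reply above would be `certbot -a webroot -w /var/www/letsencrypt -i apache -d example.com -d www.example.com` (again with an assumed webroot path). A quick check before renewing is to request `http://example.com/.well-known/acme-challenge/test` with `curl -I` and confirm you get a 404 from port 80 rather than a 301 to https.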

FYI: I'm running Raspbian Debian Jessie on a RPi 3 with Apache. Unmet dependency for libffi6 v3.2.1-6. Jessie version of this package is 3.1-2+deb8u1

Thanks for everyoneā€™s hard work.

Worked perfectly on my 17 domains with Debian 9.3 with Apache 2.4.25-3+deb9u3 (while adding the 17th).

Thanks a lot!

I'm in the same boat here, and don't know the proper config to make this work again. We have port 80 returning a 301 to https as above, and with the latest certbot-auto I'm getting
Could not automatically find a matching server block. Set the server_name directive to use the Nginx installer..

the server_name is set for both 80 and 443 (ipv4 and ipv6)

@mikedotexe, would you be able to post the configuration file containing these server blocks here? And are you sure that you're running the most recent released version of Certbot (in this case probably via certbot-auto)?

@erica, this is the new potential nginx parser bug that I mentioned to you. Hopefully we'll have some more details from @mikedotexe soon.


Really appreciate your response @schoen. I believe there was a perfect storm for us, leading me to believe it was TLS-SNI related, but it was our client changing to Incapsula at the same time. This forced me to make new certs using the webroot option. We can disregard my request. It took me a while to this track down, so I wanted to follow up. Again, really appreciate the Certbot team being responsive on these forums. :ok_hand: