Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: robjvargas.com
I ran this command: certbot renew --preferred-challenges http
It produced this output:
Processing /etc/letsencrypt/renewal/robjvargas.com.conf
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for robjvargas.com
http-01 challenge for www.robjvargas.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (robjvargas.com) from /etc/letsencrypt/renewal/robjvargas.com.conf produced an unexpected error: Failed authorization procedure. www.robjvargas.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.robjvargas.com/.well-known/acme-challenge/4nQ0udJvcGBlAXx6ed8kR1xi_i3korg9ZujqsFT-l-8: "
Not Found
<p", robjvargas.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://robjvargas.com/.well-known/acme-challenge/I2gwsWt6ILS0ZV_RmYToYfq9hNHTs5Kjf08xX_kKaSA: " 404 Not FoundNot Found
<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/robjvargas.com/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/robjvargas.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.robjvargas.com
404 Not Found
Type: unauthorized
Detail: Invalid response from
http://www.robjvargas.com/.well-known/acme-challenge/4nQ0udJvcGBlAXx6ed8kR1xi_i3korg9ZujqsFT-l-8:
"Not Found
<p"
Domain: robjvargas.com
404 Not Found
Type: unauthorized
Detail: Invalid response from
http://robjvargas.com/.well-known/acme-challenge/I2gwsWt6ILS0ZV_RmYToYfq9hNHTs5Kjf08xX_kKaSA:
"Not Found
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): Apache
The operating system my web server runs on is (include version):
Server version: Apache/2.4.6 (CentOS)
My hosting provider, if applicable, is:
CentOS 7 VPS
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
Okay, the actual truth is not that I must. My issue is that renewal fails until I turn off HTTPS redirect. I have redirect enabled in httpd.conf thus:
# HTTP to HTTPS redirect
RewriteEngine On
RewriteCond %{HTTPS} off
# RewriteCond %{Request_URI} !^http://www.robjvargas.com/.well-known/acme-challenge/test.txt
# RewriteCond %{REQUEST_URI} !^\/\.well-known\/.*$
RewriteRule (.*) https://www.robjvargas.com$1 [R,L]
I included the commented lines because I think that was part of my troubleshooting last time. With that enabled, I get the results listed above. If I turn off redirect, like so, the renewal has (twice) worked.
# HTTP to HTTPS redirect
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteCond %{Request_URI} !^http://www.robjvargas.com/.well-known/acme-challenge/test.txt
# RewriteCond %{REQUEST_URI} !^\/\.well-known\/.*$
# RewriteRule (.*) https://www.robjvargas.com$1 [R,L]
I just now successfully renewed with HTTP to HTTPS redirect disabled. All seems well with the redirect turned back on.
Just to be explicit, I am performing
systemctl restart httpd.service
after each change of httpd.conf.
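An added example, not part of the original post: a small Python model of the redirect rule set above, showing which of the two commented-out `RewriteCond` lines would actually exempt an http-01 challenge request from the redirect. It assumes the rules are evaluated in server or virtual-host context (so the matched path keeps its leading slash), that `%{Request_URI}` resolves to the request path as `%{REQUEST_URI}` does, and that Python's `re` behaves like Apache's regex engine for these simple patterns; `redirect_target` and the sample paths are constructed for illustration.

```python
import re

# Patterns copied from the two commented-out RewriteCond lines in the post.
# In the config both are negated ("!"): the redirect applies only when the
# pattern does NOT match the request path.
COND_FULL_URL = r"^http://www.robjvargas.com/.well-known/acme-challenge/test.txt"
COND_WELL_KNOWN = r"^\/\.well-known\/.*$"

# Constructed sample request paths (the token is a placeholder, not a real one).
CHALLENGE = "/.well-known/acme-challenge/constructed-token"
ORDINARY = "/index.html"


def redirect_target(request_uri, https, exempt_pattern=None):
    """Model of:
         RewriteCond %{HTTPS} off
         RewriteCond %{REQUEST_URI} !<exempt_pattern>   (optional)
         RewriteRule (.*) https://www.robjvargas.com$1 [R,L]
    Returns the redirect URL, or None when the request is served without
    being redirected."""
    if https:
        return None  # "%{HTTPS} off" is false, so the rule does not apply
    if exempt_pattern is not None and re.search(exempt_pattern, request_uri):
        return None  # the negated condition fails, so the rule does not apply
    return "https://www.robjvargas.com" + request_uri


def survey():
    """Evaluate both sample paths under each variant of the rule set."""
    variants = {
        "no exemption": None,
        "full-URL pattern": COND_FULL_URL,
        "well-known pattern": COND_WELL_KNOWN,
    }
    return {
        (name, path): redirect_target(path, https=False, exempt_pattern=pat)
        for name, pat in variants.items()
        for path in (CHALLENGE, ORDINARY)
    }


if __name__ == "__main__":
    for (name, path), target in survey().items():
        print(f"{name:20} {path:48} -> {target or 'served over HTTP'}")
```

The full-URL pattern never matches because the value tested is a path such as `/.well-known/...`, not a URL beginning with `http://`, so with that condition enabled every plain-HTTP request is still redirected.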