I am unable to renew my expired certificate, please help me out


#1

Hi Team,

My domain is:


I ran this command:
sudo certbot --apache -d fankick.io
and
sudo certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/fankick.io.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fankick.io
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (fankick.io) from /etc/letsencrypt/renewal/fankick.io.conf produced an unexpected error: Failed authorization procedure. fankick.io (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.fankick.io [13.126.107.219]: "<!doctype html><html lang="en"><meta charset="utf-8"><meta name="HandheldFriendly" content="true"/><meta name="theme-color". Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/fankick.io/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/www.fankick.io/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/fankick.io/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: fankick.io
    Type: unauthorized
    Detail: Invalid response from http://www.fankick.io
    [13.126.107.219]: "<!doctype html><html lang="en"><meta
    charset="utf-8"><meta name="HandheldFriendly"
    content="true"/><meta name="theme-color"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):

Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-04-18T14:53:04

The operating system my web server runs on is (include version):
Ubuntu

My hosting provider, if applicable, is:
NameCheap
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.21.1


#2

Here is my fankick.io conf file

# renew_before_expiry = 30 days

version = 0.21.1
archive_dir = /etc/letsencrypt/archive/fankick.io
cert = /etc/letsencrypt/live/fankick.io/cert.pem
privkey = /etc/letsencrypt/live/fankick.io/privkey.pem
chain = /etc/letsencrypt/live/fankick.io/chain.pem
fullchain = /etc/letsencrypt/live/fankick.io/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = XXXXXXXXXXXXXXXXXXXXXXX


#3

Hi @Narendar22

looks like your configuration can’t work.

You have two different ip addresses ( https://check-your-website.server-daten.de/?q=fankick.io ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| fankick.io | A | 162.255.119.65 | yes | 1 | 0 |
| fankick.io | AAAA | | yes | | |
| www.fankick.io | C | ec2-13-126-107-219.ap-south-1.compute.amazonaws.com | yes | 1 | 0 |
| www.fankick.io | A | 13.126.107.219 | yes | | |

Your www is hosted via amazon.

But your redirects:

| Domainname | Http-Status | redirect | Sec. | G | Note |
|---|---|---|---|---|---|
| http://fankick.io/ (162.255.119.65) | 302 | http://www.fankick.io | 0.370 | D | |
| http://www.fankick.io | 200 | | 0.260 | H | |
| http://www.fankick.io/ (13.126.107.219) | 200 | | 0.257 | H | |
| https://fankick.io/ (162.255.119.65) | -2 | | 1.554 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 162.255.119.65:443 |
| https://www.fankick.io/ (13.126.107.219) | 200 | | 1.533 | B | |
| http://fankick.io/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (162.255.119.65) | 302 | http://www.fankick.io | 0.374 | D | Visible Content: Found . |
| http://www.fankick.io/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (13.126.107.219) | 200 | | 0.257 | | Visible Content: You need to enable JavaScript to run this app. |

Using http-01 validation, Certbot creates a file in /.well-known/acme-challenge and Let's Encrypt checks that file.

But your http + non-www + /.well-known/acme-challenge is redirected to your http + www version.

Which IP address does your Certbot use? If Certbot uses the 162.* address, Certbot can't create a file on 13.*.


#4

Hi @JuergenAuer

Thanks for responding!

I am using Certbot on 13.126.107.219 IP.
Can you please help me with the configuration.


#5

An application answers there, not your webserver.

You should create something like an exception, so your webserver handles that request, not your app.
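One concrete form of the exception suggested above, as an added example that is not from this thread: an Apache vhost fragment for the www host that keeps the ACME challenge path out of the reverse proxy and serves it from a plain directory. It assumes the JavaScript app is reverse-proxied by Apache from localhost:3000 and that /var/www/letsencrypt is the challenge webroot; both values are assumptions.

```apache
# Added example (not from the thread). Assumes the app that currently answers
# on www.fankick.io is reverse-proxied from localhost:3000 and that
# /var/www/letsencrypt is a directory Apache can read.
<VirtualHost *:80>
    ServerName www.fankick.io
    ServerAlias fankick.io

    # Serve ACME http-01 challenge files from a static directory. With a
    # webroot, Certbot writes the token here, e.g.
    #   certbot certonly --webroot -w /var/www/letsencrypt -d fankick.io -d www.fankick.io
    Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
    <Directory /var/www/letsencrypt/.well-known/acme-challenge/>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # ProxyPass rules are matched in order: the "!" exclusion must come BEFORE
    # the catch-all, otherwise the app still swallows the challenge request and
    # Let's Encrypt sees the app's HTML instead of the token.
    ProxyPass        /.well-known/acme-challenge/ !
    ProxyPass        / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
</VirtualHost>
```

To check the exception before renewing, place a small text file in the challenge directory and fetch it with curl over plain HTTP from outside: the response should be the file's content, not the "You need to enable JavaScript" page.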