I am unable to renew my expired certificate, please help me out

Hi Team,

My domain is:


I ran this command:
sudo certbot --apache -d fankick.io
and
sudo certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/fankick.io.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for fankick.io
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (fankick.io) from /etc/letsencrypt/renewal/fankick.io.conf produced an unexpected error: Failed authorization procedure. fankick.io (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.fankick.io [13.126.107.219]: "<!doctype html><html lang="en"><meta charset="utf-8"><meta name="HandheldFriendly" content="true"/><meta name="theme-color". Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/fankick.io/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/www.fankick.io/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/fankick.io/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: fankick.io
    Type: unauthorized
    Detail: Invalid response from http://www.fankick.io
    [13.126.107.219]: "<!doctype html><html lang="en"><meta
    charset="utf-8"><meta name="HandheldFriendly"
    content="true"/><meta name="theme-color"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):

Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-04-18T14:53:04

The operating system my web server runs on is (include version):
Ubuntu

My hosting provider, if applicable, is:
NameCheap
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.21.1

Here is my fankick.io conf file

# renew_before_expiry = 30 days

version = 0.21.1
archive_dir = /etc/letsencrypt/archive/fankick.io
cert = /etc/letsencrypt/live/fankick.io/cert.pem
privkey = /etc/letsencrypt/live/fankick.io/privkey.pem
chain = /etc/letsencrypt/live/fankick.io/chain.pem
fullchain = /etc/letsencrypt/live/fankick.io/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = apache
installer = apache
account = XXXXXXXXXXXXXXXXXXXXXXX

Hi @Narendar22

looks like your configuration can't work.

You have two different ip addresses ( https://check-your-website.server-daten.de/?q=fankick.io ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| fankick.io | A | 162.255.119.65 | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.fankick.io | C | ec2-13-126-107-219.ap-south-1.compute.amazonaws.com | yes | 1 | 0 |
| | A | 13.126.107.219 | yes | | |

Your www is hosted via Amazon.

But your redirects:

| Domainname | IP-Address | Http-Status | redirect | Sec. | G | |
|---|---|---|---|---|---|---|
| http://fankick.io/ | 162.255.119.65 | 302 | http://www.fankick.io | 0.370 | D | |
| http://www.fankick.io | | 200 | | 0.260 | H | |
| http://www.fankick.io/ | 13.126.107.219 | 200 | | 0.257 | H | |
| https://fankick.io/ | 162.255.119.65 | -2 | | 1.554 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 162.255.119.65:443 |
| https://www.fankick.io/ | 13.126.107.219 | 200 | | 1.533 | B | |
| http://fankick.io/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 162.255.119.65 | 302 | http://www.fankick.io | 0.374 | D | Visible Content: Found . |
| http://www.fankick.io/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 13.126.107.219 | 200 | | 0.257 | | Visible Content: You need to enable JavaScript to run this app. |

Using http-01 validation, Certbot creates a file in /.well-known/acme-challenge, and Let's Encrypt checks that file.

But your http + non-www + /.well-known/acme-challenge is redirected to your http + www version.

Which IP address does your Certbot use? If Certbot uses the 162.* address, Certbot can't create a file on 13.*.

Hi @JuergenAuer

Thanks for responding!

I am using Certbot on 13.126.107.219 IP.
Can you please help me with the configuration?

An application answers there, not your webserver.

You should create something like an exception, so your webserver handles that request, not your app.
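
The http-01 probe results quoted in this thread, run through a small triage function. This is an added example, not code from any poster or from Certbot; the name `triage`, the hop tuple layout and the sample token are assumptions, and the sample hops are constructed from the URLs, status codes and HTML excerpt shown above.

```python
import re
from urllib.parse import urljoin, urlsplit

# A key authorization is "<token>.<account key thumbprint>", both base64url.
KEY_AUTH = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
CHALLENGE_DIR = "/.well-known/acme-challenge/"


def triage(hops, token):
    """hops: (url, status, location, body) tuples in the order they were fetched.

    Returns a list of findings; an empty list means the probe looks servable.
    """
    findings = []
    first_host = urlsplit(hops[0][0]).hostname
    for url, status, location, _body in hops:
        if status in (301, 302, 303, 307, 308) and location:
            target = urlsplit(urljoin(url, location))  # resolves relative Location
            if target.hostname != first_host:
                findings.append(
                    f"redirect moves validation from {first_host} to {target.hostname}")
            if not target.path.startswith(CHALLENGE_DIR):
                findings.append("redirect drops the challenge path")
    _url, status, _loc, body = hops[-1]
    text = body.strip()
    if status != 200:
        findings.append(f"final status {status}")
    elif not KEY_AUTH.fullmatch(text):
        is_html = text.lower().startswith(("<!doctype", "<html"))
        kind = "HTML page" if is_html else "unexpected body"
        findings.append(f"{kind} served instead of a key authorization")
    elif not text.startswith(token + "."):
        findings.append("key authorization is for a different token")
    return findings


# Constructed sample: the two hops reported for the non-www challenge URL.
SAMPLE_TOKEN = "constructed_token"  # placeholder, not a real ACME token
SAMPLE_HOPS = [
    ("http://fankick.io/.well-known/acme-challenge/" + SAMPLE_TOKEN,
     302, "http://www.fankick.io", "Found ."),
    ("http://www.fankick.io", 200, None,
     '<!doctype html><html lang="en"><meta charset="utf-8">'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOPS, SAMPLE_TOKEN):
        print("-", finding)
```

A redirect to another host is not by itself a failure, but the challenge file must then exist on the host that finally answers, at the same path.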
