I wanted to renew my cert and got an error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alessandrafuenteswep.cl

I ran this command: sudo certbot renew

It produced this output:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/alessandrafuenteswep.cl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for alessandrafuenteswep.cl
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: alessandrafuenteswep.cl
Type: unauthorized
Detail: 137.184.185.58: Invalid response from
https://alessandrafuenteswep.cl/.well-known/acme-challenge/6bM14rVgU0RMBbyfTStUXzLs0ydeLR_71cFVyc6RCyA: 404
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Failed to renew certificate alessandrafuenteswep.cl with error: Some challenges have failed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/alessandrafuenteswep.cl/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version):
Server version: Apache/2.4.37 (centos)
Server built: Apr 6 2022 14:54:37

The operating system my web server runs on is (include version):
Centos 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.4.0

The HTTP challenge request was redirected to HTTPS, where it was not found (error: 404).

I would not redirect the HTTP ACME challenge requests.
I would instead answer the request on that first request.

Has it ever been renewed before [on this server]?
If so, what has changed since that last renewal?
If not, then what changed since that first issuance?

4 Likes

It has to be an HTTP request?
Because I've configured Apache to redirect HTTP to HTTPS.

The initial request is always HTTP.
As shown by the failure, that initial HTTP request was redirected to HTTPS.
[where it failed to reply, with error 404]

4 Likes

I think what's going to help the most is if you can post the <VirtualHost *:443> block from your Apache configuration for this domain.

The webroot that Certbot uses needs to match up with the DocumentRoot in the Apache configuration for that domain.

At present, it seems they are mismatched.

FWIW you can definitely respond to Let's Encrypt in HTTPS by using a redirect, but it can cause undue complications when troubleshooting in some circumstances.

6 Likes
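
The webroot/DocumentRoot match described in the reply above can be checked mechanically. The script below is an added example, not part of the thread or of Certbot: the function names and the example.test sample files are constructed, and it assumes the renewal file records the path as a `domain = path` line under `[[webroot_map]]`.

```shell
#!/bin/sh
# Added example: compare Certbot's stored webroot with Apache's DocumentRoot.

# Webroot recorded for a domain under [[webroot_map]] in a renewal file.
renewal_webroot() {  # $1 = renewal conf, $2 = domain
    awk -v d="$2" '
        /^[ \t]*\[\[webroot_map\]\]/ { in_map = 1; next }
        /^[ \t]*\[/                  { in_map = 0 }
        in_map && (i = index($0, "=")) {
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == d) { print val; exit }
        }' "$1"
}

# DocumentRoot of the <VirtualHost *:PORT> block whose ServerName is the domain.
vhost_docroot() {  # $1 = Apache conf, $2 = domain, $3 = port
    awk -v d="$2" -v p=":$3>" '
        tolower($1) == "<virtualhost" { in_vh = (index($2, p) > 0); name = root = ""; next }
        tolower($1) == "</virtualhost>" {
            if (in_vh && name == d && root != "") { print root; exit }
            in_vh = 0; next
        }
        in_vh && tolower($1) == "servername"   { name = $2 }
        in_vh && tolower($1) == "documentroot" { root = $2; gsub(/"/, "", root) }
    ' "$1"
}

# 0 = match, 1 = mismatch, 2 = a value is missing. Port 443 because, as on this
# page, the HTTP request is redirected and the HTTPS vhost serves the challenge.
check_webroot() {  # $1 = renewal conf, $2 = Apache conf, $3 = domain
    w=$(renewal_webroot "$1" "$3"); r=$(vhost_docroot "$2" "$3" 443)
    [ -n "$w" ] && [ -n "$r" ] || { echo "missing: webroot='$w' DocumentRoot='$r'"; return 2; }
    [ "${w%/}" = "${r%/}" ] && { echo "OK: $w"; return 0; }
    echo "MISMATCH: certbot writes to $w, Apache serves $r"; return 1
}

# Constructed sample files (example.test is a placeholder, not the poster's setup).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
    '[[webroot_map]]' 'example.test = /var/www/html' > "$tmp/renewal.conf"
printf '%s\n' '<VirtualHost *:443>' '    ServerName example.test' \
    '    DocumentRoot /var/www/html/example.test' '</VirtualHost>' > "$tmp/vhost.conf"
check_webroot "$tmp/renewal.conf" "$tmp/vhost.conf" example.test || echo "exit status $?"
```

On a real host the two arguments would be the file under /etc/letsencrypt/renewal/ and the Apache file holding the domain's virtual hosts.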
<VirtualHost *:80>
    ServerName www.alessandrafuenteswep.cl
    Redirect permanent / https://alessandrafuenteswep.cl/
</VirtualHost>

<VirtualHost *:80>
    ServerName alessandrafuenteswep.cl
    Redirect permanent / https://alessandrafuenteswep.cl/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.alessandrafuenteswep.cl
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^www.alessandrafuenteswep.cl
    RewriteRule ^(.+[^/])/$ https://alessandrafuenteswep.cl/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin MY_EMAIL
    DocumentRoot  /var/www/html/alessandrafuenteswep.cl
    ServerName alessandrafuenteswep.cl
    ErrorLog logs/ssl-alessandrafuenteswep.cl-error_log
    CustomLog logs/ssl-alessandrafuenteswep.cl-access_log common

    <Directory /var/www/html/alessandrafuenteswep.cl>
         Options -Indexes
         AllowOverride all
         Require all granted
    </Directory>

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

</VirtualHost>

It was the path.
I changed it in /etc/letsencrypt/renewal.

Why not do this like the other two?:

<VirtualHost *:443>
    ServerName www.alessandrafuenteswep.cl
    Redirect permanent / https://alessandrafuenteswep.cl/
</VirtualHost>

That said, all secure server blocks also require the use of a certificate.
So, both secure blocks are missing a couple of lines for that.

5 Likes
