Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.kisioanalysis.io
http-01 challenge for www.cloud.kisioanalysis.io
Using the webroot path /path/to/webroot for all unmatched domains.
Waiting for verification…
Challenge failed for domain www.cloud.kisioanalysis.io
Challenge failed for domain cloud.kisioanalysis.io
http-01 challenge for www.cloud.kisioanalysis.io
http-01 challenge for cloud.kisioanalysis.io
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
nginx version: nginx/1.16.1
The operating system my web server runs on is (include version):
NAME="Amazon Linux AMI"
VERSION="2018.03"
My hosting provider, if applicable, is:
amazon web services
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.2.0
Hello everyone,
I’m pretty new to SSL certificates and to web administration overall, and I was wondering why I cannot renew an existing certificate using the letsencrypt command. I have multiple domains where I do not have any issues renewing certificates, but this one seems to have some. I tried multiple things, such as modifying my nginx conf file, but nothing seems to work.
I’m already sorry if it is such a stupid and simple problem, but as I said, I’m really new to all this and still learning.
I would appreciate some support and feedback, and thank you for your time reading this.
Hello @schoen
I replaced /path/to/webroot with the real path to my web server, that is /var/www/webserver. I should have mentioned it, sorry!
For the “renew” part, I tried the renew command as well and it displayed almost the same output. Here it is:
"certbot renew" output
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cloud.kisioanalysis.io
http-01 challenge for www.cloud.kisioanalysis.io
Using the webroot path /var/www/webserver for all unmatched domains.
Waiting for verification…
Challenge failed for domain www.cloud.kisioanalysis.io
Challenge failed for domain cloud.kisioanalysis.io
http-01 challenge for www.cloud.kisioanalysis.io
http-01 challenge for cloud.kisioanalysis.io
Cleaning up challenges
Attempting to renew cert (www.cloud.kisioanalysis.io-0001) from /etc/letsencrypt/renewal/www.cloud.kisioanalysis.io-0001.conf produced an unexpected error: Some challenges have failed… Skipping.
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 63, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/storage.py", line 532, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/www.cloud.kisioanalysis.io/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/www.cloud.kisioanalysis.io.conf is broken. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.cloud.kisioanalysis.io-0001/fullchain.pem (failure)
Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/www.cloud.kisioanalysis.io.conf (parsefail)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
Finally, I am not sure how we got the original certificate, since it was already there when I started working on the server, but I’m pretty sure the command I posted earlier was also the one used to get the certificate (/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/webserver -d www.cloud.kisioanalysis.io -d cloud.kisioanalysis.io).
@ZetaRevan do you mean I am running the command under a user not having enough permissions on the server files/directory? I’ll check the nginx conf file.
Can’t thank you enough for your quick replies, it helps me a lot!
Well, it looks like the issue came from the nginx conf file. After some research, I found out that my server had issues accessing .well-known for the HTTP challenges.
For those interested, I added
location ^~ /.well-known/acme-challenge/ {
    # the usual settings
}
in the nginx site-enabled conf file, tried to renew my cert and it worked!
Thank you again for your support, really appreciated it.
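
The two failures in this thread (a live/ file that is not a symlink, and http-01 files that nginx does not serve) can each be checked before running a renewal. The script below is an added example, not code from the posts or from Certbot; the function names `check_lineage` and `probe_webroot` are hypothetical, and it assumes `curl` is installed and that the caller can write to the webroot.

```shell
#!/bin/sh
# Added example: pre-renewal checks for a Certbot webroot setup.

# check_lineage DIR
# Certbot expects these four files in live/<name>/ to be symlinks into
# archive/<name>/. Prints one line per problem and returns the problem count.
check_lineage() {
    local dir="$1" problems=0 f
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -L "$dir/$f" ]; then
            echo "NOT-SYMLINK $dir/$f"      # regular file or missing
            problems=$((problems + 1))
        elif [ ! -e "$dir/$f" ]; then
            echo "DANGLING $dir/$f"         # symlink whose target is gone
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# probe_webroot WEBROOT HOST
# Writes a throwaway file where the webroot plugin places http-01 tokens and
# fetches it over plain HTTP (following redirects). Returns 0 only if the
# body served for that URL matches what was written.
probe_webroot() {
    local webroot="$1" host="$2" name="probe-$$" body
    mkdir -p "$webroot/.well-known/acme-challenge" || return 2
    echo "$name" > "$webroot/.well-known/acme-challenge/$name" || return 2
    body=$(curl -fsSL --max-time 10 \
        "http://$host/.well-known/acme-challenge/$name")
    rm -f "$webroot/.well-known/acme-challenge/$name"
    [ "$body" = "$name" ]
}

# Usage: script LIVE_DIR WEBROOT HOST
if [ "$#" -eq 3 ]; then
    check_lineage "$1" || echo "lineage has problems (see lines above)"
    if probe_webroot "$2" "$3"; then
        echo "webroot is served for $3"
    else
        echo "webroot is NOT served for $3: check the nginx location block"
    fi
fi
```

With the values from this thread, the arguments would be /etc/letsencrypt/live/www.cloud.kisioanalysis.io, /var/www/webserver and cloud.kisioanalysis.io; repeat the probe for each hostname on the certificate.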