Let’s Encrypt SSL failed to renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nelsontalk.info

I ran this command: certbot renew --force-renewal

It produced this output:
```
Challenge failed for domain mymail.nelsontalk.info
http-01 challenge for mymail.nelsontalk.info
Cleaning up challenges
Attempting to renew cert (nelsontalk.info) from /etc/letsencrypt/renewal/nelsontalk.info.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/nelsontalk.info/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/nelsontalk.info/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
```

My web server is (include version): Apache version 2.4.41

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.4

My hosting provider, if applicable, is: Virtualmin

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): PuTTY Release 0.77

Regards and thanks for your help.

Welcome to the community @nelsonmedina

Can you show us the contents of this file:


Please do NOT use this option if you're not familiar with its function. It does NOT magically resolve validation errors from the side of the ACME server (obviously). Using the --force-renewal function improperly can lead to hitting rate limits.


Sure check below

image

Thanks. Locate the apache VirtualHost for mymail.nelsontalk.info. Then, is the DocumentRoot still /home/nelsontalk/public_html ?

If you are not sure how to find this, please show result of this command:

```
apachectl -t -D DUMP_VHOSTS
```

Sure, here you have it.

Thanks. Now can you show the contents of this file

/etc/apache2/sites-enabled/mymail.nelsontalk.info

Is it possible for you to upload this file or to copy/paste the info? Images of text are harder to work with. If you copy/paste please put 3 backticks before and after the text like this
```
file contents
```


Yeah... Check below


```
<VirtualHost 128.199.50.155:80>
    SuexecUserGroup "#1000" "#1000"
    ServerName mymail.nelsontalk.info
    ServerAlias www.mymail.nelsontalk.info
    ServerAlias mail.mymail.nelsontalk.info
    ServerAlias webmail.mymail.nelsontalk.info
    ServerAlias admin.mymail.nelsontalk.info
    ServerAlias autoconfig.mymail.nelsontalk.info
    ServerAlias autodiscover.mymail.nelsontalk.info
    DocumentRoot /home/mymail/public_html
    ErrorLog /var/log/virtualmin/mymail.nelsontalk.info_error_log
    CustomLog /var/log/virtualmin/mymail.nelsontalk.info_access_log combined
    ScriptAlias /cgi-bin/ /home/mymail/cgi-bin/
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/mymail/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php7.4
    FCGIWrapper /home/mymail/fcgi-bin/php7.4.fcgi .php
    FCGIWrapper /home/mymail/fcgi-bin/php7.4.fcgi .php7.4
    </Directory>
    <Directory /home/mymail/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.mymail.nelsontalk.info
    RewriteRule ^(?!/.well-known)(.*) https://mymail.nelsontalk.info:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.mymail.nelsontalk.info
    RewriteRule ^(?!/.well-known)(.*) https://mymail.nelsontalk.info:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.4
    FcgidMaxRequestLen 1073741824
    IPCCommTimeout 31
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
RewriteCond %{SERVER_NAME} =webmail.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =autodiscover.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =admin.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =mail.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =www.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =autoconfig.mymail.nelsontalk.info
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost 128.199.50.155:443>
    SuexecUserGroup "#1000" "#1000"
    ServerName mymail.nelsontalk.info
    ServerAlias www.mymail.nelsontalk.info
    ServerAlias mail.mymail.nelsontalk.info
    ServerAlias webmail.mymail.nelsontalk.info
    ServerAlias admin.mymail.nelsontalk.info
    ServerAlias autoconfig.mymail.nelsontalk.info
    ServerAlias autodiscover.mymail.nelsontalk.info
    DocumentRoot /home/mymail/public_html
    ErrorLog /var/log/virtualmin/mymail.nelsontalk.info_error_log
    CustomLog /var/log/virtualmin/mymail.nelsontalk.info_access_log combined
    ScriptAlias /cgi-bin/ /home/mymail/cgi-bin/
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/mymail/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php7.4
    FCGIWrapper /home/mymail/fcgi-bin/php7.4.fcgi .php
    FCGIWrapper /home/mymail/fcgi-bin/php7.4.fcgi .php7.4
    </Directory>
    <Directory /home/mymail/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.mymail.nelsontalk.info
    RewriteRule ^(?!/.well-known)(.*) https://mymail.nelsontalk.info:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.mymail.nelsontalk.info
    RewriteRule ^(?!/.well-known)(.*) https://mymail.nelsontalk.info:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.4
    FcgidMaxRequestLen 1073741824
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
IPCCommTimeout 31
Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
SSLCertificateFile /etc/letsencrypt/live/nelsontalk.info/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nelsontalk.info/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

Could you edit your post to use 3 backticks. It looks like you used 3 single quotes instead.

Sometimes apache config items are lost if you don't use backticks


The 'backtick' is usually located to the left of the "1" at the left of the keyboard 🙂


The backticks would still be helpful. But, I see a problem. Your Apache DocumentRoot for that domain name is /home/mymail/public_html

But, the webroot path in certbot renewal is /home/nelsontalk/public_html.

These two paths must match. So, to give best instructions on how to fix please show output of the certificates command (with backticks as shown)

```
output of command: certbot certificates
```

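The mismatch described in the post above, as an added example that is not part of the original thread: with the webroot authenticator, certbot writes the http-01 token under the path recorded in the renewal conf's `[[webroot_map]]`, while Apache serves the request from the vhost's `DocumentRoot`, so the challenge fails when the two differ. The renewal conf contents and the apex vhost below are constructed (the real conf was posted as an image), and the function names are hypothetical.

```python
import re

# Constructed sample: [[webroot_map]] assumed from the path quoted in the thread.
RENEWAL_CONF = """\
[renewalparams]
[[webroot_map]]
nelsontalk.info = /home/nelsontalk/public_html
mymail.nelsontalk.info = /home/nelsontalk/public_html
"""

# Second vhost is trimmed from the thread; the first (apex) one is constructed.
APACHE_CONF = """\
<VirtualHost 128.199.50.155:80>
    ServerName nelsontalk.info
    DocumentRoot /home/nelsontalk/public_html
</VirtualHost>
<VirtualHost 128.199.50.155:80>
    ServerName mymail.nelsontalk.info
    ServerAlias www.mymail.nelsontalk.info
    DocumentRoot /home/mymail/public_html
</VirtualHost>
"""

def webroot_map(conf):
    """Return {domain: webroot} from the [[webroot_map]] section."""
    mapping, inside = {}, False
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("["):
            inside = line == "[[webroot_map]]"
        elif inside and "=" in line and not line.startswith("#"):
            name, path = line.split("=", 1)
            mapping[name.strip()] = path.strip().rstrip("/")
    return mapping

def document_roots(conf):
    """Return {hostname: DocumentRoot} for each ServerName/ServerAlias."""
    roots = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S | re.I):
        root = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', block, re.M | re.I)
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", block, re.M | re.I)
        for name in " ".join(names).split() if root else ():
            roots.setdefault(name.lower(), root.group(1).rstrip("/"))
    return roots

def mismatches(renewal_conf, apache_conf):
    """List (domain, certbot_webroot, apache_docroot) where the two differ."""
    roots, wanted = document_roots(apache_conf), webroot_map(renewal_conf)
    return [(d, w, roots.get(d)) for d, w in wanted.items() if roots.get(d) != w]

print(mismatches(RENEWAL_CONF, APACHE_CONF))
```

On a real host the two strings would be read from `/etc/letsencrypt/renewal/nelsontalk.info.conf` and the enabled Apache site files; a domain with no matching vhost is reported with `None` as its DocumentRoot.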

Here is:

```
Found the following certs:
  Certificate Name: nelsontalk.info
    Domains: nelsontalk.info mymail.nelsontalk.info
    Expiry Date: 2022-08-10 00:04:06+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/nelsontalk.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nelsontalk.info/privkey.pem
```

Thanks. This should renew successfully and update the renewal conf for next time

```
certbot renew --cert-name nelsontalk.info -w /home/mymail/public_html
```

I typed the command, and it did the update and refresh successfully; however, it is not updated yet.

image

You will need to restart Apache to get the new certificate


I did it, but nothing happens, still the same.


That's very strange that restart was not enough. Please show this again

```
output of command: certbot certificates
```


Never mind. I see your server is now sending the current cert. It was not when I checked just before, but I am glad you got it sorted.


Is done ✅

Thank you so much for your help

