Let’s Encrypt SSL failed to renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nelsontalk.info

I ran this command: certbot renew --force-renewal

It produced this output:
```
Challenge failed for domain mymail.nelsontalk.info
http-01 challenge for mymail.nelsontalk.info
Cleaning up challenges
Attempting to renew cert (nelsontalk.info) from /etc/letsencrypt/renewal/nelsontalk.info.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/nelsontalk.info/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/nelsontalk.info/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
```

My web server is (include version): Apache version 2.4.41

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.4

My hosting provider, if applicable, is: Virtualmin

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): PuTTY Release 0.77

Regards and thanks for your help.

Welcome to the community @nelsonmedina

Can you show us the contents of this file:

Please do NOT use this option if you're not familiar with its function. It does NOT magically resolve validation errors from the side of the ACME server (obviously). Using the --force-renewal function improperly can lead to hitting rate limits.

Sure check below

image

Thanks. Locate the apache VirtualHost for mymail.nelsontalk.info. Then, is the DocumentRoot still /home/nelsontalk/public_html ?

If you are not sure how to find this, please show result of this command:

```
apachectl -t -D DUMP_VHOSTS
```

Sure, here you have it.

Thanks. Now can you show the contents of this file

/etc/apache2/sites-enabled/mymail.nelsontalk.info

Is it possible for you to upload this file or to copy/paste the info? Images of text are harder to work with. If you copy/paste please put 3 backticks before and after the text like this
```
file contents
```

Yeah... Check below


<VirtualHost 128.199.50.155:80>
    SuexecUserGroup "#1000" "#1000"
    ServerName mymail.nelsontalk.info
    ServerAlias www.mymail.nelsontalk.info
    ServerAlias mail.mymail.nelsontalk.info
    ServerAlias webmail.mymail.nelsontalk.info
    ServerAlias admin.mymail.nelsontalk.info
    ServerAlias autoconfig.mymail.nelsontalk.info
    ServerAlias autodiscover.mymail.nelsontalk.info
    DocumentRoot /home/mymail/public_html
    ErrorLog /var/log/virtualmin/mymail.nelsontalk.info_error_log
    CustomLog /var/log/virtualmin/mymail.nelsontalk.info_access_log combined
    ScriptAlias /cgi-bin/ /home/mymail/cgi-bin/
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/mymail/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php7.4
    FCGIWrapper /home/mymail/fcgi-bin/php7.4.fcgi .php
    FCGIWrapper /home/mymail/fcgi-bin/php7.4.fcgi .php7.4
    </Directory>
    <Directory /home/mymail/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.mymail.nelsontalk.info
    RewriteRule ^(?!/.well-known)(.*) https://mymail.nelsontalk.info:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.mymail.nelsontalk.info
    RewriteRule ^(?!/.well-known)(.*) https://mymail.nelsontalk.info:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.4
    FcgidMaxRequestLen 1073741824
    IPCCommTimeout 31
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
RewriteCond %{SERVER_NAME} =webmail.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =autodiscover.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =admin.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =mail.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =www.mymail.nelsontalk.info [OR]
RewriteCond %{SERVER_NAME} =autoconfig.mymail.nelsontalk.info
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost 128.199.50.155:443>
    SuexecUserGroup "#1000" "#1000"
    ServerName mymail.nelsontalk.info
    ServerAlias www.mymail.nelsontalk.info
    ServerAlias mail.mymail.nelsontalk.info
    ServerAlias webmail.mymail.nelsontalk.info
    ServerAlias admin.mymail.nelsontalk.info
    ServerAlias autoconfig.mymail.nelsontalk.info
    ServerAlias autodiscover.mymail.nelsontalk.info
    DocumentRoot /home/mymail/public_html
    ErrorLog /var/log/virtualmin/mymail.nelsontalk.info_error_log
    CustomLog /var/log/virtualmin/mymail.nelsontalk.info_access_log combined
    ScriptAlias /cgi-bin/ /home/mymail/cgi-bin/
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/mymail/cgi-bin/autoconfig.cgi
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/mymail/public_html>
    Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    AddType application/x-httpd-php .php
    AddHandler fcgid-script .php
    AddHandler fcgid-script .php7.4
    FCGIWrapper /home/mymail/fcgi-bin/php7.4.fcgi .php
    FCGIWrapper /home/mymail/fcgi-bin/php7.4.fcgi .php7.4
    </Directory>
    <Directory /home/mymail/cgi-bin>
    allow from all
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.mymail.nelsontalk.info
    RewriteRule ^(?!/.well-known)(.*) https://mymail.nelsontalk.info:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.mymail.nelsontalk.info
    RewriteRule ^(?!/.well-known)(.*) https://mymail.nelsontalk.info:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php7.4
    FcgidMaxRequestLen 1073741824
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
IPCCommTimeout 31
Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
SSLCertificateFile /etc/letsencrypt/live/nelsontalk.info/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nelsontalk.info/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Could you edit your post to use 3 backticks? It looks like you used 3 single quotes instead.

Sometimes Apache config items are lost if you don't use backticks.

The 'backtick' is usually located to the left of the "1" at the left of the keyboard :slight_smile:

The backticks would still be helpful. But, I see a problem. Your Apache DocumentRoot for that domain name is /home/mymail/public_html

But, the webroot path in certbot renewal is /home/nelsontalk/public_html.

These two paths must match. So, to give the best instructions on how to fix this, please show the output of the certificates command (with backticks as shown)

```
output of command: certbot certificates
```

Here is:

```
Found the following certs:
  Certificate Name: nelsontalk.info
    Domains: nelsontalk.info mymail.nelsontalk.info
    Expiry Date: 2022-08-10 00:04:06+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/nelsontalk.info/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/nelsontalk.info/privkey.pem
```

Thanks. This should renew successfully and update the renewal conf for next time

```
certbot renew --cert-name nelsontalk.info -w /home/mymail/public_html
```

I typed the command, and it did the update and refresh successfully; however, it is not updated yet.

image

You will need to restart Apache to get the new certificate

I did it, but nothing happens, still the same.

That's very strange that restart was not enough. Please show this again

```
output of command: certbot certificates
```

Never mind. I see your server is now sending the current cert. It was not when I checked just before but I am glad you got it sorted.

Is done :white_check_mark:

Thank you so much for your help
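
The failure in this thread came down to certbot's webroot path not matching the Apache DocumentRoot for mymail.nelsontalk.info. The following is an added example, not part of any post above: a shell check that compares the two before a renewal is attempted. The renewal file contents are constructed (the original was posted as an image) and the function names are hypothetical; it assumes the webroot authenticator with a `[[webroot_map]]` section and a VirtualHost declared with an explicit `:80` port.

```shell
# Added example (hypothetical helper names, constructed sample data).
# Webroot certbot will use for host $2, from [[webroot_map]] in renewal conf $1.
certbot_webroot() {
  awk -v d="$2" '
    $1 == "[[webroot_map]]" { in_map = 1; next }
    /^\[/                   { in_map = 0 }
    in_map && $1 == d && $2 == "=" { print $3; exit }' "$1"
}

# DocumentRoot of the port-80 VirtualHost in file $1 that answers for host $2.
apache_docroot() {
  awk -v d="$2" '
    $1 == "<VirtualHost" { in_vh = ($2 ~ /:80>$/); hit = 0; root = ""; next }
    $1 == "</VirtualHost>" { if (in_vh && hit) { print root; exit }
                             in_vh = 0; next }
    in_vh && $1 ~ /^Server(Name|Alias)$/ { for (i = 2; i <= NF; i++) if ($i == d) hit = 1 }
    in_vh && $1 == "DocumentRoot" { gsub(/"/, "", $2); root = $2 }' "$1"
}

# Exit status: 0 = paths match, 1 = mismatch, 2 = one side not found.
check_webroot() {
  have=$(certbot_webroot "$1" "$3"); want=$(apache_docroot "$2" "$3")
  if [ -z "$have" ] || [ -z "$want" ]; then
    echo "UNKNOWN  $3: certbot='$have' apache='$want'"; return 2
  elif [ "$have" = "$want" ]; then
    echo "OK       $3: $have"; return 0
  fi
  echo "MISMATCH $3: certbot writes challenges to $have, Apache serves $want"; return 1
}

# Constructed sample files, modelled on the paths quoted in the thread.
write_samples() {
  cat > "$1/renewal.conf" <<'EOF'
[renewalparams]
authenticator = webroot
[[webroot_map]]
nelsontalk.info = /home/nelsontalk/public_html
mymail.nelsontalk.info = /home/nelsontalk/public_html
EOF
  cat > "$1/vhost.conf" <<'EOF'
<VirtualHost 128.199.50.155:80>
    ServerName mymail.nelsontalk.info
    ServerAlias www.mymail.nelsontalk.info
    DocumentRoot /home/mymail/public_html
</VirtualHost>
EOF
}
tmp=$(mktemp -d); write_samples "$tmp"
check_webroot "$tmp/renewal.conf" "$tmp/vhost.conf" mymail.nelsontalk.info || true
```

On a live host the first two arguments would be the renewal file under /etc/letsencrypt/renewal/ and the enabled site file; a MISMATCH result is the condition the `-w` option in the renew command above corrects.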