Not able to renew a certificate

My domain is: boinc-multi-pool.info

I ran this command:
certbot renew --dry-run --webroot -w /var/www/html --cert-name boinc.multi-pool.info -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/boinc.multi-pool.info.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for boinc.multi-pool.info
Performing the following challenges:
http-01 challenge for boinc.multi-pool.info
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain boinc.multi-pool.info
http-01 challenge for boinc.multi-pool.info

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: boinc.multi-pool.info
  Type:   unauthorized
  Detail: 78.26.93.125: Invalid response from http://boinc.multi-pool.info/.well-known/acme-challenge/OGZjGBnbXRYEPADWO7WcJW_vU820Y_cQS4560z9dUt4: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate boinc.multi-pool.info with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/boinc.multi-pool.info/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
apache 2.4.52-1ubuntu4.6

The operating system my web server runs on is (include version):
Ubuntu with kernel 5.15.0-88-generic

My hosting provider, if applicable, is:
godaddy

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Check your apache config, see if that's the actual webroot for boinc.multi-pool.info

1 Like

Using the online tool Let's Debug yields these results https://letsdebug.net/boinc-multi-pool.info/1682421

NoRecords
FATAL
No valid A or AAAA records could be ultimately resolved for boinc-multi-pool.info. This means that Let's Encrypt would not be able to connect to your domain to perform HTTP validation, since it would not know where to connect to.
No A or AAAA records found.

And using the online tool Unbound DNS checker yields these results for A records https://unboundtest.com/m/A/boinc-multi-pool.info/EL7FIBPR

Query results for A boinc-multi-pool.info

Response:
;; opcode: QUERY, status: NXDOMAIN, id: 1194
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;boinc-multi-pool.info.	IN	 A

;; AUTHORITY SECTION:
info.	0	IN	SOA	a0.info.afilias-nst.info. hostmaster.donuts.email. 1700425289 7200 900 1209600 3600
info.	0	IN	RRSIG	SOA 8 1 3600 20231210202639 20231119192639 42411 info. PYl9jw0Y+4dGJceAN3V+v2pAi9jzLSBnbrfMibRNZSNXa9DPyEuVj76+FfL8dP+sItwHqQAF/LCxBpFpfIrGoIQ++bboyv2i29nODDSS3M1tRFrsvCz+V0N+9ePtfirKpFr32HK4wkuRwZ/TP65DFaHCLAJMggoJp0rYG5eA4mM=
526vog7afjquqdgqpn9o8lm7bn5gape8.info.	0	IN	NSEC3	1 1 100 332539EE7F95C32A 52773GNHC4FIMJ8HCRSHIGOIHQ1EGS2G NS SOA RRSIG DNSKEY NSEC3PARAM
526vog7afjquqdgqpn9o8lm7bn5gape8.info.	0	IN	RRSIG	NSEC3 8 2 3600 20231210202639 20231119192639 42411 info. M+Et25NEzB0ykVRiJuE5jh+aRTTgn1xHKT25JBFyQR65/ZVtKCHuufm4qQXbTpMN6s4VaH8YyGOgSUOHroN/bkvLAOemIAXU0f1UEL6ofLii8ssewqLviP4sHSuXQ+VWN1QYzRlt0fmQRhSTvFDjP/IpmJ6LxXn+M2PTUtXgOa8=
v9hlencfflkstdbqlpr5tvavckk7kmvd.info.	0	IN	NSEC3	1 1 100 332539EE7F95C32A V9HU8DAPN2PT6PT9TR5V18ETAR3GIT9U NS DS RRSIG
v9hlencfflkstdbqlpr5tvavckk7kmvd.info.	0	IN	RRSIG	NSEC3 8 2 3600 20231210031256 20231119021256 42411 info. LzOGM+XgqkOawLo/0t2xhvkBFAfqWB0ghRqrRMY0RLHojyMazAnk71Lxp8ZoN+adm3dwuTNQAcy7OFY7DzqhuUCMxzQdk9vhXpyjH1Y8iMzB/wiAL1n/js+SQNDB7NGPh6Kz9slQCSwDhJMWWVqXXUQ42iotGGLVYuqkNd4DwjE=
ca7mupnamuqfescv3ontos769t2s97vr.info.	0	IN	NSEC3	1 1 100 332539EE7F95C32A CA7Q1NHMJ85VOSBKA84NVE8BLJQJ4HCE NS DS RRSIG
ca7mupnamuqfescv3ontos769t2s97vr.info.	0	IN	RRSIG	NSEC3 8 2 3600 20231210031256 20231119021256 42411 info. SNtjFQRqUIK8j8Jvs5zNXb5MJp3j4wLJHbiYU5dTU9S3daoBipqRbPN3m3AUfIFk6AeOqCY00sJGH57qzQmITCOncmEnydFGad8mj7oCaCZojUVSx2oaLoDW9PrrGfYo3Xn77UbEMBAVGt4IxtLPcbmLecqiNc9wkOpXw1+a2ko=

----- Unbound logs -----
Nov 19 20:34:56 unbound[600358:0] notice: init module 0: validator
Nov 19 20:34:56 unbound[600358:0] notice: init module 1: iterator
Nov 19 20:34:56 unbound[600358:0] info: start of service (unbound 1.16.3).
Nov 19 20:34:57 unbound[600358:0] query: 127.0.0.1 boinc-multi-pool.info. A IN
Nov 19 20:34:57 unbound[600358:0] info: resolving boinc-multi-pool.info. A IN

And using the online tool Unbound DNS checker yields these results for AAAA records https://unboundtest.com/m/AAAA/boinc-multi-pool.info/35NONSML

Query results for AAAA boinc-multi-pool.info

Response:
;; opcode: QUERY, status: NXDOMAIN, id: 49052
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;boinc-multi-pool.info.	IN	 AAAA

;; AUTHORITY SECTION:
info.	0	IN	SOA	a0.info.afilias-nst.info. hostmaster.donuts.email. 1700425922 7200 900 1209600 3600
info.	0	IN	RRSIG	SOA 8 1 3600 20231210203715 20231119193715 42411 info. GOGIZRj8F1J+GJDyK+Nx3UIdJdGfMedf4ZM9f2AWEF3YdAS1Z2XXrpDL9vxHmyUK0MptzJx1xUdyu5FTz2IGqu/clnOWSj04lia6KPdn7ivmTUHxT+iTtzqtauowEPEK3jfhqy7hrhWOwR32UmpnDP0fICR2vI1AFqIFTk3Lim8=
526vog7afjquqdgqpn9o8lm7bn5gape8.info.	0	IN	NSEC3	1 1 100 332539EE7F95C32A 52773GNHC4FIMJ8HCRSHIGOIHQ1EGS2G NS SOA RRSIG DNSKEY NSEC3PARAM
526vog7afjquqdgqpn9o8lm7bn5gape8.info.	0	IN	RRSIG	NSEC3 8 2 3600 20231210203715 20231119193715 42411 info. H2x4TOSsKlzgapNNNBVwOSmpAMps2WyeZJAw9EKhqkgsOYUsHpO079BvDSpYyErUy1BVvn+fdK+lr0qR7c2jiKeQQWqWgdZjLF0cI2MiU4tKB1vLCWeAEA+yuOYg4Y6b55LKuhkOjpUYXa1FD5yfBACPfAi3wv40kamL5l+30mc=
v9hlencfflkstdbqlpr5tvavckk7kmvd.info.	0	IN	NSEC3	1 1 100 332539EE7F95C32A V9HU8DAPN2PT6PT9TR5V18ETAR3GIT9U NS DS RRSIG
v9hlencfflkstdbqlpr5tvavckk7kmvd.info.	0	IN	RRSIG	NSEC3 8 2 3600 20231210031256 20231119021256 42411 info. LzOGM+XgqkOawLo/0t2xhvkBFAfqWB0ghRqrRMY0RLHojyMazAnk71Lxp8ZoN+adm3dwuTNQAcy7OFY7DzqhuUCMxzQdk9vhXpyjH1Y8iMzB/wiAL1n/js+SQNDB7NGPh6Kz9slQCSwDhJMWWVqXXUQ42iotGGLVYuqkNd4DwjE=
ca7mupnamuqfescv3ontos769t2s97vr.info.	0	IN	NSEC3	1 1 100 332539EE7F95C32A CA7Q1NHMJ85VOSBKA84NVE8BLJQJ4HCE NS DS RRSIG
ca7mupnamuqfescv3ontos769t2s97vr.info.	0	IN	RRSIG	NSEC3 8 2 3600 20231210031256 20231119021256 42411 info. SNtjFQRqUIK8j8Jvs5zNXb5MJp3j4wLJHbiYU5dTU9S3daoBipqRbPN3m3AUfIFk6AeOqCY00sJGH57qzQmITCOncmEnydFGad8mj7oCaCZojUVSx2oaLoDW9PrrGfYo3Xn77UbEMBAVGt4IxtLPcbmLecqiNc9wkOpXw1+a2ko=

----- Unbound logs -----
Nov 19 20:37:44 unbound[600362:0] notice: init module 0: validator
Nov 19 20:37:44 unbound[600362:0] notice: init module 1: iterator
Nov 19 20:37:44 unbound[600362:0] info: start of service (unbound 1.16.3).
Nov 19 20:37:45 unbound[600362:0] query: 127.0.0.1 boinc-multi-pool.info. AAAA IN
Nov 19 20:37:45 unbound[600362:0] info: resolving boinc-multi-pool.info. AAAA IN
1 Like

Hi @ice00, and welcome to the LE community forum 🙂

As mentioned:

That is most likely the case.

As you are using Apache I would also check that there are no name:port overlaps, with:

sudo apachectl -t -D DUMP_VHOSTS

3 Likes

apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
78.26.93.125:80        boinc.multi-pool.info (/etc/apache2/sites-enabled/latinsquares.httpd.conf:1)
*:80                   127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:2)
*:443                  boinc.multi-pool.info (/etc/apache2/sites-enabled/default-ssl.conf:2)

Just to check that I understand correctly: for webroot, does it mean the DocumentRoot directive of Apache?

The domain multi-pool.info is defined with those DNS entries in Godaddy:

A @ 78.26.93.123 600sec
A boinc 78.26.9.125 1h
A boinc-status 78.26.93.124 1h

Yes; now it looks better.

IPv4 A Record
https://unboundtest.com/m/A/multi-pool.info/IHY33XYX

Query results for A multi-pool.info

Response:
;; opcode: QUERY, status: NOERROR, id: 39220
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;multi-pool.info.	IN	 A

;; ANSWER SECTION:
multi-pool.info.	0	IN	A	78.26.93.123

----- Unbound logs -----
Nov 20 17:37:32 unbound[609426:0] notice: init module 0: validator
Nov 20 17:37:32 unbound[609426:0] notice: init module 1: iterator

Currently I see https://letsdebug.net/multi-pool.info/1683573

ANotWorking
ERROR
multi-pool.info has an A (IPv4) record (78.26.93.123) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://multi-pool.info/.well-known/acme-challenge/letsdebug-test": dial tcp 78.26.93.123:80: connect: no route to host

Trace:
@0ms: Making a request to http://multi-pool.info/.well-known/acme-challenge/letsdebug-test (using initial IP 78.26.93.123)
@0ms: Dialing 78.26.93.123
@3106ms: Experienced error: dial tcp 78.26.93.123:80: connect: no route to host
IssueFromLetsEncrypt
ERROR
A test authorization for multi-pool.info to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
78.26.93.123: Fetching http://multi-pool.info/.well-known/acme-challenge/ORs5c6Ec1ctvUtzem3i2eR-EWoWtSXIKAViv84JMZHw: Error getting validation data

Using nmap I see your ports 80 & 443 are filtered:
Port 80 must be accessible for the HTTP-01 challenge
Best Practice - Keep Port 80 Open

$ nmap -Pn -p80,443 multi-pool.info
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-20 17:40 UTC
Nmap scan report for multi-pool.info (78.26.93.123)
Host is up.
rDNS record for 78.26.93.123: host-7826-93-123.wifi.asdasd.it

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.74 seconds

Here is an online Open Port Check Tool - Test Port Forwarding on Your Router tool.
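The webroot question above (is `-w` the DocumentRoot of the vhost that actually answers port 80 for this name?) and the port 80 reachability point are the same check from Certbot's side: a file dropped under `WEBROOT/.well-known/acme-challenge/` must come back byte-for-byte when fetched over HTTP at the public name. This is an added example, not code from the thread or from Certbot; the function names and the hex token format are its own choices (real ACME tokens look different), and it assumes a POSIX shell with `od`, `curl` and a writable webroot.

```shell
#!/bin/sh
# Added example: pre-flight self-test for the http-01 webroot method.
# Not from the thread or from Certbot; names and token format are assumptions.

# acme_probe_create WEBROOT: write a world-readable token file, print the token.
acme_probe_create() {
  webroot=$1
  dir="$webroot/.well-known/acme-challenge"
  # 16 random bytes as 32 hex chars: safe in a URL and as a file name.
  token=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
  mkdir -p "$dir"
  printf '%s' "$token" > "$dir/$token"
  chmod 644 "$dir/$token"   # the Apache worker (www-data) must be able to read it
  printf '%s\n' "$token"
}

# acme_probe_readback WEBROOT TOKEN: the offline half, what the file contains.
acme_probe_readback() {
  cat "$1/.well-known/acme-challenge/$2"
}

# acme_probe_fetch DOMAIN TOKEN: the network half, what the public name serves.
# Redirects are deliberately not followed: Let's Encrypt does follow them, but a
# 302 to another path or vhost (as in this thread) is exactly what you want to see.
acme_probe_fetch() {
  curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2"
}

# acme_probe_cleanup WEBROOT TOKEN: remove the probe file again.
acme_probe_cleanup() {
  rm -f "$1/.well-known/acme-challenge/$2"
}

# acme_webroot_selftest WEBROOT DOMAIN: exit 0 only if the served body equals the file.
acme_webroot_selftest() {
  webroot=$1; domain=$2
  token=$(acme_probe_create "$webroot")
  got=$(acme_probe_fetch "$domain" "$token") || got="<fetch failed>"
  acme_probe_cleanup "$webroot" "$token"
  if [ "$got" = "$token" ]; then
    echo "OK: $domain serves $webroot/.well-known/acme-challenge/ on port 80"
    return 0
  fi
  echo "MISMATCH: $domain returned '$got'; check which vhost answers port 80 and its DocumentRoot" >&2
  return 1
}

# Usage: sh selftest.sh /var/www/html boinc.multi-pool.info
if [ $# -eq 2 ]; then acme_webroot_selftest "$1" "$2"; fi
```

Run it from a machine outside your own network where possible: a fetch that works from the server itself but fails from the internet is the "filtered" result nmap showed, and a fetch that returns a redirect page instead of the token is the wrong-vhost or wrong-DocumentRoot case. If the name also has an AAAA record, repeat the fetch with `curl -6`, since the CA will try IPv6 first when it exists.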

Hi,

Just so you know, the server at 78.26.93.123 is now stopped, so access to multi-pool.info (like www.multi-pool.info) will not get browser answers.

If this is a problem for the boinc.multi-pool.info certificate, I can make the DNS point to one of the other two working servers.

1 Like

Yes.

Show file:

2 Likes

/etc/apache2/sites-enabled/000-default.conf

ServerName boinc.multi-pool.info
<VirtualHost *:80>
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www/html
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

The ServerName directive is outside of the VirtualHost definition.

That said, there might be another system handling HTTP or another vhost.
Where does this redirection happen?:

curl -Ii boinc.multi-pool.info
HTTP/1.1 302 Found
Date: Mon, 20 Nov 2023 19:01:51 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://boinc.multi-pool.info/latinsquares/
Content-Type: text/html; charset=iso-8859-1
2 Likes

/etc/apache2/sites-enabled/latinsquares.httpd.conf

<VirtualHost boinc.multi-pool.info:80>
    ServerName boinc.multi-pool.info
    ServerAlias www.boinc.multi-pool.info
    ServerAdmin ice00@libero.it

   DocumentRoot /home/boinc/projects/latinsquares/html

    Include sites-available/boinc.inc
</VirtualHost>

/etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName boinc.multi-pool.info
        ServerAlias www.boinc.multi-pool.info
        DocumentRoot /home/boinc/projects/latinsquares/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile      /etc/letsencrypt/live/boinc.multi-pool.info/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/boinc.multi-pool.info/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/boinc.multi-pool.info/chain.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        Include sites-available/boinc.inc
    </VirtualHost>
</IfModule>

/etc/apache2/sites-available/boinc.inc

    ServerName boinc.multi-pool.info
    ServerAlias www.boinc.multi-pool.info
    ServerAdmin ice00@libero.it
     RedirectMatch ^/$ /latinsquares/

    Alias /latinsquares/download /home/boinc/projects/latinsquares/download
    Alias /latinsquares/stats /home/boinc/projects/latinsquares/html/stats
    Alias /latinsquares/user_profile /home/boinc/projects/latinsquares/html/user_profile
    Alias /latinsquares /home/boinc/projects/latinsquares/html/user

    Alias /latinsquares_ops /home/boinc/projects/latinsquares/html/ops
    ScriptAlias /latinsquares_cgi /home/boinc/projects/latinsquares/cgi-bin

    DocumentRoot /home/boinc/projects/latinsquares/html

Then there are all the Directory directives for all the aliases defined before.

The same names are being served in two vhost config files.
That's a "name:port" overlap - as I suspected.

2 Likes

Try this again [and show all the output]:

2 Likes

sudo apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
78.26.93.125:80        boinc.multi-pool.info (/etc/apache2/sites-enabled/latinsquares.httpd.conf:1)
*:80                   127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:2)
*:443                  boinc.multi-pool.info (/etc/apache2/sites-enabled/default-ssl.conf:2)

Agreed. Further, they are mixing IP and Name based Virtual hosts. This will likely cause them problems.

In the first one below, the name boinc.multi-pool.info in the VirtualHost statement is just converted to an IP by Apache.

3 Likes
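The two problems spotted in the DUMP_VHOSTS output above (an IP-specific `78.26.93.125:80` vhost next to a wildcard `*:80` one, and a vhost whose name shows as a bare IP because its ServerName sits outside the `<VirtualHost>` block) can be picked out of that text mechanically before the next renewal. The script below is an added example, not code from the thread or from Apache; its three finding labels are heuristics of its own, it assumes a POSIX shell with awk, and the two sample inputs are constructed (the first one copies the output posted in this thread, the second one is in the name-based format Apache prints when several vhosts share an address).

```shell
#!/bin/sh
# Added example: flag vhost layouts that commonly break http-01, from the text of
#   sudo apachectl -t -D DUMP_VHOSTS
# Not from the thread or from Apache. The labels are heuristics (assumptions):
#   MIXED_ADDRESSING  one port has both an IP-specific vhost and a *: vhost
#   NO_SERVERNAME     a vhost whose name is a bare IP, i.e. no ServerName inside it
#   DUPLICATE_NAME    the same name or alias claimed by two vhosts on one port

# Constructed sample: the DUMP_VHOSTS output posted in this thread.
SAMPLE_THREAD='VirtualHost configuration:
78.26.93.125:80        boinc.multi-pool.info (/etc/apache2/sites-enabled/latinsquares.httpd.conf:1)
*:80                   127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:2)
*:443                  boinc.multi-pool.info (/etc/apache2/sites-enabled/default-ssl.conf:2)'

# Constructed sample: the name-based format, with one name claimed twice on port 80.
SAMPLE_NAMEVHOST='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server example.test (/etc/apache2/sites-enabled/a.conf:1)
         port 80 namevhost example.test (/etc/apache2/sites-enabled/a.conf:1)
                 alias www.example.test
         port 80 namevhost example.test (/etc/apache2/sites-enabled/b.conf:1)
Syntax OK'

# vhost_findings: read DUMP_VHOSTS text on stdin, print one finding per line, sorted.
vhost_findings() {
  awk '
    function record(a, p, n, src,    key) {
      key = n ":" p
      seen[key]++
      if (a == "*") wild[p] = 1; else spec[p] = 1
      if (n ~ /^[0-9.]+$/) printf "NO_SERVERNAME %s:%s %s\n", a, p, src
    }
    # "addr:port  name (file:line)" or "addr:port  is a NameVirtualHost"
    $1 ~ /:[0-9]+$/ {
      np = split($1, parts, ":")
      port = parts[np]
      addr = substr($1, 1, length($1) - length(port) - 1)
      if ($2 == "is") next            # name-based block: its entries follow
      record(addr, port, $2, $3)
      next
    }
    $1 == "port" && $3 == "namevhost" { record(addr, $2, $4, $5); next }
    $1 == "alias"                     { record(addr, port, $2, "(alias)") }
    END {
      for (k in seen) if (seen[k] > 1) printf "DUPLICATE_NAME %s\n", k
      for (p in wild) if (p in spec)  printf "MIXED_ADDRESSING port %s\n", p
    }' | LC_ALL=C sort
}

# Usage:  sudo apachectl -t -D DUMP_VHOSTS 2>&1 | sh vhost_findings.sh --stdin
#         sh vhost_findings.sh --demo        (runs on the thread's sample)
case "${1:-}" in
  --demo)  printf '%s\n' "$SAMPLE_THREAD" | vhost_findings ;;
  --stdin) vhost_findings ;;
esac
```

On the thread's sample this reports `MIXED_ADDRESSING port 80` and `NO_SERVERNAME *:80 (/etc/apache2/sites-enabled/000-default.conf:2)`, which is the pair of issues discussed above; an empty result is what you want to see before running `certbot renew --dry-run` again.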

Hi,

after the modification as suggested, it goes:

certbot renew --dry-run --webroot -w /var/www/html --cert-name boinc.multi-pool.info -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/boinc.multi-pool.info.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for boinc.multi-pool.info
Performing the following challenges:
http-01 challenge for boinc.multi-pool.info
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/boinc.multi-pool.info/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1 Like

Looks like a win!

2 Likes