Please help with certification renewal

My domain is:

I ran this command:
sudo certbot --apache

It produced this output:
"Some challenges have failed."
Although now it does "There were too many requests of a given type"

My web server is (include version):
Apache 2

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
It was an old version, that worked for several years, but I just now upgraded using these instructions, so now it is 1.20.0. I suspect the reason is that I may have changed the _acme-challenge TXT file in AWS route 53. But now I don't know where to look for what I am supposed to write in that text file. Once the rate-limit expires I want to retry without having any TXT-file, hopefully it'll tell me what to write. But please write here if you have a better suggestion, I'm a bit anxious to not have too much down-time, obviously :slight_smile:

1 Like

Welcome to the community!

I see you issued a wildcard cert today so do you still need help?

Note the most recent cert is only for name * so works for domain names like but will not work for by itself. You may want to add that name to the wildcard cert.

If you still need help let us know what DNS provider you use - is it Route53?

You can learn about rate limits below. Your error was for 5 failed attempts in an hour. You can use --dry-run or --test-cert to use the test system and avoid limits. Then remove that to create a live cert.

Lastly, if you do not need a wildcard cert you could use the HTTP challenge itself. Your past certs were just for your apex and www domain names.


Yes, thanks, I still need help. I just wrote a long post, but that seems to have been caught in a spam-filter, so I'll do it again, with less code-examples. Maybe that's what triggered the spam-filter.

Anyway - yes, I am using route 53 and that DNS-01 setup, and have since 2017. Last week, or so, I had trouble renewing and made some changes I shouldn't have made I think. So now I don't have access to that TXT string. I'm guessing I have to revoke what I have and start over, but any tips would be helpful.

1 Like
sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for and

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Type:   unauthorized
  Detail: Invalid response from []: "<html>\n<head>\n  <title>Forbidden</title>\n  <link href=',700,400italic"

  Type:   unauthorized
  Detail: Invalid response from []: "<html>\n<head>\n  <title>Forbidden</title>\n  <link href=',700,400italic"

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/ (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

@lassefolkersen I need to be away for a bit but maybe this will be enough for you to figure it out.

The http challenge is being used in this sample (not DNS) which is best I think for this. The Lets Encrypt server is making a request to your server but getting a faulty response. I tested a similar response and get a 403 error same as you see. In my case I should get a 404 (not found) since the file is not there. But, in your case it should have been a 200 (found).

Check your server defs and make sure this request returns a 404. Then try to renew again with --dry-run

curl -Lki

Don't worry about seeing the 301 redirect - that is fine. It is the 403 Forbidden after that we are concerned with.


Ok, Mike --- thanks a lot! I think I managed to fix it, at least the server is running again and certificates check out and https is on. Your points helped me a lot, but feel free to give it a checkup later - I will too myself (and just sent a donation to letsencrypt, thanks for all your work guys!)

1 Like

Glad it worked out. I am seeing a fresh cert from your server:

Looks good

A tip if this comes up again is try --debug-challenges along with --dry-run
It pauses and prompts as it goes thru those steps


FYI: Revoking never does what 99.99% of the requesters want.
To all readers: Please don't REVOKE a cert when troubleshooting issues.


I'd support any official petition to have all future software documentation written as a series of animated gifs.... at least I understood :slight_smile: :+1:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.