Problem renew a certificate


My domain is:

I ran this command: certbot renew

It produced this output:

My web server is: nginx

The operating system my web server runs on is (include version): Debian 9

The version of my client is: certbot 0.28.0

The other subdomains renew perfectly but my main one doesn’t :frowning:


Hi @SrPeter

you have a “not so good” setting.

A lot of ip addresses:

Host T IP-Address is auth. ∑ Queries ∑ Timeout A yes 1 0
A yes 1 0
AAAA 2606:4700:30::681c:1e6a yes
AAAA 2606:4700:30::681c:1f6a yes A yes 1 0
A yes 1 0
AAAA 2606:4700:30::681c:1e6a yes
AAAA 2606:4700:30::681c:1f6a yes

You have a DNSKEY, but no DS key in the parent zone, so your DNSSEC is incomplete:

Fatal error: DNSKEY 2371 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.

And checking your urls is bad -

too much to copy.

There are redirects http -> https, but your https doesn’t work, so Cloudflare throws an error and the validation can’t work.

If you’re the owner of this website:

The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server. Additional troubleshooting information here.

If you use Cloudflare you need a valide certificate so Cloudflare can load your site.

Perhaps remove the redirect http -> https, so that validation works.



I havent activated DNSKEY in cloudflare or even on my domain seller…
So I have to delete some IPs? IN Cloudflare they are all poiting to my VPS IP
They only thing I see is that I have some IPs on “IP Access Rules” but nothing


Do you know why Cloudflare considers the certificate on your origin to be invalid?

Can you provide the rest of Certbot’s output?

You’ve activated DNSSEC at Cloudflare but not at your domain registrar.



Just checked on CloudFlare and domain:




So Certbot is using the webroot plugin, but Nginx is redirecting HTTP requests to HTTPS, which would be fine, except HTTPS doesn’t work because Cloudflare considers your origin’s current certificate to be invalid.

You can get certificate renewal to succeed by excluding Let’s Encrypt’s requests from the HTTP to HTTPS redirect, or by fixing HTTPS.

Out of curiosity, could you provide the output of “sudo certbot certificates”?


Interesting! You really don’t have DNSSEC enabled at Cloudflare! But it is enabled.

Maybe you just turned it off recently?

Are you sure you’re looking at the correct Cloudflare account? Does the main page say the domain is “Active” without any issues?


Your dns server sends DNSKEY. Same with this tool:

Analyzing DNSSEC problems for

. Found 3 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
Found 2 RRSIGs over DNSKEY RRset
RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
com Found 1 DS records for com in the . zone
DS=30909/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=16749 and DNSKEY=16749 verifies the DS RRset
Found 2 DNSKEY records for com
DS=30909/SHA-256 verifies DNSKEY=30909/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=30909 and DNSKEY=30909/SEP verifies the DNSKEY RRset No DS records found for in the com zone
Found 2 DNSKEY records for
Found 1 RRSIGs over DNSKEY RRset
RRSIG=2371 and DNSKEY=2371/SEP verifies the DNSKEY RRset A RR has value
Found 1 RRSIGs over A RRset
RRSIG=34505 and DNSKEY=34505 verifies the A RRset

Remove the redirect http -> https, then try, if you can load a test file via /.well-known/acme-challenge, that should be enough to create a new certificate.

If that doesn’t work, create a new certificate manual using dns-validation.


The first one sounds complicated lol
On the certificates only the “” appears like is expired

Checked around CloudFlare and yes, its actives and no errors :confused:


I tried to check doing: cd /var/www/peter/.well-known/acme-challenge
And it appears that it doesnt even exist… Probably thats the problem? Is there a solution? :frowning:


Is this

your webroot? Then create there the two subdirectories


there a file (file name 1234) and try to load it via

Then you can use

certbot run -a webroot -i apache -w /var/www/peter/ -d

or same with nginx, I don’t see your server, I see the cloudflare answer.


Can you provide the output?

The .well-known directory would be expected to exist, but Certbot will create it if it doesn’t. The acme-challenge directory doesn’t normally exist when Certbot isn’t running.

That’s not the problem.


I tried that command and still the same error :confused:


Yep! Here you go :slight_smile:


doesn’t work. So the error is ok.


Thank you. :slightly_smiling_face:

It looks like you’ve turned off the HTTP to HTTPS redirect. Does “sudo certbot renew” work now?


Nope, still the same :frowning:


Exactly the same? The HTML hasn’t changed?


Same error :confused:


Not quite – it’s a 404 Not Found error from Before it was a Cloudflare 525 Origin Certificate something error from

It seems the web root setting in /etc/letsencrypt/renewal/ isn’t correct.

You can:

  • Update the Nginx configuration
  • Run the Certbot command to issue a certificate, with the arguments you used originally, and the new path, e.g. “sudo certbot certonly --webroot -w /new/root -d -d
  • Edit the Certbot .conf file in a text editor.


Here is the config:

Where can I find the certbot .conf file?

Thanks for your time!