Problem with renewing a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot renew --dry-run

It produced this output:
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from 404. Skipping.

I have used this certificate for a long time and had no problems. On the same server I can renew many other certificates, but not this one; I can't remember changing anything on the web server. The IP address is correct.

My web server is (include version): Apache 2.4.38

The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster).

My hosting provider, if applicable, is: own VM, hosted by Metanet Switzerland

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Take nothing for granted; especially with Apache.

Something must have changed since your last renewal.
Let's try to unravel that mystery with the output of:
apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:8843        (/etc/apache2/sites-enabled/pim-apple-adressbook-ssl.conf:2)
*:443                  is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/001-bit-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/baikal-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/lam-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/packages-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/phpldapadmin-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/phpmyadmin-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/pim-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/redabe-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/roundcube-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/seafbit-ssl.conf:2)
         port 443 namevhost (/etc/apache2/sites-enabled/t3t-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/001-bit.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/baikal.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/lam.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/packages.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/pbx.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/phpldapadmin.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/phpmyadmin.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/pim.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/provisioning.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/redabe.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/roundcube.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/seafbit.conf:1)
         port 80 namevhost (/etc/apache2/sites-enabled/t3t.conf:1)

This appears to be a name:port conflict/overlap:

port 80 namevhost (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost (/etc/apache2/sites-enabled/001-bit.conf:1)

We should have a look at both of those files.



```apache
# /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.

	DocumentRoot /var/www/html

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/request.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
```



```apache
# /etc/apache2/sites-enabled/001-bit.conf
<VirtualHost _default_:80>
	Include conf-available/bit-default.conf
	Redirect permanent /

	ErrorLog ${APACHE_LOG_DIR}/bit_error.log
	CustomLog ${APACHE_LOG_DIR}/bit_access.log combined
</VirtualHost>
```

000-default.conf is only there to ensure that LE does not get a redirect to https.

Ok, it's your config so you need to wrangle it into shape. Your site is currently using basic authentication for the /.well-known/acme-challenge path and obviously certbot can't read files if that happens.

Your version of certbot is also very old, you should probably update that if you can.

When adding blocks of config/code on the forum try using triple back tick characters at the start and end of long code sections so they get formatted properly and folks will be able to read what you've posted.


I don't know where I set up authentication for /.well-known/acme-challenge.
Does LE follow a redirect to HTTPS? It's not clear to me whether I have to specifically configure a virtual host that doesn't redirect to HTTPS.

Yes, LE can follow https redirects.


That makes no sense.
It can't only do that.
If you don't want the challenge requests to be redirected to HTTPS (I wouldn't either), then you need to handle that within the server block that services those requests [not by creating another conflicting/overlapping service block].
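As an added example, not part of the original thread and not the poster's actual configuration: one way to lay out a single port-80 vhost so that the http-01 request for /.well-known/acme-challenge/ is served directly, outside any site-wide Basic authentication (the problem named in the earlier reply) and outside the blanket redirect to HTTPS (the problem named in this one), while every other request is still redirected. This removes the need for a second, overlapping `_default_:80` vhost. The hostname www.example.com, the webroot /var/www/letsencrypt, the htpasswd path and the log file names are assumptions; the Basic auth block is included only to show the carve-out and can be dropped if the site has no authentication on port 80.

```apache
# Added example (not the poster's config). Hostnames and paths are assumptions.
# Exactly one vhost per name:port; check with: apachectl -t -D DUMP_VHOSTS
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com

    # Webroot that certbot writes tokens into, e.g.
    #   certbot certonly --webroot -w /var/www/letsencrypt -d www.example.com
    # (must match the webroot_path in /etc/letsencrypt/renewal/<name>.conf)
    Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/.well-known/acme-challenge/"

    # Weak setting that breaks http-01: site-wide Basic auth also covers the
    # challenge path, so the CA's validator gets a 401 instead of the token.
    <Location "/">
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>

    # Fix: the more specific Location is merged after "/" and switches
    # authentication off for the challenge path only.
    <Location "/.well-known/acme-challenge/">
        AuthType None
        Require all granted
    </Location>
    <Directory "/var/www/letsencrypt/.well-known/acme-challenge">
        AllowOverride None
        Options -Indexes -ExecCGI
        Require all granted
    </Directory>

    # Redirect everything except the challenge path to HTTPS. mod_alias
    # applies Redirect* before Alias regardless of order, so a plain
    # "Redirect permanent / https://..." would swallow the challenge too;
    # the negative lookahead keeps it on port 80.
    RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)$" "https://www.example.com/$1"

    ErrorLog ${APACHE_LOG_DIR}/example_error.log
    CustomLog ${APACHE_LOG_DIR}/example_access.log combined
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -sI http://www.example.com/.well-known/acme-challenge/test` should answer 404 from this vhost (not 301 or 401), and `curl -sI http://www.example.com/anything` should answer 301 to HTTPS; then `certbot renew --dry-run` exercises the real token path.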


Thank you, I have adjusted the Apache configuration. Everything works as desired again.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.