Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: betschart-it.ch
I ran this command: certbot renew --dry-run
It produced this output:
Attempting to renew cert (betschart-it.ch) from /etc/letsencrypt/renewal/betschart-it.ch.conf produced an unexpected error: Failed authorization procedure. betschart-it.ch (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 46.231.207.58: Invalid response from http://betschart-it.ch/.well-known/acme-challenge/XTpuVe4K_HWldiCm-ce0NZRyu9SicStkkhmOmZvcwOM: 404. Skipping.
I have used this certificate for a long time and had no problems. On the same server I can renew many other certificates but not this one, e.g. ldap.betschart-it.ch. I can't remember changing anything on the web server. The IP address is correct.
My web server is (include version): Apache 2.4.38
The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster).
My hosting provider, if applicable, is: own VM, hosted by Metanet Switzerland
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0
```
VirtualHost configuration:
*:8843                 pim.betschart-it.ch (/etc/apache2/sites-enabled/pim-apple-adressbook-ssl.conf:2)
*:443                  is a NameVirtualHost
         default server betschart-it.ch (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost betschart-it.ch (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost www.betschart-it.ch (/etc/apache2/sites-enabled/001-bit-ssl.conf:2)
         port 443 namevhost baikal.betschart-it.ch (/etc/apache2/sites-enabled/baikal-ssl.conf:2)
         port 443 namevhost lam.betschart-it.ch (/etc/apache2/sites-enabled/lam-ssl.conf:2)
         port 443 namevhost packages.betschart-it.ch (/etc/apache2/sites-enabled/packages-ssl.conf:2)
         port 443 namevhost phpldapadmin.betschart-it.ch (/etc/apache2/sites-enabled/phpldapadmin-ssl.conf:2)
         port 443 namevhost phpmyadmin.betschart-it.ch (/etc/apache2/sites-enabled/phpmyadmin-ssl.conf:2)
         port 443 namevhost pim.betschart-it.ch (/etc/apache2/sites-enabled/pim-ssl.conf:2)
         port 443 namevhost www.redabe.ch (/etc/apache2/sites-enabled/redabe-ssl.conf:2)
                 alias redabe.ch
         port 443 namevhost webmail.betschart-it.ch (/etc/apache2/sites-enabled/roundcube-ssl.conf:2)
         port 443 namevhost cloud.betschart-it.ch (/etc/apache2/sites-enabled/seafbit-ssl.conf:2)
         port 443 namevhost t3t.betschart-it.ch (/etc/apache2/sites-enabled/t3t-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.betschart-it.ch (/etc/apache2/sites-enabled/001-bit.conf:1)
                 alias betschart-it.ch:80
         port 80 namevhost baikal.betschart-it.ch (/etc/apache2/sites-enabled/baikal.conf:1)
         port 80 namevhost lam.betschart-it.ch (/etc/apache2/sites-enabled/lam.conf:1)
         port 80 namevhost packages.betschart-it.ch (/etc/apache2/sites-enabled/packages.conf:1)
         port 80 namevhost pbx.betschart-it.ch (/etc/apache2/sites-enabled/pbx.conf:1)
         port 80 namevhost phpldapadmin.betschart-it.ch (/etc/apache2/sites-enabled/phpldapadmin.conf:1)
         port 80 namevhost phpmyadmin.betschart-it.ch (/etc/apache2/sites-enabled/phpmyadmin.conf:1)
         port 80 namevhost pim.betschart-it.ch (/etc/apache2/sites-enabled/pim.conf:1)
         port 80 namevhost provisioning.betschart-it.ch (/etc/apache2/sites-enabled/provisioning.conf:1)
         port 80 namevhost www.redabe.ch (/etc/apache2/sites-enabled/redabe.conf:1)
                 alias redabe.ch
         port 80 namevhost webmail.betschart-it.ch (/etc/apache2/sites-enabled/roundcube.conf:1)
         port 80 namevhost cloud.betschart-it.ch (/etc/apache2/sites-enabled/seafbit.conf:1)
         port 80 namevhost t3t.betschart-it.ch (/etc/apache2/sites-enabled/t3t.conf:1)
```
```
         port 80 namevhost betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.betschart-it.ch (/etc/apache2/sites-enabled/001-bit.conf:1)
                 alias betschart-it.ch:80
```
```
<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.

    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/request.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>
```
Ok, it's your config so you need to wrangle it into shape. Your site is currently using basic authentication for the /.well-known/acme-challenge path and obviously certbot can't read files if that happens.
Your version of certbot is also very old, you should probably update that if you can.
When adding blocks of config/code on the forum try using triple back tick characters at the start and end of long code sections so they get formatted properly and folks will be able to read what you've posted.
I don't know where I set up authentication for /.well-known/acme-challenge.
Does LE follow a redirect to HTTPS? It's not clear to me whether I have to specifically configure a virtual host that doesn't redirect to HTTPS.
That makes no sense.
It can't only do that.
If you don't want the challenge requests to be redirected to HTTPS (I wouldn't either), then you need to handle that within the server block that services those requests [not by creating another conflicting/overlapping service block].
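
The `apachectl -S` listing in the first post shows betschart-it.ch named by two port-80 vhost files, the kind of overlapping block the last reply warns against. The following is an added example, not part of the thread: a Python script that parses such a listing and reports every name claimed by more than one file. Treating the alias `betschart-it.ch:80` as the bare hostname is an assumption.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: port-80 lines copied from the listing posted in the thread.
SAMPLE = """\
*:80                   is a NameVirtualHost
         default server betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost betschart-it.ch (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost www.betschart-it.ch (/etc/apache2/sites-enabled/001-bit.conf:1)
                 alias betschart-it.ch:80
         port 80 namevhost www.redabe.ch (/etc/apache2/sites-enabled/redabe.conf:1)
                 alias redabe.ch
"""

VHOST = re.compile(r"port (\d+) namevhost (\S+) \((.+):(\d+)\)")
ALIAS = re.compile(r"(?:wild )?alias (\S+)")


def name_claims(dump):
    """Map (port, hostname) -> vhost definition files, in listing order."""
    claims = defaultdict(list)
    port = conf = None
    for line in dump.splitlines():
        line = line.strip()
        m = VHOST.match(line)
        if m:
            port, host, conf = m.group(1, 2, 3)
        else:
            m = ALIAS.match(line)
            if not m or conf is None:
                continue  # header or "default server" line
            host = m.group(1)
        # Assumption: a ":80" suffix on an alias is meant as the bare name.
        host = host.lower().split(":")[0]
        if conf not in claims[(port, host)]:
            claims[(port, host)].append(conf)
    return claims


def overlaps(dump):
    """Return only the names that more than one vhost file claims on a port."""
    return {k: v for k, v in name_claims(dump).items() if len(v) > 1}


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (port, host), files in sorted(overlaps(text).items()):
        print(f"{host}:{port} claimed by {', '.join(files)}")
```

On the server, pipe the output of `apachectl -S` into the script; for each reported name, check the document root and access rules of the vhost that actually answers requests for `/.well-known/acme-challenge/`.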