Re: Your certificate (or certificates) for the names listed below will expire in 17 days (on 20 Sep 22 01:23 +0000)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ingber.com

I ran this command:
/usr/bin/certbot certonly -v -d blog.ingber.com,default.ingber.com,lester.ingber.com,lin.ingber.com,lin6.ingber.com,www.ingber.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

It produced this output:

12:25:38 ingber@linode# ~: /usr/bin/certbot certonly -v -d blog.ingber.com,default.ingber.com,lester.ingber.com,lin.ingber.com,lin6.ingber.com,www.ingber.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for blog.ingber.com and 5 more domains
Performing the following challenges:
http-01 challenge for blog.ingber.com
http-01 challenge for default.ingber.com
http-01 challenge for lester.ingber.com
http-01 challenge for lin.ingber.com
http-01 challenge for lin6.ingber.com
http-01 challenge for www.ingber.com
Waiting for verification...
Challenge failed for domain blog.ingber.com
Challenge failed for domain default.ingber.com
Challenge failed for domain lester.ingber.com
Challenge failed for domain lin6.ingber.com
Challenge failed for domain www.ingber.com
Challenge failed for domain lin.ingber.com
http-01 challenge for blog.ingber.com
http-01 challenge for default.ingber.com
http-01 challenge for lester.ingber.com
http-01 challenge for lin6.ingber.com
http-01 challenge for www.ingber.com
http-01 challenge for lin.ingber.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: blog.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://blog.ingber.com/.well-known/acme-challenge/2V1LHKiG-67OdeMICitxTqhCoSmroXcGK7rhiXguTiQ: 403

  Domain: default.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://default.ingber.com/.well-known/acme-challenge/C9eo-shK1-Y-dqqLG1XWVMOV0QifVRazSpKpH6OG9GQ: 403

  Domain: lester.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://lester.ingber.com/.well-known/acme-challenge/JsgZ4JaJ1q7hP2aN53vnregSthXPBJjfyi62tQDwBxE: 403

  Domain: lin6.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://lin6.ingber.com/.well-known/acme-challenge/caET_DIds3MLS8bqNJkecZGmcX_RayERBh2hoMZXsC4: 403

  Domain: www.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://www.ingber.com/.well-known/acme-challenge/dnBmPK04ZpkpPC5w-gdsl8YyZyVP-molTfooxgsMN7k: 403

  Domain: lin.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://lin.ingber.com/.well-known/acme-challenge/DciIXnzP3_ucncPXmdCRnC5zK2FoCvpBptFNxdsX_7g: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Linode.com

The operating system my web server runs on is (include version):
Linux lin 5.19.2-x86_64-linode156 #1 SMP PREEMPT_DYNAMIC Thu Aug 18 15:51:13 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.29.0

I can't replicate the "403" error.
I get only "302" redirect [then the expected "404" via HTTPS].
Which leads me to believe that something is treating the LE IPs differently than it treated mine.

curl -Ii6 http://blog.ingber.com/.well-known/acme-challenge/Test_File-1234 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 302 Found
Date: Fri, 02 Sep 2022 20:13:34 GMT
Server: Apache
Location: https://blog.ingber.com/.well-known/acme-challenge/Test_File-1234
Content-Type: text/html; charset=iso-8859-1

4 Likes

Perhaps the entry from letsencrypt.org might help?

2022-09-02 12:26:38,671:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: blog.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://blog.ingber.com/.well-known/acme-challenge/2V1LHKiG-67OdeMICitxTqhCoSmroXcGK7rhiXguTiQ: 403

  Domain: default.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://default.ingber.com/.well-known/acme-challenge/C9eo-shK1-Y-dqqLG1XWVMOV0QifVRazSpKpH6OG9GQ: 403

  Domain: lester.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://lester.ingber.com/.well-known/acme-challenge/JsgZ4JaJ1q7hP2aN53vnregSthXPBJjfyi62tQDwBxE: 403

  Domain: lin6.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://lin6.ingber.com/.well-known/acme-challenge/caET_DIds3MLS8bqNJkecZGmcX_RayERBh2hoMZXsC4: 403

  Domain: www.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://www.ingber.com/.well-known/acme-challenge/dnBmPK04ZpkpPC5w-gdsl8YyZyVP-molTfooxgsMN7k: 403

  Domain: lin.ingber.com
  Type:   unauthorized
  Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://lin.ingber.com/.well-known/acme-challenge/DciIXnzP3_ucncPXmdCRnC5zK2FoCvpBptFNxdsX_7g: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2022-09-02 12:26:38,673:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-09-02 12:26:38,673:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-09-02 12:26:38,673:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-09-02 12:26:38,889:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/2192/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 1591, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/snap/certbot/2192/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-09-02 12:26:38,896:ERROR:certbot._internal.log:Some challenges have failed.

Those logs still show "403" [permissions problem]
Try this (and show the log entries it creates):

/usr/bin/certbot certonly -v -d blog.ingber.com,default.ingber.com,lester.ingber.com,lin.ingber.com,lin6.ingber.com,www.ingber.com --dry-run

5 Likes

Please do the command as rg305 showed.

This problem seems to be a pattern with your cert requests. You posted a similar problem 10 days ago and before that in May.

Do you still have your VirtualHosts set up like you showed in Feb here? Because you had IPv4 and IPv6 VHosts separate and I can't help but wonder whether that is contributing to this.

5 Likes

The run below was done with the one suggested.
I see postings of similar problems. Has LetsEncrypt changed some formats?

08:08:23 ingber@linode# ~: /usr/bin/certbot certonly -v -d blog.ingber.com,default.ingber.com,lester.ingber.com,lin.ingber.com,lin6.ingber.com,www.ingber.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache
Simulating a certificate request for blog.ingber.com and 5 more domains
Performing the following challenges:
http-01 challenge for blog.ingber.com
http-01 challenge for default.ingber.com
http-01 challenge for lester.ingber.com
http-01 challenge for lin.ingber.com
http-01 challenge for lin6.ingber.com
http-01 challenge for www.ingber.com
Waiting for verification...
Challenge failed for domain blog.ingber.com
Challenge failed for domain default.ingber.com
Challenge failed for domain lester.ingber.com
Challenge failed for domain lin.ingber.com
Challenge failed for domain lin6.ingber.com
Challenge failed for domain www.ingber.com
http-01 challenge for blog.ingber.com
http-01 challenge for default.ingber.com
http-01 challenge for lester.ingber.com
http-01 challenge for lin.ingber.com
http-01 challenge for lin6.ingber.com
http-01 challenge for www.ingber.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: blog.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://blog.ingber.com/.well-known/acme-challenge/aPSp66184mYq5F636Jj_DYsDwNMekCjjq2oE-ZZWj0M: 403

Domain: default.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://default.ingber.com/.well-known/acme-challenge/KGu_eUgTKD4jgeJ7HDwtdG3fKay3ILUUQ8QYqZ-Oz90: 403

Domain: lester.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://lester.ingber.com/.well-known/acme-challenge/1YdfMNYv14uhnaaxqF-kvqfUjeOUnEj8oOWRidbfDAo: 403

Domain: lin.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://lin.ingber.com/.well-known/acme-challenge/RFJS08c-HHifMqcwjN2lfnIldHCLYK2iFlBOh02QcA8: 403

Domain: lin6.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://lin6.ingber.com/.well-known/acme-challenge/WPOgslK3pphHXQEUp318GbYzx_me60ON9ICgRit_FM8: 403

Domain: www.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from http://www.ingber.com/.well-known/acme-challenge/dN3qXsAnmzkLquqHYibm_mDGNf2-71_fLd1uUNYZFHc: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

/var/log/letsencrypt/letsencrypt.log

Can you upload the log file from the failed run? You may need to copy it to a .txt to upload.

If copy/paste is easier (it is very long though), please place 3 backticks before and after the output like:
```
log data
```

4 Likes

I now see:


Processing /etc/letsencrypt/renewal/www.ingber.com.conf


Certificate not yet due for renewal


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem expires on 2022-10-30 (skipped)
No renewals were attempted.


Saving debug log to /var/log/letsencrypt/letsencrypt.log

I guess I have to wait to see if the cert is OK.

Thanks.

Lester

1 Like

If you add --dry-run it should test them now just like you tried in post #6

4 Likes

This fails:

08:48:24 ingber@linode# ~: /usr/bin/certbot renew -v --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.ingber.com.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for www.ingber.com and 6 more domains
Performing the following challenges:
http-01 challenge for blog.ingber.com
http-01 challenge for default.ingber.com
http-01 challenge for lester.ingber.com
http-01 challenge for lin.ingber.com
http-01 challenge for lin6.ingber.com
http-01 challenge for www.ingber.com
http-01 challenge for ingber.com
Using the webroot path /var/www-ssl for all unmatched domains.
Cleaning up challenges
Encountered exception during recovery: FileNotFoundError: [Errno 2] No such file or directory: '/var/www-ssl/.well-known/acme-challenge/vC5OuXtor5sJYWiAS07XOiMkV7-SR8Yk7BOHF1Rp6SI'
Failed to renew certificate www.ingber.com with error: Couldn't create root for blog.ingber.com http-01 challenge responses: [Errno 17] File exists: '/var/www-ssl/.well-known'


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Does this mean that only "blog" is failing? I could delete that one.

Note that this latest failure is using a different Certbot method than earlier. This is using webroot authenticator where earlier you tried apache plugin. That's fine. Just wanting to point out why the symptoms are changing.

Still, need to see more details. Still want to see a log file as described here:

3 Likes

Hi. I attach letsencrypt.txt (letsencrypt.log -> letsencrypt.txt).

Lester
letsencrypt.txt (105.3 KB)

I also attach the previous log file (letsencrypt.log.1 -> letsencrypt_1.txt).
letsencrypt_1.txt (137.2 KB)

File exists: '/var/www-ssl/.well-known'

hmm...

What shows?:
ls -l /var/www-ssl/

2 Likes

19:26:23 ingber@linode# /var/www-ssl: ls -laR .well-known
.well-known:
total 24
drwx--S--- 2 root www-data 4096 Sep 11 19:25 .
drwxr-sr-x 4 root www-data 20480 Sep 11 19:24 ..

after trying again:

19:25:14 ingber@linode# ~: /usr/bin/certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.ingber.com.conf


Simulating renewal of an existing certificate for www.ingber.com and 6 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority rep:
Domain: lin6.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from https://lin6.ingber.com/.well-known3

Domain: blog.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from https://blog.ingber.com/.well-known3

Domain: default.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from https://default.ingber.com/.well-kn3

Domain: lester.ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from https://lester.ingber.com/.well-kno3

Domain: lin.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://lin.ingber.com/.well-known/acme-challenge/3

Domain: www.ingber.com
Type: unauthorized
Detail: 173.255.212.226: Invalid response from https://www.ingber.com/.well-known/acme-challenge/3

Domain: ingber.com
Type: unauthorized
Detail: 2600:3c01::f03c:91ff:fe93:e6f3: Invalid response from https://ingber.com/.well-known/acme3

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot.

Failed to renew certificate www.ingber.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log.

The .well-known folder was linked to a ../www/.well-known folder that did not exist. I deleted the www/ folder a few days ago to start over. I just re-created that .well-known folder.

In light of my test with .well-known/ I rebooted and ran:

19:40:25 ingber@linode# ~: /usr/bin/certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.ingber.com.conf


Simulating renewal of an existing certificate for www.ingber.com and 6 more domains


Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/www.ingber.com/fullchain.pem (success)


I do not know if this means all is OK, since I see no entries under .well-known
19:42:59 ingber@linode# /var/www-ssl: ls -laR .well-known/
.well-known/:
total 24
drwxr-sr-x 2 root www-data 4096 Sep 11 19:40 .
drwxr-sr-x 4 root www-data 20480 Sep 11 19:24 ..
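
The two webroot conditions that show up in this thread, a `.well-known` symlink whose target was deleted and a directory mode like `drwx--S---` that only the owner can traverse, checked in one place. This is an added example, not code from any poster or from Certbot; `diagnose_webroot`, `mkdir_errno`, `demo` and the temporary directory layout are hypothetical, and the permission test is a heuristic that assumes the web server does not run as the directory's owner.

```python
import os
import stat
import tempfile


def diagnose_webroot(webroot):
    """Hypothetical pre-flight check: why an http-01 webroot challenge could fail."""
    problems = []
    path = webroot
    for part in (".well-known", "acme-challenge"):
        path = os.path.join(path, part)
        if not os.path.lexists(path):
            break  # nothing there yet: the ACME client can create it
        if os.path.islink(path) and not os.path.exists(path):
            problems.append(f"{path}: dangling symlink to {os.readlink(path)!r}")
            break
        if not os.path.isdir(path):
            problems.append(f"{path}: exists but is not a directory")
            break
        mode = os.stat(path).st_mode
        # Heuristic: with no group/other search bit, only the owner can enter,
        # so a web server running as a different user cannot serve the token.
        if not mode & (stat.S_IXGRP | stat.S_IXOTH):
            problems.append(f"{path}: mode {stat.filemode(mode)} lets only the owner traverse it")
    return problems


def mkdir_errno(path):
    """Return the errno raised by os.mkdir(path), or 0 on success."""
    try:
        os.mkdir(path)
    except OSError as exc:
        return exc.errno
    return 0


def demo():
    """Build constructed webroots in a temp dir and report what each check finds."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Case 1 (constructed): .well-known links to a directory that was deleted.
        broken = os.path.join(tmp, "www-ssl")
        os.mkdir(broken)
        os.symlink("../www/.well-known", os.path.join(broken, ".well-known"))
        results["dangling"] = diagnose_webroot(broken)
        results["mkdir_errno"] = mkdir_errno(os.path.join(broken, ".well-known"))
        # Case 2 (constructed): a real directory that only its owner can enter.
        locked = os.path.join(tmp, "locked")
        os.makedirs(os.path.join(locked, ".well-known"))
        os.chmod(os.path.join(locked, ".well-known"), 0o700)
        results["owner_only"] = diagnose_webroot(locked)
        # Case 3 (constructed): the same directory made traversable.
        os.chmod(os.path.join(locked, ".well-known"), 0o755)
        results["fixed"] = diagnose_webroot(locked)
    return results


if __name__ == "__main__":
    print(demo())
```

A plain `mkdir` on a dangling symlink fails with errno 17 (`File exists`), the same errno reported for `/var/www-ssl/.well-known` in the renew output above. An empty `.well-known` directory after a successful dry run is expected, since the output shows Certbot "Cleaning up challenges" when it finishes.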

What shows?:
ls -la /var/www-ssl/ | grep well

3 Likes

19:59:31 ingber@linode# /var/www-ssl: ls -la /var/www-ssl/ | grep well
drwxr-sr-x 2 root www-data 4096 Sep 11 19:40 .well-known

Same result from any directory:

20:09:37 ingber@linode# ~: !ls
ls -la /var/www-ssl/ | grep well
drwxr-sr-x 2 root www-data 4096 Sep 11 19:40 .well-known