Renew letsencrypt certificate error https

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command: sudo certbot renew --dry-run

It produced this output:

Processing /etc/letsencrypt/renewal/

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/-----/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:/ / “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): YES
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Cerbot 0.28.0

The thing is that I made my website to automatically redirect to https. So if I create a simple file (1234) in I can see the file. If I create the file in the I cannot access the created file(1234).
For some reasons the renewal seems to use http rather than https.
How can I renew the certificates by keeping my website within the https ?

Thank you.

Hi @letsencryptdeb

your dns settings are bad ( ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout Refused yes 1 0 Refused yes 1 0 A no A no

Your authoritative Nameservers send a Refused, so your domain may be blocked.

An ip is only available via cached values, not direct.

And your DNSSEC settings are inconsistent:

0 DS RR in the parent zone found
	DS-Query in the parent zone has a valide NSEC3 RR as result with the hashed domain name between the hashed NSEC3-owner and the hashed NextOwner. So the parent zone confirmes the non-existence of a DS RR.


Fatal error: DNSKEY 8541 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.
Fatal error: DNSKEY 26537 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.

Your parent zone says, there is no DNSSEC. Your zone has a DNSKEY.

But "Refused" means: Your domain can't work.

Hi. I just restarted the server.
I’m still not able to renew.

Http as Destination - no encryption

last check:
28.01.2019 00:46:58 Host T IP-Address is auth. ∑ Queries ∑ Timeout A yes 1 0
AAAA yes A yes 1 0
AAAA yes

It doesn't automatically redirect to HTTPS. is some sort of blank HTML page.
Index of /.well-known/acme-challenge is a 404 Not Found error.

If it did redirect to HTTPS -- preserving the path -- that would work.


In addition:
Redirections done in html/java/etc. code will fail.
[they rely on the client interacting with that code - LE will NOT]
Redirections should be done by the web server/service.

I’m using htaccess file for redirecting traffic and ports.

Can you show the file?

Also I don’t get redirected.
[perhaps file is in wrong folder]

And yet no redirection seen:

--2019-01-28 01:54:06--
Resolving (
Connecting to (||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1485 (1.5K) [text/html]

You are right.I think I have a problem with redirecting.

1 Like

Ah, yep, I see, you have rechecked your domain, the refused is gone.

And you have a valide certificate:
	27.04.2019,, - 3 entries

but (time of your check) only one redirect.

Uhm - looks that the nameservers are very buggy, they send again a refused. Now they have again EDNS-warnings: Two are good, two are bad.

Ok, again rechecked - now there is no refused, it's really a problem of buggy nameservers.

OK. I also have two more, I think old certificates. It is with them that I get the errors. Should I delete them.
one is in /etc/—/---/ and the other one /etc/—/---/
Thank you.

It's a problem of your nameservers from your hoster.

It's not a problem of your old certificates. They may be expired.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.