Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: datastore.ro
I ran this command: sudo certbot renew --dry-run
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.datastore.ro
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.datastore.ro-0001) from /etc/letsencrypt/-----/www.datastore.ro-0001.conf produced an unexpected error: Failed authorization procedure. www.datastore.ro (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:/ /www.datastore.ro/.well-known/acme-challenge/-lU1wsuFnQEa1QKa3Gbx71HY4HS8tPFEKrvaCZpNZ8k: “\n\n404 Not Found\n\n
Not Found
\n<p”. Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/www.datastore.ro-0001/fullchain.pem (failure)
My web server is (include version): Apache 2.4.29
The operating system my web server runs on is (include version): Ubuntu 18.04LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): YES
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Cerbot 0.28.0
The thing is that I made my website to automatically redirect to https. So if I create a simple file (1234) in https://www.datastore.ro/.well-known/acme-challenge I can see the file. If I create the file in the http://www.datastore.ro/.well-known/acme-challenge I cannot access the created file(1234).
For some reasons the renewal seems to use http rather than https.
How can I renew the certificates by keeping my website within the https ?
Your authoritative Nameservers send a Refused, so your domain may be blocked.
An ip is only available via cached values, not direct.
And your DNSSEC settings are inconsistent:
0 DS RR in the parent zone found
DS-Query in the parent zone has a valide NSEC3 RR as result with the hashed domain name between the hashed NSEC3-owner and the hashed NextOwner. So the parent zone confirmes the non-existence of a DS RR.
versus
Fatal error: DNSKEY 8541 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.
Fatal error: DNSKEY 26537 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.
Your parent zone says, there is no DNSSEC. Your zone has a DNSKEY.
In addition:
Redirections done in html/java/etc. code will fail.
[they rely on the client interacting with that code - LE will NOT]
Redirections should be done by the web server/service.
OK. I also have two more, I think old certificates. It is with them that I get the errors. Should I delete them.
one is in /etc/—/---/www.datastore.ro-002.conf and the other one /etc/—/---/www.datastore.ro-001.conf.
Thank you.