Renewal attempts failed, obtaining failed unless nginx restart

My domain is:

I ran this command: sudo certbot renew --cert-name

It produced this output:

Challenge failed for domain
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ (failure)

My web server is (include version): nginx/1.20.2

The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is: it's a dedicated server

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

A couple of months ago I started to have problems obtaining and verifying new certificates on this server. The problem was that it was impossible to have the temporary well-known directive loaded by nginx, and the challenges always failed.
I solved it with a simple workaround using the
--debug-challenges -v
directive and, using another terminal, restarting nginx before confirming, to check for the .well-known nginx config to be created. An nginx reload was not enough.

I think I now have the very same problem, but on the renewal process... can I use a sort of --debug-challenges on renewal to restart nginx just before the challenge?

Or do you have any advice on how to solve the problem at the source? When I had fewer domains I was able to renew certificates and to obtain new ones simply using

sudo certbot --nginx --non-interactive --redirect -d "URL"

but when the number of domains increased I started to have to restart nginx in the middle of the obtaining process, and it looks like I now have the same on the renewal process.

This is almost certainly a case of nginx not reloading quickly enough for Certbot's tastes.

We added an --nginx-sleep-seconds parameter to Certbot in version v1.7.0 which allows you to increase the duration for which Certbot will wait for nginx to finish reloading. I highly recommend upgrading Certbot and using that flag.

You can use the snap or pip instructions to get a newer Certbot on Ubuntu 20.04.

You could also upgrade to Ubuntu 22.04, where the apt package for Certbot is v1.21.0.
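
A pre-flight check for the advice in the reply above, as an added example that is not part of the original thread or of Certbot itself: it parses the `certbot --version` output and only builds a renew command with `--nginx-sleep-seconds` when the client is at least v1.7.0. The function names and the 10-second value are assumptions chosen for illustration, and it assumes the certificates are renewed through the nginx plugin.

```shell
#!/bin/sh
# Added example (hypothetical helper names): gate --nginx-sleep-seconds on the
# Certbot version, since the reply above says the flag arrived in v1.7.0.

MIN_VERSION="1.7.0"

# version_ge A B: succeed when dotted numeric version A >= B.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading component of each
        [ "$a" = "$x" ] && a= || a=${a#*.}           # drop it from the remainder
        [ "$b" = "$y" ] && b= || b=${b#*.}
        x=${x:-0}; y=${y:-0}                         # missing component counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0                                         # all components equal
}

# parse_certbot_version "certbot 0.40.0" prints "0.40.0" (empty if unparseable).
parse_certbot_version() {
    printf '%s\n' "$1" | sed -n 's/^certbot \([0-9][0-9.]*\).*$/\1/p'
}

# renew_command VERSION_OUTPUT SLEEP_SECONDS
# Prints the renew command when the flag is supported; otherwise explains why
# on stderr and returns non-zero so a cron wrapper can alert instead of
# silently running a renewal that will fail the challenge again.
renew_command() {
    ver=$(parse_certbot_version "$1")
    if [ -z "$ver" ]; then
        echo "could not parse certbot version from: $1" >&2
        return 2
    fi
    if version_ge "$ver" "$MIN_VERSION"; then
        printf 'certbot renew --nginx-sleep-seconds %s\n' "$2"
    else
        echo "certbot $ver predates $MIN_VERSION: upgrade before using --nginx-sleep-seconds" >&2
        return 1
    fi
}

# Usage (as root), with 10 seconds as a constructed sample value:
#   cmd=$(renew_command "$(certbot --version 2>&1)" 10) && $cmd
```

With the 0.40.0 client reported in the question, `renew_command` returns 1 and prints the upgrade message rather than a command.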


Thanks for your suggestion.
While waiting to safely update the certbot version using snap on the production server, is there any chance to use something like --debug-challenges on the renewal process? So that I can restart nginx during the process and keep the renewal process waiting longer?


I don’t think there’s a way to do what you want, sorry. We added the flag because there was no workaround (other than changing authenticator).

