Renewal attempts, http01 challenge failed for all domains

Hi everyone. I’m trying to renew certificates for several sites, and I’m getting the same errors on all of them. I’ve tried following the guide (How to stop using TLS-SNI-01 with Certbot) to no avail. Other posts in this forum suggesting stopping Apache give no result.

I’m hoping someone can help me, thanks in advance.

Here are the details for one of the servers.


My domain is: dartstudie.nl, www.dartstudie.nl, dartstudie.meditrials.nl

I ran this command: certbot-auto renew --dry-run

It produced this output:

root@dartstudie:/etc/apache2/sites-enabled# certbot-auto renew --dry-run
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/primitives/constant_time.py:26: CryptographyDeprecationWarning: Support for your Python version is deprecated. The next version of cryptography will remove support. Please upgrade to a 2.7.x release that supports hmac.compare_digest as soon as possible.
  utils.DeprecatedIn23,
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dartstudie.meditrials.nl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dartstudie.meditrials.nl
Waiting for verification...
Challenge failed for domain dartstudie.meditrials.nl
http-01 challenge for dartstudie.meditrials.nl
Cleaning up challenges
Attempting to renew cert (dartstudie.meditrials.nl) from /etc/letsencrypt/renewal/dartstudie.meditrials.nl.conf produced an unexpected error: Some challenges have failed.. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dartstudie.nl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dartstudie.nl
http-01 challenge for www.dartstudie.nl
Waiting for verification...
Challenge failed for domain www.dartstudie.nl
Challenge failed for domain dartstudie.nl
http-01 challenge for www.dartstudie.nl
http-01 challenge for dartstudie.nl
Cleaning up challenges
Attempting to renew cert (dartstudie.nl) from /etc/letsencrypt/renewal/dartstudie.nl.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dartstudie.meditrials.nl/fullchain.pem (failure)
  /etc/letsencrypt/live/dartstudie.nl/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/dartstudie.meditrials.nl/fullchain.pem (failure)
  /etc/letsencrypt/live/dartstudie.nl/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dartstudie.meditrials.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://dartstudie.meditrials.nl/.well-known/acme-challenge/pyFbA4geEfSthXUoGjaYVir1WcQlPlftqPheOPYBDpM
   [185.110.174.167]: 403

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: www.dartstudie.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://www.dartstudie.nl/.well-known/acme-challenge/-mZ_sB92eYnCOzrVb7i4ZxRuw6niKJPWwpTRVXqvnRQ
   [185.110.174.167]: 403

   Domain: dartstudie.nl
   Type:   unauthorized
   Detail: Invalid response from
   http://dartstudie.nl/.well-known/acme-challenge/Q64wM6JQLjgbb_FdYd3hwhkHju6uNm_-DtsCe90syG8
   [185.110.174.167]: 403

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache HTTP 2.4

The operating system my web server runs on is (include version): Ubuntu 14.04.2 LTS (Trusty)

My hosting provider, if applicable, is: cloudvps.nl

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.32.0


Here are the contents of /etc/letsencrypt/renewal/dartstudie.nl.conf:

# renew_before_expiry = 30 days
version = 0.24.0
archive_dir = /etc/letsencrypt/archive/dartstudie.nl
cert = /etc/letsencrypt/live/dartstudie.nl/cert.pem
privkey = /etc/letsencrypt/live/dartstudie.nl/privkey.pem
chain = /etc/letsencrypt/live/dartstudie.nl/chain.pem
fullchain = /etc/letsencrypt/live/dartstudie.nl/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 2533b5d9a01e216f637c740c3a85cb81
root@dartstudie:/etc/apache2/sites-enabled#

Hi @finfiles-dev

Checking your domain (via https://check-your-website.server-daten.de/?q=dartstudie.nl ), most of it looks good.

Port 80 is open, there are no wrong redirects, and checking a non-existent file in /.well-known/acme-challenge produces the expected result: HTTP status 404 - Not Found.

| Domainname | IP | Http-Status | redirect | Sec. | G | Details |
|---|---|---|---|---|---|---|
| http://dartstudie.nl/ | 185.110.174.167 | 200 | | 0.106 | H | |
| http://www.dartstudie.nl/ | 185.110.174.167 | 200 | | 0.073 | H | |
| https://dartstudie.nl/ | 185.110.174.167 | -4 | | 0.060 | W | SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format. |
| https://www.dartstudie.nl/ | 185.110.174.167 | -4 | | 0.057 | W | SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format. |
| http://dartstudie.nl:443/ | 185.110.174.167 | 403 | | 0.033 | Q | Forbidden. Visible Content: 403 - Forbidden |
| http://www.dartstudie.nl:443/ | 185.110.174.167 | 403 | | 0.034 | Q | Forbidden. Visible Content: 403 - Forbidden |
| 404 Not Found | 185.110.174.167 | 404 | | 0.097 | A | Not Found |

Your port 443 sends HTTP content, which is wrong. But you don't have redirects http -> https, so this problem isn't critical.

So try to find your DocumentRoot in your vHost, then use it:

certbot run -a webroot -i apache -w yourDocumentRoot -d dartstudie.nl -d www.dartstudie.nl

Hi Juergen,

the command worked, thank you very much for this.
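
The webroot method suggested above only works if the directory passed with -w really is the DocumentRoot that answers on port 80 for every name on the certificate. The following pre-flight check is an added example, not part of the original posts; the function name `check_webroot`, the `FETCH` override and the probe file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: confirm that a candidate DocumentRoot is what the web
# server actually serves under /.well-known/acme-challenge/ before
# running "certbot run -a webroot -w <DocumentRoot> ...".

# Command used to GET a URL. Overridable so the check can be tested offline.
# -f makes curl fail on 4xx/5xx, so a 403 like the one in the log counts as FAIL.
FETCH=${FETCH:-"curl -fsS --max-time 10"}

# check_webroot DOCROOT HOST...
# Writes a probe file under DOCROOT, fetches it over plain HTTP from each
# HOST and compares the body. Returns 0 only if every HOST serves it.
check_webroot() {
    docroot=$1; shift
    dir="$docroot/.well-known/acme-challenge"
    name="preflight-$$"              # constructed probe name, not an ACME token
    body="probe-$$-$(date +%s)"      # content that must come back unchanged
    mkdir -p "$dir" || return 2
    printf '%s' "$body" > "$dir/$name" || return 2
    rc=0
    for host in "$@"; do
        url="http://$host/.well-known/acme-challenge/$name"
        got=$($FETCH "$url" 2>/dev/null) || got=""
        if [ "$got" = "$body" ]; then
            echo "OK   $host serves files from $docroot"
        else
            echo "FAIL $host did not return the probe (wrong DocumentRoot or access denied)"
            rc=1
        fi
    done
    rm -f "$dir/$name"               # never leave the probe behind
    return $rc
}

# Stand-alone use: ./check_webroot.sh yourDocumentRoot dartstudie.nl www.dartstudie.nl
if [ "$#" -ge 2 ]; then
    check_webroot "$@"
fi
```

A FAIL for a name means certbot's own challenge file would not be reachable there either, so the vHost for that name points at a different directory or blocks the path.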
