Renewal certificates failed - Docker & Digital Ocean

Hi everyone!
I'm new to certificates and have never set up or updated certs on a website.

We had a developer who was doing this before, but he left us and doesn't respond to help us update the certs.

My domain is:
qoovee.co
This is the demo server we are trying to get up.

I ran this command:
certbot renew --webroot --webroot-path /home/.../letsencrypt/www/certbot --agree-tos
This command was left behind by the previous developer and it was working before.

It produced this output:
Renewing an existing certificate for qoovee.co and 4 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: billing.qoovee.co
Type: unauthorized
Detail: 2606:4700::6810:f34e: Invalid response from http://billing.qoovee.co/.well-known/acme-challenge/DptLLHAcQytJRiiU_B--lgtp1XB_2GOPDQs7_MPGpZY: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate qoovee.co with error: Some challenges have failed.


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/affiliate.qoovee.co/fullchain.pem expires on 2023-03-20 (skipped)
/etc/letsencrypt/live/m.qoovee.co/fullchain.pem expires on 2023-02-23 (skipped)
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/qoovee.co/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

I checked the log and see that there's no connection to old services:
Server: nginx
Date: Wed, 04 Jan 2023 16:17:02 GMT
Content-Type: application/json
Content-Length: 1151
Connection: keep-alive
Boulder-Requester: 34056034
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: F977igevOGfk4_4IPHqypJm41ARv0u4L5ZkqHBCohAO5Xwg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "billing.qoovee.co" <--- this is the old application, but I don't see why it's trying to reach this
},
"status": "invalid",
"expires": "2023-01-11T16:17:00Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "2606:4700::6810:f44e: Invalid response from http://billing.qoovee.co/.well-known/acme-challenge/ESM03NOSHyoWmgjm2vy1m-QcfkrHrJWL8VpmHqW7Q98: 404",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/192515810437/gQgZPg",
"token": "ESM03NOSHyoWmgjm2vy1m-QcfkrHrJWL8VpmHqW7Q98",
"validationRecord": [
{
"url": "http://billing.qoovee.co/.well-known/acme-challenge/ESM03NOSHyoWmgjm2vy1m-QcfkrHrJWL8VpmHqW7Q98",
"hostname": "billing.qoovee.co",
"port": "80",
"addressesResolved": [
"104.16.243.78",
"104.16.244.78",
"2606:4700::6810:f44e",
"2606:4700::6810:f34e"
],
"addressUsed": "2606:4700::6810:f44e"
}
],
"validated": "2023-01-04T16:17:01Z"
}
]
}

My web server is (include version):
nginx version: nginx/1.18.0
built by gcc 9.2.0 (Alpine 9.2.0)

The operating system my web server runs on is (include version):
Linux 4.4.0-148-generic #174~14.04.1-Ubuntu SMP
2019 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
digital ocean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
version is 1.32.2

Probably because it's part of the current certificate you're trying to renew. See sudo certbot certificates to list all certificates known to Certbot and their hostnames.

5 Likes

You are right, I've got this output, but how do I delete the old application from this certificate:
Certificate Name: qoovee.co
Serial Number: 37f370cc8371cbfd5772
Key Type: RSA
Domains: qoovee.co accounts.qoovee.co billing.qoovee.co notification.qoovee.co www.qoovee.co
Expiry Date: 2022-12-25 12:25:13+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/qoovee.co/fullchain.pem
Private Key Path: /etc/letsencrypt/live/qoovee.co/privkey.pem

Or should I delete the current certificate and try to create a new one?

1 Like

There are two ways:

  • Make sure that every hostname you do want included does successfully validate and only the one you want removed fails, then run sudo certbot renew again but include the --allow-subset-of-names option on the command line (just once). See Re-creating and Updating Existing Certificates for more info.
  • Or, use the command you've originally used to get the certificate but only include the hostnames using -d you actually want a cert for (thus leaving out the hostname you don't want included) and add the proper --cert-name option and value so you won't get multiple certs.
7 Likes
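
The two options above, sketched as an added example that is not part of the original replies: it reads the hostnames of one certificate from `certbot certificates` output, builds the `certonly` command that leaves a hostname out, and includes a check that a hostname really serves the webroot over HTTP. The function names, the constructed sample output and the `/path/to/webroot` placeholder are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. SAMPLE_OUTPUT is constructed in the
# layout `certbot certificates` prints; /path/to/webroot is a placeholder.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: qoovee.co
    Domains: qoovee.co accounts.qoovee.co billing.qoovee.co notification.qoovee.co www.qoovee.co
    Expiry Date: 2022-12-25 12:25:13+00:00 (INVALID: EXPIRED)
  Certificate Name: m.qoovee.co
    Domains: m.qoovee.co'

# Print the hostnames of certificate $1, one per line.
# Reads `certbot certificates` output on stdin.
cert_domains() {
  awk -v name="$1" '
    $1 == "Certificate" && $2 == "Name:" { in_cert = ($3 == name) }
    in_cert && $1 == "Domains:" { for (i = 2; i <= NF; i++) print $i; in_cert = 0 }
  '
}

# Print the certonly command that re-issues certificate $1 from webroot $2,
# leaving out the hostnames given as remaining arguments. Hostnames on stdin.
reissue_cmd() {
  local name="$1" webroot="$2" host drop keep args=""
  shift 2
  while read -r host; do
    keep=1
    for drop in "$@"; do
      if [ "$host" = "$drop" ]; then keep=0; fi
    done
    if [ "$keep" -eq 1 ]; then args="$args -d $host"; fi
  done
  printf 'certbot certonly --webroot -w %s --cert-name %s%s\n' "$webroot" "$name" "$args"
}

# Check that host $2 serves files placed in webroot $1 over plain HTTP, as the
# http-01 validation requires. Run on the server; needs network access.
# Returns 0 when the fetched body matches the file that was written.
probe_webroot() {
  local dir="$1/.well-known/acme-challenge" token="probe-$$" body
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
  body=$(curl -fsSL --max-time 10 "http://$2/.well-known/acme-challenge/$token")
  rm -f "$dir/$token"
  [ "$body" = "$token" ]
}

# Demo on the constructed sample: command for the certificate without billing.qoovee.co.
printf '%s\n' "$SAMPLE_OUTPUT" | cert_domains qoovee.co |
  reissue_cmd qoovee.co /path/to/webroot billing.qoovee.co
```

For the first option, running `probe_webroot` against each hostname that should stay shows in advance whether only the unwanted one will fail before `--allow-subset-of-names` is used.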

Thank you very much for your assistance @Osiris!

I ran the first command, waited a bit and everything works now! Thank you very much!

5 Likes
