Renewal error of my domain


#1

Hello, this morning I tried to renew my certificate but I got an error of this type.
Thanks for your help :slight_smile:

ludovic@vps181822:/opt/letsencrypt$ ./certbot-auto renew
Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/theapplefanboy.fr.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate

Attempting to renew cert (theapplefanboy.fr) from /etc/letsencrypt/renewal/theapplefanboy.fr.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/theapplefanboy.fr/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/theapplefanboy.fr/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
ludovic@vps181822:/opt/letsencrypt$


#2

Hi @ludochan

this is a one-hour limit:

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

But please share

/var/log/letsencrypt/letsencrypt.log

to find the reason for these failed validations.


#3

Here is the file, thanks. I'm a new user, I can't upload a file :confused:
https://www.dropbox.com/s/mpt5op6ms2ofrjh/letsencrypt.txt?dl=0


#4

Thanks!

Certbot creates a validation file under /.well-known/acme-challenge, but Letsencrypt doesn’t find this file:

      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://theapplefanboy.fr/.well-known/acme-challenge/ZaI9G917xtNmoffHLiLbWeEcSCwcbtAa5qCIoZc3fu4: \"\u003c!DOCTYPE html\u003e\u003chtml class=\\\"no-js\\\" lang=\\\"fr-FR\\\" prefix=\\\"og: http://ogp.me/ns#\\\"\u003e\u003chead profile=\\\"http://gmpg.org/xfn/11\\\"\u003e\u003clink rel=\"",
        "status": 403
      },

You are using the apache plugin and your certbot is up to date, this is good. Please find your webroot (the directory where your website starts); if they do not exist, create two directories there:

/.well-known/acme-challenge

put a file there (file name 1234, without extension) and try whether you can load this file via

 http://theapplefanboy.fr/.well-known/acme-challenge/1234

with your browser.

If yes, you have found your correct webroot, so you may use something like

certbot run -a webroot -i apache -w PathToYourWebroot -d theapplefanboy.fr -d www.theapplefanboy.fr

with a split authenticator (webroot) and installer (apache).


#5

As far as I know, the apache plugin creates a separate, new and temporary virtualhost with a specific webroot, something like /var/lib/letsencrypt/blahblah or something.


#6

Moreover, all http requests are redirected to https. Do you believe that the problem also comes from that?


#7

That’s true (as far as I know), but how to debug if it doesn’t work? There is no ipv6, no second ipv4.

It’s possible, but checking with my own redirect check ( https://check-your-website.server-daten.de/?q=theapplefanboy.fr ) I don’t see problems.

The 404 is ok. You see, there is no redirect to https. You have a Strict-Transport-Security header (which is good), so your browser switches to https. But not a direct GET with a tool.

So Letsencrypt doesn’t see this redirect http -> https.


#8

There’s probably some Apache configuration messing with the added Let’s Encrypt configs.

Specifically, Let’s Encrypt adds this to the virtualhosts configuration directory:

le_http_01_challenge_pre.conf:

    RewriteEngine on
    RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

le_http_01_challenge_post.conf:

    <Directory /var/lib/letsencrypt/http_challenges>
        Require all granted
    </Directory>
    <Location /.well-known/acme-challenge>
        Require all granted
    </Location>

As you can see, it’s a very simple setup.

One can start debugging as follows:

  • add -v and --debug-challenges to the certbot command line
  • check the relevant Apache logs, access as well as error log

As you can see, I’m sure you mean well, but advising the topic starter to make challenge directories in the webroot of the website isn’t going to help.
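Post #8's advice to check the Apache access log, as an added example that is not from the thread or from certbot: this Python script parses constructed combined-format log lines for /.well-known/acme-challenge requests, maps the status codes to the causes discussed above (a 403 like the one quoted in post #4), and counts failed tokens against the 5-per-hour failed-validation limit from post #2. The sample lines, the status hint texts, and the assumption that one token equals one authorization are mine, not the thread's.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed Apache "combined" access-log lines, not taken from the thread:
# the 403s on the token path are the symptom quoted in post #4, the final 200
# is what a working setup logs. Addresses and tokens are made up.
UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
SAMPLE_ACCESS_LOG = "\n".join(
    f'203.0.113.10 - - [19/Nov/2018:{t} +0100] "GET /.well-known/acme-challenge/{tok} HTTP/1.1" {st} 512 "-" "{UA}"'
    for t, tok, st in [("08:01:12", "tokA", 403), ("08:01:13", "tokA", 403),
                       ("08:15:40", "tokB", 403), ("08:22:05", "tokC", 403),
                       ("08:40:30", "tokD", 403), ("08:55:02", "tokE", 403),
                       ("09:10:44", "tokF", 200)])

LOG_RE = re.compile(r'^\S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
FAILED_VALIDATION_LIMIT = 5  # per account, per hostname, per hour (post #2)
# What each status usually means under the apache plugin's rewrite setup (post #8); assumed wording
STATUS_HINTS = {
    200: "token served, validation should pass",
    403: "denied: another Apache config overrides the plugin's 'Require all granted'",
    404: "not found: the RewriteRule into /var/lib/letsencrypt/http_challenges is not applied",
}

def parse_challenge_requests(log_text):
    """Return (timestamp, token, status) for every acme-challenge request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").startswith(CHALLENGE_PREFIX):
            hits.append((datetime.strptime(m.group("ts"), TS_FORMAT),
                         m.group("path")[len(CHALLENGE_PREFIX):], int(m.group("status"))))
    return hits

def summarize(hits):
    """Status counts plus the busiest one-hour window of failed authorizations.
    One token is one authorization, so a failure is counted once per token."""
    by_status = Counter(status for _, _, status in hits)
    first_failure = {}
    for ts, token, status in sorted(hits):
        if status != 200:
            first_failure.setdefault(token, ts)
    times = sorted(first_failure.values())
    worst = max((sum(start <= t < start + timedelta(hours=1) for t in times)
                 for start in times), default=0)
    return {"by_status": dict(by_status), "failed_tokens": len(first_failure),
            "max_failed_per_hour": worst,
            "rate_limit_hit": worst >= FAILED_VALIDATION_LIMIT,
            "hints": {s: STATUS_HINTS.get(s, "unexpected status") for s in by_status}}
```

Run it against a real access log by passing the file contents to parse_challenge_requests; a 403 hint points at the overriding Apache config post #8 describes, and rate_limit_hit tells you whether waiting out the hour is needed before retrying.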


#9

OK, I see the directory .well-known in my WordPress folder


#10

Thanks for your help :wink: The command worked:


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://theapplefanboy.fr and
https://www.theapplefanboy.fr

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=theapplefanboy.fr
https://www.ssllabs.com/ssltest/analyze.html?d=www.theapplefanboy.fr


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/theapplefanboy.fr/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/theapplefanboy.fr/privkey.pem
    Your cert will expire on 2019-02-17. To obtain a new or tweaked
    version of this certificate in the future, simply run
    letsencrypt-auto again with the “certonly” option. To
    non-interactively renew all of your certificates, run
    “letsencrypt-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#11

Yep, now you have a new certificate created with two domain names.

Certificates

CN=theapplefanboy.fr 19.11.2018 17.02.2019 theapplefanboy.fr, www.theapplefanboy.fr - 2 entries
CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 17.03.2016 17.03.2021
CN=DST Root CA X3, O=Digital Signature Trust Co. 30.09.2000 30.09.2021

So the www- and the non-www are secure.

But you should add a redirect of your http://theapplefanboy.fr/ to https.

You don’t see this error, because your browser prefers the https version (because of your good HSTS-header).

But users on http://theapplefanboy.fr/ should use the secured version.