Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Warning: I'm an amateur. I am running virtual hosts and, strangely, only one of the virtual hosts (photos.kieranpr.com) has the error.
My domain is:
I ran this command:
sudo certbot renew --dry-run
It produced this output:
```
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (kieranpr.com) from /etc/letsencrypt/renewal/kieranpr.com.conf produced an unexpected error: Failed authorization procedure. www.photos.kieranpr.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 3.236.133.116: Invalid response from http://www.photos.kieranpr.com/.well-known/acme-challenge/bF1lkvh6FVXyGSlcYi6HU-i3ir1Nxv_wLoy-7Pc3iVA: 404, photos.kieranpr.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 3.236.133.116: Invalid response from http://photos.kieranpr.com/.well-known/acme-challenge/SVRNUhxTGkaZQw9ngol8TbrGVbkzZ9IjC9RmVgSUrTo: 404. Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/kieranpr.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/kieranpr.com-0001/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/kieranpr.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.photos.kieranpr.com
   Type:   unauthorized
   Detail: 3.236.133.116: Invalid response from
   http://www.photos.kieranpr.com/.well-known/acme-challenge/bF1lkvh6FVXyGSlcYi6HU-i3ir1Nxv_wLoy-7Pc3iVA:
   404

   Domain: photos.kieranpr.com
   Type:   unauthorized
   Detail: 3.236.133.116: Invalid response from
   http://photos.kieranpr.com/.well-known/acme-challenge/SVRNUhxTGkaZQw9ngol8TbrGVbkzZ9IjC9RmVgSUrTo:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
```
My web server is (include version):
Apache/2.4.29
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
AWS
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Can you show the result of this? It should match your DNS entry 3.236.133.116:
```
curl -4 ifconfig.co
```
If you don't have an Elastic IP, AWS may assign a new IP after the instance restarts.
If that matches, can you show the result of this command for any certs related to that domain?
```
sudo certbot certificates
```
It looks like you have used two different methods to create the cert, and one of them is failing. Hopefully it is the one you are not using.
```
The following certs were successfully renewed:
  /etc/letsencrypt/live/kieranpr.com-0001/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/kieranpr.com/fullchain.pem (failure)
```
OK. Checking your server, it is sending the cert that expires in 32 days and includes the photos domain.
So you should delete the unused cert to avoid confusion (and unneeded work by LE). Did you create this while debugging the failing photos domain?
```
sudo certbot delete --cert-name kieranpr.com-0001
```
The photos domain must have worked ~60 days ago to get into the cert expiring in 32. Can you show the contents of this file? Black out the account id if you wish:
Thanks Mike. I deleted the one I created in debugging. And you're right that the cert worked before for all three 'domains' - I also don't think I've changed the photos 'domain' config since; but I could be wrong.

Output of `sudo cat /etc/letsencrypt/renewal/kieranpr.com.conf`:
```
version = 0.27.0
archive_dir = /etc/letsencrypt/archive/kieranpr.com
cert = /etc/letsencrypt/live/kieranpr.com/cert.pem
privkey = /etc/letsencrypt/live/kieranpr.com/privkey.pem
chain = /etc/letsencrypt/live/kieranpr.com/chain.pem
fullchain = /etc/letsencrypt/live/kieranpr.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account =
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
```
Output of `sudo apachectl -S`:
```
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server kieranpr.com (/etc/apache2/sites-enabled/000-kieranpr.conf:1)
         port 80 namevhost kieranpr.com (/etc/apache2/sites-enabled/000-kieranpr.conf:1)
                 alias www.kieranpr.com
         port 80 namevhost data.kieranpr.com (/etc/apache2/sites-enabled/data.kieranpr-le-ssl.conf:17)
                 alias www.data.kieranpr.com
         port 80 namevhost data.kieranpr.com (/etc/apache2/sites-enabled/data.kieranpr.conf:1)
                 alias www.data.kieranpr.com
         port 80 namevhost kieranpr.com (/etc/apache2/sites-enabled/kieranpr-le-ssl.conf:17)
                 alias www.kieranpr.com
         port 80 namevhost photos.kieranpr.com (/etc/apache2/sites-enabled/photos.kieranpr-le-ssl.conf:17)
                 alias www.photos.kieranpr.com
         port 80 namevhost photos.kieranpr.com (/etc/apache2/sites-enabled/photos.kieranpr.conf:1)
                 alias www.photos.kieranpr.com
*:443                  is a NameVirtualHost
         default server kieranpr.com (/etc/apache2/sites-enabled/000-kieranpr.conf:14)
         port 443 namevhost kieranpr.com (/etc/apache2/sites-enabled/000-kieranpr.conf:14)
                 alias www.kieranpr.com
         port 443 namevhost data.kieranpr.com (/etc/apache2/sites-enabled/data.kieranpr-le-ssl.conf:2)
                 alias www.data.kieranpr.com
         port 443 namevhost data.kieranpr.com (/etc/apache2/sites-enabled/data.kieranpr.conf:14)
                 alias www.data.kieranpr.com
         port 443 namevhost kieranpr.com (/etc/apache2/sites-enabled/kieranpr-le-ssl.conf:2)
                 alias www.kieranpr.com
         port 443 namevhost photos.kieranpr.com (/etc/apache2/sites-enabled/photos.kieranpr-le-ssl.conf:2)
                 alias www.photos.kieranpr.com
         port 443 namevhost photos.kieranpr.com (/etc/apache2/sites-enabled/photos.kieranpr.conf:14)
                 alias www.photos.kieranpr.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
```
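The `apachectl -S` output above lists every hostname twice per port (each name appears in both a `*.conf` and a `*-le-ssl.conf` file on `*:80` and again on `*:443`). Apache resolves a name-based request to the first VirtualHost on that address:port whose ServerName or ServerAlias matches, so the later duplicates are dead config, and a challenge file certbot's apache plugin arranges to serve from one of them is never reached. The script below is an added example, not code from the thread: it parses `apachectl -S` output (the constructed sample is the output posted above, with the indentation Apache normally prints), reports every hostname claimed by more than one VirtualHost on the same port, and says which file Apache will actually use for a given name. Function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the `apachectl -S` output posted in this thread.
APACHECTL_S = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server kieranpr.com (/etc/apache2/sites-enabled/000-kieranpr.conf:1)
         port 80 namevhost kieranpr.com (/etc/apache2/sites-enabled/000-kieranpr.conf:1)
                 alias www.kieranpr.com
         port 80 namevhost data.kieranpr.com (/etc/apache2/sites-enabled/data.kieranpr-le-ssl.conf:17)
                 alias www.data.kieranpr.com
         port 80 namevhost data.kieranpr.com (/etc/apache2/sites-enabled/data.kieranpr.conf:1)
                 alias www.data.kieranpr.com
         port 80 namevhost kieranpr.com (/etc/apache2/sites-enabled/kieranpr-le-ssl.conf:17)
                 alias www.kieranpr.com
         port 80 namevhost photos.kieranpr.com (/etc/apache2/sites-enabled/photos.kieranpr-le-ssl.conf:17)
                 alias www.photos.kieranpr.com
         port 80 namevhost photos.kieranpr.com (/etc/apache2/sites-enabled/photos.kieranpr.conf:1)
                 alias www.photos.kieranpr.com
*:443                  is a NameVirtualHost
         default server kieranpr.com (/etc/apache2/sites-enabled/000-kieranpr.conf:14)
         port 443 namevhost kieranpr.com (/etc/apache2/sites-enabled/000-kieranpr.conf:14)
                 alias www.kieranpr.com
         port 443 namevhost data.kieranpr.com (/etc/apache2/sites-enabled/data.kieranpr-le-ssl.conf:2)
                 alias www.data.kieranpr.com
         port 443 namevhost data.kieranpr.com (/etc/apache2/sites-enabled/data.kieranpr.conf:14)
                 alias www.data.kieranpr.com
         port 443 namevhost kieranpr.com (/etc/apache2/sites-enabled/kieranpr-le-ssl.conf:2)
                 alias www.kieranpr.com
         port 443 namevhost photos.kieranpr.com (/etc/apache2/sites-enabled/photos.kieranpr-le-ssl.conf:2)
                 alias www.photos.kieranpr.com
         port 443 namevhost photos.kieranpr.com (/etc/apache2/sites-enabled/photos.kieranpr.conf:14)
                 alias www.photos.kieranpr.com
ServerRoot: "/etc/apache2"
"""

# "port 80 namevhost photos.kieranpr.com (/etc/apache2/sites-enabled/photos.kieranpr.conf:1)"
NAMEVHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \(([^:()]+):(\d+)\)")
# "        alias www.photos.kieranpr.com" (belongs to the preceding namevhost line)
ALIAS = re.compile(r"^\s*alias (\S+)")


def parse_vhosts(text):
    """Return the VirtualHosts in the order Apache loaded them (the order matters)."""
    vhosts = []
    for line in text.splitlines():
        m = NAMEVHOST.match(line)
        if m:
            vhosts.append({"port": int(m.group(1)), "name": m.group(2),
                           "file": m.group(3), "line": int(m.group(4)), "aliases": []})
            continue
        m = ALIAS.match(line)
        if m and vhosts:
            vhosts[-1]["aliases"].append(m.group(1))
    return vhosts


def find_duplicates(vhosts):
    """Map (port, hostname) -> [(file, line), ...] for names claimed by more than one vhost on that port."""
    claims = defaultdict(list)
    for v in vhosts:
        for host in [v["name"]] + v["aliases"]:
            claims[(v["port"], host)].append((v["file"], v["line"]))
    return {key: files for key, files in claims.items() if len(files) > 1}


def winning_vhost(vhosts, port, host):
    """First matching vhost wins in Apache name-based matching; return its (file, line) or None."""
    for v in vhosts:
        if v["port"] == port and host in [v["name"]] + v["aliases"]:
            return (v["file"], v["line"])
    return None


if __name__ == "__main__":
    vh = parse_vhosts(APACHECTL_S)
    for (port, host), files in sorted(find_duplicates(vh).items()):
        print(f"{host}:{port} defined {len(files)} times; Apache will use {winning_vhost(vh, port, host)}")
        for f, n in files:
            print(f"    {f}:{n}")
```

Run it against `sudo apachectl -S` on the real host (`sudo apachectl -S | python3 script.py` with `APACHECTL_S` swapped for `sys.stdin.read()`). A hostname that shows up in more than one file on the same port is the one to consolidate: the http-01 request for `photos.kieranpr.com` on port 80 will only ever be answered by the first file listed for it.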
@kieran2 Rudy beat me to it! If you need help resolving it please show the contents of each of the apache conf files. Start with just the photos domain files as a similar fix will probably apply to data
I am stepping away for a while, but it works best to put three backticks before and after each group. Add some regular text between consecutive such blocks. Like:
```
text here
```
And more:
```
second part
```
```apache
<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerAdmin admin@kieranpr.com
    ServerName photos.kieranpr.com
    ServerAlias www.photos.kieranpr.com
    DocumentRoot /var/www/photos.kieranpr
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    # Some rewrite rules in this file were disabled on your HTTPS site,
    # because they have the potential to create redirection loops.
    # RewriteCond %{SERVER_NAME} =photos.kieranpr.com [OR]
    # RewriteCond %{SERVER_NAME} =www.photos.kieranpr.com
    # RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
```
And, from:
```
/etc/apache2/sites-enabled/photos.conf
```
Remove this VirtualHost entirely:
```apache
<VirtualHost *:443>
    ServerName photos.kieranpr.com
    ServerAlias www.photos.kieranpr.com
    ServerAdmin admin@kieranpr.com
    DocumentRoot /var/www/photos.kieranpr
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/kieranpr.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/kieranpr.com/privkey.pem
</VirtualHost>
```