Renewal failure with apache on ubuntu dockerized environment


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

citadel.finconsgroup.com

I ran this command:

certbot renew

It produced this output:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/citadel.finconsgroup.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Requested authenticator <certbot.cli._Default object at 0x7f837ac022b0> and installer <certbot.cli._Default object at 0x7f837ac022b0>
Should renew, less than 30 days before certificate expiry 2018-12-11 11:30:49 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f837ac021d0>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f837ac021d0> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(new_authzr_uri=None, body=Registration(only_return_existing=None, terms_of_service_agreed=None, contact=(), status=None, key=None, agreement=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/41976204', terms_of_service=None), 5d9d24d73e557d8a0653f8a8e0e79f17, Meta(creation_dt=datetime.datetime(2018, 9, 12, 12, 13, 12, tzinfo=<UTC>), creation_host='f560ab5b297a'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 06 Dec 2018 12:32:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 06 Dec 2018 12:32:46 GMT
Connection: keep-alive

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "ysjS5S8Yz-g": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
Renewing an existing certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0059_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0059_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-order.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-order HTTP/1.1" 405 0
Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 103
Allow: POST
Replay-Nonce: RvUbzsIN0r8KTBAqIFRjsI_CC7ueTVsIotJHM6LgHQE
Expires: Thu, 06 Dec 2018 12:32:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 06 Dec 2018 12:32:47 GMT
Connection: keep-alive


Storing nonce: RvUbzsIN0r8KTBAqIFRjsI_CC7ueTVsIotJHM6LgHQE
JWS payload:
b'{\n  "status": "pending",\n  "resource": "new-order",\n  "identifiers": [\n    {\n      "value": "citadel.finconsgroup.com",\n      "type": "dns"\n    }\n  ]\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIiwgIm5vbmNlIjogIlJ2VWJ6c0lOMHI4S1RCQXFJRlJqc0lfQ0M3dWVUVnNJb3RKSE02TGdIUUUiLCAiYWxnIjogIlJTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzQxOTc2MjA0In0",
  "payload": "ewogICJzdGF0dXMiOiAicGVuZGluZyIsCiAgInJlc291cmNlIjogIm5ldy1vcmRlciIsCiAgImlkZW50aWZpZXJzIjogWwogICAgewogICAgICAidmFsdWUiOiAiY2l0YWRlbC5maW5jb25zZ3JvdXAuY29tIiwKICAgICAgInR5cGUiOiAiZG5zIgogICAgfQogIF0KfQ",
  "signature": "Ofs4jNYIt6wMI7LBQwnJg3ZdFBtiBMTwhFkFTUiu34Nhce1GFVqudfsSM1H6XxtmE2KtNgxdvnLEDpuDXTpiXGsi8x1xyppDkWwMPYoleNkkGX3gR_x_Aus-GmMWraCOe9CvuO2r8slUWsI0A2raFdiFy3kJUSjaHp6H4W_35r-jJ5HzkWfQzrw5Q961mLsukcE09QjDQRo6E_DUg_9jmvJIm320Tzg16rJ4kdWlCywYcA1lt_9k3UrhPic5rODb1B6jTjLQp84v-16JHsHqAPWpwb5gqKP6j3-lOFjXQoWq8UI86vZ7Q4hFGeXY_7Pkw-iY8QvaP4_39lpTOwUs2A"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 381
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 381
Boulder-Requester: 41976204
Location: https://acme-v02.api.letsencrypt.org/acme/order/41976204/208465317
Replay-Nonce: eeCRsEs1oSceGQl45SiPqM92rGBgsL0G6y9fDFFZgE8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 06 Dec 2018 12:32:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 06 Dec 2018 12:32:47 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2018-12-13T12:32:47.1454432Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "citadel.finconsgroup.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/41976204/208465317"
}
Storing nonce: eeCRsEs1oSceGQl45SiPqM92rGBgsL0G6y9fDFFZgE8
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g HTTP/1.1" 200 1172
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1172
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 06 Dec 2018 12:32:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 06 Dec 2018 12:32:47 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "citadel.finconsgroup.com"
  },
  "status": "pending",
  "expires": "2018-12-13T12:32:47Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109090",
      "token": "G322GHQxX44udtUUr9KWFLHhFgmkZAByqwyJ9JYs080"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109091",
      "token": "dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109092",
      "token": "BZmWEf5UmDENTU2MTwTu15pIphIOJHU1SvKNJEYQtKA"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109093",
      "token": "TumOpBpVk3GHokNjSiYf5ioirv-7yVsoEMz4sXw12g4"
    }
  ]
}
Performing the following challenges:
http-01 challenge for citadel.finconsgroup.com
Creating root challenges validation dir at /app/cip/.well-known/acme-challenge
Attempting to save validation to /app/cip/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU
Waiting for verification...
JWS payload:
b'{\n  "type": "http-01",\n  "resource": "challenge",\n  "keyAuthorization": "dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU.7ORQfQVmFD5yLfWwXMexDz8iXHZZjt465Uup0QC6ACU"\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109091:
{
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGxlbmdlLzZoTVlqYXlSdXhxVE12OVI1aUQ3WXkxSGRIY3M2MzJlcUtnS2Uzd1lsNmcvMTAwMjExMDkwOTEiLCAibm9uY2UiOiAiZWVDUnNFczFvU2NlR1FsNDVTaVBxTTkyckdCZ3NMMEc2eTlmREZGWmdFOCIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDE5NzYyMDQifQ",
  "payload": "ewogICJ0eXBlIjogImh0dHAtMDEiLAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogImRsYU8xaFY5MExXZ1NjMzZhOHhDZDBXeE9XQWV4UVY3WWdzVHpRQ3RvaFUuN09SUWZRVm1GRDV5TGZXd1hNZXhEejhpWEhaWmp0NDY1VXVwMFFDNkFDVSIKfQ",
  "signature": "dkhq-w67deRbwgLyZQyv823Ve8cfAxsQVUWgoOqCur9BZQGzNphdFND2lOWJcA33tLB5B6SOTj9D2ym_LI4UxbJ21snYsVlyZDcZ0d5bCZeRwkeObn7TE6uaX346g1Ve9SQWt3f7suQ81J3nVypACn4UNuj8jkOrHvr3bOiI6lc8tRqSQA8-3nSaK2z1iR2O1zP8qW94cjarfKe_EiUJspoQJFaNFFgLDXJ3zEAzLWDOr-pN14urHfg4KoRBzcOnvJzX4R3t8iqhK8CmE_ZSCwb2Rds89b4odh8VwLmOp-6peKPaz3U3ZbsVXn6_snhJx5stVSUIADoRhYl1TSYAuA"
}
https://acme-v02.api.letsencrypt.org:443 "POST /acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109091 HTTP/1.1" 200 224
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 224
Boulder-Requester: 41976204
Link: <https://acme-v02.api.letsencrypt.org/acme/authz/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109091
Replay-Nonce: NVUBs407_dQag2t8q_3GDTG_iCTGPNssq6uj20pn5iI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 06 Dec 2018 12:32:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 06 Dec 2018 12:32:47 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109091",
  "token": "dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU"
}
Storing nonce: NVUBs407_dQag2t8q_3GDTG_iCTGPNssq6uj20pn5iI
Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g.
https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g HTTP/1.1" 200 2378
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 2378
Expires: Thu, 06 Dec 2018 12:32:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 06 Dec 2018 12:32:50 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "citadel.finconsgroup.com"
  },
  "status": "invalid",
  "expires": "2018-12-13T12:32:47Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109090",
      "token": "G322GHQxX44udtUUr9KWFLHhFgmkZAByqwyJ9JYs080"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://citadel.finconsgroup.com/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eNot Found\u003c/h1\u003e\\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109091",
      "token": "dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU",
      "validationRecord": [
        {
          "url": "http://citadel.finconsgroup.com/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU",
          "hostname": "citadel.finconsgroup.com",
          "port": "80",
          "addressesResolved": [
            "34.241.198.137"
          ],
          "addressUsed": "34.241.198.137"
        },
        {
          "url": "https://citadel.finconsgroup.com/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU",
          "hostname": "citadel.finconsgroup.com",
          "port": "443",
          "addressesResolved": [
            "34.241.198.137"
          ],
          "addressUsed": "34.241.198.137"
        }
      ]
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109092",
      "token": "BZmWEf5UmDENTU2MTwTu15pIphIOJHU1SvKNJEYQtKA"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/6hMYjayRuxqTMv9R5iD7Yy1HdHcs632eqKgKe3wYl6g/10021109093",
      "token": "TumOpBpVk3GHokNjSiYf5ioirv-7yVsoEMz4sXw12g4"
    }
  ]
}
Reporting to user: The following errors were reported by the server:

Domain: citadel.finconsgroup.com
Type:   unauthorized
Detail: Invalid response from http://citadel.finconsgroup.com/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. citadel.finconsgroup.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://citadel.finconsgroup.com/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

Calling registered functions
Cleaning up challenges
Removing /app/cip/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU
All challenges cleaned up
Attempting to renew cert (citadel.finconsgroup.com) from /etc/letsencrypt/renewal/citadel.finconsgroup.com.conf produced an unexpected error: Failed authorization procedure. citadel.finconsgroup.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://citadel.finconsgroup.com/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.
Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1197, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. citadel.finconsgroup.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://citadel.finconsgroup.com/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/citadel.finconsgroup.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/citadel.finconsgroup.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1276, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: citadel.finconsgroup.com
   Type:   unauthorized
   Detail: Invalid response from
   http://citadel.finconsgroup.com/.well-known/acme-challenge/dlaO1hV90LWgSc36a8xCd0WxOWAexQV7YgsTzQCtohU:
   "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):

Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 16.04.5 LTS

My hosting provider, if applicable, is:

Amazon

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no


#2

You appear to be using the webroot plugin with the webroot path set to /app/cip so as a first guess I’d suggest checking if that’s really the place where Apache serves static files from.

Could your Apache be misconfigured perhaps? Visiting https://citadel.finconsgroup.com I see a directory listing which I don’t think is intentional - and one of the subdirectories is cip so maybe Apache is serving from the directory above the one you may have intended (/app)? That would break Certbot’s webroot plugin which it seems you currently have pointed at /app/cip if so.

If that’s not helpful, I think we would need to know a bit more about your Docker setup. What containers do you have? Where are the certificates (/etc/letsencrypt/...) stored - in a container or volume, or on the host? And where are you running the certbot command from?
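
The mismatch suggested in this reply can be checked offline. The following is an added example, not part of the original thread and not Certbot's own code: it compares the `[[webroot_map]]` entries of a renewal file with Apache's `DocumentRoot` and reports the URL path at which the challenge file would really be served. The two config snippets are constructed samples (the thread shows neither file; `/app` as DocumentRoot is the guess made above), the function names are hypothetical, and `Alias` or rewrite rules are not considered.

```python
import posixpath
import re

CHALLENGE_PREFIX = "/.well-known/acme-challenge"

# Constructed sample inputs; only the domain and /app/cip come from the log above.
RENEWAL_CONF = """\
[renewalparams]
authenticator = webroot
[[webroot_map]]
citadel.finconsgroup.com = /app/cip
"""
APACHE_CONF = """\
<VirtualHost *:80>
    ServerName citadel.finconsgroup.com
    DocumentRoot /app
</VirtualHost>
"""

def parse_webroot_map(renewal_conf):
    """Return {domain: webroot} from the [[webroot_map]] section."""
    mapping, in_map = {}, False
    for raw in renewal_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domain, path = (part.strip() for part in line.split("=", 1))
            mapping[domain] = path
    return mapping

def parse_document_roots(apache_conf):
    """Return every DocumentRoot value found (commented lines are skipped)."""
    roots = []
    for raw in apache_conf.splitlines():
        m = re.match(r'\s*DocumentRoot\s+"?([^"\s]+)"?', raw, re.IGNORECASE)
        if m:
            roots.append(posixpath.normpath(m.group(1)))
    return roots

def served_url_path(webroot, document_root):
    """URL path under which <webroot>/.well-known/acme-challenge is reachable,
    or None when the webroot is not inside the DocumentRoot at all."""
    webroot = posixpath.normpath(webroot)
    document_root = posixpath.normpath(document_root)
    if posixpath.commonpath([webroot, document_root]) != document_root:
        return None
    rel = posixpath.relpath(webroot, document_root)
    return ("" if rel == "." else "/" + rel) + CHALLENGE_PREFIX

def check(renewal_conf, apache_conf):
    """Return (domain, webroot, docroot, served_path, ok) for each pairing."""
    findings = []
    for domain, webroot in parse_webroot_map(renewal_conf).items():
        for docroot in parse_document_roots(apache_conf):
            url = served_url_path(webroot, docroot)
            findings.append((domain, webroot, docroot, url, url == CHALLENGE_PREFIX))
    return findings

if __name__ == "__main__":
    for domain, webroot, docroot, url, ok in check(RENEWAL_CONF, APACHE_CONF):
        status = "OK" if ok else "MISMATCH (CA will get a 404)"
        print(f"{domain}: webroot={webroot} docroot={docroot} served at {url}: {status}")
```
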


#3

Thanks jmorahan, you were right,
I changed the configuration of the Certbot webroot plugin in order to make it point to the upper directory, and the renewal succeeded.