Renewal Failure - worked previously

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: aff.homelinux.net (+4 others)

I ran this command: sudo certbot renew

It produced this output: 1st errors observed
Challenge failed for domain aff.homelinux.net
Challenge failed for domain ckpb.in-the-band.net
Challenge failed for domain fosl.homelinux.net
Challenge failed for domain jdb.homelinux.net
Challenge failed for domain lstsrv.homelinux.net
Challenge failed for domain swpd.in-the-band.net

My web server is (include version): Apache version 2.4.46

The operating system my web server runs on is (include version): Ubuntu 21.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Details:
5 active virtual websites, all with Let's Encrypt and used for many years
current cert expires Mar 20
best guess for failure is that one website was password protected. I temporarily removed the protection and reran the certbot renew and still got a lot of errors:
"Failed to renew certificate aff.homelinux.net with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt"

Full command shell file is available. And log file.

I don't know what is wrong or how to recover. Your help is very much appreciated!

Welcome to the community @codeFarmer

This error is caused by trying and failing to renew a cert too often. You need to wait an hour before trying again. Details at the link in the error msg.

But, you need to figure out why they are failing. My first guess is that you are blocking port 80 and you did not before.

When I started looking at your problem I could see your HTTPS site but HTTP would timeout. But, now HTTPS site is also not reachable.

You need to get HTTP working for the http challenge to work. Try testing with this so you don't run into rate limits. Or, even use --dry-run on the renew command

3 Likes

Thanks for your response. I had turned off port 80 and expected to use only 443. Also I aggressively block 400-type errors with Fail2Ban. Do I need to open up everything for the renewal to work?

1 Like

To use http validation you need to respond on port 80, so you need port 80 open. You can redirect to https on port 443, but you must respond on port 80 first. Alternatively you can switch to DNS validation.

2 Likes

Thanks for your help. I re-opened port 80. Is there a penalty for trying again too soon?

1 Like

As per the Let's Encrypt rate limits mentioned in the error message you get 5 failed validations per hostname per hour, so just wait an hour from your previous attempt: Rate Limits - Let's Encrypt

2 Likes

Thanks

1 Like

Success! I tripped myself by blocking port 80 and passwording a site. After temporarily changing that, the Certbot Renew worked.

Thank you for your insight and help!

3 Likes

You should not require a password for the expected challenge location:
http://your.domain/.well-known/acme-challenge/

2 Likes
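The two failure causes in this thread (port 80 closed, and the challenge path behind a password) can both be caught before `certbot renew` is run, which matters because each failed validation counts against the hourly limit. The script below is an added example, not part of the thread or of Certbot: it drops a throwaway token into the webroot, fetches it over plain HTTP for each hostname, and reports which of the two problems (or a path mismatch) is present. It assumes the webroot plugin with the DocumentRoot given in `WEBROOT`; the hostnames are the ones from this thread.

```python
"""Pre-flight check for HTTP-01 renewals (added example, not Certbot code).

Before running `certbot renew`, confirm that each hostname answers plain HTTP
on port 80 and serves /.well-known/acme-challenge/ without a password, so that
failed attempts do not burn through the hourly failed-validation limit.
Assumption: Certbot uses the webroot plugin and WEBROOT is that DocumentRoot.
"""
import os
import secrets
import socket
import urllib.error
import urllib.request

WEBROOT = "/var/www/html"            # assumed webroot; adjust to your vhost
CHALLENGE_DIR = ".well-known/acme-challenge"

# Hostnames taken from the thread; replace with your own.
HOSTNAMES = [
    "aff.homelinux.net",
    "ckpb.in-the-band.net",
    "fosl.homelinux.net",
    "jdb.homelinux.net",
    "lstsrv.homelinux.net",
    "swpd.in-the-band.net",
]


def diagnose(status, body, token):
    """Classify one probe result. Pure function so it can be tested offline."""
    if status is None:
        return "unreachable: port 80 closed or filtered (HTTP-01 needs port 80, not only 443)"
    if status in (401, 403):
        return "auth/forbidden: exempt /.well-known/acme-challenge/ from password protection"
    if status == 404:
        return "not found: WEBROOT does not match this vhost's DocumentRoot"
    if status != 200:
        return f"unexpected HTTP {status}"
    if body.strip() != token:
        return "wrong body: a different vhost, redirect target or error page answered"
    return "ok"


def probe(hostname, token, timeout=10):
    """Fetch the token over plain HTTP. Returns (status, body), or (None, '') if unreachable.
    Redirects (e.g. to HTTPS) are followed, as the ACME validator also follows them."""
    url = f"http://{hostname}/{CHALLENGE_DIR}/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, ""


def preflight(hostnames, webroot=WEBROOT):
    """Write a random token into the challenge directory, probe every hostname, clean up."""
    token = secrets.token_urlsafe(16)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(token)
    try:
        return {h: diagnose(*probe(h, token), token) for h in hostnames}
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys

    results = preflight(sys.argv[1:] or HOSTNAMES)
    for host, verdict in results.items():
        print(f"{host}: {verdict}")
    # Only run `certbot renew --dry-run` (then the real renewal) once every host is "ok".
    sys.exit(0 if all(v == "ok" for v in results.values()) else 1)
```

Run it as root on the web server (`python3 acme_preflight.py`), fix whatever it reports, then use `certbot renew --dry-run` before the real renewal. On Apache the password-protected vhost is normally fixed by adding a `<Location "/.well-known/acme-challenge/">` block with `Require all granted` inside the protected `<Directory>` or vhost, so that only the challenge path bypasses the authentication.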
