Renewal is failing with acme challenge 404

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: admin.wizpms.com

I ran this command: sudo certbot renew --debug-challenges

It produced this output: See below

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is: Justhost

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

ubuntu@ip-172-31-44-194:/var/backups$ sudo certbot renew --debug-challenges
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/admin.wizpms.com.conf


Renewing an existing certificate for admin.wizpms.com and 8 more domains


Challenges loaded. Press continue to submit to CA.
Pass "-v" for more info about challenges.


Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: admin.wizpms.com
Type: unauthorized
Detail: Invalid response from https://admin.wizpms.com/.well-known/acme-challenge/2S16kTyynnq2ANO-VAeyoBrxXRvzXoIOTu8sQzDuuCA [52.14.105.212]: 404

Domain: axis.wizpms.com
Type: unauthorized
Detail: Invalid response from https://axis.wizpms.com/.well-known/acme-challenge/x9pK06pxV2zilAEQjmaVzq5JJlXTdsQ9DwsAPgvXNkA [52.14.105.212]: 404

Domain: borrelli.wizpms.com
Type: unauthorized
Detail: Invalid response from http://borrelli.wizpms.com/.well-known/acme-challenge/W6Mw80GXwXMhsBuvAJ85Livxe3HAtqGnSvN2j6agA5w [52.14.105.212]: 404

Domain: capella.wizpms.com
Type: unauthorized
Detail: Invalid response from https://capella.wizpms.com/.well-known/acme-challenge/g_p6YJuOKhIFFkpeiE9Luypy25Zf2iDBLFZ5l2ly4ro [52.14.105.212]: 404

Domain: r2r.wizpms.com
Type: unauthorized
Detail: Invalid response from http://r2r.wizpms.com/.well-known/acme-challenge/gIewdfL4m6tkbKt7QZY8CCRQcUoV6GxEZfy4TSkPfPI [52.14.105.212]: 404

Domain: rajan.wizpms.com
Type: unauthorized
Detail: Invalid response from http://rajan.wizpms.com/.well-known/acme-challenge/aDBI0e-v8Hbv9AzzO90Rtg2QOmilsXhWC-jeJhhZLAM [52.14.105.212]: 404

Domain: ravi.wizpms.com
Type: unauthorized
Detail: Invalid response from http://ravi.wizpms.com/.well-known/acme-challenge/nA19Sbz_7a2sr4jG2X_5pBkmQlLBqjND62h9iT6Q608 [52.14.105.212]: 404

Domain: sas01.wizpms.com
Type: unauthorized
Detail: Invalid response from http://sas01.wizpms.com/.well-known/acme-challenge/m5gQGgLSPrzV-gizndXORSViinyY16v7inpu5Ta1zBA [52.14.105.212]: 404

Domain: sprn.wizpms.com
Type: unauthorized
Detail: Invalid response from https://sprn.wizpms.com/.well-known/acme-challenge/7WJ9ebplKAwM-ZYvLk8hRM9tewGZxiF5wUdVirlVoD8 [52.14.105.212]: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate admin.wizpms.com with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/axis.wizpms.com.conf


Renewing an existing certificate for axis.wizpms.com
Failed to renew certificate axis.wizpms.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt


Processing /etc/letsencrypt/renewal/ravi.wizpms.com.conf


Renewing an existing certificate for ravi.wizpms.com
Failed to renew certificate ravi.wizpms.com with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/admin.wizpms.com/fullchain.pem (failure)
/etc/letsencrypt/live/axis.wizpms.com/fullchain.pem (failure)
/etc/letsencrypt/live/ravi.wizpms.com/fullchain.pem (failure)


3 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Any help?

What's in there? :slight_smile:

More importantly, what's in /etc/letsencrypt/renewal?


ubuntu@ip-172-31-44-194:/etc/letsencrypt/renewal$ ls -al
total 20
drwxr-xr-x 2 root root 4096 Jan 30 19:47 .
drwxr-xr-x 9 root root 4096 Apr 14 17:07 ..
-rw-r--r-- 1 root root 539 Jan 30 19:47 admin.wizpms.com.conf
-rw-r--r-- 1 root root 534 Jan 18 13:58 axis.wizpms.com.conf
-rw-r--r-- 1 root root 534 Jan 15 13:55 ravi.wizpms.com.conf

Show us those files.


ubuntu@ip-172-31-44-194:/etc/letsencrypt/renewal$ sudo more admin.wizpms.com.conf

renew_before_expiry = 30 days

version = 1.22.0
archive_dir = /etc/letsencrypt/archive/admin.wizpms.com
cert = /etc/letsencrypt/live/admin.wizpms.com/cert.pem
privkey = /etc/letsencrypt/live/admin.wizpms.com/privkey.pem
chain = /etc/letsencrypt/live/admin.wizpms.com/chain.pem
fullchain = /etc/letsencrypt/live/admin.wizpms.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = 41f2db8a23fe21b26b0d6b61227011e6
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory
installer = apache

Ok, apache plugin. But you get a 404. Did you modify your Apache config in the last two months?


No. I didn't.

drwxr-xr-x 2 root root 4096 Apr 14 17:07 .
drwxr-xr-x 8 root root 4096 Apr 14 17:07 ..
-rw-r--r-- 1 root root 1776 Jan 30 19:48 000-default-le-ssl.conf
-rw-r--r-- 1 root root 1616 Sep 9 2020 000-default.conf
-rw-r--r-- 1 root root 6338 Jul 16 2019 default-ssl.conf

ubuntu@ip-172-31-44-194:/etc/apache2/sites-available$ sudo more 000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf


ServerName admin.wizpms.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias axis.wizpms.com
ServerAlias capella.wizpms.com
ServerAlias sprn.wizpms.com
ServerAlias ravi.wizpms.com
ServerAlias rajan.wizpms.com
ServerAlias r2r.wizpms.com
ServerAlias borrelli.wizpms.com
ServerAlias sas01.wizpms.com
SSLCertificateFile /etc/letsencrypt/live/admin.wizpms.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/admin.wizpms.com/privkey.pem
</VirtualHost>
</IfModule>

Show me the output of apachectl -t -D DUMP_VHOSTS


ubuntu@ip-172-31-44-194:/etc/apache2/sites-available$ sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 admin.wizpms.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 ip-172-31-44-194.us-east-2.compute.internal (/etc/apache2/sites-enabled/000-default.conf:1)

Show this please :slight_smile:


ubuntu@ip-172-31-44-194:/etc/apache2/sites-enabled$ sudo more 000-default.conf

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =axis.wizpms.com [OR]
RewriteCond %{SERVER_NAME} =capella.wizpms.com [OR]
RewriteCond %{SERVER_NAME} =admin.wizpms.com [OR]
RewriteCond %{SERVER_NAME} =sprn.wizpms.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

I have no idea what's happening.

Check if dig +short a admin.wizpms.com and curl -4 ifconfig.co give the same output.

Same for dig +short aaaa admin.wizpms.com and curl -6 ifconfig.co

Also check the output of sudo ss -tlpn | grep ':80'


None of the aliases are listed.
hmm...

And the config ordering seems wonky:

Try moving the Include line down (after the aliases)

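Added example, not part of the thread: a small Python script (stdlib only) that parses the Certbot output and the two vhost files quoted above, embedded here as constructed excerpts, and cross-checks them. On this thread's data it makes three facts explicit: every name was probed at the same address, the four names the CA fetched over https are exactly the four that the *:80 RewriteCond list sends to https, and the *:80 vhost declares no ServerName or ServerAlias at all, which is what "None of the aliases are listed" refers to. The regexes are written for the directives shown on this page, not for Apache's full configuration grammar.

```python
import re
from collections import defaultdict

# Constructed sample: the nine "Detail:" lines from the Certbot output quoted in this thread.
CERTBOT_OUTPUT = """\
Detail: Invalid response from https://admin.wizpms.com/.well-known/acme-challenge/2S16kTyynnq2ANO-VAeyoBrxXRvzXoIOTu8sQzDuuCA [52.14.105.212]: 404
Detail: Invalid response from https://axis.wizpms.com/.well-known/acme-challenge/x9pK06pxV2zilAEQjmaVzq5JJlXTdsQ9DwsAPgvXNkA [52.14.105.212]: 404
Detail: Invalid response from http://borrelli.wizpms.com/.well-known/acme-challenge/W6Mw80GXwXMhsBuvAJ85Livxe3HAtqGnSvN2j6agA5w [52.14.105.212]: 404
Detail: Invalid response from https://capella.wizpms.com/.well-known/acme-challenge/g_p6YJuOKhIFFkpeiE9Luypy25Zf2iDBLFZ5l2ly4ro [52.14.105.212]: 404
Detail: Invalid response from http://r2r.wizpms.com/.well-known/acme-challenge/gIewdfL4m6tkbKt7QZY8CCRQcUoV6GxEZfy4TSkPfPI [52.14.105.212]: 404
Detail: Invalid response from http://rajan.wizpms.com/.well-known/acme-challenge/aDBI0e-v8Hbv9AzzO90Rtg2QOmilsXhWC-jeJhhZLAM [52.14.105.212]: 404
Detail: Invalid response from http://ravi.wizpms.com/.well-known/acme-challenge/nA19Sbz_7a2sr4jG2X_5pBkmQlLBqjND62h9iT6Q608 [52.14.105.212]: 404
Detail: Invalid response from http://sas01.wizpms.com/.well-known/acme-challenge/m5gQGgLSPrzV-gizndXORSViinyY16v7inpu5Ta1zBA [52.14.105.212]: 404
Detail: Invalid response from https://sprn.wizpms.com/.well-known/acme-challenge/7WJ9ebplKAwM-ZYvLk8hRM9tewGZxiF5wUdVirlVoD8 [52.14.105.212]: 404
"""

# Constructed sample: the name and redirect directives from the two vhost files in this
# thread, boilerplate comments dropped (one commented-out ServerName kept on purpose).
APACHE_CONF = """\
<VirtualHost *:80>
        #ServerName www.example.com
        DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =axis.wizpms.com [OR]
RewriteCond %{SERVER_NAME} =capella.wizpms.com [OR]
RewriteCond %{SERVER_NAME} =admin.wizpms.com [OR]
RewriteCond %{SERVER_NAME} =sprn.wizpms.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
        DocumentRoot /var/www/html
ServerName admin.wizpms.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias axis.wizpms.com
ServerAlias capella.wizpms.com
ServerAlias sprn.wizpms.com
ServerAlias ravi.wizpms.com
ServerAlias rajan.wizpms.com
ServerAlias r2r.wizpms.com
ServerAlias borrelli.wizpms.com
ServerAlias sas01.wizpms.com
</VirtualHost>
</IfModule>
"""

# One "Invalid response from <scheme>://<host>/.well-known/acme-challenge/<token> [<ip>]: <status>" line.
DETAIL_RE = re.compile(
    r"Invalid response from (?P<scheme>https?)://(?P<host>[^/]+)"
    r"/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+) \[(?P<ip>[^\]]+)\]: (?P<status>\d+)"
)
VHOST_RE = re.compile(r"<VirtualHost\s+[^:>]*:(\d+)>(.*?)</VirtualHost>", re.S)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(\S+)", re.M)   # commented lines don't match
REDIRECT_RE = re.compile(r"RewriteCond\s+%\{SERVER_NAME\}\s+=(\S+)")


def parse_certbot_failures(text):
    """One dict (scheme, host, token, ip, status) per 'Invalid response' line."""
    failures = []
    for m in DETAIL_RE.finditer(text):
        d = m.groupdict()
        d["status"] = int(d["status"])
        failures.append(d)
    return failures


def parse_vhost_names(conf):
    """Map listen port -> set of hostnames (ServerName + ServerAlias) declared in that vhost."""
    names = defaultdict(set)
    for port, body in VHOST_RE.findall(conf):
        names[int(port)].update(NAME_RE.findall(body))   # port is kept even if it has no names
    return dict(names)


def redirected_names(conf):
    """Hostnames matched by 'RewriteCond %{SERVER_NAME} =host', i.e. bounced to https on :80."""
    return set(REDIRECT_RE.findall(conf))


def analyse(certbot_text, conf):
    """Cross-check the CA's report against the Apache config; returns sets a human can act on."""
    failures = parse_certbot_failures(certbot_text)
    vhosts = parse_vhost_names(conf)
    failed = {f["host"] for f in failures}
    return {
        "ips": {f["ip"] for f in failures},                              # expect exactly one: your server
        "probed_https": {f["host"] for f in failures if f["scheme"] == "https"},
        "redirected": redirected_names(conf),
        "missing_on_80": failed - vhosts.get(80, set()),                  # names no :80 vhost claims
        "missing_on_443": failed - vhosts.get(443, set()),
    }


if __name__ == "__main__":
    for key, value in analyse(CERTBOT_OUTPUT, APACHE_CONF).items():
        print(f"{key:15} {sorted(value)}")
```

Point it at your own files by replacing the two constructed strings with `open(...).read()` of the real Certbot output and of each file under sites-enabled; a non-empty `missing_on_80` together with a `probed_https` set that equals `redirected` is the pattern seen in this thread.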

Then place a test text file in the expected challenge location.
mkdir -p /var/www/html/.well-known/acme-challenge/
echo "test" > /var/www/html/.well-known/acme-challenge/Test_File-1234

Then try accessing it from the Internet.
http://admin.wizpms.com/.well-known/acme-challenge/Test_File-1234

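Added example, not from the thread: the DNS comparison suggested a few posts up and the test-file check just above, carried out from one Python script (stdlib only) so that you see the raw status codes rather than a browser's rendered "not found". It writes the token under the docroot, resolves the A record, then fetches the challenge URL the way the CA does: straight to that IP with the Host header (and SNI on https) set, following redirects one hop at a time, and ignoring certificate errors on the https hop, since a stale certificate is often the very thing being renewed. The hostname, docroot and token are assumptions taken from this thread; run it on the server as `sudo python3 selfcheck.py admin.wizpms.com /var/www/html` (sudo only so it can write under the docroot), or pass the IP the CA reported to `trace()` to take DNS out of the picture.

```python
import http.client
import os
import socket
import ssl
import sys

CHALLENGE_PATH = "/.well-known/acme-challenge"   # URL path the CA requests
REDIRECTS = {301, 302, 303, 307, 308}


def place_test_token(docroot, token="Test_File-1234", body="test\n"):
    """Create <docroot>/.well-known/acme-challenge/<token>, world-readable; returns its path."""
    directory = os.path.join(docroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    os.chmod(path, 0o644)                         # Apache's worker must be able to read it
    return path


def resolve_a(host):
    """IPv4 addresses this machine resolves for host; compare with 'dig +short a host'."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)})


def fetch_once(host, ip, token, scheme="http", timeout=10):
    """Exactly one GET for the challenge path, sent to `ip` with Host: host (and SNI on https),
    redirects NOT followed. Returns (status, Location header or None, body)."""
    port = 443 if scheme == "https" else 80
    sock = socket.create_connection((ip, port), timeout=timeout)
    if scheme == "https":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False                # we are debugging the vhost, not trust
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock                              # pre-connected socket: connect() is skipped
    try:
        conn.request("GET", f"{CHALLENGE_PATH}/{token}",
                     headers={"Host": host, "User-Agent": "acme-self-check/0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def trace(host, token, ip=None, max_hops=3):
    """Start on http like the CA, follow up to max_hops redirects (scheme taken from Location),
    and return ([(scheme, status, location), ...], final_body)."""
    ip = ip or resolve_a(host)[0]
    scheme, steps, body = "http", [], ""
    for _ in range(max_hops):
        status, location, body = fetch_once(host, ip, token, scheme)
        steps.append((scheme, status, location))
        if status in REDIRECTS and location:
            scheme = "https" if location.lower().startswith("https://") else "http"
            continue
        break
    return steps, body


def verdict(steps, body, expected="test"):
    """Reduce a step list to one actionable line."""
    scheme, status, _ = steps[-1]
    hops = len(steps) - 1
    if status == 200 and body.strip() == expected:
        return f"OK: token served over {scheme} after {hops} redirect(s)"
    if status == 200:
        return f"WRONG BODY over {scheme}: got {body.strip()[:40]!r}, expected {expected!r}"
    if status in REDIRECTS:
        return f"REDIRECT LOOP: still redirecting after {hops + 1} hop(s)"
    return f"{status} over {scheme} after {hops} redirect(s): the vhost answering on {scheme} did not return the token"


if __name__ == "__main__":
    host, docroot = sys.argv[1], sys.argv[2]      # e.g. admin.wizpms.com /var/www/html
    path = place_test_token(docroot)
    print("placed", path, "| A records:", resolve_a(host))
    steps, body = trace(host, os.path.basename(path))
    for step in steps:
        print("  ", step)
    print(verdict(steps, body))
```

A result like `('http', 301, 'https://…')` followed by `('https', 404, None)` means the *:80 vhost answered and redirected, and the *:443 vhost answered but has no such file; the CA follows that redirect and does not validate the certificate on the https hop, so an expired certificate on :443 is not by itself what produces the 404.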

Made your changes. Getting a not-found error.


Is there any way I can delete the old certs and start fresh?


Yes, but I don't see how that will change anything.
If you can't validate now, after deleting any certs you still won't be able to validate.


I started with a couple DNS's and added more. Do you think that might have messed up things?

I don't think DNS is part of the problem.

Also: I only see two DNS servers.
