Some challenges have failed when trying to renew certificate

My domain is: psxtrophies.com.br

I ran this command: sudo certbot renew --force-renewal --cert-name psxtrophies.com.br

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificate found with name psxtrophies.com.br (expected /etc/letsencrypt/renewal/psxtrophies.com.br.conf).
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx 1.18

The operating system my web server runs on is (include version): ubuntu 22

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21

I do not have the domain in the renewal folder. I tried to recreate it without success.

Also, when I run "certbot certificates" the domain's certificate is not listed despite the fact that I do have one valid certificate currently.

Please, any help.

Welcome to the Let's Encrypt Community.

Can you show us the output of which certbot and snap list | grep certbot?


which certbot => /usr/bin/certbot

snap list => command not found

That rules out my theory that you may have had multiple conflicting certbot installations.

It is best to avoid that option. It is a good way to run into rate limits.

On your live site, I am seeing a certificate from Google Trust Services not Let's Encrypt. Is that the server you are working on?


It looks like your DNS has the wrong IP addresses.

The IPv6 (AAAA record) address looks like it was set up by Hostinger for one of their services.

Your IPv4 (A record) address does not respond on either HTTP (port 80) or HTTPS (port 443).

You must have a working server to get a cert with an HTTP Challenge. And, as @linkp noted, you recently got a cert from Google CA too. That might have been for the Hostinger service.

Would you explain more about what you are doing?

Here is some extra info about Hostinger DNS and IPv6: How to manage AAAA records | Hostinger Help Center

And use this site to test connections:
https://letsdebug.net

This response on your IPv6 address is why I know Hostinger is involved:

curl -I6 -m8 http://psxtrophies.com.br
HTTP/1.1 301 Moved Permanently
server: LiteSpeed
location: https://psxtrophies.com.br/
platform: hostinger
panel: hpanel

Please show the output of the command:

sudo certbot certificates

It did not respond because I needed to turn nginx off to run certbot commands.

I turned it on now and tested using letsdebug and got this.

About Hostinger: I got this domain from Hostinger, and the domain was set by default to their servers; then I changed the DNS to point to my VPS.

Only the .tech domain appears, not .com.br.

This is most likely coming from the Hostinger services, where I have my VPS and domain.

No, if you have a working webserver like nginx it is best to use the --nginx or --webroot methods. This allows you to keep nginx running for Certbot commands. It sounds like you used the --standalone option, which requires nginx to be stopped. But --standalone is not the best way for your situation.

I see you fixed your DNS so you now only have an A IPv4 address. And, I also see your .com.br and .tech domains are using a current Let's Encrypt cert for HTTPS.

So, it all seems to be working. Is there anything else you need help with?


Yeah, you're right. I removed the AAAA which was pointing to the Hostinger standard server and causing the issue. Thanks for the support, guys!

One last question, can I keep the domain without AAAA? Are there any disadvantages?


Only that you don't support people wanting to use IPv6. So, you could see if Hostinger supports that for your nginx setup. Then set the AAAA record for your nginx and configure nginx to listen for IPv6 connections. And lastly ensure you have a way to test IPv6 connections. Sometimes people only test IPv4 and don't notice if something has gone wrong with their IPv6 config.

While IPv6 is a good thing to support, many sites still only support IPv4.

5 Likes
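
The IPv4/IPv6 check suggested in the reply above, as an added example that is not part of any post in this thread: it reuses the thread's curl -I6 -m8 probe for both address families and flags a domain whose A and AAAA records are answered by different server software. The function names and the nginx sample headers are assumptions constructed for illustration; comparing the Server header is a heuristic, not proof that both records reach the same host.

```shell
#!/bin/sh
# Added example (not from the thread): compare the HTTP answer a domain gives
# over IPv4 with the one it gives over IPv6.

# header_value NAME: read HTTP response headers on stdin and print the value
# of header NAME (case-insensitive), stripping the trailing CR curl leaves.
header_value() {
    awk -v want="$1" -F': *' '
        { sub(/\r$/, "") }
        tolower($1) == tolower(want) { sub(/^[^:]*: */, ""); print; exit }'
}

# compare_families V4_HEADERS V6_HEADERS: print a verdict and return
#   0 = both families report the same Server header
#   1 = both answer, but with different Server headers (A and AAAA diverge)
#   2 = at least one family returned no HTTP response at all
compare_families() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "UNREACHABLE"; return 2; }
    s4=$(printf '%s\n' "$1" | header_value server)
    s6=$(printf '%s\n' "$2" | header_value server)
    if [ "$s4" = "$s6" ]; then
        echo "MATCH server=$s4"; return 0
    fi
    echo "MISMATCH ipv4=$s4 ipv6=$s6"; return 1
}

# probe DOMAIN: live check using the same curl flags quoted in the thread.
probe() {
    v4=$(curl -sI4 -m8 "http://$1" || true)
    v6=$(curl -sI6 -m8 "http://$1" || true)
    compare_families "$v4" "$v6"
}

# Constructed sample input: the IPv6 headers mirror the LiteSpeed reply quoted
# in the thread; the IPv4 headers are an assumed nginx reply.
SAMPLE_V6='HTTP/1.1 301 Moved Permanently
server: LiteSpeed
location: https://psxtrophies.com.br/
platform: hostinger'
SAMPLE_V4='HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: text/html'

# With a domain argument, probe it live; without one, run the offline sample.
if [ "$#" -gt 0 ]; then
    probe "$1"
else
    compare_families "$SAMPLE_V4" "$SAMPLE_V6" || true
fi
```

A domain with no AAAA record at all reports UNREACHABLE here, which is expected for an IPv4-only site and only a problem once an AAAA record has been published.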

Thanks. That was very helpful!


Then it doesn't make much sense to run a renew command with a --cert-name that does not exist. 🙂

Also, please do not use --force-renewal to magically "force" something that's not really forceable.
