Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cloudpooch.com

I ran this command:
sudo apachectl stop
sudo certbot certonly --standalone --expand -d cloudpooch.com -d oac.cloudpooch.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate for cloudpooch.com and oac.cloudpooch.com
Performing the following challenges:
http-01 challenge for oac.cloudpooch.com
Waiting for verification...
Challenge failed for domain oac.cloudpooch.com
http-01 challenge for oac.cloudpooch.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: oac.cloudpooch.com
  Type: unauthorized
  Detail: During secondary validation: Invalid response from
  http://oac.cloudpooch.com/.well-known/acme-challenge/U5TwdJDJNZVoLUI4eSCuXgsRDdGYLNq-LW4ioTSQ-Hw
  [129.146.211.43]: "\n404 Not Found\n

  Not
  Found

  \n

  The requested URL was"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

My web server is (include version):
gunicorn (version 20.0.4)

The operating system my web server runs on is (include version):
cat /etc/os-release
NAME="Oracle Linux Server"
VERSION="7.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"

cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)

My hosting provider, if applicable, is: oracle cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No. My webserver is behind a public load balancer which already has a certificate generated by certbot. It works. I want to expand my cert and that is what is not working

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
sudo certbot --version
certbot 1.13.0

Hi @galactic_hitchhiker,

Interestingly, it seems like you have two different servers answering there, maybe behind some kind of load balancer? When I try to connect to your server with curl, it seems to alternate between one machine that says Welcome to Metrics Dashboard and one that says This is Web Server 1, and the two of them seem to be running different server software. If so, I'd guess that that's the reason for the failed challenge—when the Let's Encrypt CA tried to connect to your server to confirm your control over the domain name, it worked sometimes (because sometimes it connected to the machine running certbot --standalone) and failed sometimes (because sometimes it connected to another machine). This could also explain why it failed in secondary rather than primary validation.

OMG! You hit it on the head!
Of course, now I see it. Thanks for the second set of eyes.
I was shutting down Apache but not gunicorn.
My load balancer was still redirecting port 80 traffic to port 5000 after SSL termination and that ended up being handled by the gunicorn server so the certbot could not see it.
Once I stopped gunicorn too, everything worked like a charm.

Thank you @schoen

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.