I read the sticky but am not sure that's my problem. My renewals have been fine until now but now have the error - The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80
My domain is:
13qw@duckdns.org
I ran this command:
sudo systemctl stop wire-pod
# to stop a server which uses port 80
[no output]
sudo certbot renew --force-renewal
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/13qw.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for 13qw.duckdns.org
Failed to renew certificate 13qw.duckdns.org with error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/failed-validation-limit/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/13qw.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
I don't run a standalone server
The operating system my web server runs on is (include version):
Debian 11 (PiOS)
My hosting provider, if applicable, is:
Duckdns
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.10.0
Maybe not
Please stop trying --force-renewal. It usually causes more problems than it helps, which is what has happened now. It is useful only in special circumstances and then used only once, not over and over.
You are now blocked from LE production for an hour due to too many failures.
We need to know why it failed the first time. Once you get a failure the best way to test is with this. It uses the Let's Encrypt Staging system which allows more such failures and will not affect your existing production cert.
sudo certbot renew --dry-run
You can try that now and show us the result
4 Likes
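The advice in the reply above, as an added example that is not part of the original thread: a renewal wrapper that validates against staging with --dry-run before making one production attempt, and stops on a rateLimited error instead of retrying. The SERVICE and CERTBOT variables and the function names are assumptions; certbot's --pre-hook and --post-hook take the place of the manual systemctl stop.

```shell
#!/bin/sh
# Added example, not from the thread. SERVICE and CERTBOT are assumed names;
# CERTBOT can be pointed at a stub to exercise the logic without certbot.
SERVICE="${SERVICE:-wire-pod}"   # service that normally listens on port 80
CERTBOT="${CERTBOT:-certbot}"

# Classify certbot output (read from stdin) into one keyword.
classify_output() {
    case "$(cat)" in
        *urn:ietf:params:acme:error:rateLimited*) echo rate_limited ;;
        *"renewals succeeded"*)                   echo success ;;
        *"No renewals were attempted"*)           echo not_due ;;
        *)                                        echo failed ;;
    esac
}

# Run one renewal pass; extra arguments (e.g. --dry-run) go to certbot.
# The hooks free port 80 for the standalone authenticator and restore it.
run_renew() {
    "$CERTBOT" renew "$@" \
        --pre-hook "systemctl stop $SERVICE" \
        --post-hook "systemctl start $SERVICE" 2>&1
}

# Staging first; production only once, and never with --force-renewal.
# Returns 0 on success or not due, 1 on failure, 2 if rate limited.
safe_renew() {
    out="$(run_renew --dry-run)" || true
    if [ "$(printf '%s' "$out" | classify_output)" != success ]; then
        printf '%s\n' "$out" >&2
        echo "dry run failed; fix validation before touching production" >&2
        return 1
    fi
    out="$(run_renew)" || true
    printf '%s\n' "$out"
    case "$(printf '%s' "$out" | classify_output)" in
        success|not_due) return 0 ;;
        rate_limited)
            echo "rate limited; wait before retrying, do not loop" >&2
            return 2 ;;
        *)  return 1 ;;
    esac
}

# Run only when asked (as root), so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then safe_renew; fi
```

Invoke it as root with the single argument --run; without it the file only defines the functions.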
Got it - I have no idea where I picked that up from. My renewal procedure is saved in org-Roam, so I use the same commands each time.
Result of that is:
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/13qw.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for 13qw.duckdns.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/13qw.duckdns.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
rg305
May 2, 2024, 4:10pm
4
What shows?:
certbot certificates
2 Likes
sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: 13qw.duckdns.org
Serial Number: 4d4f2e964d3633792a8cad54d478f1a634f
Key Type: ECDSA
Domains: 13qw.duckdns.org
Expiry Date: 2024-05-08 21:43:02+00:00 (VALID: 6 days)
Certificate Path: /etc/letsencrypt/live/13qw.duckdns.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/13qw.duckdns.org/privkey.pem
rg305
May 2, 2024, 4:19pm
6
Let's have a look at this file:
2 Likes
sudo cat /etc/letsencrypt/renewal/13qw.duckdns.org.conf
# renew_before_expiry = 30 days
version = 2.8.0
archive_dir = /etc/letsencrypt/archive/13qw.duckdns.org
cert = /etc/letsencrypt/live/13qw.duckdns.org/cert.pem
privkey = /etc/letsencrypt/live/13qw.duckdns.org/privkey.pem
chain = /etc/letsencrypt/live/13qw.duckdns.org/chain.pem
fullchain = /etc/letsencrypt/live/13qw.duckdns.org/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = d2c97bbcc94183660d9efd6859debac9
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
rg305
May 2, 2024, 4:25pm
8
It is difficult to break standalone...
Let's review the whole LE logfile and see what happened exactly.
/var/log/letsencrypt/letsencrypt.log
1 Like
sudo cat /var/log/letsencrypt/letsencrypt.log
2024-05-02 17:14:44,172:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2024-05-02 17:14:44,838:DEBUG:certbot._internal.main:certbot version: 2.10.0
2024-05-02 17:14:44,839:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/3698/bin/certbot
2024-05-02 17:14:44,839:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2024-05-02 17:14:44,840:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-05-02 17:14:44,976:DEBUG:certbot._internal.log:Root logging level set at 30
2024-05-02 17:14:45,024:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2024-05-02 17:14:45,089:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2024-05-02 17:14:45,094:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/live/13qw.duckdns.org/cert.pem is signed by the certificate's issuer.
2024-05-02 17:14:45,095:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/13qw.duckdns.org/cert.pem is: OCSPCertStatus.GOOD
2024-05-02 17:14:45,107:DEBUG:certbot._internal.display.obj:Notifying user: Found the following certs:
Certificate Name: 13qw.duckdns.org
Serial Number: 4d4f2e964d3633792a8cad54d478f1a634f
Key Type: ECDSA
Domains: 13qw.duckdns.org
Expiry Date: 2024-05-08 21:43:02+00:00 (VALID: 6 days)
Certificate Path: /etc/letsencrypt/live/13qw.duckdns.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/13qw.duckdns.org/privkey.pem
rg305
May 2, 2024, 4:36pm
10
Surely, there is [much] more to that log file [than just 19 lines].
1 Like
You can see the command I ran sudo cat /var/log/letsencrypt/letsencrypt.log and the result?
Is that just the log of the dry run perhaps?
rg305
May 2, 2024, 5:10pm
12
perhaps...
but it seems incomplete [even for that]
1 Like
So I renewed again - (to try and generate a log file) and it worked
sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/13qw.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for 13qw.duckdns.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded:
/etc/letsencrypt/live/13qw.duckdns.org/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Must've been a glitch somewhere
1 Like
rg305
May 2, 2024, 5:11pm
14
hmm...
Glad to have helped [tried to help]
Cheers from Miami
2 Likes
No worries, thanks a lot (from England)
2 Likes
Weird, I have the same exact problem, but mine still gives the same error, sadly.
rg305
May 2, 2024, 5:36pm
17
Please open a new topic to discuss your specific problem.
4 Likes