Sudo cerbot renew error:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command:sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)
1 renew failure(s), 0 parse failure(s)

My web server is (include version):apache2 2.4.9

The operating system my web server runs on is (include version):
Ubuntu 18.04.5 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): version 1.9.0

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

1 Like

Is there any hint of a problem either in the letsencrypt.log or in the apache error log (names vary by distribution; you can find the name in /etc/httpd/httpd.conf)? If you dig into the apache error log, look for "well-known" as part of a URL. If that request produces an error, you may have found the problem.


i looked at logs in letsencrypt and apache and nothing jumps out

1 Like

Welcome to the Let's Encrypt Community, William :slightly_smiling_face:

Can you please provide the full output of certbot?

Certificate History

1 Like

The basic sequence for HTTP-01 challenge is

  1. certbot makes a renewal request to the certificate issuing service, which responds with a random-ish looking string
  2. certbot uses this to satisfy the challenge (proving that it has control of the server for which it is requesting the certificate). The challenge results are stored in the HTTP server's directory so that a URL like{incomprehensible_string} will fetch the proper result and verify that certbot is making a valid request.
  3. Once that test is passed, the issuing service renews the certificate, and passes it to certbot, which installs it where it needs to go.

Since the challenge failed, either there is not a .well-known/ folder, or certbot didn't put the correct stuff in it, or something else got in the way of allowing the certificate authority to fetch the challenge response.

So, first, check if the .well-known folder is in your web-server's root directory.
Second, make sure that there is not some sort of firewall blockage between your server and the public internet.

If both of those are OK, you should be able to see the GET requests in your HTTPD access_log for .well-known/{incomprehensible_string}. Those requests ought to return a status code of 200. If, instead, they return a 4xx or 5xx status, you'll have to figure out why the web server is returning that status.

BTW, I just found and ran a check using the site It thinks your server is set up correctly, so maybe I've just given you TMI.



You're on the right track. :slightly_smiling_face:

Without the full error message, there are several error paths to consider.

I suspect a nonstandard webroot too.

The 404 on port 80 for is a great start though.

Curiously, a newer Let's Encrypt certificate (that is also expired) was previously generated, but is not currently installed. I also wonder about the Amazon certificate.

1 Like

Hi @huntw000

if you use that authenticator and if that doesn't work, Certbot doesn't understand your configuration.

What says

apachectl -S
1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.