Trying to Renew Certificate Challenges Failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: breakoutwatch.com

I ran this command: Renew Certificate in Virtualmin

It produced this output:

Validating configuration for breakoutwatch.com ..
.. no problems found

Checking hostnames for resolvability ..
.. all hostnames can be resolved

Requesting a certificate for breakoutwatch.com, www.breakoutwatch.com, mail.breakoutwatch.com, admin.breakoutwatch.com, webmail.breakoutwatch.com, autoconfig.breakoutwatch.com, autodiscover.breakoutwatch.com from Let's Encrypt ..
.. request failed : Web-based validation failed :

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Reusing existing private key from /etc/letsencrypt/live/breakoutwatch.com/privkey.pem.
Performing the following challenges:
http-01 challenge for admin.breakoutwatch.com
http-01 challenge for autoconfig.breakoutwatch.com
http-01 challenge for autodiscover.breakoutwatch.com
http-01 challenge for breakoutwatch.com
http-01 challenge for mail.breakoutwatch.com
http-01 challenge for webmail.breakoutwatch.com
http-01 challenge for www.breakoutwatch.com
Using the webroot path /home/breakoutwatch/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain admin.breakoutwatch.com
Challenge failed for domain autoconfig.breakoutwatch.com
Challenge failed for domain autodiscover.breakoutwatch.com
Challenge failed for domain breakoutwatch.com
Challenge failed for domain mail.breakoutwatch.com
Challenge failed for domain webmail.breakoutwatch.com
Challenge failed for domain www.breakoutwatch.com
http-01 challenge for admin.breakoutwatch.com
http-01 challenge for autoconfig.breakoutwatch.com
http-01 challenge for autodiscover.breakoutwatch.com
http-01 challenge for breakoutwatch.com
http-01 challenge for mail.breakoutwatch.com
http-01 challenge for webmail.breakoutwatch.com
http-01 challenge for www.breakoutwatch.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: admin.breakoutwatch.com
    Type: unauthorized
    Detail: 72.1.32.14: Invalid response from
    http://admin.breakoutwatch.com/.well-known/acme-challenge/r7Qsl4wnqvy7k2Ht602ugCXWiSFv4Hx85VoRPzhHdM0: "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n <style type=\"text/css\">\n html, body, #partne"

    Domain: autoconfig.breakoutwatch.com
    Type: unauthorized
    Detail: 18.210.31.118: Invalid response from
    http://autoconfig.breakoutwatch.com/.well-known/acme-challenge/rNPHi8KwJVhK4m50OvaWnPW48vH7uLMWUGqEUVJjaBE: "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n <style type=\"text/css\">\n html, body, #partne"

    Domain: autodiscover.breakoutwatch.com
    Type: unauthorized
    Detail: 72.1.32.14: Invalid response from
    http://autodiscover.breakoutwatch.com/.well-known/acme-challenge/zpGeI6PZ5BWKjFRbaU28dczomeHUZe82P4P0jytdr84: "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n <style type=\"text/css\">\n html, body, #partne"

    Domain: breakoutwatch.com
    Type: unauthorized
    Detail: 72.1.32.14: Invalid response from
    http://breakoutwatch.com/.well-known/acme-challenge/2M_Ju-YuF5xR28Ogagh6KPha0PP1T-gL5nfPSiel7Fk: "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n <style type=\"text/css\">\n html, body, #partne"

    Domain: mail.breakoutwatch.com
    Type: unauthorized
    Detail: 72.1.32.14: Invalid response from
    http://mail.breakoutwatch.com/.well-known/acme-challenge/OoDLL6ORVmBBMCaTgIjIdEmi2CZuQnkypM2zec_MHso: "<!DOCTYPE html>\n<html>\n <head>\n <meta charset=\"utf-8\">\n <style type=\"text/css\">\n html, body, #partne"

    Domain: webmail.breakoutwatch.com
    Type: unauthorized
    Detail: 18.210.31.118: Invalid response from
    http://webmail.breakoutwatch.com/.well-known/acme-challenge/jdU_EbkfwTlzZ5qUwykKKrqiY3uwB5f_uo3cP8mWkGE:
    "\n\n \n <meta
    charset="utf-8">\n <style type="text/css">\n
    html, body, #partne"

    Domain: www.breakoutwatch.com
    Type: unauthorized
    Detail: 18.210.31.118: Invalid response from
    http://www.breakoutwatch.com/.well-known/acme-challenge/cWMpPW-IzssNrNCelDqDws1pEGFMCtCn5wA9P71zQcM:
    "\n\n \n <meta
    charset="utf-8">\n <style type="text/css">\n
    html, body, #partne"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version): Apache version 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS

My hosting provider, if applicable, is: IOFLOOD

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Virtualmin Version 7.20.2 Pro, master admin mode

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Welcome @MikeGibbons

UPDATE: Your domain name(s) may also be expired. See: ICANN Lookup

A couple of things. The first is that these domain names have two IP addresses as A records in the DNS. That is very difficult to make work with the Certbot --webroot method. The reason is that the Let's Encrypt server may choose either of those IPs and expects the correct response. The --webroot option usually only updates the server that Certbot runs on, so half the time the LE requests won't get a valid response. You can see the different IP addresses in the series of error messages. Or, check your DNS settings.

The second problem is the HTTP challenge request is not getting the correct response ever. I tried a similar HTTP and get a "parking" page. Is your hosting account still in good standing? You should ask your hosting company why you get this parking page.

The below request should get an HTTP 404 Not Found error. Note the beginning of the error message from Certbot is the same as this, so likely Let's Encrypt is being given this same response.

curl -i http://breakoutwatch.com/.well-known/acme-challenge/Test404

HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Fri, 04 Sep 2020 16:15:54 GMT

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <style type="text/css">
            html, body, #partner, iframe {
                height:100%;
(... trimmed ...)
      <script type="text/javascript">
       document.write(
              '<script type="text/javascript" language="JavaScript"'
                 + 'src="//sedoparking.com/frmpark/'
                 + window.location.host + '/'
                 + 'tierraexpired'
                 + '/park.js">'
                 + '<\/scr
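A small diagnostic in the spirit of the curl check above, added here as an illustration and not code from the thread or from Certbot: for every address a name resolves to, it classifies the response to a random, non-existent token under /.well-known/acme-challenge/ (a healthy webroot answers 404; a 200 with HTML means a catch-all or parking page answered) and flags names with more than one address, which the webroot method cannot serve consistently. The DNS records and responses embedded below are constructed sample data, not real lookups.

```python
import re
import secrets
import urllib.error
import urllib.request
# Constructed sample input modelled on the thread (hypothetical, not real DNS data):
# two addresses per name, with a parking page answering 200 on some of them.
PARKING_HTML = ('<!DOCTYPE html>\n<html>\n <head>\n <meta charset="utf-8">\n'
                ' <style type="text/css">\n html, body, #partne')
SAMPLE_RECORDS = {"breakoutwatch.com": ["72.1.32.14", "18.210.31.118"],
                  "www.breakoutwatch.com": ["72.1.32.14", "18.210.31.118"]}
SAMPLE_RESPONSES = {
    ("breakoutwatch.com", "72.1.32.14"): (200, PARKING_HTML),
    ("breakoutwatch.com", "18.210.31.118"): (200, PARKING_HTML),
    ("www.breakoutwatch.com", "72.1.32.14"): (404, "<html>Not Found</html>"),
    ("www.breakoutwatch.com", "18.210.31.118"): (200, PARKING_HTML),
}
def probe_token() -> str:
    # Random path component: a healthy webroot must answer 404 for an unknown token.
    return secrets.token_urlsafe(32)

def classify(status: int, body: str) -> str:
    """Verdict for one response to a bogus challenge path (expected: 404 or 403)."""
    if status in (404, 403):
        return "ok: webroot reachable, unknown token rejected"
    if status == 200 and re.match(r"\s*<!DOCTYPE html", body, re.I):
        return "problem: 200 with HTML body (catch-all or parking page, not the webroot)"
    return f"problem: unexpected status {status}"
def diagnose(records: dict, responses: dict) -> list:
    """records: name -> list of A/AAAA addresses; responses: (name, ip) -> (status, body)."""
    findings = []
    for host, ips in records.items():
        if len(set(ips)) > 1:
            findings.append(f"{host}: {len(set(ips))} addresses {sorted(set(ips))}; "
                            "webroot validation needs the same webroot behind every address")
        for ip in ips:
            status, body = responses[(host, ip)]
            findings.append(f"{host} via {ip}: {classify(status, body)}")
    return findings

def live_probe(host: str, ip: str, timeout: float = 10.0) -> tuple:
    """Real probe of one address with the Host header set (needs network; unused by tests)."""
    authority = f"[{ip}]" if ":" in ip else ip
    req = urllib.request.Request(f"http://{authority}/.well-known/acme-challenge/{probe_token()}",
                                 headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read(200).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(200).decode("utf-8", "replace")
```

For a real check, feed the output of `live_probe(name, ip)` for each address returned by `dig +short A/AAAA name` into `diagnose` in place of the sample responses.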

Hello Mike
thank you for your response.
The first thing I noticed was that Firefox was denying access to my domain breakoutwatch.com because the certificate had expired.
I then went to my Virtualmin control panel and saw that automatic renewal had failed due to failed challenges. The first suggestion was that there was no IPv6 DNS entry, which I corrected, and retried the renewal, which failed again.
Several renewal attempts later I saw that letsencrypt had inserted some DNS records which I should have taken note of but didn't.

After that I could no longer access breakoutwatch.com (a virtual server under the proactech.com main server) and saw the proactech.com page you refer to.

Now my Virtualmin control panel shows my dns records have disappeared and my resolve.conf is empty.

I am now in the process of rebuilding a new server, hence the delay in responding to you.
regards,
Mike Gibbons


Who / what made the suggestion you had a missing IPv6 DNS entry? While Let's Encrypt supports IPv6 it is not required.

Without knowing exactly the error messages it is hard to say. It is possible if IPv6 was not setup properly you got a different error than originally.

First, Let's Encrypt is an ACME Server that issues certs. It does not modify your DNS ever. Now, an ACME Client, like Certbot may add / delete DNS records as part of a DNS Challenge when it requests a cert. But, I didn't see any Certbot command that used a DNS Challenge.

Again, would need more detail to say such as the Certbot command you tried and the exact error.

The DNS records used in the DNS Challenge would not affect access to the website or server. Those records have distinct subdomain parts not related to HTTP(S) access. Specifically, they start with _acme-challenge.

That is something to take up with your hosting company and or VirtualMin provider.

We'll wait to hear when you recover. Please show any command tried and the error message like you did in your first post. Thanks.
