Unable to renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portal.atg-nexus.com

I ran this command: /usr/bin/certbot renew

It produced this output: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: portal.atg-x.com
Type: unauthorized
Detail: 175.139.231.105: Invalid response from http://portal.atg-x.com/.well-known/acme-challenge/VFgF3_ZknQ41Xmo4WuDFc_j0tg48IFi0gYjRXRF8sdg: 404

My web server is (include version): Apache/2.4.37 (Oracle Linux Server)

The operating system my web server runs on is (include version): Oracle Linux 8.9

My hosting provider, if applicable, is: local (Exabytes)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, cPanel 124.0.21

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

The "404" says your Apache did not find the challenge token file that Certbot placed in the --webroot-path folder. You set this folder when you originally got your cert.

Would you show output of this

sudo certbot certificates

and this

sudo apachectl -t -D DUMP_VHOSTS

You may need httpd or apache2ctl instead of apachectl. I don't remember which one Oracle Linux uses.

2 Likes

Supplemental information:
The certificate chain being served https://decoder.link/sslchecker/portal.atg-nexus.com/443
reports "Chain Issues: The chain doesn't contain any intermediate certificates".
And here too SSL Server Test: portal.atg-nexus.com (Powered by Qualys SSL Labs)

Hi @MikeMcQ
My response below

  1. sudo certbot certificates
    [root@atgcert ~]# sudo certbot certificates
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: intranet.atg-nexus.com
Serial Number: 3032b980cebfefdb8bb5849a6c1752c7c9b
Key Type: ECDSA
Domains: intranet.atg-nexus.com
Expiry Date: 2025-01-11 15:12:14+00:00 (VALID: 2 days)
Certificate Path: /etc/letsencrypt/live/intranet.atg-nexus.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/intranet.atg-nexus.com/privkey.pem
Certificate Name: portal.atg-nexus.com
Serial Number: 43b10e15678d9575b9c1b59a65a4519baf5
Key Type: ECDSA
Domains: portal.atg-nexus.com
Expiry Date: 2025-01-11 21:59:15+00:00 (VALID: 2 days)
Certificate Path: /etc/letsencrypt/live/portal.atg-nexus.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/portal.atg-nexus.com/privkey.pem
Certificate Name: portal.atg-x.com
Serial Number: 49b1b75b7a23e9957ae648aa229689b45fd
Key Type: ECDSA
Domains: portal.atg-x.com
Expiry Date: 2025-01-10 15:40:10+00:00 (VALID: 1 day)
Certificate Path: /etc/letsencrypt/live/portal.atg-x.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/portal.atg-x.com/privkey.pem


  2. sudo httpd -t -D DUMP_VHOSTS
    [Thu Jan 09 14:49:36.142047 2025] [so:warn] [pid 66691:tid 140128022276416] AH01574: module proxy_module is already loaded, skipping
    [Thu Jan 09 14:49:36.142098 2025] [so:warn] [pid 66691:tid 140128022276416] AH01574: module proxy_http_module is already loaded, skipping
    [Thu Jan 09 14:49:36.142112 2025] [so:warn] [pid 66691:tid 140128022276416] AH01574: module headers_module is already loaded, skipping
    AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.1.82. Set the 'ServerName' directive globally to suppress this message
    VirtualHost configuration:
    *:80 atgcert (/etc/httpd/conf.d/portal.atg-nexus.com.conf:20)
    *:443 atgcert (/etc/httpd/conf.d/ssl.conf:3)

Would you now show contents of this

/etc/letsencrypt/renewal/portal.atg-x.com.conf

And this one

/etc/httpd/conf.d/portal.atg-nexus.com.conf
1 Like
  1. /etc/letsencrypt/renewal/portal.atg-x.com.conf
# renew_before_expiry = 30 days
version = 2.11.0
archive_dir = /etc/letsencrypt/archive/portal.atg-x.com
cert = /etc/letsencrypt/live/portal.atg-x.com/cert.pem
privkey = /etc/letsencrypt/live/portal.atg-x.com/privkey.pem
chain = /etc/letsencrypt/live/portal.atg-x.com/chain.pem
fullchain = /etc/letsencrypt/live/portal.atg-x.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 110dc02ffc01472ec4d0e1a5f483ce51
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
  2. /etc/httpd/conf.d/portal.atg-nexus.com.conf
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 120

# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive Off

# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
MaxKeepAliveRequests 100

# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
KeepAliveTimeout 15

Listen *:80

<VirtualHost *:80>

  ServerName atgcert
  ServerAlias portal.atg-nexus.com
  
  DocumentRoot /var/www/portal.atg-nexus.com/html/

  ErrorLog /var/log/httpd/portal.atg-nexus.com_error.log
  CustomLog /var/log/httpd/portal.atg-nexus.com.log combined
  
  # Enable the rewrite engine for HTTPS redirection
  RewriteEngine on
  
  # Redirect all requests to HTTPS if they are for portal.atg-nexus.com
  RewriteCond %{SERVER_NAME} =portal.atg-nexus.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]

</VirtualHost>

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so

# Enable Reverse Proxy
ProxyPreserveHost On

# Removes the Origin header to avoid potential CORS restrictions.
RequestHeader unset Origin

ProxyPass /redmine http://192.168.1.20/redmine
ProxyPassReverse /redmine http://192.168.1.20/redmine

ProxyPass /eClaim http://192.168.1.38/eClaim
ProxyPassReverse /eClaim http://192.168.1.38/eClaim

ProxyPass /eLeave http://192.168.1.38/eLeave
ProxyPassReverse /eLeave http://192.168.1.38/eLeave

# For APEX Sales
ProxyPass /sales/login http://192.168.1.85:8089/ords/sales/r/sales/login
ProxyPassReverse /sales/login http://192.168.1.85:8089/ords/sales/r/sales/login

# For APEX Source Tracking File
ProxyPass /source-file-tracking/login http://192.168.1.85:8089/ords/sourcecode/r/source-file-tracking/login
ProxyPassReverse /source-file-tracking/login http://192.168.1.85:8089/ords/sourcecode/r/source-file-tracking/login

# For ORDS file
ProxyPass /ords http://192.168.1.85:8089/ords
ProxyPassReverse /ords http://192.168.1.85:8089/ords

# For Images
ProxyPass /i http://192.168.1.85:8089/i
ProxyPassReverse /i http://192.168.1.85:8089/i

# For APEX Opportunity Tracker
#ProxyPass /opportunity_tracker/login http://192.168.1.68:8080/ords/development/r/opportunity_tracker/login
#ProxyPassReverse /opportunity_tracker/login http://192.168.1.68:8080/ords/development/r/opportunity_tracker/login

#ProxyPass /ords http://192.168.1.68:8080/ords
#ProxyPassReverse /ords http://192.168.1.68:8080/ords

#ProxyPass /i http://192.168.1.68:8080/i
#ProxyPassReverse /i http://192.168.1.68:8080/i

#Include conf.d/opportunity_tracker.atg-nexus.com.conf

The reason for the 404 (HTTP Not Found) is the --webroot-path does not match the DocumentRoot for the VirtualHost handling incoming HTTP requests on port 80.

Usually there is one VirtualHost for each related set of domain names for the same port. Yet, in your Apache there is only one VirtualHost for port 80 and it names portal.atg-nexus.com. This is not the same as the domain name renewal that fails. Since you have only one this becomes the default VHost for all requests (per Apache rules).

It is technically allowed to have just one VHost and act as default for various (un-named) domains but it is usually poor practice. And, all domains handled by that Apache now get processed by that same VirtualHost code. Including the DocumentRoot (which we can see does not match what you had before).

What has changed about your Apache config since you last got a good cert? Because from what I see this could never have worked to get your first cert (or a prior renewal).

I am logging off for the night but hopefully this is enough for you to figure out what changed with your system.

2 Likes
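One way to catch this mismatch before running `certbot renew`, as an added example that is not from the thread or from Certbot's own code: it parses the two files shown above (the renewal conf and the Apache vhost conf), applies Apache's default-vhost rule to find which DocumentRoot will answer the port-80 HTTP-01 request for the domain, and compares it with the webroot Certbot will write the token into. The sample inputs are constructed to mirror the thread.

```python
import re

# Constructed sample inputs mirroring the thread: certbot's renewal conf points at
# /var/www/html, while the only *:80 VirtualHost serves a different DocumentRoot.
RENEWAL_CONF = "[renewalparams]\nauthenticator = webroot\nwebroot_path = /var/www/html,\n[[webroot_map]]\n"
APACHE_CONF = """<VirtualHost *:80>
  ServerName atgcert
  ServerAlias portal.atg-nexus.com
  DocumentRoot /var/www/portal.atg-nexus.com/html/
</VirtualHost>"""

def parse_renewal_conf(text):
    """Read webroot_path (certbot writes it comma-terminated) and [[webroot_map]] entries."""
    paths, webroot_map, section = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif "=" in line and not line.startswith("#"):
            key, _, value = (s.strip() for s in line.partition("="))
            if section == "webroot_map":
                webroot_map[key] = value
            elif key == "webroot_path":
                paths = [p for p in value.split(",") if p]  # drop the trailing empty item
    return paths, webroot_map

def parse_vhosts(text):
    """Collect address, ServerName/ServerAlias names and DocumentRoot per <VirtualHost>."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", text, re.S):
        body = m.group(2)
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M)
        root = re.search(r"^\s*DocumentRoot\s+\"?([^\"\s]+)", body, re.M)
        vhosts.append({"addr": m.group(1).strip(), "docroot": root.group(1) if root else None,
                       "names": [n for line in names for n in line.split()]})
    return vhosts

def vhost_for(vhosts, domain, port="80"):
    """Apache rule: first name match on the port, else the first vhost on that port (the default)."""
    on_port = [v for v in vhosts if v["addr"].endswith(":" + port)]
    return next((v for v in on_port if domain in v["names"]), on_port[0] if on_port else None)

def check_webroot(domain, renewal_text, apache_text):
    """Return (matches, certbot_webroot, apache_docroot); a mismatch predicts the 404."""
    paths, webroot_map = parse_renewal_conf(renewal_text)
    webroot = webroot_map.get(domain) or (paths[0] if paths else None)
    vhost = vhost_for(parse_vhosts(apache_text), domain)
    docroot = vhost["docroot"] if vhost else None
    norm = lambda p: p.rstrip("/") if p else None
    return norm(webroot) == norm(docroot), webroot, docroot
```

For an end-to-end check against the real server, `certbot renew --dry-run` exercises the same challenge path against the staging environment without touching the live certificate.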

Hi @MikeMcQ

Actually I have multiple names, such as portal.atg-nexus.com, portal.atg-x.com and intranet.atg-nexus.com. It was due to not having proper knowledge about managing a web server with multiple names. I just thought that by doing this it would allow me to troubleshoot easily. This is more like trial and error, I would say.

Oh ya! I didn't realize there is another config on renewal directory.

Let me check on that.

Thanks again!

Hi @MikeMcQ

TQ SO MUCHHH for your help.

Yes, that is exactly the issue. I didn't know that the webroot path in the renewal directory needed to be changed.

Thanks a lot mate. Have a great weekend!!

[root@atgcert ~]# /usr/bin/certbot renew --cert-name portal.atg-nexus.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/portal.atg-nexus.com.conf


Renewing an existing certificate for portal.atg-nexus.com


Congratulations, all renewals succeeded:
/etc/letsencrypt/live/portal.atg-nexus.com/fullchain.pem (success)


2 Likes