Unable to renew SSL for subdomain

Hello,

I have renewed the last 3 times with this method, but this time I am unable to. I am posting my domain name as "example.com" instead of the actual domain name. Please help me out if you can.

My domain is: example.com

I ran this command: /usr/bin/certbot renew

It produced this output:

[root@ip-172-31-14-130 /]# /usr/bin/certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/example.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for subdomain.example.com and 3 more domains
Performing the following challenges:
http-01 challenge for subdomain.example.com
http-01 challenge for www.subdomain.example.com
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Challenge failed for domain subdomain.example.com
Challenge failed for domain www.subdomain.example.com
http-01 challenge for subdomain.example.com
http-01 challenge for www.subdomain.example.com
Cleaning up challenges
Failed to renew certificate example.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: subdomain.example.com
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge. Expected
    "BGhayPEmTkBXH4_GtCUy4P66aRQnPZwf_1_HB7ipPI8.glxV6wehIZ878lzgca09O_0nEEa33A1ACmJbrQcAfgU"
    (got
    "z0wbRWvXAM1liHkXKXz3IyPwAH3CwB3Xodv_59bi6hQ.glxV6wehIZ878lzgca09O_0nEEa33A1ACmJbrQcAfgU")

    Domain: www.subdomain.example.com
    Type: unauthorized
    Detail: The key authorization file from the server did not match
    this challenge. Expected
    "ihZUwPomu3azGllagZtC4J1ko4XkkHVbc0aXErO6x4w.glxV6wehIZ878lzgca09O_0nEEa33A1ACmJbrQcAfgU"
    (got
    "z0wbRWvXAM1liHkXKXz3IyPwAH3CwB3Xodv_59bi6hQ.glxV6wehIZ878lzgca09O_0nEEa33A1ACmJbrQcAfgU")

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    =====================

My web server is (include version): Apache/2.4.55

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0
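The Expected/got detail in the output above says more than the generic "check your DNS A/AAAA records" hint. A key authorization is `<token>.<account-key-thumbprint>`: the token is unique per challenge, while the thumbprint is derived from the ACME account key and so is the same for every challenge in one renewal. In both failures the served file carries the right thumbprint but a different token, which means this Apache answered the request with the file certbot had placed for another name in the same renewal, i.e. the request for subdomain.example.com was routed to some other VirtualHost. As an added example, not part of the original thread, here is a POSIX shell script that splits the two strings from the post and classifies the mismatch; the `fetch_keyauth` helper and its use of `curl` are an assumption about how one would probe a live host and are not invoked here.

```shell
#!/bin/sh
# Added diagnostic for http-01 "key authorization file ... did not match" errors.
# A key authorization is "<token>.<thumbprint>": the token is per challenge, the
# thumbprint is the SHA-256 JWK thumbprint of the ACME account key (identical for
# every challenge of one account).  The two strings below are copied from the post.
EXPECTED_SUB="BGhayPEmTkBXH4_GtCUy4P66aRQnPZwf_1_HB7ipPI8.glxV6wehIZ878lzgca09O_0nEEa33A1ACmJbrQcAfgU"
GOT_SUB="z0wbRWvXAM1liHkXKXz3IyPwAH3CwB3Xodv_59bi6hQ.glxV6wehIZ878lzgca09O_0nEEa33A1ACmJbrQcAfgU"

# diagnose_keyauth EXPECTED GOT -> prints one word describing the mismatch
diagnose_keyauth() {
    expected=$1
    got=$2
    case "$expected" in
        *.*) ;;
        *) echo "invalid-expected"; return 1 ;;
    esac
    if [ -z "$got" ]; then
        # Empty body: 404, connection failure, firewall, etc.
        echo "not-served"
        return 0
    fi
    case "$got" in
        *.*) ;;
        # No dot at all: an HTML page, redirect body or error page came back.
        *) echo "not-a-keyauth"; return 0 ;;
    esac
    exp_token=${expected%%.*}; exp_thumb=${expected#*.}
    got_token=${got%%.*};      got_thumb=${got#*.}
    if [ "$exp_token" = "$got_token" ] && [ "$exp_thumb" = "$got_thumb" ]; then
        echo "match"
    elif [ "$exp_thumb" = "$got_thumb" ]; then
        # Same account, different challenge: the host served the file certbot wrote
        # for another name in this renewal, so the request reached the wrong
        # VirtualHost (typically the port-80 default).  Not a DNS problem.
        echo "wrong-vhost-same-account"
    else
        # A different ACME account answered: DNS points at another machine, or
        # another ACME client is running on this one.
        echo "different-account-or-host"
    fi
}

# fetch_keyauth HOST TOKEN -> body served at the challenge URL
# (assumed probe helper; needs network, so it is defined but not called here)
fetch_keyauth() {
    curl -sS -L --max-time 10 "http://$1/.well-known/acme-challenge/$2"
}

diagnose_keyauth "$EXPECTED_SUB" "$GOT_SUB"
```

Run against the strings from the post it prints `wrong-vhost-same-account`; on a live host you would pair it with `fetch_keyauth subdomain.example.com "${EXPECTED_SUB%%.*}"` while a challenge file is in place.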

Hi @systemtn, and welcome to the LE community forum :)

Without the actual domain, our help will be rather limited.

That said, let's have a look at this file - so that we can better understand what certbot was doing:

Also, since we are dealing with Apache, I always start with this step to review the name:port assignments:
sudo apachectl -t -D DUMP_VHOSTS


Thank you for the prompt response. Really appreciated.

Here is the output of the file /etc/letsencrypt/renewal/example.com.conf

[root@ip-172-31-14-130 /]# cat /etc/letsencrypt/renewal/example.com.conf

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
chain = /etc/letsencrypt/live/example.com/chain.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = a12cf73a26667a15865bbd8f9a4996d1
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory

=================
And output of the apachectl -t -D DUMP_VHOSTS

[root@ip-172-31-14-130 /]# apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:80                   is a NameVirtualHost
         port 80 namevhost example.com (/etc/httpd/sites-enabled/examplecom.conf:1)
                 alias www.example.com
*:443                  is a NameVirtualHost
         default server ip-172-31-14-130.ap-south-1.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost ip-172-31-14-130.ap-south-1.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost subdomain.example.com (/etc/httpd/sites-enabled/subdomainexamplecom443.conf:1)
                 alias www.subdomain.example.com
         port 443 namevhost example.com (/etc/httpd/sites-enabled/examplecom443.conf:1)
                 alias www.example.com

=================
Thank you.


Looks like you lost the VirtualHost config for these two names for port 80. You only have port 443 VHosts.

Requests to port 80 would then be handed by your default VHost which is often not right.

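The reading of DUMP_VHOSTS above can be automated, which helps when the dump is long. As an added example (not from the thread), a POSIX shell script that parses the DUMP_VHOSTS text posted earlier (embedded as a constructed sample) and prints every name declared on *:443 but absent from *:80. It also accepts the one-vhost-per-port line form (`*:80  name (file:line)`) that DUMP_VHOSTS prints when a port is not name-based, which this thread's output does not show.

```shell
#!/bin/sh
# Added example: list names that have a *:443 VirtualHost but no *:80 one.
# http-01 is always validated over port 80, so such names are answered by the
# port-80 default VirtualHost, which is what broke the renewal in this thread.

# Constructed sample: the second DUMP_VHOSTS output from the thread.
DUMP_VHOSTS_SAMPLE='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server anotherdomain.com (/etc/httpd/sites-enabled/anotherdomaincom.conf:1)
         port 80 namevhost anotherdomain.com (/etc/httpd/sites-enabled/anotherdomaincom.conf:1)
                 alias www.anotherdomain.com
         port 80 namevhost example.com (/etc/httpd/sites-enabled/examplecom.conf:1)
                 alias www.example.com
*:443                  is a NameVirtualHost
         default server ip-172-31-14-130.ap-south-1.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost ip-172-31-14-130.ap-south-1.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost subdomain.example.com (/etc/httpd/sites-enabled/subdomainexamplecom443.conf:1)
                 alias www.subdomain.example.com
         port 443 namevhost anotherdomain.com (/etc/httpd/sites-enabled/anotherdomaincom443.conf:1)
                 alias www.anotherdomain.com
         port 443 namevhost example.com (/etc/httpd/sites-enabled/examplecom443.conf:1)
                 alias www.example.com'

# names_on_port PORT [DUMP] -> ServerName and ServerAlias values on PORT, sorted, unique
names_on_port() {
    port=$1
    dump=${2:-$DUMP_VHOSTS_SAMPLE}
    printf '%s\n' "$dump" | awk -v p="$port" '
        # Section header: "*:80 is a NameVirtualHost" or "10.0.0.1:443 is a NameVirtualHost".
        # The non-name-based form "*:80 example.com (file:line)" is header and vhost at once.
        $1 ~ /:[0-9]+$/ {
            cur = $1; sub(/^.*:/, "", cur)
            if ($2 != "is" && cur == p) print $2
            next
        }
        cur == p && $1 == "port" && $3 == "namevhost" { print $4 }
        cur == p && $1 == "alias"                     { print $2 }
    ' | sort -u
}

# missing_port80_names [DUMP] -> names present on *:443 but not on *:80
missing_port80_names() {
    {
        names_on_port 80  "$1" | sed 's/^/80 /'
        names_on_port 443 "$1" | sed 's/^/443 /'
    } | awk '$1 == "80" { on80[$2] = 1 }
             $1 == "443" && !($2 in on80) { print $2 }'
}

missing_port80_names
```

On the sample this prints the instance's internal hostname (only the ssl.conf default vhost carries it) plus `subdomain.example.com` and `www.subdomain.example.com`, the two names whose challenges failed. On the server itself: `missing_port80_names "$(apachectl -t -D DUMP_VHOSTS 2>&1)"`.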

Thank you so much for the update.

Please note that there is another domain hosted, and that domain is using a PAID SSL certificate from COMODO. I removed that line before posting here. Posting the full output again:

[root@ip-172-31-14-130 /]# apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server anotherdomain.com (/etc/httpd/sites-enabled/anotherdomaincom.conf:1)
         port 80 namevhost anotherdomain.com (/etc/httpd/sites-enabled/anotherdomaincom.conf:1)
                 alias www.anotherdomain.com
         port 80 namevhost example.com (/etc/httpd/sites-enabled/examplecom.conf:1)
                 alias www.example.com
*:443                  is a NameVirtualHost
         default server ip-172-31-14-130.ap-south-1.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost ip-172-31-14-130.ap-south-1.compute.internal (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost subdomain.example.com (/etc/httpd/sites-enabled/subdomainexamplecom443.conf:1)
                 alias www.subdomain.example.com
         port 443 namevhost anotherdomain.com (/etc/httpd/sites-enabled/anotherdomaincom443.conf:1)
                 alias www.anotherdomain.com
         port 443 namevhost example.com (/etc/httpd/sites-enabled/examplecom443.conf:1)
                 alias www.example.com

========================
I am facing the issue only with subdomain.example.com and www.subdomain.example.com.

Yes, and why doesn't your DUMP_VHOSTS show those names in the *:80 section?

As I said before, it looks like you lost a VirtualHost config file for those two names.

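What the missing file needs to contain, as an added example rather than the poster's actual fix: the names and port come from the DUMP_VHOSTS output above, while the file name, DocumentRoot and log paths are assumptions. The RewriteCond keeps `/.well-known/acme-challenge/` on plain HTTP so validation is answered directly by this vhost; Let's Encrypt does follow redirects to https, so a bare redirect would also validate, but the exclusion keeps renewal independent of whatever certificate the *:443 vhost currently holds.

```apache
# /etc/httpd/sites-enabled/subdomainexamplecom.conf
# Assumed file name, parallel to the existing subdomainexamplecom443.conf
# shown in the DUMP_VHOSTS output.
<VirtualHost *:80>
    ServerName  subdomain.example.com
    ServerAlias www.subdomain.example.com

    # Assumed path; point it at the same directory the *:443 vhost serves.
    DocumentRoot /var/www/subdomain.example.com

    # Send everything except ACME validation requests to https.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Assumed log locations.
    ErrorLog  /var/log/httpd/subdomain.example.com-error.log
    CustomLog /var/log/httpd/subdomain.example.com-access.log combined
</VirtualHost>
```

After adding it, `apachectl -t -D DUMP_VHOSTS` should list both names under the `*:80` section; then reload Apache (`systemctl reload httpd` on Amazon Linux 2) and run `certbot renew --dry-run` before the real renewal, so a remaining routing mistake is caught against the staging environment rather than counted against production rate limits.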

It is really hard to help diagnose an issue with so much redacted information. Seriously, when your website is live, everyone including all the search engines and "script kiddies" will have your "number" (so to speak)... At least "PM" one of the volunteers who are helping you with your concerns so we/they/he/she can help you resolve your issue. We are here to help but we do not have a crystal ball!


@MikeMcQ Yes, there was an issue with the VHost and we have rectified it as you suggested. Now it's working. Thank you so much for the time and support. Really appreciated.

Thank you for the reply as well @Rip

