Let's Encrypt Cert Renewal Failing

Hello all,

I hopped onto my bench today to attempt to renew my cert only for it to fail. I would greatly appreciate any help!!!

bench renew-lets-encrypt

Running this will stop the nginx service temporarily causing your sites to go offline

Do you want to continue? [y/N]: y
INFO:bench.utils:sudo systemctl stop nginx
INFO:bench.utils:/opt/certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/group.maxvogel.me.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for group.maxvogel.me
Waiting for verification…
Challenge failed for domain group.maxvogel.me
http-01 challenge for group.maxvogel.me
Cleaning up challenges
Attempting to renew cert (group.maxvogel.me) from /etc/letsencrypt/renewal/group.maxvogel.me.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/group.maxvogel.me/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/group.maxvogel.me/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: group.maxvogel.me
    Type: unauthorized
    Detail: Invalid response from
    https://group.maxvogel.me/.well-known/acme-challenge/D069XoYor9jt1AEtEAMalZbRmNeIOv37PrJN8Cl1VTI
    [104.28.31.170]: "\n\n<!--[if IE
    7]> <html class="no-js "

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    Traceback (most recent call last):
    File "/usr/local/bin/bench", line 11, in
    load_entry_point('bench', 'console_scripts', 'bench')()
    File "/home/admin/.bench/bench/cli.py", line 40, in cli
    bench_command()
    File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 764, in call
    return self.main(*args, **kwargs)
    File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
    File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 1137, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
    File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
    File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
    File "/home/admin/.bench/bench/commands/utils.py", line 89, in renew_lets_encrypt
    renew_certs()
    File "/home/admin/.bench/bench/config/lets_encrypt.py", line 117, in renew_certs
    exec_cmd("{path} renew".format(path=get_certbot_path()))
    File "/home/admin/.bench/bench/utils.py", line 159, in exec_cmd
    raise CommandFailedError(cmd)
    bench.utils.CommandFailedError: /opt/certbot-auto renew

I am running my instance behind Cloudflare. After doing some research, the ACME challenge wouldn't work. I will have to explore using webroot authentication to renew my certificate.

Very often, certbot fails because of port issues/mismatches and port blocks at the firewall (internal or external).

My client’s site is on Digital Ocean and I got the same problem as well. After scrambling a bit I decided to check the firewall rules and discovered that Port 80 was not open. I opened it and the renewal went through without any issues.

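A preflight check covering the two causes discussed in this thread (the A record resolving to a Cloudflare edge IP instead of the host, and port 80 blocked at a firewall) that can be run before `bench renew-lets-encrypt` stops nginx. This is an added example, not code from bench or certbot; it assumes `dig` and `curl` are installed and uses ifconfig.me (an assumption, swap in any lookup you trust) to learn this host's public IP.

```bash
#!/usr/bin/env bash
# Standalone http-01 only succeeds if Let's Encrypt can reach *this* host on
# port 80: the domain must resolve straight to it (no Cloudflare proxy in
# between) and nothing may filter the port. Check both before stopping nginx.
set -u

# Pure decision logic, separated from the network calls so it can be tested
# with constructed inputs. Args: domain, resolved A record(s) (space-separated),
# this host's public IP, "yes"/"no" for whether port 80 was reachable.
classify_http01() {
  local domain="$1" resolved="$2" public_ip="$3" port80="$4"
  if [ -z "$resolved" ]; then
    echo "no-dns"                 # nothing for the CA to validate against
  elif ! printf ' %s ' "$resolved" | grep -qF " $public_ip "; then
    echo "proxied-or-wrong-a"     # e.g. a Cloudflare edge IP, as in the post
  elif [ "$port80" != "yes" ]; then
    echo "port80-blocked"         # firewall case from the Digital Ocean reply
  else
    echo "ok"
  fi
}

# Live helpers; these touch the network.
resolve_a() { dig +short A "$1" | grep -E '^[0-9.]+$' | tr '\n' ' '; }
public_ip() { curl -4 -s --max-time 5 https://ifconfig.me; }
port80_reachable() {
  # Probe the public IP directly (bypassing any proxy). A timeout (curl exit
  # 28) means the port is filtered; any HTTP answer or a plain "connection
  # refused" means the port itself is open. A probe from an outside host is
  # more reliable than one from the droplet itself.
  curl -s -o /dev/null --max-time 5 "http://$1/" ; [ $? -eq 28 ] && echo no || echo yes
}

preflight() {
  local domain="$1" a ip p80 verdict
  a="$(resolve_a "$domain")"; ip="$(public_ip)"; p80="$(port80_reachable "$ip")"
  verdict="$(classify_http01 "$domain" "$a" "$ip" "$p80")"
  echo "domain=$domain resolved='$a' host_ip=$ip port80=$p80 -> $verdict"
  [ "$verdict" = "ok" ]
}

# Only run the live check when a domain is passed on the command line.
if [ $# -ge 1 ]; then preflight "$1"; fi
```

A `proxied-or-wrong-a` verdict is the signature of the Cloudflare case above (the CA saw an HTML page from the proxy, not the token), where webroot or DNS-01 validation is the usual fix; `port80-blocked` points at the firewall rule the second reply describes.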