Hello, I checked https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ and still don't understand why my working SSL cert did not renew after expiring today. Below, I'm pasting the last section of my letsencrypt.log (I've changed the domain name and IP address for security reasons, but can make that info available privately upon request).

2020-09-29 12:13:05,265:DEBUG:certbot.error_handler:Calling registered functions
2020-09-29 12:13:05,265:INFO:certbot.auth_handler:Cleaning up challenges
2020-09-29 12:13:05,266:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/_GvGuW4nCfjlRxPSvPGeDq8FnqTBNZoBua7sUCIF8Pw
2020-09-29 12:13:05,266:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2020-09-29 12:13:05,266:WARNING:certbot.renewal:Attempting to renew cert (mysubdomain.mydomain.com) from /etc/letsencrypt/renewal/mysubdomain.mydomain.com.conf produced an unexpected error: Failed authorization procedure. mysubdomain.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysubdomain.mydomain.com/.we...e/_GvGuW4nCfjlRxPSvPGeDq8FnqTBNZoBua7sUCIF8Pw [199.99.99.99]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n<html dir=ltr>\r\n\r\n<head>\r\n<style>\r\na:link\t\t\t{font:8pt/11pt verdana; col". Skipping.
2020-09-29 12:13:05,274:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1197, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. mysubdomain.mydomain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysubdomain.mydomain..com/.w...e/_GvGuW4nCfjlRxPSvPGeDq8FnqTBNZoBua7sUCIF8Pw [199.99.99.99]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n<html dir=ltr>\r\n\r\n<head>\r\n<style>\r\na:link\t\t\t{font:8pt/11pt verdana; col"
2020-09-29 12:13:05,276:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-09-29 12:13:05,280:ERROR:certbot.renewal: /etc/letsencrypt/live/mysubdomain.mydomain..com/fullchain.pem (failure)
2020-09-29 12:13:05,281:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1276, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 455, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

I'm hoping the above provides sufficient info for you to reply with a suggested solution or further diagnostics to perform. Thank you.
That's the error: your subdomain failed authorization. There are numerous reasons that can happen, many in the FAQ you linked to. What version of ISPConfig are you using? That sounds old; you might try updating certbot (though I don't remember exactly what version is required).
This is a 3-month-old VPS (server running Ubuntu 18.04 with NGINX). I used the automated script referenced at HowToForge.com ( https://www.howtoforge.com/tutorial/ubuntu-ispconfig-automated-install-script/ ) to install MariaDB, Nginx, PHP... and the then-current ISPConfig. So this server is running the latest non-beta version of ISPConfig. So, I expect the "certbot" is correct, as long as the install script is correct. I'm checking into the other possible reasons in the FAQ, but I'm stumped.
At /var/www/clients/client1/web1/ssl/ there are three files: mysubdomain.mydomain.com-le.bundle, mysubdomain.mydomain.com-le.crt, and mysubdomain.mydomain.com-le.key. All three files have a lastModified date of 2020-06-30. The cert is expired as of September 28, 2020. I thought SSL certificates were supposed to last 1 year. Anyway, it's failing to renew the cert.

In ISPConfig, under Website in the domain tab, this domain mysubdomain.mydomain.com had the "WWW" selected in the drop-list just above the SSL and LetsEncrypt checkboxes. I added an A record in my DNS (at GoDaddy) as follows: Type: A, Name: www.mysubdomain, Value: 199.99.99.99, TTL: 600 seconds. Eventually, I removed the "WWW" in the ISPConfig drop-list. I need only mysubdomain.mydomain.com to function. And this A record is also set for 600 seconds. It's been more than 4 hours since these DNS changes. I'm not using Bind in the VPS, so the GoDaddy DNS records should be valid.

This is a live eCommerce site that's down, so I really need to fix this as my top priority. Any further suggestions leading to a fix would be appreciated. Thank you.
Let's Encrypt certificates are valid for 90 days, and are renewed 30 days before they expire. So, your current site is set up under "Websites" as subdomain.example.com? What do you have selected for subdomain on that site? If you send me a PM with the hostname I can check the DNS records.
These are symlinks; the symlinks do not change when you renew an SSL cert, only the cert itself changes. Try disabling the Let's Encrypt checkbox of the website, press save, edit the site settings again and re-enable Let's Encrypt. If you still get no new SSL cert, then check letsencrypt.log again, as the error with the non-existing subdomain should be fixed now after you turned off the www subdomain.
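
One way to triage the failure lines when re-checking letsencrypt.log as suggested above; this is an added example, not part of any post in the thread and not certbot or ISPConfig code. The sample log is constructed (placeholder hostnames, token and IP), and the function name `failed_challenges` and the hint texts are this example's own assumptions.

```python
import re

# Constructed sample in the shape of the certbot log quoted in the first post
# (placeholder hostnames, token and documentation IP; not taken from the thread).
SAMPLE_LOG = r'''2020-09-29 12:13:05,266:WARNING:certbot.renewal:Attempting to renew cert (shop.example.com) from /etc/letsencrypt/renewal/shop.example.com.conf produced an unexpected error: Failed authorization procedure. shop.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://shop.example.com/.well-known/acme-challenge/TOKEN123 [192.0.2.10]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n<html dir=ltr>". Skipping.
certbot.errors.FailedChallenges: Failed authorization procedure. shop.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://shop.example.com/.well-known/acme-challenge/TOKEN123 [192.0.2.10]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2 Final//EN\">\r\n<html dir=ltr>"
2020-09-29 12:14:00,001:WARNING:certbot.renewal:Attempting to renew cert (shop.example.com) from /etc/letsencrypt/renewal/shop.example.com.conf produced an unexpected error: Failed authorization procedure. www.shop.example.com (http-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for www.shop.example.com. Skipping.
'''

FAIL_RE = re.compile(r'(?P<domain>[\w.-]+) \((?P<chall>[\w-]+)\): '
                     r'urn:ietf:params:acme:error:(?P<kind>\w+) :: (?P<detail>.*)')
RESP_RE = re.compile(r'Invalid response from \S+ \[(?P<ip>[^\]]+)\]: "(?P<body>.*)"')

# Hint wording is this example's own, not certbot output.
HINTS = {
    'dns': 'name has no usable DNS record: add it or drop the name from the cert',
    'connection': 'validator could not reach the host on port 80',
    'html': 'challenge URL returned a web page, not the token file: check which '
            'server and vhost answer for this name at the validated IP',
}

def failed_challenges(log_text):
    """Return one dict per distinct (domain, error kind) failure in a certbot log."""
    seen, out = set(), []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m or (m['domain'], m['kind']) in seen:
            continue  # not a failure line, or the traceback repeating one
        seen.add((m['domain'], m['kind']))
        resp = RESP_RE.search(m['detail'])
        # The expected body is "<token>.<account-key thumbprint>"; markup means
        # something other than the ACME webroot answered the request.
        served_html = bool(resp) and resp['body'].lstrip().startswith('<')
        out.append({
            'domain': m['domain'], 'challenge': m['chall'], 'kind': m['kind'],
            'validated_ip': resp['ip'] if resp else None,
            'served_html': served_html,
            'hint': HINTS['html'] if served_html else HINTS.get(m['kind'], 'see log detail'),
        })
    return out

if __name__ == '__main__':
    for f in failed_challenges(SAMPLE_LOG):
        print(f"{f['domain']} [{f['validated_ip']}] {f['kind']}: {f['hint']}")
```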