Question

My certbot renewal is failing and I'm not sure how to fix it.

Posted on January 18, 2024
Ubuntu 22.04 Let's Encrypt DigitalOcean Droplets
Asked by FloatingGreenBlueFish

Hey! I’m trying to figure out how to renew my SSL certificate. I ran certbot renew and got the followinng;

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/budgie.eco.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for budgie.eco and www.budgie.eco

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: www.budgie.eco
  Type:   unauthorized
  Detail: 2400:cb00:2049:1::adf5:3a33: Invalid response from http://www.budgie.eco/.well-known/acme-challenge/y2VuDfb1cMfTzb-51udcDMvMZEcgv_QmUdUiZl6gpCE: 409

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate budgie.eco with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/budgie.eco/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Any suggestions on how I can fix it?

Thanks so much

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

KFSys

Site Moderator

• January 18, 2024

Accepted Answer

Heya @floatinggreenbluefish,

When I try and open the website, I get;

# Error 1001

 Ray ID: 847965e18f9c1c2f • 2024-01-18 19:55:51 UTC

## DNS resolution error

## What happened?

You've requested a page on a website (www.budgie.eco) that is on the [Cloudflare](https://www.cloudflare.com/5xx-error-landing/) network. Cloudflare is currently unable to resolve your requested domain (www.budgie.eco). There are two potential causes of this:

-   **Most likely:** if the owner just signed up for Cloudflare it can take a few minutes for the website's information to be distributed to our global network.
-   **Less likely:** something is wrong with this site's configuration. Usually this happens when accounts have been signed up with a partner organization (e.g., a hosting provider) and the provider's DNS fails.

Baiscally, I can’t reach your website and this means Let’s Encrypt cant reach it as well to validate the domain.

Bobby Iliev

Site Moderator

• January 18, 2024

Hey!

Based on the error message you’ve shared, it seems like the main issue is with the domain www.budgie.eco. The error type ‘unauthorized’ and the detail about an invalid response from the .well-known/acme-challenge directory indicate a problem with the domain validation process. Here are a few steps you can follow to troubleshoot this issue:

First, ensure that both budgie.eco and www.budgie.eco are correctly pointing to the IP address of your DigitalOcean Droplet. You can verify this using a DNS lookup tool:

https://www.digitalocean.com/community/tools/dns

Check your Nginx configuration to make sure that it’s correctly serving the .well-known/acme-challenge directory. This is important for Let’s Encrypt to validate your domain ownership, if not it will fail. Specifically, allow access to the /.well-known directory used by Let’s Encrypt for domain validation. You can do this by adding a rule to your Nginx configuration:

location ~ /.well-known {
  allow all;
}

Running Certbot with the -v flag (verbose mode) can also give you more detailed information about the process and where it might be failing.
If you’ve recently changed DNS settings, remember it can take some time for these changes to propagate. You might just need to wait a little longer.

Let me know how it goes!

Best,

Bobby