NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License

New certs and renewals fail #253

Open davidlesicnik opened 4 years ago

davidlesicnik commented 4 years ago

Hello, I am facing an issue where I can't seem to create new LE certs or renew existing ones.

This is a snippet of the log where NPM attempted to automatically renew certs (I replaced the domain name with examples)

[12/11/2019] [11:28:29 AM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[12/11/2019] [11:28:54 AM] [SSL      ] › ✖  error     Error: Command failed: /usr/bin/certbot renew -q
Attempting to renew cert (npm-10) from /etc/letsencrypt/renewal/npm-10.conf produced an unexpected error: Failed authorization procedure. domain1.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain1.example.com/.well-known/acme-challenge/4rRnZ2cdt5ehCAsoDs2QaoYCZgjC5Wbz5hH2Q2xpyy4 [5.32.143.57]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\">\r\n<HTML><HEAD><TITLE>Not Found</TITLE>\r". Skipping.
Attempting to renew cert (npm-11) from /etc/letsencrypt/renewal/npm-11.conf produced an unexpected error: Failed authorization procedure. domain2.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain2.example.com/.well-known/acme-challenge/QH7bZcLQKuIa9uU5MQ6LrtjJFueieCis_cxInDWs5oI [5.32.143.57]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\">\r\n<HTML><HEAD><TITLE>Not Found</TITLE>\r". Skipping.
Attempting to renew cert (npm-12) from /etc/letsencrypt/renewal/npm-12.conf produced an unexpected error: Failed authorization procedure. domain3.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain3.example.com/.well-known/acme-challenge/DrMMVI5igvk6u6WF3x3G_DbIZgJndv9nQtnMWoTFbwk [5.32.143.57]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\">\r\n<HTML><HEAD><TITLE>Not Found</TITLE>\r". Skipping.
Attempting to renew cert (npm-13) from /etc/letsencrypt/renewal/npm-13.conf produced an unexpected error: Failed authorization procedure. domain3.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain3.example.com/.well-known/acme-challenge/B3X3IptmwdZ_fpSMvoEWHhHVS2u_FnwSmv_yZ2f0cDQ [5.32.143.57]: 404. Skipping.
Attempting to renew cert (npm-14) from /etc/letsencrypt/renewal/npm-14.conf produced an unexpected error: Failed authorization procedure. domain4.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain4.example.com/.well-known/acme-challenge/O-5lUrY2-MHJ52YgFRKrAs6I9expoaN9cG9xwihAH4M [5.32.143.57]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\">\r\n<HTML><HEAD><TITLE>Not Found</TITLE>\r". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/npm-10/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-11/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-12/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-13/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-14/fullchain.pem (failure)
5 renew failure(s), 0 parse failure(s)

On the web interface, creating/renewing certs pops up an "Internal Error" code, and looking into the logs I get the same error:

[12/11/2019] [12:24:41 PM] [SSL      ] › ℹ  info      Renewing Let'sEncrypt certificates for Cert #14: domain2.example.com
[12/11/2019] [12:24:47 PM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot renew -n --force-renewal --disable-hook-validation --cert-name "npm-14"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain2.example.com
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (npm-14) from /etc/letsencrypt/renewal/npm-14.conf produced an unexpected error: Failed authorization procedure. domain2.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain2.example.com/.well-known/acme-challenge/oZSEFJ5wDV5xhuguhWjHbIHlPGjWrnuki3M1iXkDSmc [5.32.143.57]: "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN\"\"http://www.w3.org/TR/html4/strict.dtd\">\r\n<HTML><HEAD><TITLE>Not Found</TITLE>\r". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/npm-14/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

s4b3rt0oth commented 4 years ago

Is your server publicly accessible?

NeoMatrixJR commented 4 years ago

Anyone sort this out? I'm having the EXACT same issue...and yes, the server is publicly accessible. When I try to reach one of the URLs I've got set up in NginxProxyManager I get a cert error; it shows my old LE cert that's out of date. Strangely, it says my site's set up for HSTS, so I can't even bypass it....but I never set that up.

dariusateik commented 4 years ago

I had a problem with renewal. In my case: I had a testing proxy host; later I deleted it (the proxy host), but somehow the old file was not removed from the /letsencrypt/renewal directory. I just deleted the old (unused) npm-x.conf file and all certs renewed without any problems. Maybe that is your case too? Check all files in the /letsencrypt/renewal directory: if you find old/unused hosts in there, just delete the unneeded file and check whether the problem is solved.
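
A read-only check for the leftover renewal files described in the comment above, added here as an example (not part of the thread or the project's code): it lists renewal configs whose lineage no nginx config references and deletes nothing. The nginx config directory argument and the rule that a lineage counts as used when a config contains its `/live/<name>/` path are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Usage: find_orphan_renewals RENEWAL_DIR NGINX_CONF_DIR
# Prints one lineage name per line (e.g. npm-11) for each renewal config
# that no file under NGINX_CONF_DIR references. Nothing is deleted.
find_orphan_renewals() {
    renewal_dir=$1
    nginx_dir=$2
    # Refuse to guess: with a missing directory every lineage would look unused.
    if [ ! -d "$renewal_dir" ] || [ ! -d "$nginx_dir" ]; then
        echo "find_orphan_renewals: directory not found" >&2
        return 2
    fi
    for conf in "$renewal_dir"/*.conf; do
        [ -e "$conf" ] || continue          # glob matched nothing
        name=$(basename "$conf" .conf)
        # Assumption: a lineage is in use when some nginx config points at
        # .../live/<name>/ (the trailing slash keeps npm-1 from matching npm-10).
        if ! grep -rqF -- "/live/$name/" "$nginx_dir" 2>/dev/null; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample tree: npm-10 is still used by a host config,
# npm-11 was left behind after its proxy host was deleted.
demo_orphans() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/renewal" "$tmp/nginx"
    : > "$tmp/renewal/npm-10.conf"
    : > "$tmp/renewal/npm-11.conf"
    printf 'ssl_certificate /etc/letsencrypt/live/npm-10/fullchain.pem;\n' \
        > "$tmp/nginx/host1.conf"
    find_orphan_renewals "$tmp/renewal" "$tmp/nginx"
    rm -rf "$tmp"
}

demo_orphans
```

Review each reported name against the hosts you actually serve before removing anything, and keep a backup of the renewal directory.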

ghost commented 4 years ago

I got the same issue.

SDekkers commented 3 years ago

Same issue here.

github-actions[bot] commented 5 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: