Let's Encrypt keeps failing to renew/issue for one specific domain (even when I changed the server)

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 20.04.5
Virtualmin version: 7.3-1

I have multiple domains all working fine on the same VPS. One of the domains gave an alert for SSL expiry, so I forced SSL renewal but kept getting an error. This domain was working, and its SSL was renewing automatically for around 2 years without any problem!

My domain registrar is Namecheap and my NS is served over Cloudflare. I returned the NS to Namecheap to eliminate that as the problem, but nothing changed.

I have another VPS which is also hosting many domains without a problem. I moved the website, changed the NS back to Cloudflare, and set up the DNS very carefully. The domain and all related subdomains ping to the VPS IP without a problem. Let's Encrypt is still not able to issue the certificate.

The log error is as follows:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for admin.DOMAIN.li
http-01 challenge for autoconfig.DOMAIN.li
http-01 challenge for autodiscover.DOMAIN.li
http-01 challenge for DOMAIN.li
http-01 challenge for mail.DOMAIN.li
http-01 challenge for webmail.DOMAIN.li
http-01 challenge for www.DOMAIN.li
Using the webroot path /home/DOMAIN/public_html for all unmatched domains.
Waiting for verification...
Challenge failed for domain admin.DOMAIN.li
Challenge failed for domain autoconfig.DOMAIN.li
Challenge failed for domain autodiscover.DOMAIN.li
Challenge failed for domain DOMAIN.li
Challenge failed for domain mail.DOMAIN.li
Challenge failed for domain webmail.DOMAIN.li
Challenge failed for domain www.DOMAIN.li
http-01 challenge for admin.DOMAIN.li
http-01 challenge for autoconfig.DOMAIN.li
http-01 challenge for autodiscover.DOMAIN.li
http-01 challenge for DOMAIN.li
http-01 challenge for mail.DOMAIN.li
http-01 challenge for webmail.DOMAIN.li
http-01 challenge for www.DOMAIN.li
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: admin.DOMAIN.li
   Type:   connection
   Detail: VPS-IP-ADDRESS: Fetching https://DOMAIN.li:10000/: Invalid
   port in redirect target. Only ports 80 and 443 are supported, not
   10000

   Domain: webmail.DOMAIN.li
   Type:   connection
   Detail: VPS-IP-ADDRESS: Fetching https://DOMAIN.li:20000/: Invalid
   port in redirect target. Only ports 80 and 443 are supported, not
   20000

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: autoconfig.DOMAIN.li
   Type:   unauthorized
   Detail: VPS-IP-ADDRESS: Invalid response from
   http://autoconfig.DOMAIN.li/.well-known/acme-challenge/VW-YYK7nLCSm7Ta38DfSt16qVoGmgZa6sDqOuI6M9go:
   404

   Domain: autodiscover.DOMAIN.li
   Type:   unauthorized
   Detail: VPS-IP-ADDRESS: Invalid response from
   http://autodiscover.DOMAIN.li/.well-known/acme-challenge/kj5Ft3u04GC0Hd3jscnyK7xjCOn60UfJXN9Q4BNkc7o:
   404

   Domain: DOMAIN.li
   Type:   unauthorized
   Detail: VPS-IP-ADDRESS: Invalid response from
   http://DOMAIN.li/.well-known/acme-challenge/LbHSjqbLKoBXQSOhMkAWw8CUKKqlEkEwE5ttzmJb6MA:
   404

   Domain: mail.DOMAIN.li
   Type:   unauthorized
   Detail: VPS-IP-ADDRESS: Invalid response from
   http://mail.DOMAIN.li/.well-known/acme-challenge/eTYCEdeuRBwqAu8oM9WPqUy4FfMRNAPk0HxSZBnjlBM:
   404

   Domain: www.DOMAIN.li
   Type:   unauthorized
   Detail: VPS-IP-ADDRESS: Invalid response from
   http://www.DOMAIN.li/.well-known/acme-challenge/Z9z-K_SfJhhmKobwZ_EG_EenU8XoEuC8jc3Yd9VwqkQ:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
   DNS-based validation failed :

*Note:*
My domain's TLD is ".li", and just to be sure, I had another domain with the same TLD. I created a new virtual server for it, and I was able to generate its Let's Encrypt SSL certificate on the same VPS without any problem.

Please help me to fix this problem :pray:

@ewanly,

Read the error posted, it’s quite clear why the cert isn’t being issued.

Thank you for your reply. I double-checked everything. The domain and subdomains are pointing to the server IP. On the same server, I have no problem issuing the SSL certificate for another domain.

What else am I missing? I'd be glad if you could explain what it is that's clear to you.

You have domain records for all of these? You’re asking for a cert for all of these.

If you don’t have records for them, you shouldn’t be asking for a cert for them.

This…! Your redirects are the problem.

More correctly, are A problem, possibly not THE only problem.


Yes I have all of the records of all the listed domain and subdomains.

But I also tested to request only the main domain cert, and I’m still getting the same error :frowning:

I noticed that, but I made no change in that regard. (I don't know how to fix that.)

As I said, at the same VPS I tested with another domain, and all certs were issued without any problem.

This problematic domain gives the same errors in the two VPSs I tested.

I did everything the same as I did for over 30 other domains. And as I mentioned, even this domain was auto-renewed fine for around 2 years till it started to generate these errors this month.

There are only three possible problems. You have one of them.

  1. DNS is wrong. Are you sure Let’s Encrypt is hitting the right server?
  2. The wrong site is showing up for that domain on http (this would indicate a misconfiguration of the IP:port combinations in the Apache config).
  3. Something is sucking up the request to .well-known directory.

Someone earlier in the thread, suggested it is number 3, and since we seem to have ruled out DNS, I’m inclined to agree.

Prove it by creating a file in /home/yourdomain/public_html/.well-known/test.html and using your browser to visit http://yourdomain.tld/.well-known/test.html. Do you get the test file? I’ll assume you don’t…so fix that. You either have redirect rules that are not ignoring .well-known paths, or proxy rules, or something else. Could be in the Apache config file, could be in the htaccess file.


Thank you @Joe, you nailed it :pray::tada:

I created the file as you said, and it was not accessible (404).
So I moved all the website’s files to a subdirectory, then I was able to access the test.html :+1:

I requested the cert and all went well :tada:

Then I moved the site’s files back, and it’s working just fine.

:point_right: I think I'll be facing the same problem at the cert renewal if I don't change/fix the following .htaccess (and the website is not functioning without these rules)

the content of the .htaccess file is this:

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Every request, including /.well-known/acme-challenge/..., is rewritten into public/
    RewriteRule ^(.*)$ public/$1 [L]
</IfModule>

I’ll be grateful if I got any guidance on that!

I think you need to exclude the path to .well-known/acme-challenge from your rewrite rule, perhaps like:

RewriteRule ^\.well-known/acme-challenge/ - [L]

or:

RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.*

This also applies for an http → https redirect where you must not redirect certbot.

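An added example, not code posted in this thread, covering both Joe's "prove it" test and the rewrite exclusion in the last reply. It is a small POSIX shell script with three helpers: a pre-flight probe that plants a token under the webroot and fetches it over plain HTTP for every name that will go on the certificate (without following redirects, so the first redirect is reported the way the CA's validator sees it), a classifier for the probe result that distinguishes the two failure modes in the log above (a 404 because something swallowed /.well-known, and a redirect to a port other than 80/443 such as the :10000 and :20000 cases), and a writer for a root .htaccess that exempts /.well-known/acme-challenge/ before any http→https redirect or the public/ rewrite. Assumptions: curl is installed on the VPS, the site keeps its public/ layout with its own public/.htaccess, and the webroot and hostnames are placeholders passed on the command line. The script only reports the admin./webmail. redirects; it does not change where Virtualmin configures them.

```shell
#!/bin/sh
# Added example, not code from this thread. Pre-flight HTTP-01 probe plus a root .htaccess
# that keeps /.well-known/acme-challenge/ out of every redirect and rewrite.
# Assumptions: curl is installed, the site serves from public/ with its own public/.htaccess,
# and webroot/hostnames are supplied on the command line (placeholders in the usage comment).
set -eu

# Turn one probe result into a verdict. Arguments are what curl prints for
#   -w '%{http_code} %{redirect_url}'
# Prints: ok | missing | redirect-ok:<url> | redirect-bad-port:<port> | error:<status>
classify_acme_probe() {
    status=$1
    redirect_url=${2:-}
    case "$status" in
        200) echo ok ;;
        404) echo missing ;;              # something swallowed /.well-known (this thread's case)
        301|302|303|307|308)
            scheme=${redirect_url%%://*}
            rest=${redirect_url#*://}
            hostport=${rest%%/*}            # host[:port]; IPv6 literals are not handled here
            case "$hostport" in
                *:*) port=${hostport##*:} ;;
                *)   if [ "$scheme" = https ]; then port=443; else port=80; fi ;;
            esac
            case "$port" in
                80|443) echo "redirect-ok:$redirect_url" ;;
                *)      echo "redirect-bad-port:$port" ;;   # the validator only follows 80/443
            esac ;;
        *) echo "error:$status" ;;
    esac
}

# Write a root .htaccess for a site that serves from public/. The ACME pass-through sits first
# so that neither the http->https redirect nor the public/ rewrite can touch the challenge URL.
write_acme_safe_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Serve challenge files from where certbot writes them; must precede every other rule.
    RewriteRule ^\.well-known/acme-challenge/ - [L]

    # Optional http -> https redirect (drop it if the site must stay reachable over http).
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Everything else is handled by the application's public/ directory.
    RewriteRule ^(.*)$ public/$1 [L]
</IfModule>
EOF
}

# Live check: drop a token under the webroot and fetch it over plain http for each name,
# without -L, so the first redirect is reported exactly as the CA's validator would see it.
acme_preflight() {
    webroot=$1; shift
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$"
    tmp=$(mktemp)
    rc=0
    mkdir -p "$dir"
    echo "$token" > "$dir/$token"
    for host in "$@"; do
        result=$(curl -sS -m 10 -o "$tmp" -w '%{http_code} %{redirect_url}' \
                    "http://$host/.well-known/acme-challenge/$token" 2>/dev/null || echo '000 ')
        verdict=$(classify_acme_probe $result)
        # A 200 with the wrong body means another vhost or a catch-all page answered.
        if [ "$verdict" = ok ] && [ "$(cat "$tmp")" != "$token" ]; then
            verdict=wrong-content
        fi
        printf '%-30s %s\n' "$host" "$verdict"
        [ "$verdict" = ok ] || rc=1
    done
    rm -f "$dir/$token" "$tmp"
    return $rc
}

# Usage on the VPS, before forcing a renewal (placeholder webroot and names):
#   sh acme-preflight.sh /home/DOMAIN/public_html DOMAIN.li www.DOMAIN.li admin.DOMAIN.li
if [ $# -ge 2 ]; then
    acme_preflight "$@"
fi
```

Run it with the same webroot certbot uses (the log above shows /home/DOMAIN/public_html) and every name you are requesting; any line that is not `ok` is a name the CA will fail on, and the verdict tells you which of Joe's three causes to chase.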
