nginx-proxy-manager icon indicating copy to clipboard operation
nginx-proxy-manager copied to clipboard
Published 3 months ago verified publisher icon NginxProxyManager

can not renew certs

Open SvenPausH opened this issue 1 year ago • 2 comments

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

Renew a Cert show a error "Internal Error"

Nginx Proxy Manager Version

v2.11.3 © 2024

To Reproduce Steps to reproduce the behavior:

  1. Go to 'SSL Certificates'
  2. Click on 'Renew Certificate'
  3. See error -> Internal Error

Expected behavior

`2024-08-08 14:59:15,467:DEBUG:certbot._internal.main:certbot version: 2.11.0 2024-08-08 14:59:15,467:DEBUG:certbot._internal.main:Location of certbot entry point: /opt/certbot/bin/certbot 2024-08-08 14:59:15,467:DEBUG:certbot._internal.main:Arguments: ['--force-renewal', '--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-23', '--preferred-challenges', 'dns,http', '--no-random-sleep-on-renew', '--disable-hook-validation'] 2024-08-08 14:59:15,468:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot) 2024-08-08 14:59:15,503:DEBUG:certbot._internal.log:Root logging level set at 30 2024-08-08 14:59:15,505:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-23.conf 2024-08-08 14:59:15,508:DEBUG:certbot.configuration:Var pref_challs=['dns-01', 'http-01'] (set by user). 2024-08-08 14:59:15,509:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None 2024-08-08 14:59:15,509:DEBUG:certbot.configuration:Var preferred_chain=ISRG Root X1 (set by user). 2024-08-08 14:59:15,509:DEBUG:certbot.configuration:Var key_type=ecdsa (set by user). 2024-08-08 14:59:15,509:DEBUG:certbot.configuration:Var elliptic_curve=secp384r1 (set by user). 2024-08-08 14:59:15,509:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user). 2024-08-08 14:59:15,510:DEBUG:certbot.configuration:Var webroot_map={'webroot_path'} (set by user). 2024-08-08 14:59:15,510:DEBUG:certbot.configuration:Var webroot_path=['/data/letsencrypt-acme-challenge'] (set by user). 2024-08-08 14:59:15,542:DEBUG:certbot._internal.renewal:Auto-renewal forced with --force-renewal... 2024-08-08 14:59:15,542:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None 2024-08-08 14:59:15,542:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported). Interfaces: Authenticator, Plugin Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins') Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f7f612590> Prep: True 2024-08-08 14:59:15,543:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f7f612590> and installer None 2024-08-08 14:59:15,543:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None 2024-08-08 14:59:15,861:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/773988146', new_authzr_uri=None, terms_of_service=None), f55afaae3cb6f26118163d6b0d80a4ac, Meta(creation_dt=datetime.datetime(2022, 10, 13, 8, 45, 59, tzinfo=<UTC>), creation_host='384d937800d8', register_to_eff=None))> 2024-08-08 14:59:15,863:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory. 2024-08-08 14:59:15,867:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443 2024-08-08 14:59:16,344:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 746 2024-08-08 14:59:16,345:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Thu, 08 Aug 2024 14:59:16 GMT Content-Type: application/json Content-Length: 746 Connection: keep-alive Cache-Control: public, max-age=0, no-cache X-Frame-Options: DENY Strict-Transport-Security: max-age=604800

{ "1CzWEwQ2nt8": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" } 2024-08-08 14:59:16,347:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for pic.mydomain.de 2024-08-08 14:59:16,354:DEBUG:acme.client:Requesting fresh nonce 2024-08-08 14:59:16,354:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce. 2024-08-08 14:59:16,498:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0 2024-08-08 14:59:16,499:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Thu, 08 Aug 2024 14:59:16 GMT Connection: keep-alive Cache-Control: public, max-age=0, no-cache Link: https://acme-v02.api.letsencrypt.org/directory;rel="index" Replay-Nonce: Cb9-D9qJ4P2deq23MlUwfzuu9Y9Pliu_chLUtoHw3tazw6JkgUU X-Frame-Options: DENY Strict-Transport-Security: max-age=604800

2024-08-08 14:59:16,499:DEBUG:acme.client:Storing nonce: Cb9-D9qJ4P2deq23MlUwfzuu9Y9Pliu_chLUtoHw3tazw6JkgUU 2024-08-08 14:59:16,499:DEBUG:acme.client:JWS payload: b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "pic.mydomain.de"\n }\n ]\n}' 2024-08-08 14:59:16,508:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order: { "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzczOTg4MTQ2IiwgIm5vbmNlIjogIkNiOS1EOXFKNFAyZGVxMjNNbFV3Znp1dTlZOVBsaXVfY2hMVXRvSHczdGF6dzZKa2dVVSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0", "signature": "e9U7fr0RjlsPMRV1ZxyLfO32kyEb1ISEjykFfFvbvoCRlTLhBjIxy1QJFtkz08OL2fkKW4eDwCT0kBuvhRpn0g7JZjTUHDfWYral32Xpqn8bO4ulVDMPYGH8tlKjRd9j6Z3eKDvZjxnPF2-YCn3rf7V2V_-wF_qh5bIk5wt-Sr7h9vM87k3ZvRNNjvvWJp9-8EutQG9s2VKUXO4NwF3TxbQS6WOBOSBGLxIgYDydKU1r6fG5iC-kEsgOLkNZQBu25porAHMZC_P3BJvOFMJQ17NaBN_48YvUwnhLbMJSp_0XUga19ytVMoLXHOmTG68sqJKsjhRrimd2pZZvbOztzg", "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInBpYy5wYXN0b3Jpay5kZSIKICAgIH0KICBdCn0" } 2024-08-08 14:59:17,291:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 340 2024-08-08 14:59:17,292:DEBUG:acme.client:Received response: HTTP 201 Server: nginx Date: Thu, 08 Aug 2024 14:59:17 GMT Content-Type: application/json Content-Length: 340 Connection: keep-alive Boulder-Requester: 773988146 Cache-Control: public, max-age=0, no-cache Link: https://acme-v02.api.letsencrypt.org/directory;rel="index" Location: https://acme-v02.api.letsencrypt.org/acme/order/773988146/294531182696 Replay-Nonce: Cb9-D9qJq9X-m9loBjTfktREkxVlejzK8xo9hsq8i101hJg6jIQ X-Frame-Options: DENY Strict-Transport-Security: max-age=604800

{ "status": "pending", "expires": "2024-08-15T14:59:16Z", "identifiers": [ { "type": "dns", "value": "pic.mydomain.de" } ], "authorizations": [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/387696897956" ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/773988146/294531182696" } 2024-08-08 14:59:17,292:DEBUG:acme.client:Storing nonce: Cb9-D9qJq9X-m9loBjTfktREkxVlejzK8xo9hsq8i101hJg6jIQ 2024-08-08 14:59:17,292:DEBUG:acme.client:JWS payload: b'' 2024-08-08 14:59:17,298:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/387696897956: { "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzczOTg4MTQ2IiwgIm5vbmNlIjogIkNiOS1EOXFKcTlYLW05bG9CalRma3RSRWt4VmxlanpLOHhvOWhzcThpMTAxaEpnNmpJUSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzg3Njk2ODk3OTU2In0", "signature": "hB3VgDBvOkCTG067FG7i7UfJY1-FgS9cQHGzjlZPshdcRs3N-8eAa977dIKZd5ZwSyxprl4Gz8ZU7cHkBVAnWjiFmsRqkDsgJOH45KZnyvJl4jiWEHo89-TZGlR_mSr3Cs-oKwt0Env9C7KOjjHAhEkSY7fioeeK4Mgay5arijxslHbljmagnLVEqlJDx9fOYRcnythvVBCONhrdnn1LDsaY-co7rcOAIjm_vJ1xCBn6pSP5aeGMHpIun9WTE3FYKLNK2dh1eeCxCtWhBh4otb0weY9C07SCfboViTBlZeJ5QkO0tiB12IWxw7v-J67e0Ac-x5l22wghFdgLuAt2fQ", "payload": "" } 2024-08-08 14:59:17,447:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/387696897956 HTTP/1.1" 200 799 2024-08-08 14:59:17,448:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Thu, 08 Aug 2024 14:59:17 GMT Content-Type: application/json Content-Length: 799 Connection: keep-alive Boulder-Requester: 773988146 Cache-Control: public, max-age=0, no-cache Link: https://acme-v02.api.letsencrypt.org/directory;rel="index" Replay-Nonce: 5Y8sbQiPbs06_cbJFqdsLCY7-zvMjXmOpcUjvCJxKm8o2hoALA0 X-Frame-Options: DENY Strict-Transport-Security: max-age=604800

{ "identifier": { "type": "dns", "value": "pic.mydomain.de" }, "status": "pending", "expires": "2024-08-15T14:59:16Z", "challenges": [ { "type": "http-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387696897956/LrWWnQ", "status": "pending", "token": "SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck" }, { "type": "dns-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387696897956/dWfSPQ", "status": "pending", "token": "SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck" }, { "type": "tls-alpn-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387696897956/QdlG1w", "status": "pending", "token": "SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck" } ] } 2024-08-08 14:59:17,448:DEBUG:acme.client:Storing nonce: 5Y8sbQiPbs06_cbJFqdsLCY7-zvMjXmOpcUjvCJxKm8o2hoALA0 2024-08-08 14:59:17,449:INFO:certbot._internal.auth_handler:Performing the following challenges: 2024-08-08 14:59:17,449:INFO:certbot._internal.auth_handler:http-01 challenge for pic.mydomain.de 2024-08-08 14:59:17,450:INFO:certbot._internal.plugins.webroot:Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains. 2024-08-08 14:59:17,450:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /data/letsencrypt-acme-challenge/.well-known/acme-challenge 2024-08-08 14:59:17,452:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /data/letsencrypt-acme-challenge/.well-known/acme-challenge/SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck 2024-08-08 14:59:17,452:DEBUG:acme.client:JWS payload: b'{}' 2024-08-08 14:59:17,459:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/387696897956/LrWWnQ: { "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzczOTg4MTQ2IiwgIm5vbmNlIjogIjVZOHNiUWlQYnMwNl9jYkpGcWRzTENZNy16dk1qWG1PcGNVanZDSnhLbThvMmhvQUxBMCIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwtdjMvMzg3Njk2ODk3OTU2L0xyV1duUSJ9", "signature": "EJ2vQeoOnoQk2t9eeOzJ6mrP3iT7os4Yc3yq2jvCYuyMD-M7LZj1Vpj9YtAAf2P5KBEW-24AjApTiL0ry6oOUO_QujqWA6gcrPjhsG9_Dcoq9tPCp8_ZiGutiznyHinfz1IvNE3fiNTI-djSx8agV-7pdv4L_WF--53zzYUOxgTNplXY0K7BtzXvfk_fmxgzwBTZMt9XRFhNu-5f8f2-ncXehD5GZOLD-Sm5q7FfCaMZ4lsUVMh_I7CtEH3rGkKpaapcFHA26s5mE_9q6AgRURG1cgj-Mb3QUBjOLiU73wb1GekCwygXNfGEC5PnLJcPUkafnnTQiqcrlBXbY7jzJw", "payload": "e30" } 2024-08-08 14:59:17,608:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/387696897956/LrWWnQ HTTP/1.1" 200 187 2024-08-08 14:59:17,608:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Thu, 08 Aug 2024 14:59:17 GMT Content-Type: application/json Content-Length: 187 Connection: keep-alive Boulder-Requester: 773988146 Cache-Control: public, max-age=0, no-cache Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz-v3/387696897956;rel="up" Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/387696897956/LrWWnQ Replay-Nonce: Cb9-D9qJ4WUuIMjnH_4Uro9L9Z9FTps9RIO5FyMyEIoWv7LaidY X-Frame-Options: DENY Strict-Transport-Security: max-age=604800

{ "type": "http-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387696897956/LrWWnQ", "status": "pending", "token": "SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck" } 2024-08-08 14:59:17,609:DEBUG:acme.client:Storing nonce: Cb9-D9qJ4WUuIMjnH_4Uro9L9Z9FTps9RIO5FyMyEIoWv7LaidY 2024-08-08 14:59:17,609:INFO:certbot.internal.auth_handler:Waiting for verification... 2024-08-08 14:59:18,610:DEBUG:acme.client:JWS payload: b'' 2024-08-08 14:59:18,616:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/387696897956: { "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzczOTg4MTQ2IiwgIm5vbmNlIjogIkNiOS1EOXFKNFdVdUlNam5IXzRVcm85TDlaOUZUcHM5UklPNUZ5TXlFSW9XdjdMYWlkWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHotdjMvMzg3Njk2ODk3OTU2In0", "signature": "oFbOEqQ6thizrT0RYbF_ig3Ibe_vWD7zobP-ljLInwIklSTbhFi0XK2xyBowCapN_c9Kn3tvjhVLlAuMeqyRYYWhC1n6L35z7adWL9TvmciLq54DBW3SgJ-f8gxc70ReSUVS3Sjw-Oup7XD_7YjIsO-MUAim0fGAkNvwYfxDxAhQecV8mclDqkzK01vAiyjfEVn4CqHeyV4l_FKwlo6UhNC59bxFGk0Gwre1ys7CgyWNtGVVA9h-VXpTZTLkNF_X0LTO-WR4iqYUj0Qsny8KvtKZ_P-emgyjnXvnp7MrbzCNC4CfFQ6H5OJgjqOnVtfQFnjOz2UGvsjdpCyoG_f_g", "payload": "" } 2024-08-08 14:59:18,765:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/387696897956 HTTP/1.1" 200 1028 2024-08-08 14:59:18,765:DEBUG:acme.client:Received response: HTTP 200 Server: nginx Date: Thu, 08 Aug 2024 14:59:18 GMT Content-Type: application/json Content-Length: 1028 Connection: keep-alive Boulder-Requester: 773988146 Cache-Control: public, max-age=0, no-cache Link: https://acme-v02.api.letsencrypt.org/directory;rel="index" Replay-Nonce: 5Y8sbQiPXfHnKzyC4rIF7UbAQNWuqPOxQcLnx1c8HhSBUlwnLr8 X-Frame-Options: DENY Strict-Transport-Security: max-age=604800

{ "identifier": { "type": "dns", "value": "pic.mydomain.de" }, "status": "invalid", "expires": "2024-08-15T14:59:16Z", "challenges": [ { "type": "http-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/387696897956/LrWWnQ", "status": "invalid", "validated": "2024-08-08T14:59:17Z", "error": { "type": "urn:ietf:params:acme:error:connection", "detail": "93.236.129.34: Fetching http://pic.mydomain.de/.well-known/acme-challenge/SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck: Connection refused", "status": 400 }, "token": "SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck", "validationRecord": [ { "url": "http://pic.mydomain.de/.well-known/acme-challenge/SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck", "hostname": "pic.mydomain.de", "port": "80", "addressesResolved": [ "93.236.129.34" ], "addressUsed": "93.236.129.34" } ] } ] } 2024-08-08 14:59:18,766:DEBUG:acme.client:Storing nonce: 5Y8sbQiPXfHnKzyC4rIF7UbAQNWuqPOxQcLnx1c8HhSBUlwnLr8 2024-08-08 14:59:18,766:INFO:certbot._internal.auth_handler:Challenge failed for domain pic.mydomain.de 2024-08-08 14:59:18,767:INFO:certbot._internal.auth_handler:http-01 challenge for pic.mydomain.de 2024-08-08 14:59:18,767:DEBUG:certbot._internal.display.obj:Notifying user: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems: Domain: pic.mydomain.de Type: connection Detail: 93.236.129.34: Fetching http://pic.mydomain.de/.well-known/acme-challenge/SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2024-08-08 14:59:18,769:DEBUG:certbot._internal.error_handler:Encountered exception: Traceback (most recent call last): File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort) File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations raise errors.AuthorizationError('Some challenges have failed.') certbot.errors.AuthorizationError: Some challenges have failed.

2024-08-08 14:59:18,769:DEBUG:certbot._internal.error_handler:Calling registered functions 2024-08-08 14:59:18,769:INFO:certbot._internal.auth_handler:Cleaning up challenges 2024-08-08 14:59:18,769:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/SestVymotDQQxtKxeg7GYzfsedse8xJlZRFstS1BVck 2024-08-08 14:59:18,770:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up 2024-08-08 14:59:18,770:ERROR:certbot._internal.renewal:Failed to renew certificate npm-23 with error: Some challenges have failed. 2024-08-08 14:59:18,774:DEBUG:certbot._internal.renewal:Traceback was: Traceback (most recent call last): File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request main.renew_cert(lineage_config, plugins, renewal_candidate) File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1550, in renew_cert renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert renewal.renew_cert(config, domains, le_client, lineage) File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 428, in obtain_certificate orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort) File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations raise errors.AuthorizationError('Some challenges have failed.') certbot.errors.AuthorizationError: Some challenges have failed.

2024-08-08 14:59:18,779:DEBUG:certbot._internal.display.obj:Notifying user:

2024-08-08 14:59:18,780:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed: 2024-08-08 14:59:18,781:ERROR:certbot._internal.renewal: /etc/letsencrypt/live/npm-23/fullchain.pem (failure) 2024-08-08 14:59:18,781:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2024-08-08 14:59:18,781:DEBUG:certbot._internal.log:Exiting abnormally: Traceback (most recent call last): File "/opt/certbot/bin/certbot", line 8, in sys.exit(main()) ^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/main.py", line 19, in main return internal_main.main(cli_args) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1894, in main return config.func(config, plugins) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/main.py", line 1642, in renew renewed_domains, failed_domains = renewal.handle_renewal_request(config) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/renewal.py", line 568, in handle_renewal_request raise errors.Error( certbot.errors.Error: 1 renew failure(s), 0 parse failure(s) 2024-08-08 14:59:18,784:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)`

logifle /tmp/letsencrypt-log

Operating System

Rpi4 raspbian x64

Additional context

SvenPausH avatar Aug 08 '24 15:08 SvenPausH

Hello, after reboot my Router certs can be created .WTF

SvenPausH avatar Aug 10 '24 05:08 SvenPausH

facing same problem. renewal fails. reboot of router/nginx doesn't fix the problem

EDIT: By chance found this: https://letsencrypt.org/docs/duplicate-certificate-limit/

was able to renew certs for duckdns-aliases in a bunch of new-cert-request (add aliases for 1 certificate) After that I reassigned renewed certificate-collections to each host and deleted the old close-to-expiring certs

franconianmetal avatar Aug 12 '24 16:08 franconianmetal

Hello got same issue, which DNS are you using ? If its cloudflare, desactivate cloudflare proxy (test but wait a few minutes), get your ssl certs and put cloudlfare proxy again. Otherwise for other DNS use nslookup <your_domain> and verify its your ip.

jo-pouradier avatar Nov 04 '24 14:11 jo-pouradier

We encountered the same issue as described above. The root cause was that Let's Encrypt performs challenge requests from various global locations, and our geoblocking firewall rule was causing these requests to time out.

Since the IP addresses used by Let's Encrypt can change without notice, whitelisting specific addresses isn’t a viable solution. If your firewall allows path-based whitelisting (e.g., */.well-known/acme-challenge), that could resolve the issue, as noted here. Unfortunately, solutions like FortiGate only support this approach with some workarounds.

An alternative is to use a DNS-01 challenge, which involves setting a TXT record. However, for automated certificate renewal, you’d need to automate the DNS updates. If neither option works, you might need to temporarily disable geoblocking during certificate renewal.

ThomasW2005 avatar Nov 19 '24 10:11 ThomasW2005

Issue is now considered stale. If you want to keep it open, please comment :+1:

github-actions[bot] avatar Jun 30 '25 02:06 github-actions[bot]