Question

Certbot failed to renew on a domain I no longer use, and now my other two domains on the same droplet are no longer HTTPS

Posted November 23, 2021 (97 views)
Tags: Apache, Security, Ubuntu 20.04

Several weeks ago, I was notified by certbot that one of my unused domains was no longer secure. But I didn’t think this would affect my two remaining domains by making them insecure too, yet it did. So I tried to fix this.

First, I deleted the unused domain from digital ocean.
Next, I used the certbot command,

sudo certbot delete

hoping to delete the unused domain from the list of my other certbot domains (I have one main domain, and one virtual host domain, and both need to be HTTPS).
But after using

sudo certbot renew --dry-run

my two remaining domains are still no longer HTTPS, and, the domain I attempted to delete is STILL listed, even though it should have been deleted.

I saw this article, but only after I already did the above:
https://www.digitalocean.com/community/questions/unable-to-delete-the-dns-of-a-domain-while-deleting-this-domain-it-says-it-would-prevent-the-let-s-encrypt-certificate-renewal

I also tried using the DigitalOcean control panel, https://docs.digitalocean.com/products/accounts/security/certificates/, to create a secure certificate for my main domain, and hopefully the other one too, but that didn’t work either. My two remaining domains are still no longer HTTPS secure.

So, is there anything else I can do now? Thank you.

1 answer

Hello, @diane

Would you mind sharing the exact output of the certbot command so that we can check the error messages?

Regards,
Alex

  • Yes, of course. Thank you for your help.
    Also, just to be clear, the dc*** domain was the original main domain for this droplet, and the sg2*** and sg*** domains are virtual hosts that I created later.

    sudo certbot renew --dry-run
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/dc***.net.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator apache, Installer apache
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for sg2***.site
    http-01 challenge for www.sg2***.site
    http-01 challenge for dc***.net
    http-01 challenge for sg***.page
    http-01 challenge for www.dc***.net
    http-01 challenge for www.sg***.page
    Waiting for verification...
    Challenge failed for domain sg2***.site
    Challenge failed for domain www.sg2***.site
    http-01 challenge for sg2***.site
    http-01 challenge for www.sg2***.site
    Cleaning up challenges
    Attempting to renew cert (dc***.net) from /etc/letsencrypt/renewal/dc***.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/sg2***.site.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator apache, Installer apache
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for sg2***.site
    http-01 challenge for www.sg2***.site
    Waiting for verification...
    Challenge failed for domain sg2***.site
    Challenge failed for domain www.sg2***.site
    http-01 challenge for sg2***.site
    http-01 challenge for www.sg2***.site
    Cleaning up challenges
    Attempting to renew cert (sg2***.site) from /etc/letsencrypt/renewal/sg2***.site.conf produced an unexpected error: Some challenges have failed.. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/dc***.net/fullchain.pem (failure)
      /etc/letsencrypt/live/sg2***.site/fullchain.pem (failure)
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates below have not been saved.)
    
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/dc***.net/fullchain.pem (failure)
      /etc/letsencrypt/live/sg2***.site/fullchain.pem (failure)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates above have not been saved.)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    2 renew failure(s), 0 parse failure(s)
    
    IMPORTANT NOTES:
     - The following errors were reported by the server:
    
       Domain: sg2***.site
       Type:   unauthorized
       Detail: Invalid response from
       http://sg2***.site/.well-known/acme-challenge/AU_kbDGvO_fnZKxqC3ck1NJMIIvCiBfSnkAjxWsKBhA
       [99.83.154.118]: "<!DOCTYPE html>\n<html
       data-adblockkey=\"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJca"
    
       Domain: www.sg2***.site
       Type:   unauthorized
       Detail: Invalid response from
       http://www.sg2***.site/.well-known/acme-challenge/UAX5LbM6gY-263COFHpBrsK4fS8UwUnP-W-oS72NfcI
       [99.83.154.118]: "<!DOCTYPE html>\n<html
       data-adblockkey=\"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJca"
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
     - The following errors were reported by the server:
    
       Domain: sg2***.site
       Type:   unauthorized
       Detail: Invalid response from
       http://sg2***.site/.well-known/acme-challenge/qpnhvv2bANqGtZnryUzLSPmwacL-h_EPSIaPAgOJS08
       [99.83.154.118]: "<!DOCTYPE html>\n<html
       data-adblockkey=\"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJca"
    
       Domain: www.sg2***.site
       Type:   unauthorized
       Detail: Invalid response from
       http://www.sg2***.site/.well-known/acme-challenge/xzGT43iHAWoIV02EoUo1o-h5P_RVqhihib6564ygRYc
       [99.83.154.118]: "<!DOCTYPE html>\n<html
       data-adblockkey=\"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJca"
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
    
    
  • Hi…how long does it normally take to get an answer?

    I need to know soon, because no one can access my website now without getting a warning message not to go to this website, with Firefox, Chrome and Edge all showing this same message.

    If I don’t get an answer soon, I suppose I will have to upload my websites to GitHub and then get another droplet, because I am not sure how to fix this without making any hidden, unbeknownst errors in Apache.
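Editor's note, added to this thread and not part of the original question or answer: the dry-run output above already contains the diagnosis. The dc***.net certificate is a single multi-name certificate that still carries sg2***.site and www.sg2***.site as subject alternative names, and Let's Encrypt only renews a certificate when every name on it passes validation. Both sg2***.site names are now answered by 99.83.154.118 with a parking page (the data-adblockkey HTML), not by the droplet, so their http-01 challenges fail and the whole dc***.net renewal is skipped, taking www.dc***.net and sg***.page down with it. The script below is an added example (not certbot's own code and not the poster's) that parses a certbot renew log in the format shown above, compares the IP that answered each failed challenge with the droplet's own address, and works out which names still belong on each certificate. The log excerpt is constructed to mirror the posted output, and the droplet address 203.0.113.10 is a placeholder; substitute the real one.

```python
"""Triage a failed `certbot renew` run: which names failed http-01, which host actually
answered, and what each certificate should be reissued as. Added example, not from
the thread; SAMPLE_LOG is constructed from the output posted above."""
import re
import shlex
from collections import OrderedDict

# Constructed excerpt of `certbot renew --dry-run` output (names masked as in the thread).
SAMPLE_LOG = r"""
Processing /etc/letsencrypt/renewal/dc***.net.conf
http-01 challenge for sg2***.site
http-01 challenge for www.sg2***.site
http-01 challenge for dc***.net
http-01 challenge for sg***.page
http-01 challenge for www.dc***.net
http-01 challenge for www.sg***.page
Challenge failed for domain sg2***.site
Challenge failed for domain www.sg2***.site
Attempting to renew cert (dc***.net) from /etc/letsencrypt/renewal/dc***.net.conf produced an unexpected error: Some challenges have failed.. Skipping.
Processing /etc/letsencrypt/renewal/sg2***.site.conf
http-01 challenge for sg2***.site
http-01 challenge for www.sg2***.site
Challenge failed for domain sg2***.site
Challenge failed for domain www.sg2***.site
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sg2***.site
   Type:   unauthorized
   Detail: Invalid response from
   http://sg2***.site/.well-known/acme-challenge/AU_kbDGvO_fnZKxqC3ck1NJMIIvCiBfSnkAjxWsKBhA
   [99.83.154.118]: "<!DOCTYPE html>\n<html data-adblockkey=\"MFww..."

   Domain: www.sg2***.site
   Type:   unauthorized
   Detail: Invalid response from
   http://www.sg2***.site/.well-known/acme-challenge/UAX5LbM6gY-263COFHpBrsK4fS8UwUnP-W-oS72NfcI
   [99.83.154.118]: "<!DOCTYPE html>\n<html data-adblockkey=\"MFww..."
"""

RE_PROCESSING = re.compile(r"^Processing /etc/letsencrypt/renewal/(.+)\.conf$")
RE_CHALLENGE = re.compile(r"^http-01 challenge for (\S+)$")
RE_FAILED = re.compile(r"^Challenge failed for domain (\S+)$")
RE_DOMAIN = re.compile(r"^Domain:\s+(\S+)$")
RE_ANSWERED_BY = re.compile(r"^\[([0-9A-Fa-f.:]+)\]:")  # IPv4 or IPv6 in brackets


def parse_certs(log):
    """Map each renewal config (cert name) to the names it challenged and the names that failed."""
    certs, current = OrderedDict(), None
    for line in (l.strip() for l in log.splitlines()):
        m = RE_PROCESSING.match(line)
        if m:
            current = m.group(1)
            certs[current] = {"names": [], "failed": set()}
        elif current is not None and (m := RE_CHALLENGE.match(line)):
            if m.group(1) not in certs[current]["names"]:  # certbot repeats names during cleanup
                certs[current]["names"].append(m.group(1))
        elif current is not None and (m := RE_FAILED.match(line)):
            certs[current]["failed"].add(m.group(1))
    return certs


def parse_answering_hosts(log):
    """From the IMPORTANT NOTES block: which IP answered the challenge for each failed domain."""
    hosts, domain = {}, None
    for line in (l.strip() for l in log.splitlines()):
        if m := RE_DOMAIN.match(line):
            domain = m.group(1)
        elif domain and (m := RE_ANSWERED_BY.match(line)):
            hosts.setdefault(domain, m.group(1))
    return hosts


def triage(log, server_ip):
    """Per certificate: names to keep, names to drop (with why), and the certbot command to run."""
    answered = parse_answering_hosts(log)
    report = OrderedDict()
    for cert, info in parse_certs(log).items():
        drop = [n for n in info["names"] if n in info["failed"] or answered.get(n, server_ip) != server_ip]
        keep = [n for n in info["names"] if n not in drop]
        if keep:  # reissue the cert under the same name with only the names that still point here
            cmd = "sudo certbot --apache --cert-name " + shlex.quote(cert) + "".join(" -d " + shlex.quote(n) for n in keep)
        else:     # nothing left on this cert: remove it so `certbot renew` stops retrying it
            cmd = "sudo certbot delete --cert-name " + shlex.quote(cert)
        reasons = {n: ("answered by " + answered[n]) if n in answered else "challenge failed" for n in drop}
        report[cert] = {"keep": keep, "drop": drop, "drop_reason": reasons, "command": cmd}
    return report


if __name__ == "__main__":
    for cert, r in triage(SAMPLE_LOG, "203.0.113.10").items():
        print(cert, "keep:", r["keep"], "drop:", r["drop_reason"])
        print("  ", r["command"])
```

Run against the posted output it reports, for dc***.net, that sg2***.site and www.sg2***.site were answered by 99.83.154.118 rather than the droplet and should be dropped, and prints a `certbot --apache --cert-name dc***.net -d ...` command that reissues that certificate with only dc***.net, www.dc***.net, sg***.page and www.sg***.page; for the separate sg2***.site certificate nothing remains, so it prints `certbot delete --cert-name sg2***.site`. Passing `--cert-name` together with a fresh `-d` list is certbot's documented way of changing the set of names on an existing certificate. Before running the reissue, confirm on the droplet that each kept name resolves to the droplet (`dig +short NAME`) and that `http://NAME/.well-known/acme-challenge/` is served by this Apache rather than a parking host, since any single name that fails will again block the whole certificate.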