Unable to renew SSL certificate using certbot


I'm trying to renew my SSL certificate on my AWS EC2 server, but I'm getting the following error, and after a lot of research I couldn't find the solution.

The command I run:

$ sudo certbot renew --dry-run

Error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.com
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Challenge failed for domain mydomain.com
http-01 challenge for mydomain.com
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/prod-mydomain.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydmain.com
   Type:   unauthorized
   Detail: 2.211.168.8: Invalid response from
   http://mydoamin.com/.well-known/acme-challenge/ov6EBHInETwkZZ-oqLNI908jFXvN7PFK86ZCJYcdrtA:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.


There are 3 best solutions below

0

Based on the error given, you need to ensure that the domain that you are trying to create the certificate for is pointing to the server.

You probably need an A DNS record for mydmain.com pointing to your server IP.

I believe this is how LetsEncrypt ensures ownership of the domain. https://letsencrypt.org/getting-started/

0

In my case I used default as the filename inside the /etc/nginx/sites-enabled folder. After I changed it to yoursite.com, where yoursite.com is your site address, sudo certbot renew --dry-run started to work fine. Maybe it helps somebody:

# Rename file
cd /etc/nginx/sites-enabled
mv ./default ./yoursite.com
# Update certs, don't forget to replace yoursite.com with your address
sudo certbot --nginx -d yoursite.com -d www.yoursite.com
# Check nginx config
sudo nginx -t
# Restart nginx to apply certs
sudo systemctl reload nginx
# Check renew
sudo certbot renew --dry-run
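The two answers above point at the two usual causes of the 404 in the question: the A record does not send the validator to this server at all, or it reaches this server but nginx answers from a server block (such as the stock default with server_name _) other than the one certbot edited to serve the token. The following script is an added example for this thread, not code from the original posts or from certbot. It assumes nginx vhost files live under /etc/nginx/sites-enabled, the site's document root is /var/www/html, and getent and curl are installed; the sample certbot output is a constructed excerpt of the error block from the question.

```shell
#!/bin/sh
# Pre-flight diagnostics for a failed http-01 renewal on an nginx host.
# Added example, not from the original thread or from certbot.
# Assumptions: vhosts under /etc/nginx/sites-enabled, webroot /var/www/html,
# getent and curl available on the host.

# Constructed sample: the "IMPORTANT NOTES" block from the question above, trimmed.
SAMPLE_CERTBOT_OUTPUT='   Domain: mydmain.com
   Type:   unauthorized
   Detail: 2.211.168.8: Invalid response from
   http://mydoamin.com/.well-known/acme-challenge/ov6EBHInETwkZZ-oqLNI908jFXvN7PFK86ZCJYcdrtA:
   404'

# Read certbot output on stdin and print "domain validator_ip url http_status"
# for the failed challenge (empty output if no Domain: line is present).
parse_acme_failure() {
    awk '
        $1 == "Domain:" { domain = $2 }
        $1 == "Detail:" { ip = $2; sub(/:$/, "", ip) }
        $1 ~ /acme-challenge\// { url = $1; sub(/:$/, "", url) }
        NF == 1 && $1 ~ /^[0-9][0-9][0-9]$/ { status = $1 }
        END { if (domain != "") print domain, ip, url, status }
    '
}

# Does the public A record for $1 resolve to the address $2 you expect this
# server to have (its Elastic IP)? Exit 0 if yes. Needs DNS, so not part of the test.
dns_points_here() {
    domain=$1; expected=$2
    getent ahostsv4 "$domain" \
        | awk -v e="$expected" '$1 == e { ok = 1 } END { exit !ok }'
}

# Is there an enabled vhost whose server_name lists $1 exactly? The second answer
# found that a vhost file naming the site (rather than the stock default with
# "server_name _;") is what made renewal work; this checks for one.
# $2 overrides the config directory (used by the test with a temp dir).
nginx_has_vhost() {
    domain=$1; conf_dir=${2:-/etc/nginx/sites-enabled}
    grep -Ehs '^[[:space:]]*server_name[[:space:]]' "$conf_dir"/* \
        | tr ';' ' ' \
        | awk -v d="$domain" '{ for (i = 2; i <= NF; i++) if ($i == d) found = 1 }
                               END { exit !found }'
}

# End-to-end probe: drop a throwaway token into the webroot and fetch it over
# plain HTTP by hostname, the way the ACME validator does. A 404 or a redirect
# here reproduces the renewal failure without spending a Let's Encrypt attempt.
# Needs network and write access to the webroot, so not part of the test.
probe_challenge_path() {
    domain=$1; webroot=${2:-/var/www/html}
    dir="$webroot/.well-known/acme-challenge"
    token="preflight-$$"
    mkdir -p "$dir" && printf 'ok\n' > "$dir/$token" || return 2
    body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] && [ "$body" = "ok" ]
}

# Usage on the EC2 host (203.0.113.10 is a placeholder for your Elastic IP):
#   sudo certbot renew --dry-run 2>&1 | parse_acme_failure
#   dns_points_here mydomain.com 203.0.113.10 && echo "dns ok"
#   nginx_has_vhost mydomain.com && echo "vhost ok"
#   probe_challenge_path mydomain.com && echo "challenge path reachable"
```

If dns_points_here fails, fix the A/AAAA record first (answer 1); if it passes but nginx_has_vhost or probe_challenge_path fails, the request is reaching the box but nginx is not serving the challenge for that hostname (answer 2). Run the probe before certbot so failed attempts do not count against the Let's Encrypt rate limits.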
0

If you have just added the certs and you are testing the renewal process, you will need to restart the web server to activate/apply the new certs before you attempt to renew.