404 error during renewal


#1

I’ve seen other errors like this but none with solutions that seem relevant. As far as I know, I don’t have an AAAA record in my DNS config. So I think I’m doing this all over IPv4.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: academictree.org

I ran this command: /root/certbot-auto renew # as root

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.academictree.org.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/academictree.org.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Attempting to renew cert (academictree.org) from /etc/letsencrypt/renewal/academictree.org.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping.


Processing /etc/letsencrypt/renewal/neurotree.org.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.neurotree.org.conf


Cert not yet due for renewal

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/academictree.org/fullchain.pem (failure)


The following certs are not due for renewal yet:

/etc/letsencrypt/live/www.academictree.org/fullchain.pem expires on 2019-01-15 (skipped)

/etc/letsencrypt/live/neurotree.org/fullchain.pem expires on 2019-01-22 (skipped)

/etc/letsencrypt/live/www.neurotree.org/fullchain.pem expires on 2019-01-15 (skipped)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/academictree.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

root@ip-172-31-23-211:~# ./certbot-auto renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/www.academictree.org.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/academictree.org.conf


Cert is due for renewal, auto-renewing…

Plugins selected: Authenticator apache, Installer apache

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for academictree.org

Waiting for verification…

Cleaning up challenges

Attempting to renew cert (academictree.org) from /etc/letsencrypt/renewal/academictree.org.conf produced an unexpected error: Failed authorization procedure. academictree.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://academictree.org/.well-known/acme-challenge/l1QmUOXlrn2zxhSqDcYhWaJkU47EZfJDp0qStM8z3OI: “<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p”. Skipping.


Processing /etc/letsencrypt/renewal/neurotree.org.conf


Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/www.neurotree.org.conf


Cert not yet due for renewal

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/academictree.org/fullchain.pem (failure)


The following certs are not due for renewal yet:

/etc/letsencrypt/live/www.academictree.org/fullchain.pem expires on 2019-01-15 (skipped)

/etc/letsencrypt/live/neurotree.org/fullchain.pem expires on 2019-01-22 (skipped)

/etc/letsencrypt/live/www.neurotree.org/fullchain.pem expires on 2019-01-15 (skipped)

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/academictree.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: academictree.org

Type: unauthorized

Detail: Invalid response from

http://academictree.org/.well-known/acme-challenge/l1QmUOXlrn2zxhSqDcYhWaJkU47EZfJDp0qStM8z3OI:

"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML

2.0//EN">\n<html><head>\n<title>404 Not

Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A/AAAA record(s) for that domain

contain(s) the right IP address.

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

The operating system my web server runs on is (include version):
Linux version 4.4.0-135-generic (buildd@lcy01-amd64-020) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10) ) #161-Ubuntu SMP Mon Aug 27 10:45:01 UTC 2018

My hosting provider, if applicable, is: Amazon EC2

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

Could you please try to place a file under $document_root/.well-known/acme-challenge/ ?

Just use a test file in that directory and share us the result please.

Thank you


#3

Sure, I think I’ve already tested that. You can try:
https://academictree.org/.well-known/acme-challenge/test.txt

Returns:
“test”


#4

FYI, a couple other points that may be useful. I have three other addresses pointing to this server with identical DNS configuration. (www.academictree.org, neurotree.org, www.neurotree.org) A ‘dry run’ works fine for these three others. All domains have nearly identical configs saved in /etc/letsencrypt/renewal/XXX.conf

Maybe also of note, the certificate for academictree.org has already expired.

The other certs don’t expire for another month though, so I don’t know if there’s a probably that won’t show up in the dry run. I’m noticing now that the archive folder shows that certs have been updated for the other domains in October, last update for the problem one was in September. Could something have changed in the system between Sept and Oct?

From looking at the log file, it looks like letsencrypt redirected apache to look in a special place for the challenge files:

     RewriteEngine on
    RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

I can’t see where it copies the special file that presumably the letsencrypt server is looking for.


#5

What do your virtualhosts look like?

apachectl -t -D DUMP_VHOSTS

On the face of it, Certbot shouldn’t be getting confused with a setup like yours, but it looks like it might be.


#6

Don’t think I’m doing anything fancy, but I’m definitely not an expert:

apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:80 is a NameVirtualHost
default server kamzik.org (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost kamzik.org (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost academictree.org (/etc/apache2/sites-enabled/002-academictree.conf:2)
alias www.academictree.org
port 80 namevhost academictree.org (/etc/apache2/sites-enabled/006-academictree.conf:2)
port 80 namevhost neurotree.org (/etc/apache2/sites-enabled/007-neurotree.conf:2)
alias www.neurotree.org
port 80 namevhost www.academictree.org (/etc/apache2/sites-enabled/008-wwwacademictree.conf:2)
*:443 is a NameVirtualHost
default server academictree.org (/etc/apache2/sites-enabled/002-academictree-le-ssl.conf:3)
port 443 namevhost academictree.org (/etc/apache2/sites-enabled/002-academictree-le-ssl.conf:3)
port 443 namevhost www.academictree.org (/etc/apache2/sites-enabled/003-wwwacademictree-le-ssl.conf:3)
port 443 namevhost neurotree.org (/etc/apache2/sites-enabled/004-neurotree-le-ssl.conf:3)
port 443 namevhost www.neurotree.org (/etc/apache2/sites-enabled/005-wwwneurotree-le-ssl.conf:3)
port 443 namevhost kamzik.org (/etc/apache2/sites-enabled/default-ssl.conf:2)

If I pause in the middle of the run, I see that these lines have been added to the appropriate apache config (/etc/apache2/sites-enabled/006-academictree.conf):
below “<VirtualHost *:80>”:
Include /etc/apache2/le_http_01_challenge_pre.conf
and above :
Include /etc/apache2/le_http_01_challenge_post.conf


#7

So, based on that output, it appears to me that you have a bunch of duplicate port 80 VirtualHosts that have

ServerName academictree.org

Since only one of these can actually work at once, it might be a case of Certbot choosing the “wrong one” to insert its validation rules into.

It’s basically not a valid Apache configuration (even though it appears to work).

Ideally you should only have one port 80 VirtualHost per ServerName, so perhaps you can try to remove the duplicates/consolidate them into a single one.

My suggestion is to combine all of the academictree port 80 ones into something like:

<VirtualHost *:80>
  ServerName academictree.org
  ServerAlias www.academictree.org
  # Then the rest of your configuration
</VirtualHost>

and comment out the others.

When you issue a certificate, issue it for both domains at once:

-d academictree.org -d www.academictree.org

#8

Aha! I understand! And yes, that was exactly the problem. Somehow the virtualhost was configured twice.

Deleted the redundant apache virtualhost file and the certificate updated just fine.

Thanks so much!


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.