404 from .well-known/challenge

Hi,
awsdevopro and Juergen - sorry for the intrusion. It looks like I have the same problem, and I am not sure I understand why that is.

My domain is:
stored2ship.com
I ran this command:
certbot --version
certbot 0.29.1
#sh -c "sed -i.bak -e 's/^\(pref_challs.*\)tls-sni-01\(.*\)/\1http-01\2/g' /etc/letsencrypt/renewal/*; rm -f /etc/letsencrypt/renewal/*.bak"

certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/stored2ship.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stored2ship.com
http-01 challenge for www.stored2ship.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (stored2ship.com) from /etc/letsencrypt/renewal/stored2ship.com.conf produced an unexpected error: Failed authorization procedure. www.stored2ship.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.stored2ship.com/.well-known/acme-challenge/TkuNAp-9ZHYOjq9_sgrBVD7NkGbOpUNfBkrCmwOFxEs: "\n\n404 Not Found\n\nNot Found\n<p", stored2ship.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://stored2ship.com/.well-known/acme-challenge/u9NFrk7UbmNJJXIZKWA61nt3l6zfTLCPYR8HTnk6HJc: "\n\n404 Not Found\n\nNot Found\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stored2ship.com/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stored2ship.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot --version
certbot 0.29.1
##################
curl -X GET -I https://www.stored2ship.com
HTTP/1.1 200 OK
Date: Tue, 29 Jan 2019 06:33:57 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

[root@stored2ship log]# curl -X GET -I http://www.stored2ship.com
HTTP/1.1 302 Found
Date: Tue, 29 Jan 2019 06:34:39 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
Location: https://www.stored2ship.com/index.php
Content-Length: 221
Content-Type: text/html; charset=iso-8859-1

[root@stored2ship log]# curl -X GET -I http://stored2ship.com
HTTP/1.1 302 Found
Date: Tue, 29 Jan 2019 06:34:50 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
Location: https://www.stored2ship.com/index.php
Content-Length: 221
Content-Type: text/html; charset=iso-8859-1

Thank you.

404 error is good in that http can reach your server.

Now we just need to figure out why the /.well-known/acme-challenge/ requests don’t reach the files created for them.

Please show all the vhost config files for “stored2ship.com”.
grep -Eri 'servername|serveralias' /etc/apache2 | grep stored2ship.com

2 Likes

Hi @stored2ship

Your main configuration is ok ( https://check-your-website.server-daten.de/?q=stored2ship.com ):

Redirects http -> https, both of your /.well-known/acme-challenge redirects to https + www, there is the expected status 404.

So try to find your DocumentRoot (in your vHost), then use it:

certbot run -a webroot --dry-run -w yourDocumentRoot -d stored2ship.com -d www.stored2ship.com

The redirection to WWW also inserted "index.php" - that will break almost everything being redirected.

3 Likes
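To see why a redirect that ends in index.php produces exactly this 404, here is an added example (not code from the thread or from certbot) that walks a redirect chain the way an http-01 validator would and reports whether the /.well-known/acme-challenge/<token> path survives. The token, thumbprint and the two response tables are constructed placeholders.

```python
# Added example: simulate an ACME http-01 validator following redirects for the
# challenge URL. A redirect to https is fine as long as the challenge path is
# kept; a redirect that rewrites the path (e.g. to /index.php) loses the token.
from urllib.parse import urljoin, urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "EXAMPLE_TOKEN"          # constructed placeholder, not a real token
MAX_REDIRECTS = 10               # validators follow only a bounded number of hops
START_URL = f"http://stored2ship.com{CHALLENGE_PREFIX}{TOKEN}"

# Constructed responses: url -> (status, Location header or None, body)
BROKEN_SITE = {                   # redirect rewrites the path to /index.php
    START_URL: (302, "https://www.stored2ship.com/index.php", ""),
    "https://www.stored2ship.com/index.php": (200, None, "<html>homepage</html>"),
}
FIXED_SITE = {                    # redirect keeps the request path intact
    START_URL: (302, f"https://www.stored2ship.com{CHALLENGE_PREFIX}{TOKEN}", ""),
    f"https://www.stored2ship.com{CHALLENGE_PREFIX}{TOKEN}":
        (200, None, f"{TOKEN}.CONSTRUCTED_THUMBPRINT"),
}

def follow_challenge(site, start_url):
    """Walk redirects like a validator; return (ok, reason, final_url)."""
    url = start_url
    for _ in range(MAX_REDIRECTS):
        if url not in site:
            return False, f"404 Not Found at {url}", url
        status, location, body = site[url]
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)   # Location may be relative
            continue
        if status != 200:
            return False, f"unexpected status {status}", url
        if not urlparse(url).path.startswith(CHALLENGE_PREFIX):
            return False, "redirect chain left the challenge path", url
        # http-01 expects the body to be "<token>.<account key thumbprint>"
        if not body.startswith(TOKEN + "."):
            return False, "body is not the key authorization", url
        return True, "ok", url
    return False, "too many redirects", url

if __name__ == "__main__":
    for name, site in (("broken", BROKEN_SITE), ("fixed", FIXED_SITE)):
        print(name, follow_challenge(site, START_URL))
```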

Oh, sorry, not seen - thanks.

@stored2ship - this is bad.

1 Like

Hi Rudy,

Could it be because the script assumes the directory is /etc/apache2? It's just my guess.

grep -Eri 'servername|serveralias' /etc/httpd | grep stored2ship.com
/etc/httpd/conf/httpd.conf:#ServerName www.stored2ship.com:80
/etc/httpd/conf/httpd.conf:ServerName stored2ship.com
/etc/httpd/conf/httpd.conf: ServerName stored2ship.com
/etc/httpd/conf.d/ssl.conf:#ServerName stored2ship.com:443
/etc/httpd/conf.d/ssl.conf:ServerName www.stored2ship.com:443

[sm@stored2ship ~]$ httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 5 2018 01:47:09

Please show:

2 Likes

Hi Juergen,

grep DocumentRoot conf/httpd.conf
DocumentRoot "/var/www/html"
DocumentRoot "/var/www/html"
#DocumentRoot "/var/www/html"
[root@stored2ship httpd]# certbot run -a webroot --dry-run -w /var/www/html -d stored2ship.com -d www.stored2ship.com
--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')

-The redirection to WWW also inserted "index.php" - that will break almost everything being redirected.

What do you mean? Is it incorrect? Or were you talking about certbot script?

Try:

certbot renew --webroot -w /var/www/html -d stored2ship.com -d www.stored2ship.com --dry-run

Yes, very incorrect.
Please show the redirection statement used (or the complete port 80 & port 443 vhost config files).

2 Likes

Yes, this is very incorrect and the first thing you should fix.

cat httpd.conf
#Include /etc/httpd/conf.d/ssl.conf
#Include /etc/httpd/conf.d/php.conf
ServerRoot "/etc/httpd"
#Listen 104.251.218.64:80 http
#Listen 104.251.218.64:443 https
#Listen 443
Listen 80

Example:

LoadModule foo_module modules/mod_foo.so

OK. Thank you, Juergen.

I removed index.php from redirection and ran:

certbot renew --webroot -w /var/www/html -d stored2ship.com -d www.stored2ship.com --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Currently, the renew verb is capable of either renewing all installed certificates that are due to be renewed or renewing a single certificate specified by its name. If you would like to renew specific certificates by their domains, use the certonly command instead. The renew verb may provide other options for selecting certificates to renew in the future.

Is that correct response from certbot?

renew renews, --dry-run tests the renew. So you can't use both subcommands in one command.

Your certificate is new, so use --dry-run.

After this correction to httpd.conf I was trying to run certbot renew --dry-run:

certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/stored2ship.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stored2ship.com
http-01 challenge for www.stored2ship.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (stored2ship.com) from /etc/letsencrypt/renewal/stored2ship.com.conf produced an unexpected error: Failed authorization procedure. stored2ship.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://stored2ship.com/.well-known/acme-challenge/waCACq6TbqDwrffhPFQWp1J1OEZVhsDoOfJfKwgTKgQ: "\n\n404 Not Found\n\nNot Found\n<p", www.stored2ship.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.stored2ship.com/.well-known/acme-challenge/_CbuG-8ulQOBpzf4iUC7R-bhDlPKHgw8f_tMqEFZNnE: "\n\n404 Not Found\n\nNot Found\n<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stored2ship.com/fullchain.pem (failure)

** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/stored2ship.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

OK replace:
-d stored2ship.com -d www.stored2ship.com
with the certname that covers them.

certbot certificates

2 Likes

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: stored2ship.com
Domains: stored2ship.com www.stored2ship.com
Expiry Date: 2019-04-20 00:09:05+00:00 (VALID: 80 days)
Certificate Path: /etc/letsencrypt/live/stored2ship.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/stored2ship.com/privkey.pem


Try:
certbot renew --webroot -w /var/www/html --cert-name stored2ship.com --dry-run

2 Likes

Is something wrong with the letsencrypt server?

certonly --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
An unexpected error occurred:
The server experienced an internal error :: The service is down for maintenance or had an internal error. Check https://letsencrypt.status.io/ for more details.
Please see the logfiles in /var/log/letsencrypt for more details.

It looks like the script is dying at the very beginning in _init.

The command line called for webroot…
Why not choose option #3?

2 Likes