Apache2 http redirect to https makes certbot renew produce errors

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
https://italimporta.nl
I ran this command:
certbot renew --dry-run
It produced this output:

The following errors were reported by the server:

   Domain: italimporta.nl
   Type:   connection
   Detail: Fetching
   http://italimporta.nl/.well-known/acme-challenge/JnRRpRVg67WczeEKezwo1XfwgZD4stQyEBMrf9Qs914:
   Connection refused

My web server is (include version):
Apache2
The operating system my web server runs on is (include version):
Debian
My hosting provider, if applicable, is:
my own vps
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, command line
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

I think the fact that the renew is not working is due to the fact that there is a redirect to https in my config-file for the apache2 config. Which seems strange since this has been working fine until recently?

<VirtualHost *:80>
DocumentRoot "/var/www/www.italimporta.nl/www"
ServerName italimporta.nl
ServerAlias italimporta.nl  www.italimporta.nl  http://www.italimporta.nl http://italimporta.nl
<Directory "/var/www/www.italimporta.nl/www">
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride all
</Directory>
Redirect permanent / https://italimporta.nl/
</VirtualHost>

So how to deal with this and make certbot perform the renewal again?
The renewal seems to work on some virtual host though?

The following certs were successfully renewed:
  /etc/letsencrypt/live/pizzajollyovens.nl/fullchain.pem (success)
  /etc/letsencrypt/live/pizzaworkshop.nl/fullchain.pem (success)
  /etc/letsencrypt/live/hocom-advies.nl/fullchain.pem (success)
  /etc/letsencrypt/live/server.hooghwinkel.com/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/italimporta.nl/fullchain.pem (failure)
  /etc/letsencrypt/live/pizzajolly.nl/fullchain.pem (failure)
  /etc/letsencrypt/live/italimporta.nl-0001/fullchain.pem (failure)

Dis some more investigation and found out that there was a double cert. which I have removed now.

/etc/letsencrypt/live/italimporta.nl-0001/fullchain.pem (failure)

Also have an error on an other domain (which is a subdomain of the one which is not renewing) the error lays in that domains .conf file and is caused by a "#" in front of a line. Will get that line out and see what happens

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 429, in __init__
    self.configfile = configobj.ConfigObj(config_filename)
  File "/usr/lib/python3/dist-packages/configobj.py", line 1229, in __init__
    self._load(infile, configspec)
  File "/usr/lib/python3/dist-packages/configobj.py", line 1318, in _load
    raise error
  File "<string>", line None
configobj.ParseError: Invalid line (' /var/www/www.italimporta.nl/www') (matched as neither section nor keyword) at line 16.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 432, in __init__
    "error parsing {0}".format(config_filename))
certbot.errors.CertStorageError: error parsing /etc/letsencrypt/renewal/leukvanpizzajolly.nl.conf
Renewal configuration file /etc/letsencrypt/renewal/leukvanpizzajolly.nl.conf is broken. Skipping.
The following certs could not be renewed:
  /etc/letsencrypt/live/italimporta.nl/fullchain.pem (failure)
  /etc/letsencrypt/live/pizzajolly.nl/fullchain.pem (failure)

So appearantly there is a problem with the two domains which belog to the same "webroot". The domains are part of a TYPO3 CMS and accessable through the same site. They do not have a different webroot. Since TYPO3 takes care of the routing/ publishing of the sites/ pages.

Schermafbeelding 2021-09-10 om 12.36.262104×526 67.9 KB

this is in the config files both domains need to be accessible on there own:
/etc/letsencrypt/renewal/italimporta.nl.conf:

# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/italimporta.nl
cert = /etc/letsencrypt/live/italimporta.nl/cert.pem
privkey = /etc/letsencrypt/live/italimporta.nl/privkey.pem
chain = /etc/letsencrypt/live/italimporta.nl/chain.pem
fullchain = /etc/letsencrypt/live/italimporta.nl/fullchain.pem

# Options used in the renewal process
[renewalparams]
webroot_path = /var/www/www.italimporta.nl/www,
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
account = 652ae9e8b10a86d6224509c055dff326
[[webroot_map]]
www.italimporta.nl = /var/www/www.italimporta.nl/www
italimporta.nl = /var/www/www.italimporta.nl/www

and this is in the
/etc/letsencrypt/renewal/leukvanpizzajolly.nl.conf:

# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/leukvanpizzajolly.nl
cert = /etc/letsencrypt/live/leukvanpizzajolly.nl/cert.pem
privkey = /etc/letsencrypt/live/leukvanpizzajolly.nl/privkey.pem
chain = /etc/letsencrypt/live/leukvanpizzajolly.nl/chain.pem
fullchain = /etc/letsencrypt/live/leukvanpizzajolly.nl/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 652ae9e8b10a86d6224509c055dff326
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
www.leukvanpizzajolly.nl =
 /var/www/www.italimporta.nl/www
#leukvanpizzajolly.nl = /var/www/www.italimporta.nl/www

How did that "#" get there?
[it shouldn't be there]

This my imply some sort of firewall type block in place; as I'm able to reach that site:

curl -Iki http://italimporta.nl/.well-known/acme-challenge/Test-File-1234
HTTP/1.1 301 Moved Permanently
Date: Fri, 10 Sep 2021 12:08:28 GMT
Server: Apache/2.4.25 (Debian)
Location: https://italimporta.nl/.well-known/acme-challenge/Test-File-1234

Thanks for your reply. I still do not understand where the fault is?
I now run certbot --standalone renew --dry-run instead of certbot renew --dry-run That produces less errors. I'm not sure if this is a correct way offcourse. Still one error left for italimporta.nl
I'v put the output in a pastebin maybe it helps. certbot_renew_erros - Pastebin.com
If I look in both the certificates in detail I can see some differences. The one for Italimporta.nl has also references to leukvanpizzajolly.nl the other certficate has only leukvanpizajolly.nl mentioned? Is that ok?

--standalone will try to run a web service to answer the challenge requests.
You already have a web server, so that is not the way to go.

Ok ran it again without standalone:
this is the result in pastebin:

So this part is maybe important?
Attempting to renew cert (italimporta.nl) from /etc/letsencrypt/renewal/italimporta.nl.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for leukvanpizzajolly.nl:
Choices: ['Enter a new webroot', '/var/www/www.italimporta.nl/www']

(You can set this with the --webroot-path flag). Skipping.

But if I look at the
/etc/letsencrypt/renewal/italimporta.nl.conf file it holds the correct webroot?

Try removing this line:

I removed that line and run renew again.

leaving me still with only this error:

Attempting to renew cert (italimporta.nl) from /etc/letsencrypt/renewal/italimporta.nl.conf produced an unexpected error: Missing command line flag or config entry for this setting:
Select the webroot for leukvanpizzajolly.nl:
Choices: ['Enter a new webroot', '/var/www/www.italimporta.nl/www']

(You can set this with the --webroot-path flag). Skipping.

Ok, we use a BIGGER hammer!

certbot renew --cert-name italimporta.nl \
--webroot -w /var/www/www.italimporta.nl/www

Thanks this made it work. Seems to be ok now. No complaints about unsafe certificate any-more.

Please show this file now:
/etc/letsencrypt/renewal/italimporta.nl.conf

[so we can see how it likes it]

# renew_before_expiry = 30 days
version = 0.28.0
archive_dir = /etc/letsencrypt/archive/italimporta.nl
cert = /etc/letsencrypt/live/italimporta.nl/cert.pem
privkey = /etc/letsencrypt/live/italimporta.nl/privkey.pem
chain = /etc/letsencrypt/live/italimporta.nl/chain.pem
fullchain = /etc/letsencrypt/live/italimporta.nl/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 652ae9e8b10a86d6224509c055dff326
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /var/www/www.italimporta.nl/www,
[[webroot_map]]
italimporta.nl = /var/www/www.italimporta.nl/www
leukvanpizzajolly.nl = /var/www/www.italimporta.nl/www
www.leukvanpizzajolly.nl = /var/www/www.italimporta.nl/www
www.italimporta.nl = /var/www/www.italimporta.nl/www

I fail to see any significant difference.
But sometimes the can't see all that is there.

The running command added tree lines to the config:

webroot_path = /var/www/www.italimporta.nl/www,
leukvanpizzajolly.nl = /var/www/www.italimporta.nl/www
www.leukvanpizzajolly.nl = /var/www/www.italimporta.nl/www

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.