I am trying to renew my certificate for 2 domains: olimpicos.org.mx and www.olimpicos.org.mx
I am simply executing /usr/bin/certbot renew
and getting authorization errors.
I’ve read a lot of similar reports but I can confirm my case appears quite different from any other report I’ve found. So, please bear with me.
The error goes like this:
Processing /etc/letsencrypt/renewal/olimpicos.org.mx.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for olimpicos.org.mx
http-01 challenge for www.olimpicos.org.mx
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/olimpicos.org.mx.conf produced an unexpected error:
Failed authorization procedure. www.olimpicos.org.mx (http-01): urn:acme:error:unauthorized ::
The client lacks sufficient authorization :: Invalid response from
http://www.olimpicos.org.mx/.well-known/acme-challenge/0QnP3v-uJnxYgxeYUPh4ZLURciwuVAFybD1Pzjv6Y_Y: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/olimpicos.org.mx/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
The configuration file contents are:
# renew_before_expiry = 30 days
version = 0.8.1
cert = /etc/letsencrypt/live/olimpicos.org.mx/cert.pem
privkey = /etc/letsencrypt/live/olimpicos.org.mx/privkey.pem
chain = /etc/letsencrypt/live/olimpicos.org.mx/chain.pem
fullchain = /etc/letsencrypt/live/olimpicos.org.mx/fullchain.pem
# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = XXXXXXX
webroot_path = /usr/share/nginx/wordpress,
[[webroot_map]]
olimpicos.org.mx = /usr/share/nginx/wordpress
www.olimpicos.org.mx = /usr/share/ngix/wordpress
I have verified that I can retrieve files in this directory over http, e.g.
http://olimpicos.org.mx/.well-known/test/test or http://www.olimpicos.org.mx/.well-known/test/test
However, look at the URL that the client is trying to reach:
www.olimpicos.org.mx/.well-known/acme-challenge/0QnP3v-uJnxYgxeYUPh4ZLURciwuVAFybD1Pzjv6Y_Y
The access log confirms this file name:
66.133.109.36 - - [03/Feb/2017:20:17:06 -0500] "GET /.well-known/acme-challenge/0QnP3v-uJnxYgxeYUPh4ZLURciwuVAFybD1Pzjv6Y_Y HTTP/1.1" 404 134 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
In previous attempts I noticed that the acme-challenge folder and a file are created when I try to renew the certificate, but the filename didn’t match. It could be that the file was created and removed quite fast and I could not see it, so I set up a watcher, and these are the only 2 new files created at the same time I ran the above command:
2017-02-03 20:17:05-05:00: 'acme-challenge' appeared in './' via 'CREATE,ISDIR'
2017-02-03 20:17:05-05:00: 'sr0oxI-dVMRUAbHOveyUs1ATD7soz988zmQKdfOUdeE' appeared in './acme-challenge/' via 'CREATE'
As you can see, certbot is creating a file in the right location; however, its name does not match the file that the server is requesting.
What am I missing? I’ll appreciate your help.
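
A check of the renewal file posted above, as an added example that is not part of the original post and not certbot's own code: each name gets its own http-01 token, and the webroot authenticator writes that token under the directory mapped to that name, so the script parses [renewalparams] and [[webroot_map]] and flags any domain whose mapped directory is missing or is not listed in webroot_path. The sample text is constructed from the configuration shown above; parse_webroots and audit_webroots are hypothetical helper names, and the comparison against webroot_path is a heuristic assumed here.

```python
import os

# Constructed sample: the [renewalparams] part of the renewal file shown above.
SAMPLE_CONF = """\
[renewalparams]
authenticator = webroot
webroot_path = /usr/share/nginx/wordpress,
[[webroot_map]]
olimpicos.org.mx = /usr/share/nginx/wordpress
www.olimpicos.org.mx = /usr/share/ngix/wordpress
"""

def parse_webroots(text):
    """Return (webroot_path entries, {domain: webroot}) from renewal-file text."""
    section, paths, mapping = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line.strip("[]")  # "[[webroot_map]]" -> "webroot_map"
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "renewalparams" and key == "webroot_path":
            # The value is a comma-separated list, often with a trailing comma.
            paths = [p.strip() for p in value.split(",") if p.strip()]
        elif section == "webroot_map":
            mapping[key] = value
    return paths, mapping

def audit_webroots(text, is_dir=os.path.isdir):
    """List (domain, path, problem) for every mapping that looks wrong."""
    paths, mapping = parse_webroots(text)
    known = {os.path.normpath(p) for p in paths}
    findings = []
    for domain, path in sorted(mapping.items()):
        norm = os.path.normpath(path)
        if not is_dir(norm):
            findings.append((domain, path, "directory does not exist"))
        elif known and norm not in known:
            # Heuristic (assumption of this example): a mapped path that is
            # absent from webroot_path is worth a second look.
            findings.append((domain, path, "not listed in webroot_path"))
    return findings

if __name__ == "__main__":
    for domain, path, problem in audit_webroots(SAMPLE_CONF):
        print(f"{domain}: {path}: {problem}")
```

On a real host, pass the text of the file under /etc/letsencrypt/renewal/ instead of the sample; the default directory check then runs against the actual filesystem.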