I am trying to renew my certificate for 2 domains: olimpicos.org.mx and www.olimpicos.org.mx
I am simply executing /usr/bin/certbot renew and getting authorization errors.
I’ve read a lot of similar reports but I can confirm my case appears quite different from any other report I’ve found. So, please bear with me.
The error goes like this:
    Processing /etc/letsencrypt/renewal/olimpicos.org.mx.conf
    -------------------------------------------------------------------------------
    Cert is due for renewal, auto-renewing...
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for olimpicos.org.mx
    http-01 challenge for www.olimpicos.org.mx
    Waiting for verification...
    Cleaning up challenges
    Attempting to renew cert from /etc/letsencrypt/renewal/olimpicos.org.mx.conf produced an unexpected error: Failed authorization procedure. www.olimpicos.org.mx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.olimpicos.org.mx/.well-known/acme-challenge/0QnP3v-uJnxYgxeYUPh4ZLURciwuVAFybD1Pzjv6Y_Y: "<html>
    <head><title>404 Not Found</title></head>
    <body bgcolor="white">
    <center><h1>404 Not Found</h1></center>
    <hr><center>". Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/olimpicos.org.mx/fullchain.pem (failure)
    1 renew failure(s), 0 parse failure(s)

The configuration file contents are:

    # renew_before_expiry = 30 days
    version = 0.8.1
    cert = /etc/letsencrypt/live/olimpicos.org.mx/cert.pem
    privkey = /etc/letsencrypt/live/olimpicos.org.mx/privkey.pem
    chain = /etc/letsencrypt/live/olimpicos.org.mx/chain.pem
    fullchain = /etc/letsencrypt/live/olimpicos.org.mx/fullchain.pem
    # Options used in the renewal process
    [renewalparams]
    authenticator = webroot
    installer = None
    account = XXXXXXX
    webroot_path = /usr/share/nginx/wordpress,
    [[webroot_map]]
    olimpicos.org.mx = /usr/share/nginx/wordpress
    www.olimpicos.org.mx = /usr/share/ngix/wordpress

However, look at the URL that the client is trying to reach:
The access log confirms this file name:
220.127.116.11 - - [03/Feb/2017:20:17:06 -0500] "GET /.well-known/acme-challenge/0QnP3v-uJnxYgxeYUPh4ZLURciwuVAFybD1Pzjv6Y_Y HTTP/1.1" 404 134 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
In previous attempts I noticed that the acme-challenge folder and a file are created when I try to renew the certificate, but the filename didn’t match. It could be that the file was created and removed quite fast and I could not see it, so I set up a watcher, and these are the only 2 new files created at the same time I ran the above command:

    2017-02-03 20:17:05-05:00: 'acme-challenge' appeared in './' via 'CREATE,ISDIR'
    2017-02-03 20:17:05-05:00: 'sr0oxI-dVMRUAbHOveyUs1ATD7soz988zmQKdfOUdeE' appeared in './acme-challenge/' via 'CREATE'

As you can see, certbot is creating a file in the right location; however, its name does not match the file that the server is requesting.
What am I missing? I’ll appreciate your help.
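A consistency check over the renewal configuration quoted in the post, as an added example that is not part of the original post and not certbot's own code: it reads the `[[webroot_map]]` entries and reports any domain whose webroot is not among the `webroot_path` entries or is not a directory on disk. The sample config is constructed from the quoted file, and `parse_renewal_webroots`, `audit_webroots` and `fs_root` are hypothetical names.

```python
import os

# Constructed sample: the [renewalparams] / [[webroot_map]] part of the file quoted in the post.
SAMPLE_CONF = """\
[renewalparams]
authenticator = webroot
webroot_path = /usr/share/nginx/wordpress,
[[webroot_map]]
olimpicos.org.mx = /usr/share/nginx/wordpress
www.olimpicos.org.mx = /usr/share/ngix/wordpress
"""

def parse_renewal_webroots(conf_text):
    """Return (webroot_path entries, {domain: webroot}) from a renewal config."""
    section, paths, mapping = None, [], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):          # [renewalparams] or nested [[webroot_map]]
            section = line.strip("[]")
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep:
            continue
        if section == "renewalparams" and key == "webroot_path":
            paths = [p.strip() for p in value.split(",") if p.strip()]
        elif section == "webroot_map":
            mapping[key] = value
    return paths, mapping

def audit_webroots(conf_text, fs_root="/"):
    """Return (domain, webroot, problem) tuples, ordered by domain.

    fs_root is a hypothetical parameter so the check can run against a scratch tree.
    """
    paths, mapping = parse_renewal_webroots(conf_text)
    findings = []
    for domain, webroot in sorted(mapping.items()):
        if paths and webroot not in paths:
            findings.append((domain, webroot, "not listed in webroot_path"))
        if not os.path.isdir(os.path.join(fs_root, webroot.lstrip("/"))):
            findings.append((domain, webroot, "directory missing"))
    return findings

if __name__ == "__main__":
    for finding in audit_webroots(SAMPLE_CONF):
        print(*finding, sep=": ")
```

On a real host, pass the text of the file under /etc/letsencrypt/renewal/ instead of the sample and leave `fs_root` at its default.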