Auto Renewing Not working with Google Cloud hosting

joebarnoske · January 25, 2018, 3:59am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.empowermentday.info

I ran this command: ./certbot-auto renew --dry-run

It produced this output: Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/empowermentday.info.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for empowermentday.info
http-01 challenge for www.empowermentday.info
Waiting for verification…

Attempting to renew cert (empowermentday.info) from /etc/letsencrypt/renewal/empowermentday.info.conf produced an unexpected error: Failed authorization procedure. empowermentday.info (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.empowermentday.info.well-known/ac
me-challenge/6uB-TGcQAjuomRT9TxhedtJkXm2SUMmPg4WP159cqrA: Error getting validation data, www.empowermentday.info (h
ttp-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching h
ttps://www.empowermentday.info.well-known/acme-challenge/dV6hsQosMtqLb_igT8mTN3rVC48pNY0gLAEjfAE4RpU: Error getting
validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/empowermentday.info/fullchain.pem (failure)

DRY RUN: simulating ‘certbot renew’ close to cert expiry
(The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/empowermentday.info/fullchain.pem (failure)
DRY RUN: simulating ‘certbot renew’ close to cert expiry
(The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:

The following errors were reported by the server:
Domain: empowermentday.info
Type: connection
Detail: Fetching
https://www.empowermentday.info.well-known/acme-challenge/6uB-TGcQAjuomRT9TxhedtJkXm2SUMmPg4WP159cqrA:
Error getting validation data
Domain: www.empowermentday.info
Type: connection
Detail: Fetching
https://www.empowermentday.info.well-known/acme-challenge/dV6hsQosMtqLb_igT8mTN3rVC48pNY0gLAEjfAE4RpU:
Error getting validation data
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
joseph_barnoske@empowermentday-website-vm:~$

My web server is (include version): Apache

The operating system my web server runs on is (include version): Virtual Machine Bitnami

My hosting provider, if applicable, is: Google Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

_az · January 25, 2018, 4:02am

You have a bad redirect on your website.

$ curl -k -X GET -i http://www.empowermentday.info/.well-known/acme-challenge/dV6hsQosMtqLb_igT8mTN3rVC48pNY0gLAEjfAE4RpU
HTTP/1.1 302 Found
Date: Thu, 25 Jan 2018 04:01:33 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Location: https://www.empowermentday.info.well-known/acme-challenge/dV6hsQosMtqLb_igT8mTN3rVC48pNY0gLAEjfAE4RpU

Location: https://www.empowermentday.info.well-known/acme-challenge

joebarnoske · January 25, 2018, 4:04am

How would I fix this?

I have 3 websites and they are all having the same issue with not autorenewing.

_az · January 25, 2018, 4:06am

Fix your HTTPS redirect to include a trailing slash, whichever way you do it (.htaccess or Apache configuration).

This doesn’t just affect your SSL renewals, it plainly breaks any URL on your website, e.g.: http://empowermentday.info/register/

joebarnoske · January 25, 2018, 4:08am

Thank you.

So, I can hold my own on coding, but I am not a professional - how would I do that? Could you give me a step by step?

_az · January 25, 2018, 4:11am

It will depend on what the person who made these websites in the first place did.

Maybe open up the .htaccess file in the document root of your website and paste it here. In my experience that is the most likely place the mistake will be.

You can post it in a code block like this:

```
paste the contents in between two lines like this
```

joebarnoske · January 25, 2018, 4:33am

What specifically am I looking for in that file

_az · January 25, 2018, 4:34am

The HTTPS redirect. I don’t know exactly what it will look like. If you can’t identify it, just paste the whole file here.

joebarnoske · January 25, 2018, 4:39am

I Took out top itheme security because there were too many characters

_az · January 25, 2018, 4:41am

You can save it as a .txt file and attach it if you can’t fit it all in in one post. Or clone .htaccess to htaccess.txt on your website.

The parts that you pasted were not relevant.

joebarnoske · January 25, 2018, 4:46am

I am a new user and it wont let me attach files

joebarnoske · January 25, 2018, 4:47am

https://empowermentday.info/wp-content/uploads/2018/01/htaccess.txt

_az · January 25, 2018, 4:51am

Looks like the redirect isn’t coming from your .htaccess file .

Can you try run the following to find the source of the redirect:

grep -Ri https /etc/{apache2,httpd}/conf*

joebarnoske · January 25, 2018, 4:53am

grep: /etc/httpd/conf*: No such file or directory

_az · January 25, 2018, 4:55am

Running out of ideas .

What does this show:

apachectl -S

edit: Actually, I just noticed you are using Bitnami. What does this show:

grep -Ri https /opt/bitnami/apache2/

joebarnoske · January 25, 2018, 4:56am

AH00526: Syntax error on line 52 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/empowermentday.info/cert.pem’ does not exist or is empty

_az · January 25, 2018, 5:00am

Take a look at https://docs.bitnami.com/aws/components/apache/#how-to-force-https-for-all-applications

You are looking for rules that look like that one. The problem you need to fix is that you will have a rule that vaguely looks something like:

  RewriteRule ^/(.*) https://%{SERVER_NAME}$1

but needs to include a slash before the $1:

  RewriteRule ^/(.*) https://%{SERVER_NAME}/$1

Otherwise try the grep command I added to my previous post.

joebarnoske · January 25, 2018, 5:08am

This is the file of the command.

_az · January 25, 2018, 5:18am

Great. Looks like /opt/bitnami/apache2/conf/bitnami/bitnami.conf contains this line:

Redirect / https://www.empowermentday.info

but it should be:

Redirect / https://www.empowermentday.info/

Once you change that, you need to reload your Apache configuration. However, because of the error in your earlier post, I am not sure whether you are going to be successfully able to reload Apache's configuration:

AH00526: Syntax error on line 52 of /opt/bitnami/apache2/conf/bitnami/bitnami.conf:
SSLCertificateFile: file ‘/etc/letsencrypt/live/empowermentday.info/cert.pem’ does not exist or is empty

joebarnoske · January 25, 2018, 4:30pm

Thank you for help. It did not work so I am trying to set up a new vm.