Automate cert renewal from different server


#1

Hi,
I got a cert for my domain by using the command below, and I provided the webroot for authentication:
./certbot-auto certonly

Now I am trying to renew the certificates from a different machine (other than the server the domain name points to). I am getting the error below. Please suggest whether there is a way I can renew the certs from a different machine automatically.

./certbot-auto renew --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/regonce-dev.autodesk.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for regonce-dev.autodesk.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/regonce-dev.autodesk.com.conf produced an unexpected error: Failed authorization procedure. regonce-dev.autodesk.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://regonce-dev.autodesk.com/.well-known/acme-challenge/dRdraJ2ZT9MFGVMdGvshnn4kDGVKo2eQGHqOAoxBQXQ: "

Error Page <input class="button"". Skipping.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/regonce-dev.autodesk.com/fullchain.pem (failure)
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 896, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 702, in renew
    renewal.handle_renewal_request(config)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py", line 435, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


#2

Hi @chandrakala,

In order to get a certificate, you have to prove to the CA that you control the domain name(s) that you requested the certificate for. In order to do that, you have to make changes to the web site as requested by the CA.

The Certbot client works by making these changes for you automatically. But normally it can only do so on the machine that actually hosts the web site. If run on a different machine, it has no way of proving that you control the domain name. That’s what you’re seeing here. So generally, Certbot is intended to be run directly on the server that hosts the sites you want a certificate for.

There is a way to do what you want using an HTTP 301 redirect. Suppose you have two machines, which I’ll call site.example.com and auth.example.com. You want to get a cert for site.example.com (or a cert that includes that name alongside other names).

If you want to run Certbot on auth.example.com instead of site.example.com, you need to configure site.example.com's web server to generate a 301 redirect from everything within

http://site.example.com/.well-known/acme-challenge/

to the corresponding URL within

http://auth.example.com/.well-known/acme-challenge/

The certificate authority will accept this redirect as evidence that auth.example.com can “speak for” site.example.com for verification purposes, and then a client like Certbot running on auth.example.com will be able to obtain the requested certificate.

This method requires using the HTTP-01 verification method, which it appears you are already using in this example. The most common way to request and use this method with Certbot is by specifying --webroot (and then you’ll also need to indicate a directory where Certbot can place files in order for those files to appear on your web site, called a webroot directory).
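As an added example (not code from schoen's reply and not part of Certbot), the check below looks at the redirect hop described above the way the CA's validator will: a request for a token under http://site.example.com/.well-known/acme-challenge/ must answer with a redirect whose Location stays under the acme-challenge path on auth.example.com, keeps the same token, and uses http or https on port 80 or 443. The hostnames are the ones from the reply; the token, the sample Location headers and the function names are constructed for the example.

```python
# Added example (not Certbot's code, not from the thread): validate the
# acme-challenge redirect from site.example.com to auth.example.com.
# The token and the Location headers below are constructed.
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"
REDIRECT_STATUSES = (301, 302, 307, 308)


def challenge_url(host, token, scheme="http"):
    """URL the CA's validator fetches for an HTTP-01 challenge on `host`."""
    return f"{scheme}://{host}{ACME_PATH}{token}"


def check_redirect(requested_url, status, location, auth_host):
    """Judge one redirect hop as the CA will see it; returns (ok, reason).

    The hop is acceptable when the status is a redirect, the Location target
    is http/https on port 80 or 443, lands on auth_host under the
    acme-challenge path, and carries the token that was requested.
    """
    if status not in REDIRECT_STATUSES:
        return False, f"expected a redirect status, got {status}"
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme not in ("http", "https"):
        return False, f"unsupported scheme {target.scheme!r}"
    if target.port not in (None, 80, 443):
        return False, f"port {target.port} is not 80 or 443"
    if target.hostname != auth_host:
        return False, f"redirect points at {target.hostname!r}, not {auth_host!r}"
    if not target.path.startswith(ACME_PATH):
        return False, f"target path {target.path!r} is outside {ACME_PATH}"
    requested_token = urlsplit(requested_url).path[len(ACME_PATH):]
    if target.path[len(ACME_PATH):] != requested_token:
        return False, "token in redirect target differs from the requested token"
    return True, "ok"


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Make urllib surface the first 3xx response instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(site_host, auth_host, token, timeout=10):
    """Fetch one challenge URL on site_host (network required) and check the first hop."""
    url = challenge_url(site_host, token)
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With _NoFollow installed, a 3xx arrives here as an HTTPError.
        status, location = err.code, err.headers.get("Location")
    return check_redirect(url, status, location, auth_host)


def offline_demo():
    """Constructed hops (no network): one correct redirect and several mistakes."""
    site, auth = "site.example.com", "auth.example.com"
    token = "constructed-token-Abc123"
    url = challenge_url(site, token)
    hops = {
        "correct": (301, f"http://{auth}{ACME_PATH}{token}"),
        "served directly, no redirect": (200, None),
        "wrong path on auth host": (301, f"http://{auth}/{token}"),
        "different token": (301, f"http://{auth}{ACME_PATH}other-token"),
        "redirect to some other host": (301, f"http://cdn.example.net{ACME_PATH}{token}"),
    }
    return {name: check_redirect(url, s, loc, auth) for name, (s, loc) in hops.items()}


if __name__ == "__main__":
    for name, (ok, reason) in offline_demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

The redirect itself is produced by site.example.com's web server (an nginx `location` rule or an Apache `Redirect` directive for the acme-challenge prefix); this script only verifies the result, and `probe()` runs the same check against a live host once the rule is in place.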


#3

Thank you Schoen for the quick response.
I will try the approach and update how it goes.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.