Bitnami Apache Ubuntu Server Certbot Renew not working


#1

Hi all,

i installed certbot on my bitnami server that is running apache and ubuntu 16.04.4 LTS.
I received an email telling me that i have to renew my certificates since they only work for 90 days max. But after typing “sudo certbot renew” I get the following errors listed below.

My domain is: https://unraceable-backbone.poa-ds-dev.de

I ran this command: sudo certbot renew

It produced this output:
bitnami@ip-172-26-1-52:/opt/bitnami/apache2/conf/bitnami$ sudo /opt/bitnami/ctlscript.sh stop

Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/php/scripts/ctl.sh : php-fpm stopped
/opt/bitnami/mysql/scripts/ctl.sh : mysql stopped
bitnami@ip-172-26-1-52:/opt/bitnami/apache2/conf/bitnami$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/unraceable-backbone.poa-ds-dev.de.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for unraceable-backbone.poa-ds-dev.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (unraceable-backbone.poa-ds-dev.de) from /etc/letsencrypt/renewal/unraceable-backbone.poa-ds-dev.de.conf produced an unexpected error: Failed authorization procedure. unraceable-backbone.poa-ds-dev.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://unraceable-backbone.poa-ds-dev.de/.well-known/acme-challenge/qMMlD0Jcy0GfTec9CgajwHNY2QiwHAu98Jr6HntdyCU: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unraceable-backbone.poa-ds-dev.de/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unraceable-backbone.poa-ds-dev.de/fullchain.pem (failure)


Running post-hook command: /opt/bitnami/ctlscript.sh restart apache
Output from ctlscript.sh:
Unmonitored apache
/opt/bitnami/apache2/scripts/ctl.sh : apache not running
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache

Error output from ctlscript.sh:
Syntax OK
Syntax OK

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Bitnami, Apache 2.4.33,

The operating system my web server runs on is (include version): Ubuntu 16.04.4 LTS

I can login to a root shell on my machine (yes or no, or I don’t know): yes, via putty

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1


#2

Please show:

And the DocumentRoot path location found in the both HTTP & HTTPS vhost configs.
[http forwards to https]


#3

Hi @lukasffx

you have a curious redirect ( https://check-your-website.server-daten.de/?q=unraceable-backbone.poa-ds-dev.de ):

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks this file.

But there is a redirect to another domain - audi.at. So that can’t work.

You should exclude redirects if the query starts with /.well-known/acme-challenge.


#4

The webroot authenticator won’t work while Apache is stopped :wink:

You may have intended to use the standalone authenticator?


#5

Or this is a shared system?
And some one else put things into the renewal-hooks folder…


#7

Maybe you just need to run sudo certbot renew without stopping Apache first?


#8

Hi @JuergenAuer i tried excluding those redirects.

what i am getting now, running the sudo cerbot renew command is:

bitnami@ip-172-26-1-52:/opt/bitnami/apache2/conf/bitnami$ sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/unraceable-backbone.poa-ds-dev.de.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for unraceable-backbone.poa-ds-dev.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (unraceable-backbone.poa-ds-dev.de) from /etc/letsencrypt/renewal/unraceable-backbone.poa-ds-dev.de.conf produced an unexpected error: Failed authorization procedure. unraceable-backbone.poa-ds-dev.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://unraceable-backbone.poa-ds-dev.de/.well-known/acme-challenge/AWpSTkwzfE_TvGGsHQ4SY1_49fEbNLg1hAUK0Se-9k4: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unraceable-backbone.poa-ds-dev.de/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unraceable-backbone.poa-ds-dev.de/fullchain.pem (failure)


Running post-hook command: /opt/bitnami/ctlscript.sh restart apache
Output from ctlscript.sh:
Unmonitored apache
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache

Error output from ctlscript.sh:
Syntax OK
Syntax OK

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: unraceable-backbone.poa-ds-dev.de
    Type: unauthorized
    Detail: Invalid response from
    http://unraceable-backbone.poa-ds-dev.de/.well-known/acme-challenge/AWpSTkwzfE_TvGGsHQ4SY1_49fEbNLg1hAUK0Se-9k4:
    “\n\n404 Not
    Found\n\n

    Not Found

    \n<p”

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.
    bitnami@ip-172-26-1-52:/opt/bitnami/apache2/conf/bitnami$ cd /etc/letsencrypt/
    bitnami@ip-172-26-1-52:/etc/letsencrypt$ ls
    accounts archive cli.ini csr keys live options-ssl-apache.conf renewal renewal-hooks
    bitnami@ip-172-26-1-52:/etc/letsencrypt$ cd renewal
    bitnami@ip-172-26-1-52:/etc/letsencrypt/renewal$ ls
    unraceable-backbone.poa-ds-dev.de.conf
    bitnami@ip-172-26-1-52:/etc/letsencrypt/renewal$ nano unraceable-backbone.poa-ds-dev.de.conf
    bitnami@ip-172-26-1-52:/etc/letsencrypt/renewal$ clear
    bitnami@ip-172-26-1-52:/etc/letsencrypt/renewal$ sudo certbot renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/unraceable-backbone.poa-ds-dev.de.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for unraceable-backbone.poa-ds-dev.de
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (unraceable-backbone.poa-ds-dev.de) from /etc/letsencrypt/renewal/unraceable-backbone.poa-ds-dev.de.conf produced an unexpected error: Failed authorization procedure. unraceable-backbone.poa-ds-dev.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://unraceable-backbone.poa-ds-dev.de/.well-known/acme-challenge/vOTBRwUL1jY9QZmxSC2irq5uH1T6YVU9YvkAaac3FVw: “\n\n404 Not Found\n\n

Not Found

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unraceable-backbone.poa-ds-dev.de/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unraceable-backbone.poa-ds-dev.de/fullchain.pem (failure)


Running post-hook command: /opt/bitnami/ctlscript.sh restart apache
Output from ctlscript.sh:
Unmonitored apache
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache

Error output from ctlscript.sh:
Syntax OK
Syntax OK

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:


#9

Your redirect is gone, this is good.

http://unraceable-backbone.poa-ds-dev.de/.well-known/acme-challenge/vOTBRwUL1jY9QZmxSC2irq5uH1T6YVU9YvkAaac3FVw

has a 404.

But if that doesn’t work, then

  • your webroot is wrong
  • you have additional definitions so another directory is used

So check your webroot, create there the two subdirectories

/.well-known/acme-challenge

there a file (file name 1234), then try to load this file with

http://unraceable-backbone.poa-ds-dev.de/.well-known/acme-challenge/1234

#10

Try adding:
--no-directory-hooks

Disable running executables found in Certbot’s hook directories during renewal.


#11

I am interpreting this to mean that you stopped apache (via bitnami’s ctlscript.sh) manually, from the shell, before running sudo certbot renew. Which would explain why Apache was stopped, without needing to invoke hook directories…

So I simply suggest: not doing that :slight_smile:


#14

Yes probably, if your webroot is no longer what certbot thinks it is, you can pass the new webroot to the renew command with the -w option e.g.

sudo certbot renew -w /path/to/correct/webroot

(you might try a --dry-run first to confirm that it works, you don’t want to run into the failed validation rate limit even though it’s only an hour)


#15

Yep, then use it:

certbot run -a webroot -i apache -w yourcorrectWebroot -d unraceable-backbone.poa-ds-dev.de

Then you don’t need to stop and start apache.


#16

@JuergenAuer alright, that seemed to work perfectly fine! Thx for your help!


closed #17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.