Botched macOS (High Sierra) Server → Mojave migration + renewal


#1

I established SSL certificates for two domains through Let’s Encrypt back when my Mac mini was running macOS and Apple’s “Server” product. I upgraded to Mojave without (stupidly) following their insanely complex instructions for “migrating” to a standard Apache installation, and now it’s time to renew the certificates and things Just Aren’t Working. I have the sites running on port 80 just fine, but whenever I try to use certbot to get the certificate files so I can put them somewhere httpd-ssl.conf will find them, I get the dreaded “urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused” error while it tries to renew the existing certificate. This happens whether I run sudo certbot --apache or sudo certbot certonly --apache.

I’m at a loss for how to proceed here and would appreciate any suggestions.


#2

Hi,

What’s your domain name?

“Connection refused” mostly means that either the software responsible for handling the web server (in this case Apache) is refusing to work (stopped), or there’s a firewall (blockage) in place so that Let’s Encrypt can’t connect to port 80 of your IP / machine.

If you are using the server / Mac at home, be sure to check that the port forwarding is set up correctly.

Thank you


#3

add:
--preferred-challenges http


#4

Domain names: fates.org, sevardin.com (I don’t have a reconstructed SSL entry for the latter yet, as I wanted to test with the former.)

My mini has its own fixed IP, no port forwarding needed. DNS records haven’t changed.


#5

Connections to port 443 are not being allowed: https://letsdebug.net/fates.org/8654
Try:
certbot --apache --preferred-challenges http


#6

Hi @Sevardin

your first domain is ok. /.well-known/ works as expected.

http://fates.org/ 200 0.364 H
http://www.fates.org/ 200 0.330 H
https://fates.org/ -2 1.337 V
ConnectFailure - Unable to connect to the remote server
https://www.fates.org/ -2 1.320 V
ConnectFailure - Unable to connect to the remote server
http://fates.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.117 A
Not Found
http://www.fates.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.116 A
Not Found

There is no blocking firewall. Port 443 doesn’t work, but I don’t see a redirect, so this isn’t a problem.

Same with your second domain.

So I don’t see a reason for “Connection refused”.

Perhaps share

/var/log/letsencrypt/letsencrypt.log


#7

I concur. We need the full output of certbot, not just one single line.

While this could be the case if the apache plugin opts for the tls-sni-01 challenge, this shouldn’t happen, right?


#8

PS: If you use --apache and standalone, then your current webserver may be stopped.

So the output I found may be not relevant.

But then (later) the webroot option is better.


#9

When using the apache authenticator or installer plugin, Apache would be reloaded, NOT stopped! (Also called “Graceful Restart”.) While an Apache reload does make the child processes stop, de facto there will be no downtime, because the main process will be reloaded first.


#10

The renewal config file should tell us more.


#11

I’m not sure if diving into renewal configurations is warranted yet. Let’s just wait for the full output and/or letsencrypt.log of certbot first.


#12

I agree that not enough information was provided up front, and that is the biggest problem here.
But since we are into it…
I just don’t see how else this action can be explained.

I’ll just have to wait and see.


#13

The output of /var/log/letsencrypt/letsencrypt.log follows:

2018-11-19 15:47:26,940:DEBUG:certbot.main:certbot version: 0.27.1
2018-11-19 15:47:26,941:DEBUG:certbot.main:Arguments: ['--apache', '--preferred-challenges', 'http']
2018-11-19 15:47:26,941:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-11-19 15:47:26,984:DEBUG:certbot.log:Root logging level set at 20
2018-11-19 15:47:26,985:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-11-19 15:47:26,986:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2018-11-19 15:47:27,226:DEBUG:certbot_apache.configurator:Apache version is 2.4.34
2018-11-19 15:47:27,632:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_darwin.DarwinConfigurator object at 0x110bd8048>
Prep: True
2018-11-19 15:47:27,633:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_darwin.DarwinConfigurator object at 0x110bd8048> and installer <certbot_apache.override_darwin.DarwinConfigurator object at 0x110bd8048>
2018-11-19 15:47:27,633:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2018-11-19 15:47:27,638:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x110da3a20>)>), contact=('mailto:david@davidbodonnell.com',), agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', status=None, terms_of_service_agreed=None, only_return_existing=None), uri='https://acme-v01.api.letsencrypt.org/acme/reg/14049942', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), db5941828c69c6080173db3f4c8e6a19, Meta(creation_dt=datetime.datetime(2017, 5, 6, 21, 3, 26, tzinfo=), creation_host='mothership.fates.org'))>
2018-11-19 15:47:27,652:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-11-19 15:47:27,675:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2018-11-19 15:47:27,932:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-11-19 15:47:27,933:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 19 Nov 2018 20:47:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 19 Nov 2018 20:47:27 GMT
Connection: keep-alive

{
  "PP2AzhKWWNQ": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2018-11-19 15:47:32,783:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-12-09 00:32:07 UTC.
2018-11-19 15:47:32,783:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2018-11-19 15:47:32,784:INFO:certbot.main:Renewing an existing certificate
2018-11-19 15:47:32,837:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0022_key-certbot.pem
2018-11-19 15:47:32,840:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0022_csr-certbot.pem
2018-11-19 15:47:32,840:DEBUG:acme.client:Requesting fresh nonce
2018-11-19 15:47:32,840:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-order.
2018-11-19 15:47:32,980:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-order HTTP/1.1" 405 0
2018-11-19 15:47:32,981:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 103
Allow: POST
Replay-Nonce: K13tReA41VLkjMEY4PmaWRhLFln5zZd0qhN8kEvw1Ew
Expires: Mon, 19 Nov 2018 20:47:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 19 Nov 2018 20:47:32 GMT
Connection: keep-alive

2018-11-19 15:47:32,981:DEBUG:acme.client:Storing nonce: K13tReA41VLkjMEY4PmaWRhLFln5zZd0qhN8kEvw1Ew
2018-11-19 15:47:32,981:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "fates.org"\n    }\n  ],\n  "status": "pending",\n  "resource": "new-order"\n}'
2018-11-19 15:47:32,984:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy8xNDA0OTk0MiIsICJub25jZSI6ICJLMTN0UmVBNDFWTGtqTUVZNFBtYVdSaExGbG41elpkMHFoTjhrRXZ3MUV3IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ”,
“signature”: “UpI4hYdkWO3EFxEizSQqBnLM6tDdCgl3_ew-KPfRz37kxdCh6BBwphU9MRyPZWUSd8XkVekjtcUuiwHuT-w2wbPriIRiyts8GFCIckbyIZfu8EGb9fjI8mzutYcTQOe6WA4m1PeL8T8gxUhpets82qeqFitfmvY1d6NQzikSp0Modc2VyXDyNj9eQxRSTv360qH69YoS7yJMM9_Kpucxd9ODvGwsHiV3B6Dknn-BdSCAr5uhrQfRe4oQKl8AmsiIasTIC2tsLzssCYzf0d0205MhcEfy5KM3-KjJ0zvhbHSUvfdsfwWcCJSsc__aElQ1SJN5sjNoUn-0ZPdnPqe9kg”,
“payload”: “ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImZhdGVzLm9yZyIKICAgIH0KICBdLAogICJzdGF0dXMiOiAicGVuZGluZyIsCiAgInJlc291cmNlIjogIm5ldy1vcmRlciIKfQ”
}
2018-11-19 15:47:33,145:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 368
2018-11-19 15:47:33,146:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 368
Boulder-Requester: 14049942
Location: https://acme-v02.api.letsencrypt.org/acme/order/14049942/182628119
Replay-Nonce: xMj3gx6v8l-1aZWya3zQNEF0o6ipfMTD-E6xTdUr7a8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 19 Nov 2018 20:47:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 19 Nov 2018 20:47:33 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2018-11-26T20:47:33.071060129Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "fates.org"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/14049942/182628119"
}
2018-11-19 15:47:33,146:DEBUG:acme.client:Storing nonce: xMj3gx6v8l-1aZWya3zQNEF0o6ipfMTD-E6xTdUr7a8
2018-11-19 15:47:33,146:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20.
2018-11-19 15:47:33,286:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20 HTTP/1.1" 200 1153
2018-11-19 15:47:33,287:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1153
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 19 Nov 2018 20:47:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 19 Nov 2018 20:47:33 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "fates.org"
  },
  "status": "pending",
  "expires": "2018-11-26T20:47:33Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133221",
      "token": "2jeWIwnPP6UHpxEi78NRPq9JQO1xTNnJOpCR5nCmJX4"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133222",
      "token": "_bUxCXa8Yi7ZxMHezTCqvC-nPKISYcecZm5uwJLCAww"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133223",
      "token": "kUaEV3_Q5nrAx9UaZozWJrJAimjQ_tTyy5eCatekTR8"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133224",
      "token": "TpLEnP7sjsd3dde9NlhyMd1WqkXFHS2o0oq4l6tPVcI"
    }
  ]
}
2018-11-19 15:47:33,288:INFO:certbot.auth_handler:Performing the following challenges:
2018-11-19 15:47:33,288:INFO:certbot.auth_handler:http-01 challenge for fates.org
2018-11-19 15:47:33,296:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: http://fates.org:80 in: /private/etc/apache2/extra/httpd-vhosts.conf
2018-11-19 15:47:33,297:DEBUG:certbot_apache.http_01:writing a pre config file with text:
RewriteEngine on
RewriteRule ^/.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]

2018-11-19 15:47:33,297:DEBUG:certbot_apache.http_01:writing a post config file with text:
<Directory /var/lib/letsencrypt/http_challenges>
    Require all granted
</Directory>
<Location /.well-known/acme-challenge>
    Require all granted
</Location>
2018-11-19 15:47:33,322:DEBUG:certbot.reverter:Creating backup of /private/etc/apache2/extra/httpd-vhosts.conf
2018-11-19 15:47:36,484:INFO:certbot.auth_handler:Waiting for verification…
2018-11-19 15:47:36,485:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "keyAuthorization": "TpLEnP7sjsd3dde9NlhyMd1WqkXFHS2o0oq4l6tPVcI.Dd3aMuqIv-7FXwv9iqU1PWgNc1aSBmFq4l7BWAvqtSo",\n  "type": "http-01"\n}'
2018-11-19 15:47:36,487:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133224:
{
“protected”: “eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDEuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL3JlZy8xNDA0OTk0MiIsICJub25jZSI6ICJ4TWozZ3g2djhsLTFhWld5YTN6UU5FRjBvNmlwZk1URC1FNnhUZFVyN2E4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbGVuZ2UvSVV3NE9oZHlVSmtjRUlPd0x3clkxVVlza2JGQ1lma0VHV2tWU2tRVUEyMC85NDUyMTMzMjI0In0”,
“signature”: “rgYuDwa9gYWDyl50iGpN8XEJE4_2FDQ4OMSyRcJbGrj0kCkvokDo0t-2vfbd3KMfhRDIua5LIimJssTgoIMDXIlaKBWt6SZ39sNw6LXWV31TWrS4ACredYte4ASzX2vfgnVqjPjIV9VGJ5R2wpavlxyiOU-0a_rgJxaKRPgjrFEo1yXGCay1poEOrFvRgTu3RUuTAkSjm0JHgwWCn90f3YKcoSzfvfwihyxrXRaQYCPqcbutFk-VVT7q1hGPYMwyK71RRMiFJeeTE3zdmGMmNNomkf9UEAzBWU9a9f60yydKXr_uDvTraSsk162Rkay1lAhbToLtgxv5sx_p6AfQmg”,
“payload”: “ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIlRwTEVuUDdzanNkM2RkZTlObGh5TWQxV3FrWEZIUzJvMG9xNGw2dFBWY0kuRGQzYU11cUl2LTdGWHd2OWlxVTFQV2dOYzFhU0JtRnE0bDdCV0F2cXRTbyIsCiAgInR5cGUiOiAiaHR0cC0wMSIKfQ”
}
2018-11-19 15:47:36,614:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133224 HTTP/1.1" 200 223
2018-11-19 15:47:36,615:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 223
Boulder-Requester: 14049942
Link: <https://acme-v02.api.letsencrypt.org/acme/authz/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133224
Replay-Nonce: SPHiXL93UbSx2Uf-mD4_cu5RpxkAWNpeN0oHsjzyHjg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 19 Nov 2018 20:47:36 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 19 Nov 2018 20:47:36 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133224",
  "token": "TpLEnP7sjsd3dde9NlhyMd1WqkXFHS2o0oq4l6tPVcI"
}
2018-11-19 15:47:36,615:DEBUG:acme.client:Storing nonce: SPHiXL93UbSx2Uf-mD4_cu5RpxkAWNpeN0oHsjzyHjg
2018-11-19 15:47:39,621:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20.
2018-11-19 15:47:39,757:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /acme/authz/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20 HTTP/1.1" 200 1977
2018-11-19 15:47:39,758:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1977
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 19 Nov 2018 20:47:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 19 Nov 2018 20:47:39 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "fates.org"
  },
  "status": "invalid",
  "expires": "2018-11-26T20:47:33Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133221",
      "token": "2jeWIwnPP6UHpxEi78NRPq9JQO1xTNnJOpCR5nCmJX4"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133222",
      "token": "_bUxCXa8Yi7ZxMHezTCqvC-nPKISYcecZm5uwJLCAww"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133223",
      "token": "kUaEV3_Q5nrAx9UaZozWJrJAimjQ_tTyy5eCatekTR8"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://fates.org/.well-known/acme-challenge/TpLEnP7sjsd3dde9NlhyMd1WqkXFHS2o0oq4l6tPVcI: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\n\u003chtml\u003e\u003chead\u003e\n\u003ctitle\u003e404 Not Found\u003c/title\u003e\n\u003c/head\u003e\u003cbody\u003e\n\u003ch1\u003eNot Found\u003c/h1\u003e\n\u003cp\"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/IUw4OhdyUJkcEIOwLwrY1UYskbFCYfkEGWkVSkQUA20/9452133224",
      "token": "TpLEnP7sjsd3dde9NlhyMd1WqkXFHS2o0oq4l6tPVcI",
      "validationRecord": [
        {
          "url": "http://fates.org/.well-known/acme-challenge/TpLEnP7sjsd3dde9NlhyMd1WqkXFHS2o0oq4l6tPVcI",
          "hostname": "fates.org",
          "port": "80",
          "addressesResolved": [
            "71.126.144.101"
          ],
          "addressUsed": "71.126.144.101"
        }
      ]
    }
  ]
}
2018-11-19 15:47:39,759:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: fates.org
Type: unauthorized
Detail: Invalid response from http://fates.org/.well-known/acme-challenge/TpLEnP7sjsd3dde9NlhyMd1WqkXFHS2o0oq4l6tPVcI: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-11-19 15:47:39,760:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. fates.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://fates.org/.well-known/acme-challenge/TpLEnP7sjsd3dde9NlhyMd1WqkXFHS2o0oq4l6tPVcI: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

2018-11-19 15:47:39,760:DEBUG:certbot.error_handler:Calling registered functions
2018-11-19 15:47:39,760:INFO:certbot.auth_handler:Cleaning up challenges
2018-11-19 15:47:40,004:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.27.1', 'console_scripts', 'certbot')()
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/main.py", line 1124, in run
    certname, lineage)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/renewal.py", line 305, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/local/Cellar/certbot/0.27.1/libexec/lib/python3.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. fates.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://fates.org/.well-known/acme-challenge/TpLEnP7sjsd3dde9NlhyMd1WqkXFHS2o0oq4l6tPVcI: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

#14

It seems it is trying via port 80 (http).
But for some reason the added rewrite rule still fails…

Maybe we should have a look at:
/private/etc/apache2/extra/httpd-vhosts.conf


#15

There is the 404 - not found error.

So please find your webroot, then the two directories /.well-known/acme-challenge. If these don’t exist, create them.

Then add a file (file name 1234, without extension) and try to load this file via

http://fates.org/.well-known/acme-challenge/1234

If this works, you have found your correct webroot.

So use

certbot run -a webroot -i apache -w PathToYourWebroot -d fates.org -d www.fates.org
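
The manual webroot check described above, as an added example (not the poster's or certbot's code): it drops a random token file into <webroot>/.well-known/acme-challenge/, fetches it back over plain HTTP the way the CA does, and reports the status instead of raising. The demo serves a temporary directory on localhost so it runs offline; the webroot, URL and local server are constructed for the demonstration, and the wrong-webroot case reproduces the 404 seen in the log.

```python
# Added example (not certbot's code): mirrors the manual check of creating a
# file under .well-known/acme-challenge/ and fetching it over HTTP. The
# webroot, URL and local server below are constructed for the demonstration.
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def probe_webroot(webroot, base_url, timeout=5.0):
    """Write a throwaway token file under webroot and fetch it via base_url.

    Returns {"url", "status", "matched", "error"}. HTTP and connection
    errors are reported, not raised, so a 404 (wrong webroot) or a refused
    connection (nothing listening on port 80) shows up the way the CA sees it.
    """
    chall_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chall_dir, exist_ok=True)
    token = secrets.token_urlsafe(32)          # file name, like an ACME token
    body = secrets.token_urlsafe(32).encode()  # content the fetch must return
    path = os.path.join(chall_dir, token)
    with open(path, "wb") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    result = {"url": url, "status": None, "matched": False, "error": None}
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            result["status"] = resp.status
            result["matched"] = resp.read() == body
    except urllib.error.HTTPError as exc:            # e.g. 404 Not Found
        result["status"] = exc.code
        result["error"] = str(exc)
    except (urllib.error.URLError, OSError) as exc:  # e.g. connection refused
        result["error"] = str(exc)
    finally:
        os.remove(path)  # leave the webroot as it was
    return result


def serve_dir(directory):
    """Start a static file server for `directory` on an ephemeral local port."""
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    httpd = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def demo():
    """Probe the directory the server really serves, then a wrong one.

    Returns (right_result, wrong_result): the first should be 200 and matched,
    the second the 404 that the CA reported in the log above.
    """
    with tempfile.TemporaryDirectory() as real_root, \
            tempfile.TemporaryDirectory() as wrong_root:
        httpd, base = serve_dir(real_root)
        try:
            return probe_webroot(real_root, base), probe_webroot(wrong_root, base)
        finally:
            httpd.shutdown()
            httpd.server_close()


if __name__ == "__main__":
    right, wrong = demo()
    print("right webroot:", right["status"], right["matched"])
    print("wrong webroot:", wrong["status"], wrong["matched"])
```

Point probe_webroot at the DocumentRoot from your vhost and at http://your-domain to run the same check against the live Apache; a 404 there means the -w path is not what Apache serves for that name.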

#16

I basically copied the orphaned entry from Apple’s old Server files into /etc/apache2/extra/httpd-vhosts.conf, then removed the parts that referenced Server-only modules and directories. I haven’t fiddled around with conf files in ages, but this looked okay to me:

<VirtualHost *:80>
    ServerName http://fates.org:80
    ServerAdmin david@davidbodonnell.com
    DocumentRoot "/Users/atropos/Sites/fates.org"
    DirectoryIndex index.html index.php default.html
    CustomLog /var/log/apache2/fates.org.access_log combinedvhost
    ErrorLog /var/log/apache2/fates.org.error_log
    <Directory "/Users/atropos/Sites/fates.org">
        Options All -Indexes -ExecCGI -Includes +MultiViews
        AllowOverride None
        <IfModule mod_dav.c>
            DAV Off
        </IfModule>
    </Directory>
</VirtualHost>


#17

Aha! Thank you—I forgot I needed to explicitly set the -w argument.


#18

That is not required at all. It’s a different approach. Now, you’re using two different plugins. While I agree sometimes a workaround is the better option, the real reason why your apache authenticator failed still exists.

You mentioned /etc/apache2/. But the apache plugin thought your Apache configuration exists at /private/etc/apache2/. Is that path being used at all currently? Any idea why the apache plugin would make use of that path?


#19

There is a new leaf certificate.

https://crt.sh/?id=960170958

:wink:


#20

/etc is linked to /private/etc on macOS. As far as I’m aware, it shouldn’t matter whether /private is explicitly prefixed to /etc.