Cannot renew / expand certificate


#1

Hello! Hope I am not annoying with the umpteenth topic of this kind.
After enabling and setting up IPv6 I checked that certbot could still renew my certificates, and it worked fine. But now after trying to add another subdomain I always get the unauthorized error. Any help would be appreciated.

The resolving IPv4 and IPv6 addresses are correct and should be completely functional.

Also isn’t certbot supposed to temporarily create the folders needed for impressum?

If I forgot any information, please just ask! :slight_smile:

My domain is: sauercloud.net (and www. files. mail. mailadm. and new impressum)

I ran this command: certbot --apache

It produced this output:

Failed authorization procedure. www.sauercloud.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 60b97a704df029deed3e9cdccd887c3e.b5b06848fccdd2d24350c1d4405e8eaa.acme.invalid from [2a03:4000:17:b2::]:443. Received 2 certificate(s), first certificate had names “files.sauercloud.net, mail.sauercloud.net, mailadm.sauercloud.net, sauercloud.net, www.sauercloud.net”, mail.sauercloud.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge.
Requested impressum.sauercloud.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://impressum.sauercloud.net/.well-known/acme-challenge/EJOQE50NfC7M1av2ACae17pXu9nuYf2__VokGRiZokk: "

404 Not Found

Not Found

IMPORTANT NOTES:

My web server is (include version):

apache2/xenial-updates,now 2.4.18-2ubuntu3.9 amd64 [installiert]

The operating system my web server runs on is (include version):

Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-130-generic x86_64)

My hosting provider, if applicable, is:

Rented Rootserver with netcup

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no, SSH

Best Regards!
(snipped some due to 20 link limit? The other SNI challenges all had the same results.)

Edit: Completely forgot certbot version: 0.25.0, installed through PPA


#3

This reminds me of some past issues involving unusual virtual host configurations.

It might be useful to see the output of sudo apachectl -S


#4

Hello jmorahan,

below you see the output of apachectl -S. A short info about my setup: I deliver my sites both via IPv4 and IPv6; the HTTP requests are redirected to HTTPS on both (Redirect permanent / https://…).

VirtualHost configuration:
[2a03:4000:17:b2::]:443 is a NameVirtualHost
         default server www.sauercloud.net (/etc/apache2/sites-enabled/cloud-le-ssl.conf:38)
         port 443 namevhost www.sauercloud.net (/etc/apache2/sites-enabled/cloud-le-ssl.conf:38)
                 alias sauercloud.net
         port 443 namevhost files.sauercloud.net (/etc/apache2/sites-enabled/files.sauercloud-le-ssl.conf:34)
         port 443 namevhost mail.sauercloud.net (/etc/apache2/sites-enabled/mail-ssl.conf:17)
         port 443 namevhost mailadm.sauercloud.net (/etc/apache2/sites-enabled/postadm-le-ssl.conf:17)
[2a03:4000:17:b2::]:80 is a NameVirtualHost
         default server www.sauercloud.net (/etc/apache2/sites-enabled/cloud.conf:32)
         port 80 namevhost www.sauercloud.net (/etc/apache2/sites-enabled/cloud.conf:32)
                 alias sauercloud.net
         port 80 namevhost files.sauercloud.net (/etc/apache2/sites-enabled/files.sauercloud.conf:30)
         port 80 namevhost impressum.sauercloud.net (/etc/apache2/sites-enabled/impressum.conf:36)
         port 80 namevhost mail.sauercloud.net (/etc/apache2/sites-enabled/mail.conf:14)
         port 80 namevhost mailadm.sauercloud.net (/etc/apache2/sites-enabled/postadm.conf:16)
188.68.40.188:443      is a NameVirtualHost
         default server www.sauercloud.net (/etc/apache2/sites-enabled/cloud-le-ssl.conf:3)
         port 443 namevhost www.sauercloud.net (/etc/apache2/sites-enabled/cloud-le-ssl.conf:3)
                 alias sauercloud.net
         port 443 namevhost files.sauercloud.net (/etc/apache2/sites-enabled/files.sauercloud-le-ssl.conf:3)
         port 443 namevhost mail.sauercloud.net (/etc/apache2/sites-enabled/mail-ssl.conf:3)
         port 443 namevhost mailadm.sauercloud.net (/etc/apache2/sites-enabled/postadm-le-ssl.conf:3)
188.68.40.188:80       is a NameVirtualHost
         default server www.sauercloud.net (/etc/apache2/sites-enabled/cloud.conf:1)
         port 80 namevhost www.sauercloud.net (/etc/apache2/sites-enabled/cloud.conf:1)
                 alias sauercloud.net
         port 80 namevhost files.sauercloud.net (/etc/apache2/sites-enabled/files.sauercloud.conf:1)
         port 80 namevhost impressum.sauercloud.net (/etc/apache2/sites-enabled/impressum.conf:1)
         port 80 namevhost mail.sauercloud.net (/etc/apache2/sites-enabled/mail.conf:1)
         port 80 namevhost mailadm.sauercloud.net (/etc/apache2/sites-enabled/postadm.conf:1)

Best regards!


#5

Okay, I think I have an idea of what might be happening, and I think it may be a bug in Certbot.

You have your IPv4 and IPv6 configuration split into separate <VirtualHost> blocks. Certbot looks through your configuration to find the best <VirtualHost> to add its temporary configuration to complete the validation, but if there are multiple matches that it considers equally good, it seems to stop at the first one; moreover, I don’t see that it prefers IPv6 over IPv4 in determining what’s a good match, while Let’s Encrypt does prefer IPv6 over IPv4. However, your IPv4 <VirtualHost>s are before the IPv6 ones in your configuration, so Certbot will configure the wrong ones.

If I’m right, you could work around the problem either by swapping the IPv4 and IPv6 <VirtualHost>s in your configuration files, or by combining them into a single <VirtualHost *:80> and <VirtualHost *:443> for both IPv4 and IPv6 (assuming they are otherwise identical).
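A quick check for the split-address layout described in this post, added here as an example (not code from the thread or from Certbot): it parses apachectl -S output, reports ports whose vhosts are bound separately to IPv4 and IPv6 literals (the layout that trips the first-match behaviour above), and lists names served on one port but missing from the other. The sample listing is constructed to mirror the apachectl -S output in post #4.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the apachectl -S listing in post #4 (trimmed).
SAMPLE = """[2a03:4000:17:b2::]:443 is a NameVirtualHost
         port 443 namevhost www.sauercloud.net (/etc/apache2/sites-enabled/cloud-le-ssl.conf:38)
                 alias sauercloud.net
         port 443 namevhost files.sauercloud.net (/etc/apache2/sites-enabled/files.sauercloud-le-ssl.conf:34)
[2a03:4000:17:b2::]:80 is a NameVirtualHost
         port 80 namevhost www.sauercloud.net (/etc/apache2/sites-enabled/cloud.conf:32)
                 alias sauercloud.net
         port 80 namevhost files.sauercloud.net (/etc/apache2/sites-enabled/files.sauercloud.conf:30)
         port 80 namevhost impressum.sauercloud.net (/etc/apache2/sites-enabled/impressum.conf:36)
188.68.40.188:443      is a NameVirtualHost
         port 443 namevhost www.sauercloud.net (/etc/apache2/sites-enabled/cloud-le-ssl.conf:3)
                 alias sauercloud.net
         port 443 namevhost files.sauercloud.net (/etc/apache2/sites-enabled/files.sauercloud-le-ssl.conf:3)
188.68.40.188:80       is a NameVirtualHost
         port 80 namevhost www.sauercloud.net (/etc/apache2/sites-enabled/cloud.conf:1)
                 alias sauercloud.net
         port 80 namevhost files.sauercloud.net (/etc/apache2/sites-enabled/files.sauercloud.conf:1)
         port 80 namevhost impressum.sauercloud.net (/etc/apache2/sites-enabled/impressum.conf:1)
"""

ADDR_RE = re.compile(r"^(\S+):(\d+)\s+is a NameVirtualHost")
VHOST_RE = re.compile(r"^\s+port \d+ namevhost (\S+)")
ALIAS_RE = re.compile(r"^\s+alias (\S+)")

def parse_vhosts(text):
    # Map (address, port) -> names served there (ServerName plus ServerAlias entries)
    hosts, key = defaultdict(set), None
    for line in text.splitlines():
        if m := ADDR_RE.match(line):
            key = (m.group(1), int(m.group(2)))
        elif (m := VHOST_RE.match(line) or ALIAS_RE.match(line)) and key:
            hosts[key].add(m.group(1))
    return hosts

def split_family_ports(hosts):
    # Ports whose vhosts are bound to literal IPv4 and IPv6 addresses separately
    # (a "*:port" wildcard binding covers both families and is not a split)
    fams = defaultdict(set)
    for addr, port in hosts:
        if addr != "*":
            fams[port].add("v6" if addr.startswith("[") else "v4")
    return sorted(p for p, f in fams.items() if f == {"v4", "v6"})

def missing_on_port(hosts, port):
    # Names present on some other port but absent from every address on `port`
    here = set().union(*[n for (a, p), n in hosts.items() if p == port])
    elsewhere = set().union(*[n for (a, p), n in hosts.items() if p != port])
    return sorted(elsewhere - here)
```

Feed it the real output with parse_vhosts(subprocess.check_output(["apachectl", "-S"], text=True)); an empty split_family_ports result after merging into <VirtualHost *:80> and <VirtualHost *:443> confirms the layout Certbot handles cleanly.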


#6

That might be a great idea. Why haven’t I thought about that?

Will check as soon as I am home! :slight_smile:

Will edit this Post with results.

So, here’s the edit: jmorahan’s solution worked. Thank you very much!
I just had in mind that it’s a better option to declare IP addresses in the vhost!

Again, thank you very much!

And I wish you all a nice day!