Can we run sudo certbot --apache and set up auto renew while having a running HTTPS configured via Certbot using DNS challenge?

I previously used the DNS challenge to set up my first SSL with Certbot. But now that I want to use the HTTP one to take advantage of the auto-renew possibilities, the command sudo certbot --apache --debug-challenge seems to not work. The acme-challenge folder files are accessible. Here is an example, https://salvomag.com/.well-known/acme-challenge/G28T9ScQU1szGFOZWGRyZhl5jIoWziBarr8MxreQDok

My domain is: salvomag.com

I ran this command: sudo certbot --apache --debug-challenge

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: salvomag.com
2: www.salvomag.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for salvomag.com
http-01 challenge for www.salvomag.com
Waiting for verification…

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. salvomag.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://salvomag.com/.well-known/acme-challenge/i5A8wcpKIh-X09bvFNvpLEty0WousJdXI8fWhy5f_Cs [167.99.158.70]: "<!doctype html>\n<html class="no-js" lang="en">\n <head>\n <meta charset="utf-8" />\n <meta name="viewport" content", www.salvomag.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.salvomag.com/.well-known/acme-challenge/cNlc3bzilIDKL87xosBf_GY545IND3aGcxuK0BQt3nA [167.99.158.70]: "<!doctype html>\n<html class="no-js" lang="en">\n <head>\n <meta charset="utf-8" />\n <meta name="viewport" content"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: salvomag.com
   Type: unauthorized
   Detail: Invalid response from
   https://salvomag.com/.well-known/acme-challenge/i5A8wcpKIh-X09bvFNvpLEty0WousJdXI8fWhy5f_Cs
   [167.99.158.70]: "<!doctype html>\n<html class="no-js"
   lang="en">\n <head>\n <meta charset="utf-8" />\n
   <meta name="viewport" content"

   Domain: www.salvomag.com
   Type: unauthorized
   Detail: Invalid response from
   https://www.salvomag.com/.well-known/acme-challenge/cNlc3bzilIDKL87xosBf_GY545IND3aGcxuK0BQt3nA
   [167.99.158.70]: "<!doctype html>\n<html class="no-js"
   lang="en">\n <head>\n <meta charset="utf-8" />\n
   <meta name="viewport" content"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

Hi @oscarouedraogo

first: It isn’t relevant which challenge method you have used earlier. That doesn’t affect your current command.

Checked your domain, there is a problem (via https://check-your-website.server-daten.de/?q=salvomag.com):

Domainname | Http-Status | redirect | Sec. | G
http://salvomag.com/ 167.99.158.70 | 302 | https://salvomag.com/ | 0.220 | A
http://www.salvomag.com/ 167.99.158.70 | 302 | https://www.salvomag.com/ | 0.217 | A
https://salvomag.com/ 167.99.158.70 | 200 | | 7.137 | I
https://www.salvomag.com/ 167.99.158.70 | 200 | | 6.887 | I
http://salvomag.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 167.99.158.70 | 302 | https://salvomag.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.213 | A
Visible Content: Found The document has moved here . Apache/2.4.18 (Ubuntu) Server at salvomag.com Port 80
http://www.salvomag.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 167.99.158.70 | 302 | https://www.salvomag.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.213 | A
Visible Content: Found The document has moved here . Apache/2.4.18 (Ubuntu) Server at www.salvomag.com Port 80
https://salvomag.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 200 | | 6.226 |
Visible Content: Salvo Login 404 This page either moved or does not exist. Try browsing our current issue or search our archives . Are you looking to renew your subscription? Click here . Back to Home Welcome, friend. Sign-in to read every article [or subscribe .] Guest Login Welcome back. Your username and password, please? Subscriber Login Salvo A MAGAZINE OF SOCIETY, SEX, & SCIENCE Subscribe Topics Departments Authors Fake Ads About Salvo Contact Privacy Policy Current Issue Past Issues Subscribe Renew Student Subscription Gift Salvo Donate Facebook Twitter Newsletters Login All material Ⓒ 2019 Salvo is published by The Fellowship of St. James. Designed by Beck & Stone, Inc. Login Topics Departments Authors Fake Ads About Salvo Current Issue Past Issues Gift Salvo Donate Privacy Policy Subscribe Renew Student Subscription Newsletters Facebook Twitter Contact
https://www.salvomag.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 200 | | 6.237 |

Port 80 is open and answers, that’s good (and required). If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.

The redirect http -> https is ok, Letsencrypt follows that redirect (and ignores invalid certificates).

But then your server answers with a http status 200 and a lot of content.

So it looks like there is a content management system or something else. Expected is the http status 404 (not found), not the http status 200 / ok.

It may be difficult to change that.

Perhaps it’s easier to find your port 80 vHost, there the rewrite rule http -> https, then create an exception, so /.well-known/acme-challenge isn’t redirected to https.

2 Likes
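The failure described in the reply above, reduced to a check over a recorded response chain (an added example, not code from the thread or from Certbot). The token and the HTML prefix come from the error output earlier on the page; the function name, the result labels and the thumbprint placeholder are assumptions.

```python
import re

# RFC 8555 section 8.3: the challenge URL must return the key authorization,
# "<token>.<base64url thumbprint of the account key>", and nothing else.
KEY_AUTH = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")
PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 307, 308)


def diagnose_http01(hops, token):
    """Judge a recorded fetch of a challenge URL.

    hops: (url, status, body) tuples in request order, redirects included.
    token: the last path segment of the challenge URL.
    """
    for url, status, _ in hops[:-1]:
        if status not in REDIRECTS:
            return "broken-chain: %s answered %d before the last hop" % (url, status)
    url, status, body = hops[-1]
    if not url.endswith(PREFIX + token):
        return "redirected-away: %s is not the challenge path" % url
    if status == 404:
        return "not-found: request reached the site but no challenge file exists"
    if status != 200:
        return "error: final status %d" % status
    text = body.strip()
    if KEY_AUTH.match(text) and text.split(".")[0] == token:
        return "ok: body is a key authorization for this token"
    if text.lower().startswith(("<!doctype", "<html")):
        return "catch-all: the application answered 200 with an HTML page"
    return "mismatch: body is not a key authorization for this token"


# Constructed from the thread: token and HTML prefix are taken from the error
# message, the thumbprint is a placeholder.
TOKEN = "i5A8wcpKIh-X09bvFNvpLEty0WousJdXI8fWhy5f_Cs"
PATH = "salvomag.com" + PREFIX + TOKEN
AS_REPORTED = [
    ("http://" + PATH, 302, ""),
    ("https://" + PATH, 200, '<!doctype html>\n<html class="no-js" lang="en">'),
]
WITH_EXCEPTION = [("http://" + PATH, 200, TOKEN + ".PLACEHOLDER_THUMBPRINT")]

if __name__ == "__main__":
    for name, hops in (("as reported", AS_REPORTED), ("with exception", WITH_EXCEPTION)):
        print(name, "->", diagnose_http01(hops, TOKEN))
```

The same function can be fed hops captured from a real request to an unused name under the challenge path, where a 404 is the healthy answer.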

Thanks @JuergenAuer. I have excluded the well-known path and it worked. Strange that the well known link that I have specified in my post description was working.

Now when I run sudo certbot renew --dry-run, I get 0 renew failure(s), 1 parse failure(s).

Below is the full output
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/salvomag.com-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for salvomag.com
http-01 challenge for www.salvomag.com
Waiting for verification…
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/salvomag.com-0002/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/salvomag.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 441, in __init__
    "file reference".format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/salvomag.com.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/salvomag.com-0002/fullchain.pem (success)

Additionally, the following renewal configurations were invalid:
  /etc/letsencrypt/renewal/salvomag.com.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)

Wondering if the renewal cronjob will work at the renewal time.

You have created a new certificate:

CN=salvomag.com | 12.03.2019 | 10.06.2019 | expires in 90 days | salvomag.com, www.salvomag.com - 2 entries

So that works. And now you have two config files:

/etc/letsencrypt/renewal/salvomag.com-0002.conf
/etc/letsencrypt/renewal/salvomag.com.conf

The first may be your new certificate, the second may be your old.

But you need only one certificate.

So check your config with

certbot certificates

if the 002 has the correct certificate, remove the other certificate with

certbot delete --cert-name certificate-name

PS: First make a backup.

1 Like
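A check for the parse failure shown in the traceback above, which certbot raises when a renewal config lacks one of its file references (an added example, not code from the thread or from Certbot). The list of required keys follows certbot's storage module as an assumption, and both sample configs are constructed, since the thread does not show the contents of either .conf file.

```python
import os

# File references a renewal config must carry at its top level. This list is
# taken from certbot's storage module as an assumption; the thread does not
# show the contents of either .conf file.
REQUIRED = ("cert", "privkey", "chain", "fullchain")


def parse_top_level(text):
    """Return key = value pairs that appear before the first [section]."""
    refs = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            break
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            refs[key.strip()] = value.strip()
    return refs


def check_renewal_conf(text, exists=os.path.exists):
    """List problems with the file references in a renewal config."""
    refs = parse_top_level(text)
    problems = ["missing reference: " + k for k in REQUIRED if k not in refs]
    problems += ["target not on disk: " + refs[k]
                 for k in REQUIRED if k in refs and not exists(refs[k])]
    return problems


# Constructed samples: a complete config for the -0002 lineage and one with
# no file references at all.
LIVE = "/etc/letsencrypt/live/salvomag.com-0002/"
COMPLETE = "".join("%s = %s%s.pem\n" % (k, LIVE, k) for k in REQUIRED) + \
    "[renewalparams]\nauthenticator = apache\ninstaller = apache\n"
INCOMPLETE = "version = 0.28.0\n[renewalparams]\nauthenticator = manual\n"

if __name__ == "__main__":
    # exists is stubbed so the samples can be checked on any machine.
    for name, text in (("complete", COMPLETE), ("incomplete", INCOMPLETE)):
        print(name, check_renewal_conf(text, exists=lambda p: True))
```

On the server itself, pass the text of each file under /etc/letsencrypt/renewal/ and leave `exists` at its default so missing targets are reported as well.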

It all worked out. Thanks @JuergenAuer!

1 Like
