Cannot force renew with certbot

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.kyouikulogistics.com

I ran this command: certbot --force-renewal d www.kyouikulogistics.com

It produced this output: Invalid response from
http://www.kyouikulogistics.com/.well-known/acme-challenge/us

My web server is (include version): Apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.6

My hosting provider, if applicable, is: Bluehost (for name server only…server is at a different IP and the a record does point to that address)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): sometimes via command line and sometimes via Webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

My server was accessible via 443 only but after receiving an error informing me that certbot needs to use 80 to prove the certificate, I changed from 443 to 80…via Webmin…the subsequent error I am receiving is the one posted above.

I have run the command listed under multiple different conditions (different port settings, with internal IP set in my virtual server (initially I had the name only), etc. and all have resulted in the same error. Any help you can provide will be most appreciated.

Jason

2

P.S. Now I’ve fiddled around with my server so much that I’m receiving the following error:

Secure Connection Failed

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

and my site is no longer accessible :frowning:

3

Hi @jlh

that

can't work, the result is expected:

http://www.kyouikulogistics.com/.well-known/acme-challenge/1234

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Apache/2.4.18 (Ubuntu) Server at www.kyouikulogistics.com Port 443

You have only changed the port forward

port 80 extern -> port 443 intern.

You need a real working, second port 80 with http, not https.

And

port 80 extern -> port 80 intern
port 443 extern -> port 443 intern

4

Hmm, ok, thanks. So, I need two virtual servers pointing to the same internal IP each listening on a different port? Or am I totally off?

5

Not really necessary to spin up a whole different virtual server, just re-enable the virtualhost for HTTP in Apache.

It seems you had HTTP on port 80 working previously, as you did manage to get a certificate in the past. Why did you disable HTTP on port 80 anyway?

6

Ok, well I went ahead and created another virtual server…I do not remember having 80 enabled nor disabling it. The cert renewal worked with the new virtual server listening on 80. I will delete it and enable 80 via the main virtual server. Thanks for your time.

7

Now your main configuration is ok.

http://www.kyouikulogistics.com/.well-known/acme-challenge/us

answers with a redirect 301,

https://www.kyouikulogistics.com/.well-known/acme-challenge/us

has a http status 404, Not Found (expected).

PS:

Two servers aren't required. One server with one webserver with two vHosts is easier.

8

Thanks, yes, I only have one server running with two vHosts. The reply from Osiris made me think that I could simply enable both 80 and 443 under one vHost…although I don’t, at the moment, remember exactly how/where to accomplish that…which is why I simply quickly created an identical vHost listening on 80. Maybe that is the easiest route.

Thanks again

9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.