Cannot force renew with certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.kyouikulogistics.com

I ran this command: certbot --force-renewal -d www.kyouikulogistics.com

It produced this output: Invalid response from
http://www.kyouikulogistics.com/.well-known/acme-challenge/us…

My web server is (include version): Apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.6

My hosting provider, if applicable, is: Bluehost (for name server only…server is at a different IP and the A record does point to that address)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): sometimes via command line and sometimes via Webmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

My server was accessible via 443 only but after receiving an error informing me that certbot needs to use 80 to prove the certificate, I changed from 443 to 80…via Webmin…the subsequent error I am receiving is the one posted above.

I have run the command listed under multiple different conditions (different port settings, with internal IP set in my virtual server (initially I had the name only), etc.) and all have resulted in the same error. Any help you can provide will be most appreciated.

Jason

P.S. Now I’ve fiddled around with my server so much that I’m receiving the following error:

Secure Connection Failed

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

and my site is no longer accessible 🙁

Hi @jlh

that can’t work, the result is expected:

http://www.kyouikulogistics.com/.well-known/acme-challenge/1234

Bad Request

Your browser sent a request that this server could not understand.
Reason: You’re speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.

Apache/2.4.18 (Ubuntu) Server at www.kyouikulogistics.com Port 443

You have only changed the port forward

port 80 extern -> port 443 intern.

You need a real working, second port 80 with http, not https.

And

port 80 extern -> port 80 intern
port 443 extern -> port 443 intern

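Why the crossed port forward gives exactly these two errors, as an added example that is not code from this thread. A TLS endpoint reads the first five bytes it receives as a TLS record header (content type, two version bytes, two length bytes). Plain text `HTTP/1.1 ...` parses as content type 0x48, version 0x54.0x54 and length 0x502f = 20527, which exceeds the largest legal TLS record (the code uses the RFC 5246 ceiling of 18432; implementations' exact limits differ, but 20527 exceeds all of them), so a browser whose HTTPS connection lands on a plain-text port reports SSL_ERROR_RX_RECORD_TOO_LONG. The other way round, an SSL-enabled Apache port that receives `GET ...` sees a first byte that is no TLS content type and answers the 400 quoted above. The byte samples, the challenge token and the handshake bodies are constructed, not captured.

```python
"""Classify the first bytes on a socket as TLS or plain HTTP and report what
each side would conclude. Added example; samples are constructed."""
import struct

# TLS record content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Largest record a TLS implementation accepts: 2^14 payload bytes plus up to
# 2048 bytes of expansion (RFC 5246 section 6.2.3).
TLS_MAX_RECORD_LEN = 2 ** 14 + 2048  # 18432
HTTP_REQUEST_PREFIXES = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")


def parse_tls_record_header(data: bytes) -> dict:
    """Interpret the first 5 bytes exactly as a TLS implementation does."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"content_type": content_type, "version": (major, minor), "length": length}


def classify_first_bytes(data: bytes) -> str:
    """'tls' for a plausible TLS record, 'plaintext-http' for HTTP, else 'unknown'."""
    if len(data) < 5:
        return "unknown"
    hdr = parse_tls_record_header(data)
    if (hdr["content_type"] in TLS_CONTENT_TYPES
            and hdr["version"][0] == 3
            and hdr["length"] <= TLS_MAX_RECORD_LEN):
        return "tls"
    if data.startswith(b"HTTP/") or data.startswith(HTTP_REQUEST_PREFIXES):
        return "plaintext-http"
    return "unknown"


def tls_client_verdict(server_bytes: bytes) -> str:
    """What a browser (or the ACME validator after a redirect to https://)
    concludes from the first bytes the server sent back."""
    if classify_first_bytes(server_bytes) == "tls":
        return "ok"
    if len(server_bytes) < 5:
        return "not TLS (short read)"
    hdr = parse_tls_record_header(server_bytes)
    if hdr["length"] > TLS_MAX_RECORD_LEN:
        # b"HTTP/" -> type 0x48, version 0x54.0x54, length 0x502f = 20527
        return "SSL_ERROR_RX_RECORD_TOO_LONG (%r read as record length %d, max %d)" % (
            server_bytes[:5], hdr["length"], TLS_MAX_RECORD_LEN)
    return "not TLS (content type 0x%02x)" % hdr["content_type"]


def tls_server_verdict(client_bytes: bytes) -> str:
    """What an SSL-enabled Apache port concludes from the first bytes a client sent."""
    kind = classify_first_bytes(client_bytes)
    if kind == "tls":
        return "ok"
    if kind == "plaintext-http":
        return "400 Bad Request: plain HTTP to an SSL-enabled server port"
    return "not TLS"


# Constructed samples: made-up token and zero-filled handshake bodies; only the
# leading bytes matter for the classification.
PLAINTEXT_REQUEST = (b"GET /.well-known/acme-challenge/test-token HTTP/1.1\r\n"
                     b"Host: www.kyouikulogistics.com\r\n\r\n")
PLAINTEXT_RESPONSE = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2c" + b"\x01\x00\x00\x28\x03\x03" + b"\x00" * 38
TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x4a" + b"\x02\x00\x00\x46\x03\x03" + b"\x00" * 68

if __name__ == "__main__":
    # extern 80 -> intern 443: a plain HTTP request lands on the TLS port
    print("80 -> 443:", tls_server_verdict(PLAINTEXT_REQUEST))
    # extern 443 -> a plain-text port: the browser's ClientHello is answered in clear
    print("443 -> 80:", tls_client_verdict(PLAINTEXT_RESPONSE))
    # ports mapped 80 -> 80 and 443 -> 443
    print("matched:", tls_server_verdict(TLS_CLIENT_HELLO), tls_client_verdict(TLS_SERVER_HELLO))
```

The practical check is the same as the one in the reply above: fetch `http://www.kyouikulogistics.com/.well-known/acme-challenge/<anything>` and expect an HTTP answer (a 404 or a redirect), never Apache's "speaking plain HTTP to an SSL-enabled server port" page.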

Hmm, ok, thanks. So, I need two virtual servers pointing to the same internal IP each listening on a different port? Or am I totally off?

Not really necessary to spin up a whole different virtual server, just re-enable the virtualhost for HTTP in Apache.

It seems you had HTTP on port 80 working previously, as you did manage to get a certificate in the past. Why did you disable HTTP on port 80 anyway?

Ok, well I went ahead and created another virtual server…I do not remember having 80 enabled nor disabling it. The cert renewal worked with the new virtual server listening on 80. I will delete it and enable 80 via the main virtual server. Thanks for your time.

Now your main configuration is ok.

http://www.kyouikulogistics.com/.well-known/acme-challenge/us

answers with a redirect 301,

https://www.kyouikulogistics.com/.well-known/acme-challenge/us

has a http status 404, Not Found (expected).

PS:

Two servers aren’t required. One server with one webserver with two vHosts is easier.

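The "one webserver with two vHosts" layout described above, as an added example that is not configuration from this thread. It assumes the Debian/Ubuntu Apache 2.4 layout: `Listen 80` and `Listen 443` already present in `ports.conf`, `mod_rewrite` and `mod_ssl` enabled (`a2enmod rewrite ssl`), a webroot of `/var/www/html`, and certbot's default certificate paths under `/etc/letsencrypt/live/`; all of these paths are assumptions, not facts from the thread.

```apache
# Plain HTTP on port 80. The ACME challenge directory is served directly; every
# other request is redirected to HTTPS. Let's Encrypt also follows the redirect,
# so the exemption is not strictly required, but it keeps renewal working even
# while the 443 vHost is broken (as it was in the P.S. above).
<VirtualHost *:80>
    ServerName www.kyouikulogistics.com
    # assumed webroot; must match what certbot's webroot authenticator writes to
    DocumentRoot /var/www/html

    <Directory /var/www/html/.well-known/acme-challenge>
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS on port 443, same content, certificate from certbot's default paths.
<VirtualHost *:443>
    ServerName www.kyouikulogistics.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.kyouikulogistics.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.kyouikulogistics.com/privkey.pem
</VirtualHost>
```

With this in place the external port forward must stay 80 to 80 and 443 to 443, as stated earlier in the thread; forwarding 80 to the 443 vHost reproduces the "speaking plain HTTP to an SSL-enabled server port" error, and forwarding 443 to the 80 vHost reproduces SSL_ERROR_RX_RECORD_TOO_LONG. Run `apachectl configtest` before reloading, then confirm that `curl -I http://www.kyouikulogistics.com/.well-known/acme-challenge/test` returns a plain HTTP 404 rather than the Apache 400 page.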

Thanks, yes, I only have one server running with two vHosts. The reply from Osiris made me think that I could simply enable both 80 and 443 under one vHost…although I don’t, at the moment, remember exactly how/where to accomplish that…which is why I simply quickly created an identical vHost listening on 80. Maybe that is the easiest route.

Thanks again