Cannot renew cert - Invalid response

Hi, searched and tried several solutions. Cannot renew my cert. DNS is resolvable.

My domain is:
woidcloud.de
I ran this command:
certbot renew --dry-run --debug-challenges -v

It produced this output:
"identifier": {
"type": "dns",
"value": "woidcloud.de"
},
"status": "invalid",
"expires": "2024-09-03T07:44:22Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/13754007003/gyDH3w",
"status": "invalid",
"validated": "2024-08-27T07:44:26Z",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/Ifbeas0oHGCFF6EtIjtW40WP_eFQULSoiZMRI-Cffzw: 404",
"status": 403
},
"token": "Ifbeas0oHGCFF6EtIjtW40WP_eFQULSoiZMRI-Cffzw",
"validationRecord": [
{
"url": "http://woidcloud.de/.well-known/acme-challenge/Ifbeas0oHGCFF6EtIjtW40WP_eFQULSoiZMRI-Cffzw",
"hostname": "woidcloud.de",
"port": "80",
"addressesResolved": [
"88.133.124.148"
],
"addressUsed": "88.133.124.148"
}
]

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.27.0

My guess is something has changed in your OpenResty server config that no longer matches how you request your cert.

Would you show the contents of the config file for this domain from this folder?

/etc/letsencrypt/renewal

I think the mistake was to try to create a new one, with this command:

certbot --manual --preferred-challenges dns certonly

Then I realized renewing would be the solution and got errors.

cat /etc/letsencrypt/renewal/woidcloud.de.conf

renew_before_expiry = 30 days

version = 0.27.0
archive_dir = /etc/letsencrypt/archive/woidcloud.de
cert = /etc/letsencrypt/live/woidcloud.de/cert.pem
privkey = /etc/letsencrypt/live/woidcloud.de/privkey.pem
chain = /etc/letsencrypt/live/woidcloud.de/chain.pem
fullchain = /etc/letsencrypt/live/woidcloud.de/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 8ada4f7d4b5d27148acb4a30e4774055
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

Domain: woidcloud.de
Type: unauthorized
Detail: 88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/Mw85_eyWLLw4duQbPjaPR7Y7tTB16_IR0dTtSaM0bz8: 404

Domain: www.woidcloud.de
Type: unauthorized
Detail: 88.133.124.148: Invalid response from http://www.woidcloud.de/.well-known/acme-challenge/tbvioykkzdk_Rg1T4KJukRSk_xsXzk5JcdPF37T7rJM: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/Mw85_eyWLLw4duQbPjaPR7Y7tTB16_IR0dTtSaM0bz8: 404, www.woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://www.woidcloud.de/.well-known/acme-challenge/tbvioykkzdk_Rg1T4KJukRSk_xsXzk5JcdPF37T7rJM: 404

Calling registered functions
Cleaning up challenges
Attempting to renew cert (woidcloud.de) from /etc/letsencrypt/renewal/woidcloud.de.conf produced an unexpected error: Failed authorization procedure. woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/Mw85_eyWLLw4duQbPjaPR7Y7tTB16_IR0dTtSaM0bz8: 404, www.woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://www.woidcloud.de/.well-known/acme-challenge/tbvioykkzdk_Rg1T4KJukRSk_xsXzk5JcdPF37T7rJM: 404. Skipping.

What happens with:

certbot renew

Please also show:

sudo apachectl -t -D DUMP_VHOSTS


Keep in mind this is trying to mix with --apache

Request to: woidcloud.de/88.133.124.148, Result: [Address=88.133.124.148,Address Type=IPv4,Server=openresty


Supplemental information: there is a new version, Certbot 2.11.0 Release

Attempting to renew cert (woidcloud.de) from /etc/letsencrypt/renewal/woidcloud.de.conf produced an unexpected error: Failed authorization procedure. woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/DccLvEwqhzpkWcISADCXyruh6zSH908K3gcrq7Vfwsc: 404, www.woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://www.woidcloud.de/.well-known/acme-challenge/z8eEl3RZo1DbaHPu81RqXsCBmZg8XfsE2653rtX0GmE: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/woidcloud.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/woidcloud.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: woidcloud.de
   Type:   unauthorized
   Detail: 88.133.124.148: Invalid response from
   http://woidcloud.de/.well-known/acme-challenge/DccLvEwqhzpkWcISADCXyruh6zSH908K3gcrq7Vfwsc:
   404

   Domain: www.woidcloud.de
   Type:   unauthorized
   Detail: 88.133.124.148: Invalid response from
   http://www.woidcloud.de/.well-known/acme-challenge/z8eEl3RZo1DbaHPu81RqXsCBmZg8XfsE2653rtX0GmE:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

root@cNexttcloud03:/var/www/nextcloud# apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server cNexttcloud03.wtz (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost cNexttcloud03.wtz (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost woidcloud.de (/etc/apache2/sites-enabled/001-nextcloud.conf:2)
                 alias 192.168.178.90
                 alias 88.133.124.148
                 alias www.woidcloud.de
*:443                  is a NameVirtualHost
         default server woidcloud.de (/etc/apache2/sites-enabled/001-nextcloud-le-ssl.conf:2)
         port 443 namevhost woidcloud.de (/etc/apache2/sites-enabled/001-nextcloud-le-ssl.conf:2)
                 alias 192.168.178.90
                 alias 88.133.124.148
                 alias www.woidcloud.de
         port 443 namevhost woidcloud.de (/etc/apache2/sites-enabled/001-nextcloud.conf:36)

I am using a Proxmox container, which is up to date. How do I upgrade to a newer version?

Instructions can be found here https://certbot.eff.org/

We should have a look at this file:


/var/www/nextcloud# cat /etc/apache2/sites-enabled/001-nextcloud.conf

    <VirtualHost *:80>

      DocumentRoot /var/www/nextcloud/
      ServerName woidcloud.de

      ServerAlias 192.168.178.90
      ServerAlias 88.133.124.148
      ServerAlias www.woidcloud.de


      <Directory /var/www/nextcloud/>
        Require all granted
        Options +FollowSymlinks
        AllowOverride All
        Options FollowSymLinks MultiViews

        <IfModule mod_dav.c>
          Dav off
        </IfModule>
        SetEnv Home /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
      </Directory>
 
RewriteEngine on
RewriteCond %{SERVER_NAME} =192.168.178.90 [OR]
RewriteCond %{SERVER_NAME} =88.133.124.148 [OR]
RewriteCond %{SERVER_NAME} =woidcloud.de [OR]
RewriteCond %{SERVER_NAME} =www.woidcloud.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>

<VirtualHost *:443>
  ServerName woidcloud.de
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>


 SSLCertificateFile /etc/letsencrypt/live/woidcloud.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/woidcloud.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

There is either:

  • some missing content from that file output, or
  • globally included sections

Something is handling the challenge requests differently than expected:
[I'd expect everything to be redirected to HTTPS]

curl -Ii www.woidcloud.de/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found       <<<<<<<<<<<<<<<<<<<<< redirect expected
Server: openresty
Date: Tue, 27 Aug 2024 20:22:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5215
Connection: keep-alive
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
Set-Cookie: ocjkjzdohd9e=g6843f32c6mdva5v7vuobku5ta; path=/; secure; HttpOnly; SameSite=Lax
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=lxAkJNbmuZJ3G7qKQnFSDp6CpFFV7DQaEuKbFDsyXwYrBxCRaAXD9qkA%2FcmnseEIIIlzVRCeqrxuOk8sgXcN2CwCttXo1Nvo5S6ZKGHpkGnR%2BiQIPi0YOeqtMFLfOHlx; path=/; secure; HttpOnly; SameSite=Lax
Set-Cookie: ocjkjzdohd9e=g6843f32c6mdva5v7vuobku5ta; path=/; secure; HttpOnly; SameSite=Lax
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' blob:;style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org https://www.woidcloud.de;font-src 'self' data:;connect-src 'self' blob: stun.nextcloud.com:443;media-src 'self' blob:;frame-src 'self' nc: https://www.woidcloud.de;child-src blob: 'self';frame-ancestors 'self' https://www.woidcloud.de;worker-src blob: 'self';form-action 'self' https://www.woidcloud.de
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: ocjkjzdohd9e=g6843f32c6mdva5v7vuobku5ta; path=/; secure; HttpOnly; SameSite=Lax
X-Request-Id: r3Sh7RdpAJvMyQNNjBHV
Feature-Policy: autoplay 'self';camera 'self';fullscreen 'self' https://www.woidcloud.de;geolocation 'self';microphone 'self';payment 'none'

Sorry, I missed using the preformatted function.
I changed nothing in my config files; I simply want to renew.

I think my redirect for 443 is ok, isn't it?

    <VirtualHost *:80>
      DocumentRoot /var/www/nextcloud/
      ServerName woidcloud.de

      ServerAlias 192.168.178.90
      ServerAlias 88.133.124.148
      ServerAlias www.woidcloud.de


      <Directory /var/www/nextcloud/>
        Require all granted
        Options +FollowSymlinks
        AllowOverride All
        Options FollowSymLinks MultiViews

        <IfModule mod_dav.c>
          Dav off
        </IfModule>
        SetEnv Home /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
      </Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =192.168.178.90 [OR]
RewriteCond %{SERVER_NAME} =88.133.124.148 [OR]
RewriteCond %{SERVER_NAME} =woidcloud.de [OR]
RewriteCond %{SERVER_NAME} =www.woidcloud.de
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>

<VirtualHost *:443>
  ServerName woidcloud.de
    <IfModule mod_headers.c>
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>


 SSLCertificateFile /etc/letsencrypt/live/woidcloud.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/woidcloud.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

I also found this file, but can't remember the reason for creating it.

root@cNexttcloud03:/etc/apache2/sites-enabled# cat /etc/apache2/sites-available/001-nextcloud-le-ssl.conf
<IfModule mod_ssl.c>
    <VirtualHost *:443>
      ServerAdmin baefisch@gmx.de
      DocumentRoot /var/www/nextcloud/

      ServerName woidcloud.de

      ServerAlias 192.168.178.90
      ServerAlias 88.133.124.148
      ServerAlias www.woidcloud.de

      <Directory /var/www/nextcloud/>
        Require all granted
        Options +FollowSymlinks
        AllowOverride All
        Options FollowSymLinks MultiViews

        <IfModule mod_dav.c>
          Dav off
        </IfModule>
        SetEnv Home /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
      </Directory>
    

SSLCertificateFile /etc/letsencrypt/live/woidcloud.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/woidcloud.de/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Could openresty server be interfering?

@baefisch How does openresty get involved here?


Never used openresty!!!

root@cNexttcloud03:/etc/apache2/sites-enabled# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      241771/sshd: baefis 
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      241307/sshd: baefis 
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      548/master          
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      198/mysqld          
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      138/systemd-resolve 
tcp6       0      0 ::1:6011                :::*                    LISTEN      241771/sshd: baefis 
tcp6       0      0 ::1:6010                :::*                    LISTEN      241307/sshd: baefis 
tcp6       0      0 :::443                  :::*                    LISTEN      250620/apache2      
tcp6       0      0 :::22                   :::*                    LISTEN      1/init              
tcp6       0      0 :::80                   :::*                    LISTEN      250620/apache2      
tcp6       0      0 ::1:25                  :::*                    LISTEN      548/master          
udp        0      0 127.0.0.53:53           0.0.0.0:*                           138/systemd-resolve 
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           146/avahi-daemon: r 
udp        0      0 0.0.0.0:55970           0.0.0.0:*                           146/avahi-daemon: r 
udp6       0      0 :::36227                :::*                                146/avahi-daemon: r 
udp6       0      0 :::5353                 :::*                                146/avahi-daemon: r 

root@cNexttcloud03:/etc/apache2/sites-enabled# systemctl status openresty
Unit openresty.service could not be found.

I am a stupid guy. I played around with multiple domains and implemented Nginx Proxy Manager.
This will lead to my next question: how to correctly forward....

Something identifying as openresty is involved in handling HTTP(s) requests to your domain. The server header comes from somewhere.

Does your hosting service have a firewall, antivirus, or network routing "in front of" your Apache that could be doing this?

HTTP requests to both your apex and www domain are currently redirecting to the below locations (respectively). Does this mean anything to you?

Location: https://woidcloud.de/index.php/login
Location: https://www.woidcloud.de/index.php/login
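The two checks the helpers ran above, the `curl -Ii` against a dummy challenge path and reading the `Server` header to see who actually answers port 80, can be scripted so the finding is explicit. The following is an added example written for this thread; it is not certbot's, Let's Encrypt's or Nginx Proxy Manager's code. The function names, the placeholder hostname `example.invalid`, the dummy token `Test_File-1234` (the same one used with curl above) and the assumption that the expected server software is Apache are all mine.

```python
"""Probe an HTTP-01 challenge URL the way the Let's Encrypt validator would and
explain what the answer means for a certbot renewal.

Added example for this thread; it is not certbot's or Let's Encrypt's code.
Hostname, token and the expected server name are placeholders/assumptions.
"""
import socket
import sys
from dataclasses import dataclass, field
from http.client import HTTPConnection
from typing import Dict, List, Optional, Tuple

ACME_PATH = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class ProbeResult:
    """What one plain-HTTP GET on port 80 returned (or why it failed)."""
    url: str
    resolved: List[str]
    status: Optional[int]
    headers: Dict[str, str] = field(default_factory=dict)
    error: Optional[str] = None


def resolve_a_records(hostname: str) -> List[str]:
    """Addresses the validator would pick from; empty list if DNS fails."""
    try:
        infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_challenge(hostname: str, token: str, timeout: float = 10.0) -> ProbeResult:
    """GET http://<hostname>/.well-known/acme-challenge/<token> over plain HTTP
    without following redirects, so the first hop is visible (like curl -I)."""
    url = f"http://{hostname}{ACME_PATH}{token}"
    addrs = resolve_a_records(hostname)
    if not addrs:
        return ProbeResult(url, addrs, None, error="hostname does not resolve")
    try:
        conn = HTTPConnection(hostname, 80, timeout=timeout)
        conn.request("GET", ACME_PATH + token, headers={"Host": hostname})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        resp.read()  # drain the body so the connection closes cleanly
        conn.close()
        return ProbeResult(url, addrs, resp.status, headers)
    except OSError as exc:  # refused, timeout, reset, ...
        return ProbeResult(url, addrs, None, error=str(exc))


def diagnose(result: ProbeResult, expected_server: str = "apache") -> List[Tuple[str, str]]:
    """Map a probe to (code, explanation) findings. expected_server is the
    software certbot's authenticator plugin is configured for (apache here)."""
    findings: List[Tuple[str, str]] = []
    if result.error:
        findings.append(("request-failed", f"{result.url}: {result.error}"))
        return findings

    server = result.headers.get("server", "")
    if expected_server and expected_server.lower() not in server.lower():
        findings.append((
            "foreign-server",
            f"Server header is {server or '<absent>'!r}, not {expected_server!r}: "
            "something else (a reverse proxy, WAF or another host) answers port 80 "
            "for this name, so certbot's --apache plugin never sees the request",
        ))

    if result.status in REDIRECT_CODES:
        findings.append((
            "redirect",
            f"{result.status} to {result.headers.get('location', '<no Location>')}; "
            "the validator follows it, so the redirect target must serve the token",
        ))
    elif result.status == 404:
        findings.append((
            "not-found",
            "404 on the challenge path: whatever answers port 80 does not serve "
            "the token certbot wrote, which is exactly the renewal error",
        ))
    elif result.status == 200:
        findings.append(("ok", "challenge path is served directly on port 80"))
    else:
        findings.append(("unexpected", f"status {result.status}"))
    return findings


def codes(findings: List[Tuple[str, str]]) -> List[str]:
    """Just the finding codes, convenient for scripting and tests."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    # Usage: python probe_http01.py <hostname> [expected-server]
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    expected = sys.argv[2] if len(sys.argv) > 2 else "apache"
    res = probe_challenge(host, "Test_File-1234")  # same dummy token as the curl check
    print(f"{res.url} -> {res.status} (resolved {', '.join(res.resolved) or 'nothing'})")
    for code, text in diagnose(res, expected):
        print(f"  [{code}] {text}")
```

Run against the apex and the www name separately, since both were listed in the renewal failure. A `foreign-server` finding together with `not-found` is the pattern from this thread: the 404 is real, but it is produced by the proxy in front, not by the Apache vhost certbot is editing, so the fix belongs in whatever owns port 80 rather than in the Apache config.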

OK. Proxy Manager renewed it by clicking the button.
Sorry, completely my mistake. Thanks for this fast support!!!
