Hi, searched and tried several solutions. Cannot renew my cert. DNS is resolvable.
My domain is:
woidcloud.de
I ran this command:
certbot renew --dry-run --debug-challenges -v
It produced this output:
"identifier": {
"type": "dns",
"value": "woidcloud.de "
},
"status": "invalid",
"expires": "2024-09-03T07:44:22Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/13754007003/gyDH3w ",
"status": "invalid",
"validated": "2024-08-27T07:44:26Z",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/Ifbeas0oHGCFF6EtIjtW40WP_eFQULSoiZMRI-Cffzw: 404",
"status": 403
},
"token": "Ifbeas0oHGCFF6EtIjtW40WP_eFQULSoiZMRI-Cffzw",
"validationRecord": [
{
"url": "http://woidcloud.de/.well-known/acme-challenge/Ifbeas0oHGCFF6EtIjtW40WP_eFQULSoiZMRI-Cffzw ",
"hostname": "woidcloud.de ",
"port": "80",
"addressesResolved": [
"88.133.124.148"
],
"addressUsed": "88.133.124.148"
}
]
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.27.0
My guess is something has changed in your OpenResty server config that no longer matches how you request your cert.
Would you show the contents of the config file for this domain from this folder?
/etc/letsencrypt/renewal
I think the mistake was to try to create a new one, with this command:
certbot --manual --preferred-challenges dns certonly
Then I realized renewing would be the solution and got errors.
cat /etc/letsencrypt/renewal/woidcloud.de.conf
renew_before_expiry = 30 days
version = 0.27.0
archive_dir = /etc/letsencrypt/archive/woidcloud.de
cert = /etc/letsencrypt/live/woidcloud.de/cert.pem
privkey = /etc/letsencrypt/live/woidcloud.de/privkey.pem
chain = /etc/letsencrypt/live/woidcloud.de/chain.pem
fullchain = /etc/letsencrypt/live/woidcloud.de/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 8ada4f7d4b5d27148acb4a30e4774055
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
Domain: woidcloud.de
Type: unauthorized
Detail: 88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/Mw85_eyWLLw4duQbPjaPR7Y7tTB16_IR0dTtSaM0bz8: 404
Domain: www.woidcloud.de
Type: unauthorized
Detail: 88.133.124.148: Invalid response from http://www.woidcloud.de/.well-known/acme-challenge/tbvioykkzdk_Rg1T4KJukRSk_xsXzk5JcdPF37T7rJM: 404
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/Mw85_eyWLLw4duQbPjaPR7Y7tTB16_IR0dTtSaM0bz8: 404, www.woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://www.woidcloud.de/.well-known/acme-challenge/tbvioykkzdk_Rg1T4KJukRSk_xsXzk5JcdPF37T7rJM: 404
Calling registered functions
Cleaning up challenges
Attempting to renew cert (woidcloud.de) from /etc/letsencrypt/renewal/woidcloud.de.conf produced an unexpected error: Failed authorization procedure. woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/Mw85_eyWLLw4duQbPjaPR7Y7tTB16_IR0dTtSaM0bz8: 404, www.woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://www.woidcloud.de/.well-known/acme-challenge/tbvioykkzdk_Rg1T4KJukRSk_xsXzk5JcdPF37T7rJM: 404. Skipping.
Keep in mind this is trying to mix with --apache
Request to: woidcloud.de/88.133.124.148, Result: [Address=88.133.124.148,Address Type=IPv4,Server=openresty
baefisch:
certbot 0.27.0
Supplemental information: there is a new version, Certbot 2.11.0 Release.
Attempting to renew cert (woidcloud.de) from /etc/letsencrypt/renewal/woidcloud.de.conf produced an unexpected error: Failed authorization procedure. woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://woidcloud.de/.well-known/acme-challenge/DccLvEwqhzpkWcISADCXyruh6zSH908K3gcrq7Vfwsc: 404, www.woidcloud.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 88.133.124.148: Invalid response from http://www.woidcloud.de/.well-known/acme-challenge/z8eEl3RZo1DbaHPu81RqXsCBmZg8XfsE2653rtX0GmE: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/woidcloud.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/woidcloud.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: woidcloud.de
Type: unauthorized
Detail: 88.133.124.148: Invalid response from
http://woidcloud.de/.well-known/acme-challenge/DccLvEwqhzpkWcISADCXyruh6zSH908K3gcrq7Vfwsc:
404
Domain: www.woidcloud.de
Type: unauthorized
Detail: 88.133.124.148: Invalid response from
http://www.woidcloud.de/.well-known/acme-challenge/z8eEl3RZo1DbaHPu81RqXsCBmZg8XfsE2653rtX0GmE:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
root@cNexttcloud03:/var/www/nextcloud# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80 is a NameVirtualHost
default server cNexttcloud03.wtz (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost cNexttcloud03.wtz (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost woidcloud.de (/etc/apache2/sites-enabled/001-nextcloud.conf:2)
alias 192.168.178.90
alias 88.133.124.148
alias www.woidcloud.de
*:443 is a NameVirtualHost
default server woidcloud.de (/etc/apache2/sites-enabled/001-nextcloud-le-ssl.conf:2)
port 443 namevhost woidcloud.de (/etc/apache2/sites-enabled/001-nextcloud-le-ssl.conf:2)
alias 192.168.178.90
alias 88.133.124.148
alias www.woidcloud.de
port 443 namevhost woidcloud.de (/etc/apache2/sites-enabled/001-nextcloud.conf:36)
I am using a Proxmox container, which is up to date. How do I upgrade to a newer version?
Instructions can be found here https://certbot.eff.org/
rg305
August 27, 2024, 7:42pm
We should have a look at this file:
rg305:
/var/www/nextcloud# cat /etc/apache2/sites-enabled/001-nextcloud.conf
<VirtualHost *:80>
    DocumentRoot /var/www/nextcloud/
    ServerName woidcloud.de
    ServerAlias 192.168.178.90
    ServerAlias 88.133.124.148
    ServerAlias www.woidcloud.de
    <Directory /var/www/nextcloud/>
        Require all granted
        Options +FollowSymlinks
        AllowOverride All
        Options FollowSymLinks MultiViews
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv Home /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =192.168.178.90 [OR]
    RewriteCond %{SERVER_NAME} =88.133.124.148 [OR]
    RewriteCond %{SERVER_NAME} =woidcloud.de [OR]
    RewriteCond %{SERVER_NAME} =www.woidcloud.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName woidcloud.de
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    </IfModule>
    SSLCertificateFile /etc/letsencrypt/live/woidcloud.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/woidcloud.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
rg305
August 27, 2024, 8:26pm
There is either:
- some missing content from that file output, or
- there are globally included sections.
Something is handling the challenge requests differently than expected [I'd expect everything to be redirected to HTTPS]:
curl -Ii www.woidcloud.de/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found <<<<<<<<<<<<<<<<<<<<< redirect expected
Server: openresty
Date: Tue, 27 Aug 2024 20:22:25 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5215
Connection: keep-alive
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
Set-Cookie: ocjkjzdohd9e=g6843f32c6mdva5v7vuobku5ta; path=/; secure; HttpOnly; SameSite=Lax
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=lxAkJNbmuZJ3G7qKQnFSDp6CpFFV7DQaEuKbFDsyXwYrBxCRaAXD9qkA%2FcmnseEIIIlzVRCeqrxuOk8sgXcN2CwCttXo1Nvo5S6ZKGHpkGnR%2BiQIPi0YOeqtMFLfOHlx; path=/; secure; HttpOnly; SameSite=Lax
Set-Cookie: ocjkjzdohd9e=g6843f32c6mdva5v7vuobku5ta; path=/; secure; HttpOnly; SameSite=Lax
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self' blob:;style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org https://www.woidcloud.de;font-src 'self' data:;connect-src 'self' blob: stun.nextcloud.com:443;media-src 'self' blob:;frame-src 'self' nc: https://www.woidcloud.de;child-src blob: 'self';frame-ancestors 'self' https://www.woidcloud.de;worker-src blob: 'self';form-action 'self' https://www.woidcloud.de
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: ocjkjzdohd9e=g6843f32c6mdva5v7vuobku5ta; path=/; secure; HttpOnly; SameSite=Lax
X-Request-Id: r3Sh7RdpAJvMyQNNjBHV
Feature-Policy: autoplay 'self';camera 'self';fullscreen 'self' https://www.woidcloud.de;geolocation 'self';microphone 'self';payment 'none'
Sorry, I missed using the preformatted function.
I changed nothing in my config files; I simply want to renew.
I think my redirect to 443 is OK, isn't it?
I also found this file, but can't remember the reason for creating it.
root@cNexttcloud03:/etc/apache2/sites-enabled# cat /etc/apache2/sites-available/001-nextcloud-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin baefisch@gmx.de
    DocumentRoot /var/www/nextcloud/
    ServerName woidcloud.de
    ServerAlias 192.168.178.90
    ServerAlias 88.133.124.148
    ServerAlias www.woidcloud.de
    <Directory /var/www/nextcloud/>
        Require all granted
        Options +FollowSymlinks
        AllowOverride All
        Options FollowSymLinks MultiViews
        <IfModule mod_dav.c>
            Dav off
        </IfModule>
        SetEnv Home /var/www/nextcloud
        SetEnv HTTP_HOME /var/www/nextcloud
    </Directory>
    SSLCertificateFile /etc/letsencrypt/live/woidcloud.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/woidcloud.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
Could openresty server be interfering?
@baefisch How does openresty get involved here?
MikeMcQ:
interfering
Never used openresty!!!
root@cNexttcloud03:/etc/apache2/sites-enabled# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN 241771/sshd: baefis
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 241307/sshd: baefis
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 548/master
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 198/mysqld
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 138/systemd-resolve
tcp6 0 0 ::1:6011 :::* LISTEN 241771/sshd: baefis
tcp6 0 0 ::1:6010 :::* LISTEN 241307/sshd: baefis
tcp6 0 0 :::443 :::* LISTEN 250620/apache2
tcp6 0 0 :::22 :::* LISTEN 1/init
tcp6 0 0 :::80 :::* LISTEN 250620/apache2
tcp6 0 0 ::1:25 :::* LISTEN 548/master
udp 0 0 127.0.0.53:53 0.0.0.0:* 138/systemd-resolve
udp 0 0 0.0.0.0:5353 0.0.0.0:* 146/avahi-daemon: r
udp 0 0 0.0.0.0:55970 0.0.0.0:* 146/avahi-daemon: r
udp6 0 0 :::36227 :::* 146/avahi-daemon: r
udp6 0 0 :::5353 :::* 146/avahi-daemon: r
root@cNexttcloud03:/etc/apache2/sites-enabled# systemctl status openresty
Unit openresty.service could not be found.
I am a stupid guy. I played around with multiple domains and implemented Nginx Proxy Manager.
This will lead to my next question: how to correctly forward....
baefisch:
Never used openresty!!!
Something identifying as openresty is involved in handling HTTP(s) requests to your domain. The Server header comes from somewhere.
Does your hosting service have a firewall, antivirus, or network routing "in front of" your Apache that could be doing this?
HTTP requests to both your apex and www domain are currently redirecting to the below locations (respectively). Does this mean anything to you?
Location: https://woidcloud.de/index.php/login
Location: https://www.woidcloud.de/index.php/login
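An added check (example code, not from the thread, Certbot or Nextcloud) that turns rg305's curl probe and MikeMcQ's point about the Server and Location headers into a repeatable test: it classifies the headers a CA's HTTP-01 validator would get at the challenge path, so a 404 from a non-Apache server (the openresty answer seen above) stands out from Apache's own HTTPS redirect. The host names and the dummy token are taken from the thread; the verdict labels and the embedded sample are my own.

```shell
#!/bin/sh
# Classify the headers returned by `curl -sI` for
# http://<host>/.well-known/acme-challenge/<token>.  Verdicts:
#   ok               200, a challenge file can be served from this path
#   redirect-https   3xx to https://..., Apache's own rewrite answered (fine for http-01)
#   apache-404       Apache itself answered 404 (DocumentRoot / vhost problem)
#   proxy-404: X     a server identifying as X answered 404: something sits in front
#   redirect-other / unknown-404 / other: <status> for everything else
classify_acme_response() {
    # $1: raw response headers, status line first; CRs are stripped so CRLF input works
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    server=$(printf '%s\n' "$hdrs" | grep -i '^server:' | head -n 1 | cut -d' ' -f2-)
    location=$(printf '%s\n' "$hdrs" | grep -i '^location:' | head -n 1 | cut -d' ' -f2-)
    case "$status" in
        200) echo "ok" ;;
        301|302|307|308)
            case "$location" in
                https://*) echo "redirect-https" ;;
                *)         echo "redirect-other: $location" ;;
            esac ;;
        404)
            case "$server" in
                Apache*) echo "apache-404" ;;
                "")      echo "unknown-404" ;;
                *)       echo "proxy-404: $server" ;;
            esac ;;
        *) echo "other: ${status:-no-response}" ;;
    esac
}

# Live probe for one or more hosts (needs network).  The token is a dummy, so a
# healthy setup answers with a redirect to HTTPS or a 404 from Apache, never
# with a 404 from some other server.
probe_acme_path() {
    for host in "$@"; do
        resp=$(curl -sI --max-time 10 "http://$host/.well-known/acme-challenge/Test_File-1234") || resp=""
        printf '%-20s %s\n' "$host" "$(classify_acme_response "$resp")"
    done
}

# Constructed sample, trimmed from the curl output quoted in the thread.
SAMPLE_OPENRESTY_404='HTTP/1.1 404 Not Found
Server: openresty
Content-Type: text/html; charset=UTF-8'

# Usage: probe_acme_path woidcloud.de www.woidcloud.de
classify_acme_response "$SAMPLE_OPENRESTY_404"   # prints: proxy-404: openresty
```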
OK. Proxy Manager renewed it by clicking the button.
Sorry, completely my mistake. Thanks for this fast support!!!
system
Closed
September 26, 2024, 9:15pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.