Cannot Renew Certificate - authorisation error

Hmmm, apache refused to reload with the first one.

Second one, same result as before, but the browser had to have a good 5 second think about it first, previously went straight to the 404.

ls -l /home/metricrat/cert
total 4
-rw-rw-r-- 1 metricrat metricrat 5 May 11 11:27 test-file

Just in case, please note that I am substituting the "real user name" with "metricrat". Shouldn't make any difference....

OK we use a “bigger hammer” - lol

1 Like

:wink:

1 Like

That's what I'm talking about!!!
remove the location /.well-known section
Add this to the Apache.conf or Apache2.conf file [within the HTTP section - outside of any vhost config]:
Alias /.well-known/acme-challenge/ /home/metricrat/cert/
[all vhosts will have this set]

OOOOH and make sure mod alias is actually loaded:
something like:
LoadModule alias_module modules/mod_alias.so
[maybe that was the problem the whole time - apache never gripes it just moves onward]

2 Likes

OK, there is a lot going on in the /etc/apache2 folder !

No apparent [HTTP] section in the apache2.conf file ? What to do…

There is a mods-enabled folder which lists “alias.load” and “alias.conf”
(the aliases on the other virtual hosts appear to work OK, so one could surmise alias is loaded ?)

I don't recall how to dump the full apache config.
It would be easy to search through that.
It … should be in the alias.load folder.
Try:
apachectl -D DUMP_MODULES

If not there (which would explain a lot), try enabling it:
I think that's:
a2enmod alias

1 Like

sudo apachectl -D DUMP_MODULES

Loaded Modules:
core_module (static)
so_module (static)
watchdog_module (static)
http_module (static)
log_config_module (static)
logio_module (static)
version_module (static)
unixd_module (static)
access_compat_module (shared)
alias_module (shared)
auth_basic_module (shared)
authn_core_module (shared)
authn_file_module (shared)
authz_core_module (shared)
authz_host_module (shared)
authz_user_module (shared)
autoindex_module (shared)
deflate_module (shared)
dir_module (shared)
env_module (shared)
evasive20_module (shared)
filter_module (shared)
mime_module (shared)
mpm_prefork_module (shared)
negotiation_module (shared)
php7_module (shared)
reqtimeout_module (shared)
rewrite_module (shared)
security2_module (shared)
setenvif_module (shared)
socache_shmcb_module (shared)
ssl_module (shared)
status_module (shared)
unique_id_module (shared)

OK already there.
Well NOT OK…
Now weā€™re back to square one.
Why was it failing?
TYPO/syntax error ? ? ?
Apache doesn't tell us!

1 Like

Here is what I have working in one of my test servers (running Apache):
In the /etc/apache2/apache2.conf file:

IncludeOptional sites-enabled/*.conf <<<< point of reference
#send all ACME challenges to this dedicated location
Alias /.well-known/acme-challenge/ /ACME-challenges/
1 Like

I have a IncludeOptional sites-enabled/*.conf section

So you want me to use:

/ACME-challenges/
or
/home/metricrat/cert/

You can use either - that is WHERE I put it and it works for me

1 Like

Tried both, same result.
Frustrating…

Should I try certbot again with that in place ?

It will fail …. :frowning:
But you can try

1 Like

You have other sites on this server.

Do any of them NOT redirect to HTTPS?
or
Do any of them have working certs/renewals?

1 Like

I believe they all redirect to https (cannot get any to resolve to http)

As stated in the OP, when running sudo certbot --dry-run apart from this site, all the others reported happy to get renewed or just happy (before renewal time)

** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/carter-computing.co.uk/fullchain.pem (success)
  /etc/letsencrypt/live/cyberama.co.uk/fullchain.pem (success)
  /etc/letsencrypt/live/metricrat.co.uk/fullchain.pem (success)
  /etc/letsencrypt/live/tsah.co.uk/fullchain.pem (success)
  /etc/letsencrypt/live/www.burbush.co.uk/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/ai2.metricrat.co.uk/fullchain.pem (failure)
  ** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

OK we can try piggybacking on one of those:
Try:

    <location "/.well-known/acme-challenge/">
         Redirect  / https://some.other.site.on.your.box/
    </location>

You can remove the Alias line from apache2.conf

1 Like
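The thread's two approaches (the global Alias to a challenge directory, and the per-vhost Location/Redirect that piggybacks on a vhost whose renewals already work) fail silently in the same way: Apache accepts the config, and only a 404 in the browser or a certbot failure reveals that the path is not actually being served. The script below is an added example, not code posted in the thread or shipped by certbot or Apache. It reproduces the "test-file" check from the thread as a repeatable pre-flight: it verifies alias_module is in the `apachectl -D DUMP_MODULES` output, drops a random token into the challenge directory, fetches it over plain HTTP exactly as the CA would (following redirects, so the piggyback variant is covered too), and compares the body byte for byte. The hostnames and the /home/metricrat/cert path are taken from the thread for illustration; curl being installed and the `ACME_FETCH` override used for offline testing are my assumptions.

```shell
#!/bin/sh
# Pre-flight for an Apache HTTP-01 challenge path, run BEFORE certbot.
# Added example, not code from the thread. Assumes curl is installed and
# that WEBROOT is the target of the Alias for /.well-known/acme-challenge/
# (for the Redirect piggyback, WEBROOT is the challenge dir of the vhost
# that the Redirect points at).
#
# Config the thread arrives at, for reference only:
#   apache2.conf:  Alias /.well-known/acme-challenge/ /home/metricrat/cert/
#   or, per vhost:
#   <Location "/.well-known/acme-challenge/">
#       Redirect / https://metricrat.co.uk/
#   </Location>

ACME_PATH="/.well-known/acme-challenge"
# Fetcher used by preflight_acme: -L follows the piggyback Redirect the way
# the Let's Encrypt validator does. Override (e.g. with a shell function
# reading the file directly) to exercise the logic without a server.
ACME_FETCH="${ACME_FETCH:-curl -fsSL --max-time 10}"

# module_loaded NAME DUMP: succeed if NAME_module appears in DUMP, the text
# printed by `apachectl -D DUMP_MODULES` (same as `apachectl -M`).
module_loaded() {
    printf '%s\n' "$2" | grep -Eq "^ *${1}_module \((static|shared)\)"
}

# challenge_url HOST TOKEN: the plain-HTTP URL the CA will request.
challenge_url() {
    printf 'http://%s%s/%s\n' "$1" "$ACME_PATH" "$2"
}

# new_token: 32 URL-safe characters, shaped like a real ACME token.
new_token() {
    head -c 24 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# preflight_acme HOST WEBROOT: drop a token file in WEBROOT, fetch it over
# HTTP as the CA would, and require the body to round-trip byte for byte.
# Returns 0 on success, 1 on a fetch/body mismatch, 2 if WEBROOT is not
# writable. The token file is always removed afterwards.
preflight_acme() {
    host="$1"; webroot="$2"
    token=$(new_token)
    if ! printf '%s' "$token" > "$webroot/$token" 2>/dev/null; then
        echo "FAIL: cannot write $webroot/$token (ownership/permissions?)"
        return 2
    fi
    url=$(challenge_url "$host" "$token")
    if ! body=$($ACME_FETCH "$url" 2>/dev/null); then
        rm -f "$webroot/$token"
        echo "FAIL: $url not fetchable (404: Alias/Location not in effect; 403: <Directory> or parent-dir perms)"
        return 1
    fi
    rm -f "$webroot/$token"
    if [ "$body" = "$token" ]; then
        echo "OK: $url served the token"
        return 0
    fi
    echo "FAIL: $url answered with something other than the token (redirect to a page, index, rewrite?)"
    return 1
}

# Usage: sh acme-preflight.sh ai2.metricrat.co.uk /home/metricrat/cert
if [ "$#" -eq 2 ]; then
    if command -v apachectl >/dev/null 2>&1; then
        dump=$(apachectl -D DUMP_MODULES 2>/dev/null)
        module_loaded alias "$dump" || echo "WARN: alias_module not loaded (try: a2enmod alias)"
        apachectl configtest >/dev/null 2>&1 || echo "WARN: apachectl configtest reports a syntax error"
    fi
    preflight_acme "$1" "$2"
fi
```

Two caveats the thread's "apache never gripes" remark points at: `apachectl configtest` only catches syntax errors, not a directive that is syntactically fine but overridden by a vhost's own `Location`, `RewriteRule` or HTTPS redirect, which is why the token round-trip is the check that matters. And on a Debian-style Apache 2.4 layout the default `<Directory />` is `Require all denied`, so an Alias target outside /var/www (such as /home/metricrat/cert) also needs its own `<Directory /home/metricrat/cert>` block with `Require all granted`, plus execute permission for the Apache user on every parent directory; that misconfiguration shows up as a 403 rather than the 404 seen in the thread, and `curl -I` on the printed URL tells the two apart.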

This to be put in the file for ai2.metricrat.co.uk ?
(/etc/apache2/sites-enabled/ai2.metricrat.co.uk.conf)

Should I use the metricrat.co.uk, given this is the main domain ?

Shall I undo the changes made in apache2.conf ? (Tidy as we goā€¦)

Yes, yes, and yes.

1 Like

Sorry, is there meant to be a space after the slash and before the domain name?

Redirect / https://metricrat.co.uk/

Also, once this is set, do I test certbot again ?

NO certbot yet
Yes
Redirect “this” “to.this”