Cannot Renew Certificate - authorisation error

OK, I have put this

<location "/.well-known/acme-challenge/">
         Redirect  / https://metricrat.co.uk/
</location>

and reloaded apache

No go.
still same redirection:

curl -Iki http://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file
HTTP/1.1 301 Moved Permanently
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 11 May 2020 13:50:12 GMT
Location: https://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file

I don’t know what I’ve missed but I can’t seem to find it.
Maybe a new set of eyes is needed - sorry - I tried.
I would open a new topic and have someone else give this a go.
You can mention this topic in that one.

Well we can’t have missed much, tried just about everything!!
Very grateful for your effort and input, Rudy, I learnt a lot about debugging apache…

There must be another angle to this. I recall it was a swine to get the sub domain set up in the first place with the DNS, but it did all fall into place, more by luck than judgement.

Is there a way of perhaps getting a new certificate, see if that works…

We can try one last test - not to fix anything - just to check our sanity (or that of Apache).
Try:

<VirtualHost *:80>
    ServerAdmin webmaster@ai2.metricrat.co.uk
    ServerName ai2.metricrat.co.uk
    DocumentRoot /var/www/ai2.metricrat.co.uk/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <location "/.well-known/acme-challenge/">
         return 200 "you reached the challenge section"
    </location>
    <location "/">
         return 200 "This site has moved to HTTPS"
    </location>
</VirtualHost>

We “should” see one of those two messages - there is no other choice.
If we still see the previous redirection, then that redirection is happening somewhere else.

We’d have to start all over again and troubleshoot the failure… check the LE logs.
I was trying to avoid that and this “looked” simpler… at the time.

Apache won’t reload with that in the .conf file…

I can’t seem to find the apache equivalent of the nginx:
return 200 "text"

There is NO return directive in Apache …

Found a very tedious rewrite that would require making two new files with the text contents.
Not worth the effort.

Last go:

<VirtualHost *:80>
    ServerAdmin webmaster@ai2.metricrat.co.uk
    ServerName ai2.metricrat.co.uk
    DocumentRoot /var/www/ai2.metricrat.co.uk/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    redirect 303 /.well-known/acme-challenge/ https://metricrat.co.uk/
    redirect 303 / https://ai2.metricrat.co.uk/
</VirtualHost>

Using 303 to make it obvious.

Set that. Any change ?

None.
And I just noticed the “server” responding isn’t Apache:

curl -Iki http://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file
HTTP/1.1 301 Moved Permanently
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 11 May 2020 14:46:29 GMT
Location: https://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file
Content-Length: 0
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff

What is “ESF” ? ? ?
Hindsight = 20/20
It was there the whole time!
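
A small offline check for the situation above, added here and not part of the thread: it parses pasted `curl -I` output for the challenge path, reports which Server banner answered port 80, and flags whether the first-hop redirect is one HTTP-01 validation can follow. SAMPLE is constructed from the curl output quoted above; the expected server name is an assumption you adjust.

```python
"""Classify the first hop of an ACME HTTP-01 probe from raw response headers."""
from urllib.parse import urlparse

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed from the curl -I output quoted in the thread (port 80 response).
SAMPLE = """HTTP/1.1 301 Moved Permanently
Content-Type: application/binary
Location: https://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file
Content-Length: 0
Server: ESF
X-Frame-Options: SAMEORIGIN
"""

def parse_headers(raw):
    """Return (status code, {lower-cased header name: value}) from a raw head."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(raw, expected_server="apache"):
    """Say what answered port 80 and whether the redirect is one HTTP-01 tolerates."""
    status, h = parse_headers(raw)
    server = h.get("server", "")
    location = h.get("location", "")
    notes = []
    if 300 <= status < 400 and location:
        target = urlparse(location)
        port = target.port or (443 if target.scheme == "https" else 80)
        # The validator only follows http/https redirects on ports 80 and 443.
        if target.scheme not in ("http", "https") or port not in (80, 443):
            notes.append("redirect target is not http/https on port 80/443; validation will fail")
        elif not target.path.startswith(ACME_PREFIX):
            notes.append("redirect drops the challenge path; the target must still serve the token")
        else:
            notes.append("redirect keeps the challenge path; probe the target hop next")
    elif status == 200:
        notes.append("challenge path answered directly")
    else:
        notes.append("unexpected status %d" % status)
    # A banner that is not the expected server means another front end owns port 80.
    served_by_expected = bool(server) and expected_server.lower() in server.lower()
    if not served_by_expected:
        notes.append("Server header is '%s', not %s: another front end owns port 80"
                     % (server or "absent", expected_server))
    return {"status": status, "server": server, "location": location,
            "served_by_expected": served_by_expected, "notes": notes}
```

Paste the output of `curl -Iki http://<host>/.well-known/acme-challenge/<token>` into `classify()`; when the Server header is not the one you administer, editing Apache's vhost cannot change what the validator sees.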

I don’t know, I believe it might be a google thing…

Are you even on the right server?
What shows?:
wget config.me
curl ifconfig.me

[lack of sleep]

That returns the IP of my server.

Is the redirection of the google site overriding anything apache is doing ?

I don’t know enough to answer that question.
I don’t even know what “SPF” stands for in the context of “server type”.

An SPF record is a Sender Policy Framework record. It’s used to indicate to mail exchanges which hosts are authorized to send mail for a domain. It’s defined in RFC 4408, and clarified by RFC 7208.

Rip

Don’t you mean ESF ?

From what I can see, any call to https://ai2.metricrat.co.uk will get a response from the google site, and not the server. From what you say, we need to be able to get a call from http://ai2.metricrat.co.uk in order to help certbot validate the site? This http address is not set up on the server or on the virtual host. Is there anything I can add or change to make this so, or have I got this wrong ?

I was able to set up the https certificate in the first place, and it is clearly working now; my site ai2.metricrat.co.uk is using an https secure address. I do not understand why certbot cannot validate when everything appears to already be in place?

If we cannot solve it on the community, what recourse do I have to “letsencrypt” to get this resolved ?

That’s NOT the SPF we are talking about.

My eyes! my eyes!
Yes, not SPF, ESF.