Cannot Renew Certificate - authorisation error

Metricrat · May 11, 2020, 1:49pm

OK, I have put this

<location "/.well-known/acme-challenge/">
         Redirect  / https://metricrat.co.uk/
</location>

and reloaded apache

rg305 · May 11, 2020, 1:51pm

No go.
still same redirection:

curl -Iki http://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file
HTTP/1.1 301 Moved Permanently
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 11 May 2020 13:50:12 GMT
Location: https://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file

I don’t know what I’ve missed but I can’t seem to find it.
Maybe a new set of eyes are needed - sorry - I tried.
I would open a new topic and have someone else give this a go.
You can mention this topic in that one.

Metricrat · May 11, 2020, 2:01pm

Well we can’t have missed much, tried just about everything!!
Very grateful for your effort and input, Rudy, I learnt a lot about debugging apache…

There must be another angle to this. I recall it was swine to get the sub domain setup in the first place with the DNS, but it did all fall into place, more by luck than judgement.

Is there a way of perhaps getting a new certificate, see if that works…

rg305 · May 11, 2020, 2:06pm

We can try one last test - not to fix anything - just to check our sanity (or that of Apache).
Try:

<VirtualHost *:80>
    ServerAdmin webmaster@ai2.metricrat.co.uk
    ServerName ai2.metricrat.co.uk
    DocumentRoot /var/www/ai2.metricrat.co.uk/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    <location "/.well-known/acme-challenge/">
         return 200 "you reached the challenge section"
    </location>
    <location "/">
         return 200 "This site has moved to HTTPS"
    </location>
</VirtualHost>

We “should” see one of those two messages - there is no other choice.
If we still see the previous redirection, then that redirection is happening somewhere else.

We’d have to start all over again and troubleshoot the failure… check the LE logs.
I was trying to avoid that and this “looked” simpler… at the time.

Metricrat · May 11, 2020, 2:10pm

Apache won’t reload with that in the .conf file…

rg305 · May 11, 2020, 2:19pm

I can’t seem to find the apache equivalent of the nginx:
return 200 "text"

There is NO return directive in Apache …

rg305 · May 11, 2020, 2:26pm

Found a very tedious rewrite that would require making two new files with the text contents.
Not worth the effort.

rg305 · May 11, 2020, 2:31pm

Last go:

<VirtualHost *:80>
    ServerAdmin webmaster@ai2.metricrat.co.uk
    ServerName ai2.metricrat.co.uk
    DocumentRoot /var/www/ai2.metricrat.co.uk/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    redirect 303 /.well-known/acme-challenge/ https://metricrat.co.uk/
    redirect 303 / https://ai2.metricrat.co.uk/
</VirtualHost>

Using 303 to make it obvious.

Metricrat · May 11, 2020, 2:45pm

Set that. Any change ?

rg305 · May 11, 2020, 2:49pm

None.
And I just noticed the “server” responding isn’t Apache:

 curl -Iki http://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file
HTTP/1.1 301 Moved Permanently
Content-Type: application/binary
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Mon, 11 May 2020 14:46:29 GMT
Location: https://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file
Content-Length: 0
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff

What is “ESF” ? ? ?
Hindsight = 20/20
It was there the whole time!

Metricrat · May 11, 2020, 2:51pm

I don’t know, I believe it might be a google thing…

rg305 · May 11, 2020, 2:53pm

Are you even on the right server?
What shows?:
wget config.me

rg305 · May 11, 2020, 2:55pm

Are you even on the right server?
What shows?:
~~wget config.me~~
curl ifconfig.me

[lack of sleep]

Metricrat · May 11, 2020, 3:14pm

That returns the IP of my server.

Is the redirection of the google site overriding anything apache is doing ?

rg305 · May 11, 2020, 3:53pm

I don’t know enough to answer that question.
I don’t even know what “SPF” stands for in the context of “server type”.

Rip · May 11, 2020, 5:17pm

An SPF record is a Sender Policy Framework record. It’s used to indicate to mail exchanges which hosts are authorized to send mail for a domain. It’s defined in RFC 4408, and clarified by RFC 7208.

Rip

Metricrat · May 11, 2020, 5:22pm

Don’t you mean ESF ?

Metricrat · May 11, 2020, 5:29pm

From what I can see, any call to https://ai2.metricrat.co.uk will get a response from the google site, and not the server. From what you say, we need to be able to get a call from http://ai2.metricrat.co.uk in order to help certbot validate the site? This http address is not setup on the server or on the virtual host. Is there anything I can add or change to make this so, or have I got this wrong ?

I was able to set up the https certificate in the first place, and it is clearly working now; my site ai2.metricrat.co.uk is using an https secure address. I do not understand why certbot cannot validate when everything appears to already be in place?

If we cannot solve it on the community, what recourse do I have to “letsencrypt” to get this resolved ?

rg305 · May 11, 2020, 5:40pm

That’s NOT the SPF we are talking about.

rg305 · May 11, 2020, 5:41pm

My eyes! my eyes!
Yes, not SPF, ESF.