Now that we know HTTP is NOT an option.
We can focus on the HTTPS path.
[I was starting to think I was a bit crazy there for a minute]
We need to compare a working https config with this failing config.
Which includes reviewing their renewal conf files.
Sorry My badā¦ Isolated too long.
@RIP No worries, we are all going through the same thing (together | apart).
If you can, walk around the block.
See the random little critters that have come out to claim the world we left behind.
[we have strange African lizards roaming the streets like they own them ā¦ I kinda guess they do, now]
Ah good, I am not alone!
Shall I post my renewal conf as well here ?
You already have.
I think we should try the --webroot -w /doc/root/path method
That bypasses the "logic" that tries to figure where to put the files and forces a specific location.
The "logic" falls on us to determine and ensure it works.
And when it does it works flawlessly.
OK, how do we do that ?
https://certbot.eff.org/docs/using.html#webroot
We match certbot webroot to the expected root of the web server vhost config (or specific location for /.well-known/ā¦ therein, if specified).
So what does the HTTPS vhost config look like now?
[since everything is being redirected to HTTPS - despite our best efforts]
OK tried this:
sudo certbot certonly --webroot -w /var/www/ai2.metricrat.co.uk/public_html -d ai2.metricrat.co.uk
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ai2.metricrat.co.uk
Using the webroot path /var/www/ai2.metricrat.co.uk/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ai2.metricrat.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://ai2.metricrat.co.uk/.well-known/acme-challenge/20NHCRtrSvfm-92GVL6PzmFup_4khTODI8InVVHhkvI [2607:f8b0:400f:800::2013]: "<!DOCTYPE html><html lang=\"en-US\" itemscope itemtype=\"http://schema.org/WebPage\"><head><script type=\"text/javascript\" nonce=\"5Bs"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: ai2.metricrat.co.uk
Type: unauthorized
Detail: Invalid response from
https://ai2.metricrat.co.uk/.well-known/acme-challenge/20NHCRtrSvfm-92GVL6PzmFup_4khTODI8InVVHhkvI
[2607:f8b0:400f:800::2013]: "<!DOCTYPE html><html lang=\"en-US\"
itemscope itemtype=\"http://schema.org/WebPage\"><head><script
type=\"text/javascript\" nonce=\"5Bs"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.I reverted the virtual host entry to how it was when we started:
<VirtualHost *:80>
ServerAdmin webmaster@ai2.metricrat.co.uk
ServerName ai2.metricrat.co.uk
DocumentRoot /var/www/ai2.metricrat.co.uk/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =ai2.metricrat.co.uk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>Please show the vhost config for 443
[Everthing in 80 gets redirected to 443]
This?:
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@ai2.metricrat.co.uk
ServerName ai2.metricrat.co.uk
DocumentRoot /var/www/ai2.metricrat.co.uk/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/ai2.metricrat.co.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ai2.metricrat.co.uk/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
from:
/etc/apache2/sites-enabled/ai2.metricrat.co.uk-le-ssl.conf
and contents of the include:
/etc/letsencrypt/options-ssl-apache.conf
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_commonOK, let's test that document root:
mkdir /var/www/ai2.metricrat.co.uk/public_html/.well-known
mkdir /var/www/ai2.metricrat.co.uk/public_html/.well-known/acme-challenge
echo "challenge file" >> /var/www/ai2.metricrat.co.uk/public_html/.well-known/acme-challenge/test-file1
echo "root file" >> /var/www/ai2.metricrat.co.uk/public_html/test-file2
Then test from Internet:
http://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file1
http://ai2.metricrat.co.uk/test-file2
Both should redirect to HTTPS automatically:
https://ai2.metricrat.co.uk/.well-known/acme-challenge/test-file1
https://ai2.metricrat.co.uk/test-file2
Let's see which ones work.
OK tried that. Still getting a redirect to my google site with a 404 page.
Seems like the redirect to my google site is overriding anything on my serverā¦
Anything here that helps ?
Hi @Metricrat
you use Google and you have a working Google certificate.
So there is no action required.
I don't think and know, if it is possible to create Letsencrypt certificates if you use the Google host.
But it's not required because you have a working certificate.
OK. i think I understand that. I was concerned that this site would lose its https status if it does not renew?
But I have two other sites (virtual hosts on the same IP) with google redirects that have successfully renewed their letsencrypt certificates (main domain names, not a subdomain), so i donāt really understand why this one will not renew. As you may have seen from the posts above, there is apparently no way of providing http access for certbot to do its thing with the acme challenge. Just doesnāt make any sense. Rudy (rg305) has worked very hard on mybehalf trying to troubleshoot but to no avail.
Well, the renewal deadline passed, and despite my reservations, the site is still up and it has retained itās https status without a letsencrypt certificate in place. So @JuergenAuer is quite right, that by using a new google site as a redirect to my domain, it gets its https status from Google.
Still strange that the other site, https://metricrat.co.uk, did renew OK with letsencrypt. Might try letting it expire next time around and see what happensā¦
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.