Cannot renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.enameling.com

I ran this command: certbot renew --dry-run

It produced this output:
root@eureka:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cbboff.org-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Simulating renewal of an existing certificate for cbboff.org
Performing the following challenges:
http-01 challenge for cbboff.org
Waiting for verification...
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/cbboff.org-0001/fullchain.pem



Processing /etc/letsencrypt/renewal/cbboff.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for cbboff.org and 5 more domains
Performing the following challenges:
http-01 challenge for enameling.com
http-01 challenge for www.enameling.com
http-01 challenge for cbboff.org
http-01 challenge for whitesmithinc.com
http-01 challenge for www.cbboff.org
http-01 challenge for www.whitesmithinc.com
Waiting for verification...
Challenge failed for domain enameling.com
Challenge failed for domain www.enameling.com
http-01 challenge for enameling.com
http-01 challenge for www.enameling.com
Cleaning up challenges
Failed to renew certificate cbboff.org with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/enameling.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for enameling.com and www.enameling.com
Performing the following challenges:
http-01 challenge for enameling.com
http-01 challenge for www.enameling.com
Waiting for verification...
Challenge failed for domain enameling.com
Challenge failed for domain www.enameling.com
http-01 challenge for enameling.com
http-01 challenge for www.enameling.com
Cleaning up challenges
Failed to renew certificate enameling.com with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/whitesmithinc.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for whitesmithinc.com and www.whitesmithinc.com
Performing the following challenges:
http-01 challenge for whitesmithinc.com
http-01 challenge for www.whitesmithinc.com
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/whitesmithinc.com/fullchain.pem



Processing /etc/letsencrypt/renewal/www.whitesmithinc.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for www.whitesmithinc.com
Performing the following challenges:
http-01 challenge for www.whitesmithinc.com
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/www.whitesmithinc.com/fullchain.pem



The following simulated renewals succeeded:
/etc/letsencrypt/live/cbboff.org-0001/fullchain.pem (success)
/etc/letsencrypt/live/whitesmithinc.com/fullchain.pem (success)
/etc/letsencrypt/live/www.whitesmithinc.com/fullchain.pem (success)

The following simulated renewals failed:
 /etc/letsencrypt/live/cbboff.org/fullchain.pem (failure)
/etc/letsencrypt/live/enameling.com/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: enameling.com
Type: unauthorized
Detail: 162.191.242.49: Invalid response from
http://enameling.com/.well-known/acme-challenge/IxZHJzR_DuIdDK-JTlmtPv8YJwHq6B5AMomGyzobRkg:
403

Domain: www.enameling.com
Type: unauthorized
Detail: 162.191.242.49: Invalid response from
http://www.enameling.com/.well-known/acme-challenge/XqzBLzTaUuij47ge_brSGQZHPsZtfHAV01I5lsPn2uk:
403

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

My web server is (include version): apache2 2.4.56-1~deb11

The operating system my web server runs on is (include version): debian 5.10.191-1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Welcome to the community @sschlaif

It looks like you have a couple problems. The most immediate is the cert request failure for the enameling.com and its www domain. But, you also have some overlapping certs which means at least unnecessary requests are being made to Let's Encrypt servers.

Let's start with seeing the result of this command

sudo apache2ctl -t -D DUMP_VHOSTS

(you may need to use httpd or apachectl instead of apache2ctl for that Debian distro, I don't remember off-hand)

4 Likes

root@eureka:~# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
10.22.22.50:443 is a NameVirtualHost
default server enameling.com (/etc/apache2/sites-enabled/000-enameling.com-le-ssl.conf:2)
port 443 namevhost enameling.com (/etc/apache2/sites-enabled/000-enameling.com-le-ssl.conf:2)
alias www.enameling.com
alias enameling
alias enameling.kihakkt.jetcafe.org
alias 162.191.242.49
alias kihakkt.jetcafe.org
port 443 namevhost whitesmithinc.com (/etc/apache2/sites-enabled/whitesmithinc.com-le-ssl.conf:2)
alias www.whitesmithinc.com
alias whitesmith
alias whitesmith.kihakkt.jetcafe.org
10.22.22.50:80 is a NameVirtualHost
default server enameling.com (/etc/apache2/sites-enabled/000-enameling.com.conf:1)
port 80 namevhost enameling.com (/etc/apache2/sites-enabled/000-enameling.com.conf:1)
alias www.enameling.com
alias enameling
alias enameling.kihakkt.jetcafe.org
alias 162.191.242.49
port 80 namevhost ses-test.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/sestest.conf:1)
alias ses-test
alias www.ses-test.kihakkt.jetcafe.org
alias www.ses-test
port 80 namevhost whitesmithinc.com (/etc/apache2/sites-enabled/whitesmithinc.com.conf:1)
alias www.whitesmithinc.com
alias whitesmith
alias whitesmith.kihakkt.jetcafe.org
192.168.6.38:443 is a NameVirtualHost
default server cbboff.org (/etc/apache2/sites-enabled/cbboff.org-le-ssl.conf:2)
port 443 namevhost cbboff.org (/etc/apache2/sites-enabled/cbboff.org-le-ssl.conf:2)
alias www.cbboff.org
port 443 namevhost eureka.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/eureka-le-ssl.conf:2)
alias eureka
alias mail.kihakkt.jetcafe.org
alias mail
192.168.6.38:80 is a NameVirtualHost
default server cbboff.org (/etc/apache2/sites-enabled/cbboff.org.conf:1)
port 80 namevhost cbboff.org (/etc/apache2/sites-enabled/cbboff.org.conf:1)
alias www.cbboff.org
port 80 namevhost eureka.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/eureka.conf:1)
alias eureka
alias mail
alias mail.kihakkt.jetcafe.org
port 80 namevhost ses-test.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/sestest.conf:1)
alias ses-test
alias www.ses-test.kihakkt.jetcafe.org
alias www.ses-test
port 80 namevhost whitesmithinc.com (/etc/apache2/sites-enabled/whitesmithinc.com.conf:1)
alias www.whitesmithinc.com
alias whitesmith
alias whitesmith.kihakkt.jetcafe.org
192.168.5.38:443 is a NameVirtualHost
default server enameling.com (/etc/apache2/sites-enabled/000-enameling.com-le-ssl.conf:2)
port 443 namevhost enameling.com (/etc/apache2/sites-enabled/000-enameling.com-le-ssl.conf:2)
alias www.enameling.com
alias enameling
alias enameling.kihakkt.jetcafe.org
alias 162.191.242.49
alias kihakkt.jetcafe.org
port 443 namevhost cbboff.org (/etc/apache2/sites-enabled/cbboff.org-le-ssl.conf:2)
alias www.cbboff.org
port 443 namevhost eureka.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/eureka-le-ssl.conf:2)
alias eureka
alias mail.kihakkt.jetcafe.org
alias mail
port 443 namevhost whitesmithinc.com (/etc/apache2/sites-enabled/whitesmithinc.com-le-ssl.conf:2)
alias www.whitesmithinc.com
alias whitesmith
alias whitesmith.kihakkt.jetcafe.org
192.168.5.38:80 is a NameVirtualHost
default server enameling.com (/etc/apache2/sites-enabled/000-enameling.com.conf:1)
port 80 namevhost enameling.com (/etc/apache2/sites-enabled/000-enameling.com.conf:1)
alias www.enameling.com
alias enameling
alias enameling.kihakkt.jetcafe.org
alias 162.191.242.49
port 80 namevhost cbboff.org (/etc/apache2/sites-enabled/cbboff.org.conf:1)
alias www.cbboff.org
port 80 namevhost eureka.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/eureka.conf:1)
alias eureka
alias mail
alias mail.kihakkt.jetcafe.org
port 80 namevhost ses-test.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/sestest.conf:1)
alias ses-test
alias www.ses-test.kihakkt.jetcafe.org
alias www.ses-test
port 80 namevhost whitesmithinc.com (/etc/apache2/sites-enabled/whitesmithinc.com.conf:1)
alias www.whitesmithinc.com
alias whitesmith
alias whitesmith.kihakkt.jetcafe.org
root@eureka:~#

Is there a reason you are doing IP based selection with 3 different IP addresses?

Because normally today people rely on SNI. I am wary of suggesting changes to simplify if you have some need for this.

I know I used port 443 examples above and the --apache plug-in would be making changes to port 80 VirtualHosts. But, there is similar config for port 80.

Also, I am a little surprised this ever worked. This is an unusual VirtualHost setup and your Certbot version 1.12 is fairly old.

4 Likes

I have a business subnet that is the 10.22.22 IP; 192.168.5 is the home subnet. 192.168.6 was old and I should remove it, nothing is on that subnet any more.

Would it be worthwhile to replace the certbot that was installed via apt with a new one from the certbot web pages?

Does your Apache respond differently depending on the originating IP?

That is, is there a reason you can't use one set of configs with

<VirtualHost *:80>
and 
<VirtualHost *:443>

instead?

4 Likes

No, I could change it to that and see how things work out.

Changed them all to that and restarted Apache, but it didn't change the problem.

Would you reshow this?

4 Likes

root@eureka:~# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server enameling.com (/etc/apache2/sites-enabled/000-enameling.com-le-ssl.conf:3)
port 443 namevhost enameling.com (/etc/apache2/sites-enabled/000-enameling.com-le-ssl.conf:3)
alias www.enameling.com
alias enameling
alias enameling.kihakkt.jetcafe.org
alias 162.191.242.49
alias kihakkt.jetcafe.org
port 443 namevhost cbboff.org (/etc/apache2/sites-enabled/cbboff.org-le-ssl.conf:3)
alias www.cbboff.org
port 443 namevhost eureka.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/eureka-le-ssl.conf:3)
alias eureka
alias mail.kihakkt.jetcafe.org
alias mail
port 443 namevhost whitesmithinc.com (/etc/apache2/sites-enabled/whitesmithinc.com-le-ssl.conf:3)
alias www.whitesmithinc.com
alias whitesmith
alias whitesmith.kihakkt.jetcafe.org
*:80 is a NameVirtualHost
default server enameling.com (/etc/apache2/sites-enabled/000-enameling.com.conf:2)
port 80 namevhost enameling.com (/etc/apache2/sites-enabled/000-enameling.com.conf:2)
alias www.enameling.com
alias enameling
alias enameling.kihakkt.jetcafe.org
alias 162.191.242.49
port 80 namevhost cbboff.org (/etc/apache2/sites-enabled/cbboff.org.conf:2)
alias www.cbboff.org
port 80 namevhost eureka.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/eureka.conf:2)
alias eureka
alias mail
alias mail.kihakkt.jetcafe.org
port 80 namevhost ses-test.kihakkt.jetcafe.org (/etc/apache2/sites-enabled/sestest.conf:2)
alias ses-test
alias www.ses-test.kihakkt.jetcafe.org
alias www.ses-test
port 80 namevhost whitesmithinc.com (/etc/apache2/sites-enabled/whitesmithinc.com.conf:2)
alias www.whitesmithinc.com
alias whitesmith
alias whitesmith.kihakkt.jetcafe.org
root@eureka:~#

1 Like

OK, many fewer pieces to work with :slight_smile: Can you show the contents of the above file?

And, the output of this will be helpful in a bit

sudo certbot certificates
4 Likes
# <VirtualHost 10.22.22.50:80 192.168.5.38:80>
<VirtualHost *:80>
	# 10.22.22.50 is the address of the server on the SES VLAN
	# 192.168.5.38 is the address of the server on the standard LAN
	ServerAdmin webmaster@enameling.com
	ServerName enameling.com
	ServerAlias www.enameling.com
	ServerAlias enameling
	ServerAlias enameling.kihakkt.jetcafe.org
	ServerAlias 162.191.242.49
	
	DocumentRoot /home/ses/WWW/sesv2/
	<If "req('Host') != 192.168.5.38">
		Deny from all
	</If>
	<If "req('HTTP_X_FORWARDED_HOST') != 192.168.5.38">
		Deny from all
	</If>
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /home/ses/WWW/sesv2/>
		Options FollowSymLinks MultiViews
		AllowOverride None
		Require all granted
		# Order allow,deny
		# allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options -ExecCGI -MultiViews +SymLinksIfOwnerMatch
		<RequireAny>
			Require ip 127.0.0.0/255.0.0.0
			Require ip 10.8.1.0/255.255.255.0
			Require ip 10.8.2.0/255.255.255.0
			Require ip 192.168.0.0/255.255.0.0
			Require ip 162.191.242.49/255.255.0.0
			Require ip ::1/128
		</RequireAny>
		# Order allow,deny
		# allow from all
	</Directory>
RewriteEngine on
RewriteCond %{SERVER_NAME} =enameling [OR]
RewriteCond %{SERVER_NAME} =enameling.com [OR]
RewriteCond %{SERVER_NAME} =enameling.kihakkt.jetcafe.org [OR]
RewriteCond %{SERVER_NAME} =www.enameling.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

root@eureka:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: cbboff.org-0001
Serial Number: 43ddd1748ec8ae20f1c4a80ec3ed3b1f1c6
Key Type: RSA
Domains: cbboff.org
Expiry Date: 2023-12-13 14:39:16+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/cbboff.org-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cbboff.org-0001/privkey.pem
Certificate Name: cbboff.org
Serial Number: 3dbab7ee920255ed6fa5fcdd83a67fcc858
Key Type: RSA
Domains: cbboff.org enameling.com whitesmithinc.com www.cbboff.org www.enameling.com www.whitesmithinc.com
Expiry Date: 2023-10-17 08:21:19+00:00 (VALID: 27 days)
Certificate Path: /etc/letsencrypt/live/cbboff.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cbboff.org/privkey.pem
Certificate Name: enameling.com
Serial Number: 3598c65668a954db0316b2b4b129a060554
Key Type: RSA
Domains: enameling.com www.enameling.com
Expiry Date: 2023-10-14 13:36:53+00:00 (VALID: 24 days)
Certificate Path: /etc/letsencrypt/live/enameling.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/enameling.com/privkey.pem
Certificate Name: whitesmithinc.com
Serial Number: 4078ea67407a34f333cc1978062c84efd06
Key Type: RSA
Domains: whitesmithinc.com www.whitesmithinc.com
Expiry Date: 2023-12-13 14:39:34+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/whitesmithinc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/whitesmithinc.com/privkey.pem
Certificate Name: www.whitesmithinc.com
Serial Number: 3e4152752330e4097f52292181eb0ab4c26
Key Type: RSA
Domains: www.whitesmithinc.com
Expiry Date: 2023-12-13 14:39:39+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/www.whitesmithinc.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.whitesmithinc.com/privkey.pem


root@eureka:~#

You have two certs that cover those two names.
Sadly, it seems they are both having renewal issues.

The HTTP vhost is redirecting to HTTPS.
Please show the file:

4 Likes
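The overlap the reply above points out can be found mechanically. Added example, not certbot's own code: it parses a `certbot certificates` listing (a constructed sample trimmed from the one posted earlier in this thread) and reports names covered by more than one lineage, plus lineages whose names are all already in another one.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the lineage list shown above.
SAMPLE = """\
Found the following certs:
  Certificate Name: cbboff.org-0001
    Domains: cbboff.org
    Expiry Date: 2023-12-13 14:39:16+00:00 (VALID: 84 days)
  Certificate Name: cbboff.org
    Domains: cbboff.org enameling.com whitesmithinc.com www.cbboff.org www.enameling.com www.whitesmithinc.com
    Expiry Date: 2023-10-17 08:21:19+00:00 (VALID: 27 days)
  Certificate Name: enameling.com
    Domains: enameling.com www.enameling.com
    Expiry Date: 2023-10-14 13:36:53+00:00 (VALID: 24 days)
  Certificate Name: whitesmithinc.com
    Domains: whitesmithinc.com www.whitesmithinc.com
    Expiry Date: 2023-12-13 14:39:34+00:00 (VALID: 84 days)
  Certificate Name: www.whitesmithinc.com
    Domains: www.whitesmithinc.com
    Expiry Date: 2023-12-13 14:39:39+00:00 (VALID: 84 days)
"""

def parse_lineages(text):
    """Return {lineage: {"domains": [...], "days": int|None}} from `certbot certificates` output."""
    lineages, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            current = line.split(":", 1)[1].strip()
            lineages[current] = {"domains": [], "days": None}
        elif current and line.startswith("Domains:"):
            lineages[current]["domains"] = line.split(":", 1)[1].split()
        elif current and line.startswith("Expiry Date:"):
            m = re.search(r"\(VALID: (\d+) days\)", line)
            lineages[current]["days"] = int(m.group(1)) if m else None
    return lineages

def overlapping_names(lineages):
    """DNS names covered by two or more lineages -> sorted list of those lineages."""
    cover = defaultdict(list)
    for name, info in lineages.items():
        for dom in info["domains"]:
            cover[dom].append(name)
    return {d: sorted(n) for d, n in cover.items() if len(n) > 1}

def subset_pairs(lineages):
    """(small, large) pairs where every name in `small` is already in `large`;
    renewing both means duplicate orders for the same names."""
    sets = {n: set(i["domains"]) for n, i in lineages.items()}
    return sorted((a, b) for a in sets for b in sets if a != b and sets[a] < sets[b])

if __name__ == "__main__":
    lin = parse_lineages(SAMPLE)
    print(overlapping_names(lin), subset_pairs(lin))
```

Which lineage to keep is still a human decision; the script only shows where the duplicate coverage is.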

Based on the above, I would think I would get denied (a 403), but instead I am redirected to HTTPS.

Ignoring that, a request URL with /cgi-bin/ also gets redirected, which the Require ip should not allow.

Are you sure HTTP requests are getting to that VirtualHost?

Did you fully restart Apache after restructuring the VirtualHosts ?

3 Likes
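One way to answer that question before the next renewal attempt, as an added example that is not part of this thread: fetch the challenge path the way the CA's first request does (plain HTTP, explicit Host header, no redirect following) and classify a 403, a redirect, or a served token. The host names, the token and the local stand-in server are constructed; `connect_to` is a hypothetical parameter that plays the role of curl's --resolve.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"

def probe_challenge(host, token, expected, connect_to=None, port=80):
    """GET the challenge URL once, without following redirects. connect_to bypasses
    DNS and targets one address, so each vhost/IP can be checked separately."""
    conn = http.client.HTTPConnection(connect_to or host, port, timeout=10)
    try:
        conn.request("GET", ACME_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace").strip()
    finally:
        conn.close()
    if 300 <= resp.status < 400:
        # The CA follows redirects, but the target must then serve the token itself.
        return "redirect", resp.getheader("Location", "")
    if resp.status == 403:
        # What the renewal above hit: an access rule in the vhost blocks the path.
        return "forbidden", "403 for the challenge path; check Require/Deny/<If> rules"
    if resp.status == 200 and body == expected:
        return "ok", "token served with the expected content"
    return "unexpected", f"{resp.status}: {body[:60]!r}"

class _FakeVhost(BaseHTTPRequestHandler):
    """Constructed stand-in for an Apache vhost; behaviour is keyed on the token name."""
    def do_GET(self):
        token = self.path[len(ACME_PREFIX):] if self.path.startswith(ACME_PREFIX) else ""
        if token.startswith("good"):
            self._reply(200, {"Content-Type": "text/plain"}, b"good.thumbprint")
        elif token.startswith("redir"):
            self._reply(301, {"Location": "https://" + self.headers["Host"] + self.path})
        else:
            self._reply(403, {})
    def _reply(self, status, headers, body=b""):
        self.send_response(status)
        for k, v in headers.items():
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # silence request logging
        pass

def start_fake_vhost():
    """Serve the stand-in on an ephemeral loopback port; returns the port."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeVhost)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

if __name__ == "__main__":
    p = start_fake_vhost()
    for tok in ("good-token", "redir-token", "denied-token"):
        print(tok, probe_challenge("enameling.com", tok, "good.thumbprint", "127.0.0.1", p))
```

Against a real server, point `connect_to` at each address the name resolves to and drop a file with known content under the webroot's /.well-known/acme-challenge/ first.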

The --apache plug-in they are using should interrupt that.

4 Likes

eureka:1:1 % cat /etc/apache2/sites-enabled/000-enameling.com-le-ssl.conf

<IfModule mod_ssl.c>
# <VirtualHost 10.22.22.50:443 192.168.5.38:443>
<VirtualHost *:443>
	# 10.22.22.50 is the address of the server on the SES VLAN
	# 192.168.5.38 is the address of the server on the standard LAN
	ServerAdmin webmaster@enameling.com
	ServerName enameling.com
	ServerAlias www.enameling.com
	ServerAlias enameling
	ServerAlias enameling.kihakkt.jetcafe.org
	# ServerAlias 50.37.5.22
	ServerAlias 162.191.242.49
	ServerAlias kihakkt.jetcafe.org
	
	# DocumentRoot /home/ses/WWW/sesv2/
	DocumentRoot /home/ses/WWW/sesv3/
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	# <Directory /home/ses/WWW/sesv2/>
	<Directory /home/ses/WWW/sesv3/>
		Options FollowSymLinks MultiViews
		AllowOverride None
		Require all granted
		# Order allow,deny
		# allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options -ExecCGI -MultiViews +SymLinksIfOwnerMatch
		<RequireAny>
			Require ip 127.0.0.0/255.0.0.0
			Require ip 10.8.1.0/255.255.255.0
			Require ip 10.8.2.0/255.255.255.0
			Require ip 192.168.0.0/255.255.0.0
			Require ip 162.191.242.49/255.255.0.0
			Require ip 10.22.22.0/255.255.255.0
			Require ip ::1/128
		</RequireAny>
		# Order allow,deny
		# allow from all
	</Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/enameling.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/enameling.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Then I suggest using --webroot instead.

2 Likes

Yes, the http requests are indeed getting redirected to the VirtualHost. I do restart apache after restructuring the VirtualHosts.