I updated certbot after receiving an email telling me I needed to update my client and that TLS-SNI-01 validation is reaching end-of-life. So I followed the instructions here, but unfortunately when I ran the command sudo certbot renew --dry-run
I received a lot of output telling me things didn’t go well. I’ve been racking my brain and Google trying to remove any redirects from port 80, but either I end up with a 403 Forbidden, or a redirect which certbot doesn’t like. I’m at a loss.
apache.conf
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 150
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options None
Order deny,allow
Deny from all
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options -Indexes +FollowSymLinks -MultiViews
Options -Includes -ExecCGI
FileETag -INode
AllowOverride All
Allow from all
Require all granted
LimitRequestBody 5120000
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
FileEtag -INode +MTime +Size
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
#Hide the Server information
ServerSignature Off
ServerTokens Prod
SecServerSignature LCARS
ServerName kipp.garyluck.co.uk
UseCanonicalName On
#Setting some custom headers
<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src 'self';script-src 'self' https: data: ;style-src 'self' 'unsafe-inline'; img-src 'self' *.gravatar.com; font-src 'self' data: ;"
<If "%{HTTPS} eq 'on'">
Header always set Strict-Transport-Security "max-age=31536000;"
</If>
# includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header unset X-Powered-By
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"
</IfModule>
<Directory /var/www/*/public_html>
AllowOverride All
Order allow,deny
Allow from All
RewriteEngine On
RewriteOptions InheritBefore
RewriteCond %{REQUEST_URI} ^/\.test
RewriteRule . - [L,PT]
#Prevent files being executed by the web client.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
#Prevent user lookup using /?author=1
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d [or]
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users
RewriteRule ^ /? [L,R=301]
FileETag None
</Directory>
<Directory /var/www/*/public_html/.well-known/acme-challenge>
Options +Indexes
</Directory>
<Directory /var/www/*/public_html/wp-content/uploads>
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>
</Directory>
<Files wp-config.php>
order allow,deny
deny from all
</Files>
#Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order allow,deny
deny from all
</Files>
<Location "/wp-content/">
<If "%{QUERY_STRING} =~ /wp-config.php/">
Deny from all
</If>
</Location>
<IfModule mod_ssl.c>
#Some SSL stuff
SSLEngine off
#Although the SSLEngine is off here, it's enabled in each VHosts config file. Means I can set global stuff here, and just need to switch it on per VHost.
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</IfModule>
garyluck.vhost.conf
<VirtualHost *:80>
DocumentRoot /var/www/garyluck/public_html
ServerName garyluck.co.uk
ServerAlias www.garyluck.co.uk
<If "%{REQUEST_URI} !~ /\.well\-known/">
Redirect / https://garyluck.co.uk
</If>
</VirtualHost>
<VirtualHost _default_ *:443>
ServerAdmin webmaster@localhost
ServerName garyluck.co.uk
DocumentRoot /var/www/garyluck/public_html
<IfModule mod_headers.c>
Header always set Content-Security-Policy "default-src https: data: ; style-src 'self' 'unsafe-inline' https: maxcdn.bootstrapcdn.com; script-src https: 'self';"
</IfModule>
<Directory "/var/www/owncloud">
Options +FollowSymLinks
AllowOverride All
<IfModule mod_dav.c>
Dav off
</IfModule>
</Directory>
<IfModule mod_ssl.c>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/garyluck.co.uk/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/garyluck.co.uk/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/garyluck.co.uk/fullchain.pem
</IfModule>
ErrorLog ${APACHE_LOG_DIR}/garyluck.co.uk/error.log
CustomLog ${APACHE_LOG_DIR}/garyluck.co.uk/access.log combined
</VirtualHost>
My domain is: https://garyluck.co.uk
I ran this command: sudo certbot renew --dry-run
It produced this output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/garyluck.co.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for garyluck.co.uk
http-01 challenge for www.garyluck.co.uk
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (garyluck.co.uk) from /etc/letsencrypt/renewal/garyluck.co.uk.conf produced an unexpected error: Failed authorization procedure. garyluck.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://garyluck.co.uk/.well-known/acme-challenge/T1cLVMp-l5NNMcDUq5If5hoZvpZf5eaxkg-nr-s75xY [178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p", www.garyluck.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.garyluck.co.uk/.well-known/acme-challenge/5QUDu7M2iVbiNXJZdTITi34-2yxTHfCju0LiI3rk9M4 [178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p". Skipping.
And
- The following errors were reported by the server:
Domain: garyluck.co.uk
Type: unauthorized
Detail: Invalid response from
http://garyluck.co.uk/.well-known/acme-challenge/T1cLVMp-l5NNMcDUq5If5hoZvpZf5eaxkg-nr-s75xY
[178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>403
Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"
Domain: www.garyluck.co.uk
Type: unauthorized
Detail: Invalid response from
http://www.garyluck.co.uk/.well-known/acme-challenge/5QUDu7M2iVbiNXJZdTITi34-2yxTHfCju0LiI3rk9M4
[178.62.79.84]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>403
Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version): Apache/2.4.7 (Ubuntu)
The operating system my web server runs on is: Ubuntu 14.04.5
I can login to a root shell on my machine: Yep
I’m using a control panel to manage my site: No
The version of my client is: certbot 0.28.0
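Added example, not part of the original post and not certbot's own code: a small preflight check that reproduces what the ACME validator does for an http-01 challenge. It fetches http://<host>/.well-known/acme-challenge/<token> over plain HTTP without silently following redirects and classifies the result into the outcomes seen above (a 403 Forbidden, a redirect to https, or a 200 whose body starts with the token). The "FakeApache" server, its token and the example.invalid redirect target are constructed stand-ins so the script runs offline; check_challenge_url() can be pointed at a real host and a real token from the certbot log instead.

```python
"""Preflight check for HTTP-01 validation (added example, not certbot code)."""
import http.server
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def classify_response(status, headers, body, token):
    """Map an HTTP result to a verdict matching the failure modes certbot reports.

    status  -- integer HTTP status code
    headers -- mapping with 'Location' when the server redirected
    body    -- decoded response body
    token   -- the file name certbot placed under acme-challenge
    Returns (verdict, redirect_location_or_None).
    """
    if 300 <= status < 400:
        return "redirect", headers.get("Location", "")
    if status == 403:
        return "forbidden", None          # the case in the post above
    if status == 404:
        return "not_found", None
    if status == 200:
        # The key authorization served by certbot begins with the token.
        return ("ok" if body.strip().startswith(token) else "wrong_body"), None
    return "unexpected_%d" % status, None


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 301 to https is reported, not hidden."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_challenge_url(base_url, token):
    """Fetch the challenge URL for `token` and return classify_response()'s verdict."""
    opener = urllib.request.build_opener(NoRedirect)
    url = base_url.rstrip("/") + CHALLENGE_PREFIX + token
    try:
        with opener.open(url, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, resp.headers, body, token)
    except urllib.error.HTTPError as err:      # 3xx (unfollowed), 403, 404, ...
        body = err.read().decode("utf-8", "replace")
        return classify_response(err.code, err.headers, body, token)


class FakeApache(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for Apache: emulates three behaviours of the challenge path."""
    mode = "ok"                      # "ok", "forbidden" or "redirect"
    token = "constructed-token"      # constructed, not a real ACME token

    def do_GET(self):
        if not self.path.startswith(CHALLENGE_PREFIX):
            self.send_error(404)
            return
        if self.mode == "forbidden":         # e.g. an access rule denying the path
            self.send_error(403, "Forbidden")
        elif self.mode == "redirect":        # e.g. an http->https redirect with no exemption
            self.send_response(301)
            self.send_header("Location", "https://example.invalid" + self.path)
            self.end_headers()
        else:                                # the token file is served as-is
            payload = (self.token + ".constructed-key-authorization").encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

    def log_message(self, *args):
        pass                                 # keep the demo quiet


def run_against_local(mode):
    """Start the fake server on a free port, run the check against it, return the verdict."""
    FakeApache.mode = mode
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeApache)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return check_challenge_url("http://127.0.0.1:%d" % srv.server_port, FakeApache.token)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Usage: python check_http01.py http://<host> <token-from-certbot-log>
        print(check_challenge_url(sys.argv[1], sys.argv[2]))
    else:
        for m in ("ok", "forbidden", "redirect"):
            print(m, "->", run_against_local(m))
```

Run without arguments it exercises the three local cases; with a host and a token (a file you created yourself under the live docroot's .well-known/acme-challenge/ is enough) it reports whether port 80 answers with the file, a 403 or a redirect, which is the same distinction certbot's "Invalid response" message collapses into one line.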