Can't expand certificate to include alias www


#1

Please fill out the fields below so we can help you better.

Problem: I can generate a certificate for my domain paranoidandroid.co.za but not the alias www.paranoidandroid.co.za; when I include the alias in the list I get the error (below).

My domain is: paranoidandroid.co.za

I ran this command: sudo letsencrypt --apache

It produced this output:
An unexpected error occurred:
KeyError: 'server'
Please see the logfiles in /var/log/letsencrypt for more details.

My operating system is (include version): Ubuntu 16.04.2 LTS

My web server is (include version): Apache/2.4.18 (Ubuntu) mod_jk/1.2.41 OpenSSL/1.0.2g

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

More info from log file:
2017-03-15 07:29:50,598:DEBUG:letsencrypt.cli:Root logging level set at 30
2017-03-15 07:29:50,600:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-03-15 07:29:50,600:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2017-03-15 07:29:50,600:DEBUG:letsencrypt.cli:Arguments: ['--apache']
2017-03-15 07:29:50,601:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2017-03-15 07:29:50,605:DEBUG:letsencrypt.cli:Requested authenticator apache and installer apache
2017-03-15 07:29:51,241:DEBUG:letsencrypt.display.ops:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = letsencrypt_apache.configurator:ApacheConfigurator
Initialized: <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f329d7cf7d0>
Prep: True
2017-03-15 07:29:51,243:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f329d7cf7d0> and installer <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f329d7cf7d0>
2017-03-15 07:30:12,449:DEBUG:letsencrypt.cli:Picked account: <Account(552e0bace5d36c66c6de0eff4571eac1)>
2017-03-15 07:30:12,451:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2017-03-15 07:30:12,457:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-03-15 07:30:12,769:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 280
2017-03-15 07:30:12,776:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '280', 'Expires': 'Wed, 15 Mar 2017 07:30:14 GMT', 'Boulder-Request-Id': 'LwL7eKQuUYgju3jDhTmxwyrgwNCLfegg6E52TzRsotg', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Wed, 15 Mar 2017 07:30:14 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'nHwXSlorUgjiAyYF5IclKURY3BQM7tXsP0vIX7l7F_w'}. Content: '{\n "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-03-15 07:30:12,776:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '280', 'Expires': 'Wed, 15 Mar 2017 07:30:14 GMT', 'Boulder-Request-Id': 'LwL7eKQuUYgju3jDhTmxwyrgwNCLfegg6E52TzRsotg', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Wed, 15 Mar 2017 07:30:14 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'nHwXSlorUgjiAyYF5IclKURY3BQM7tXsP0vIX7l7F_w'}): '{\n "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-03-15 07:30:35,745:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 9, in
    load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 662, in run
    lineage, action = _auth_from_domains(le_client, config, domains)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 453, in _auth_from_domains
    original_server = lineage.configuration["renewalparams"]["server"]
  File "/usr/lib/python2.7/dist-packages/configobj.py", line 554, in __getitem__
    val = dict.__getitem__(self, key)
KeyError: 'server'


#2

doesn’t seem like a valid command

can you also check that you have a folder under \etc\letsencrypt\accounts\acme-v01.api.letsencrypt.org\directory

it should have some files like the ones below


#3

Thank you ahaw021 for your response. I followed https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04, so it is a valid command.

I can use this command to request a certificate for my domain paranoidandroid.co.za

The issue comes in when I add www.paranoidandroid.co.za (either on the command line or via the ncurses menu).

$ sudo ls -la accounts/acme-v01.api.letsencrypt.org/directory/[long hash]
drwx------ 2 root root 4096 Jul 15  2016 .
drwx------ 3 root root 4096 Jul 15  2016 ..
-rw-r--r-- 1 root root   68 Jul 15  2016 meta.json
-r-------- 1 root root 1632 Jul 15  2016 private_key.json
-rw-r--r-- 1 root root  752 Jul 15  2016 regr.json

#4

The KeyError: server error is normally associated with having two different copies of Certbot that were installed in different ways, in particular originally using certbot-auto or letsencrypt-auto scripts and later trying to renew or update a certificate using an OS package-provided version.

In this case you can probably avoid the problem by using the original -auto script, if you still know where you downloaded it. The reason for the trouble is that the OS-provided one is a much older version of the tool than the -auto one.
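An added example (mine, not from the thread and not Certbot's own code): a small checker for the renewal configuration the traceback in #1 dies on, /etc/letsencrypt/renewal/<name>.conf. It reports a [renewalparams] section without the server key the 0.4.1 client indexes, and a server value with stray characters in it. The sample configs, live/ paths and account id are constructed.

```python
import configparser
import glob
import os
import re

# Constructed sample renewal config (the live/ paths and account id are made up)
# whose [renewalparams] section has no "server" key; the 0.4.1 client dies on it
# at lineage.configuration["renewalparams"]["server"] with KeyError: 'server'.
BROKEN_CONF = """\
cert = /etc/letsencrypt/live/example.invalid/cert.pem
privkey = /etc/letsencrypt/live/example.invalid/privkey.pem
chain = /etc/letsencrypt/live/example.invalid/chain.pem
fullchain = /etc/letsencrypt/live/example.invalid/fullchain.pem

[renewalparams]
authenticator = apache
installer = apache
account = 0123456789abcdef0123456789abcdef
"""
# The same file with the server line present, for comparison.
GOOD_CONF = BROKEN_CONF + "server = https://acme-v01.api.letsencrypt.org/directory\n"

REQUIRED_KEYS = ("server", "authenticator", "account")
SERVER_RE = re.compile(r"https://[A-Za-z0-9.-]+(/[A-Za-z0-9._/-]*)?")

def check_renewal_conf(text):
    """Return the problems in one renewal config's [renewalparams] section
    (an empty list means the old client can read it)."""
    parser = configparser.ConfigParser(interpolation=None)
    # configobj keeps top-level keys before any section header; configparser
    # needs a header first, so prepend a dummy one.
    parser.read_string("[__top__]\n" + text)
    if not parser.has_section("renewalparams"):
        return ["missing [renewalparams] section"]
    params = parser["renewalparams"]
    problems = ["missing key: " + k for k in REQUIRED_KEYS if k not in params]
    server = params.get("server")
    # Stray characters in the server value (the case #6 mentions) also break it.
    if server is not None and not SERVER_RE.fullmatch(server):
        problems.append("malformed server value: %r" % server)
    return problems

def scan_renewal_dir(path="/etc/letsencrypt/renewal"):
    """Check every *.conf under the renewal directory; returns {file: problems}."""
    report = {}
    for conf in sorted(glob.glob(os.path.join(path, "*.conf"))):
        with open(conf) as fh:
            report[conf] = check_renewal_conf(fh.read())
    return report
```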


#5

By the way, on Unix these need to be forward slashes ("/")!


#6

It actually is a perfectly valid command for the older versions (pre rename) of the client.

@schoen, just thinking out loud here, could it be some kind of problem with a server setting in either cli.ini or the renewal configuration file? We’ve seen problems with somehow added characters to the server setting in configuration files before and removing the non-valid chars would solve the problem.


#7

Yes, but more likely a problem with using two different versions of the client.


#8

well spotted, it was supposed to be valid syntax*


#9

I’ve done this a while ago so I have to figure out if I did both manually install and package install Let’s Encrypt.
So here is what I’ve found so far:

$ apt list --installed | grep lets
letsencrypt/xenial,xenial,now 0.4.1-1 all [installed,automatic]
python-letsencrypt/xenial,xenial,now 0.4.1-1 all [installed,automatic]
python-letsencrypt-apache/xenial,xenial,now 0.4.1-1 all [installed]

$ letsencrypt --version
letsencrypt 0.4.1

It looks like I did both; I found something under /opt/

$ sudo find / -name "letsencrypt*"
/etc/letsencrypt
/home/[USER]/.local/share/letsencrypt
/opt/letsencrypt
--->8 Snip 8<---
/opt/letsencrypt/letsencrypt-auto
/opt/letsencrypt/letsencrypt-auto-source
--->8 Snip 8<---
/opt/letsencrypt/letsencrypt-nginx
/opt/letsencrypt/letsencrypt-nginx/letsencrypt_nginx
/opt/letsencrypt/letsencrypt
/opt/letsencrypt/letsencrypt/letsencrypt
/root/.local/share/letsencrypt
/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt
/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt-0.7.0.dist-info
/root/.local/share/letsencrypt/bin/letsencrypt
/usr/bin/letsencrypt
/usr/lib/python2.7/dist-packages/letsencrypt
/usr/lib/python2.7/dist-packages/letsencrypt_apache
/usr/lib/python2.7/dist-packages/letsencrypt-0.4.1.egg-info
/usr/lib/python2.7/dist-packages/letsencrypt_apache-0.4.1.egg-info
/usr/share/doc/letsencrypt
/usr/share/man/man1/letsencrypt.1.gz
/usr/share/webmin/webmin/letsencrypt-lib.pl
/usr/share/webmin/webmin/letsencrypt.cgi
/var/lib/dpkg/info/letsencrypt.list
/var/lib/dpkg/info/letsencrypt.md5sums
/var/lib/dpkg/info/letsencrypt.postrm
/var/lib/letsencrypt
/var/log/letsencrypt
/var/log/letsencrypt/letsencrypt.log

#10

Yep! So in this case, letsencrypt-auto (and certbot-auto), which self-updates, will always give you the very newest released version of Certbot, while your operating system letsencrypt gives you 0.4.1, which is a little over one year old now (!).


#11

So, just to be clear, I should uninstall the OS’s version and just use the one I have in /opt/?

BTW, big-up to you guys for the great job you are doing!


#12

Ok, sorted the double installation out (uninstalled the OS’s package), then I ran the one in /opt/

$ sudo -H ./certbot-auto --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
--->8 Snip 8<---
8: paranoidandroid.co.za
9: www.paranoidandroid.co.za
--->8 Snip 8<---
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):8,9

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/paranoidandroid.co.za.conf)

It contains these names: paranoidandroid.co.za

You requested these names for the new certificate: paranoidandroid.co.za,
www.paranoidandroid.co.za.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for paranoidandroid.co.za
tls-sni-01 challenge for www.paranoidandroid.co.za
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.paranoidandroid.co.za (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 3435e5db16b8dff92589e77b1bdf97f3.25f502cd498a7374a75bc008ea6af8a0.acme.invalid from 176.58.106.89:443. Received 2 certificate(s), first certificate had names "paranoidandroid.co.za"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.paranoidandroid.co.za
   Type:   unauthorized
   Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
   Requested
   3435e5db16b8dff92589e77b1bdf97f3.25f502cd498a7374a75bc008ea6af8a0.acme.invalid
   from 176.58.106.89:443. Received 2 certificate(s), first
   certificate had names "paranoidandroid.co.za"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I’ve attached the DNS record. Am I going in the right direction or am I doing something wrong here? What else can I look at?


#13

This kind of error is basically a failure of Certbot’s apache plugin to correctly update your Apache configuration in order to prove your control over the domain name. So far, the most common reason for that is an “unusual” Apache configuration, particularly having multiple VirtualHosts in a single configuration file within /etc/apache2. Do you know if that could be the case for you?


#14

I have each domain in its own file in sites-available; I set it up many moons ago. I also have a 000-default.conf in that directory (I think I set it up to take ppl to the paranoid android web site when they use the IP address only). Also, a long time ago I configured the paranoid android site to redirect to https (which I’m having trouble switching off - forgot how I did it). The 000-default.conf:

<VirtualHost *:80>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/paranoidandroid
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>
<VirtualHost 176.58.106.89:443>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www/paranoidandroid
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

	Redirect "/" "https://www.paranoidandroid.co.za"
</VirtualHost>

And the paranoidandroid.co.za looks like this:

<VirtualHost 176.58.106.89:80>
	ServerName paranoidandroid.co.za
	ServerAlias www.paranoidandroid.co.za
	ServerAdmin andre@paranoidandroid.co.za
	DocumentRoot /var/www/paranoidandroid/
</VirtualHost>

Thank you for the assist.


#15

Ah, the good old mixing of * and an IP address in multiple <VirtualHost> directives.

@TungstenX Does your server have multiple IP addresses and are you using IP address based virtual hosting?


#16

This file is very old. It migrated with my learning curve…
I’m hosted at Linode, so I have 1 IP address and a few virtual hosts on it. Everything is working fine except the cert for the www.paranoidandroid.co.za alias.

Any ideas from the info I gave? Do you need other info?


#17

You could try to put everything in a syntax like <VirtualHost *:80> and <VirtualHost *:443> (so without an IP address or _default_ in it).
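An added example (mine, not from the thread and not part of Certbot or Apache) that parses the <VirtualHost> blocks of the files posted in #14 and reports what this post and #15 point at: the mixing of wildcard and IP-based hosts on one port, a :443 host with no ServerName, and names that appear on :80 but are served by no :443 host. The sample configs are constructed, trimmed copies of the ones in #14.

```python
import re
# Constructed samples, trimmed from the two files posted in #14.
DEFAULT_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www/paranoidandroid
</VirtualHost>
<VirtualHost 176.58.106.89:443>
    DocumentRoot /var/www/paranoidandroid
    Redirect "/" "https://www.paranoidandroid.co.za"
</VirtualHost>
"""
SITE_CONF = """\
<VirtualHost 176.58.106.89:80>
    ServerName paranoidandroid.co.za
    ServerAlias www.paranoidandroid.co.za
</VirtualHost>
"""
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
NAME_LINE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.I)

def parse_vhosts(*config_texts):
    """Return one (address, port, names) tuple per <VirtualHost> block."""
    vhosts, current = [], None
    for text in config_texts:
        for line in text.splitlines():
            opened = VHOST_OPEN.match(line)
            if opened:  # only the first address token of the directive is used
                addr, sep, port = opened.group(1).split()[0].rpartition(":")
                current = (addr, port, []) if sep else (port, "*", [])
            elif VHOST_CLOSE.match(line) and current is not None:
                vhosts.append(current)
                current = None
            elif current is not None and NAME_LINE.match(line):
                current[2].extend(NAME_LINE.match(line).group(1).split())
    return vhosts

def find_problems(vhosts):
    """Flag the layouts #15 and #17 warn about and names with no TLS vhost."""
    problems, by_port = [], {}
    for addr, port, names in vhosts:
        by_port.setdefault(port, set()).add(addr)
        if port == "443" and not names:
            problems.append("%s:%s has no ServerName/ServerAlias" % (addr, port))
    for port, addrs in sorted(by_port.items()):
        if "*" in addrs and len(addrs) > 1:
            problems.append("port %s mixes wildcard and IP vhosts: %s" % (port, ", ".join(sorted(addrs))))
    https_names = {n for _, p, names in vhosts if p == "443" for n in names}
    for _, port, names in vhosts:
        problems.extend("%s has no :443 VirtualHost" % n for n in names
                        if port == "80" and n not in https_names)
    return problems
```

Running find_problems(parse_vhosts(DEFAULT_CONF, SITE_CONF)) lists all three conditions for the posted layout; the cleaned-up layout from #17, with one *:80 and one *:443 host carrying the same ServerName, produces an empty list.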


#18

I’ve updated the 000-default.conf and paranoidandroid.co.za files in /etc/apache2/sites-available to use <VirtualHost *:80>. Sorry to say, no difference; I can’t create 2 certificates (paranoidandroid.co.za and www.paranoidandroid.co.za) and www.paranoidandroid.co.za still reports:

www.paranoidandroid.co.za uses an invalid security certificate.
The certificate is only valid for paranoidandroid.co.za
Error code: SSL_ERROR_BAD_CERT_DOMAIN

#19

Did you also change the VirtualHost directives with port 443 in them to <VirtualHost *:443>?

Is the error message of certbot-auto exactly the same as before? If not, what is it now?

