Can't, once again, renew certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
grendel.no

I ran this command:
sudo certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/api.grendel.no.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/personlighetstesting.no.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/piwik.grendel.no.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/omvendtpsykologi.no.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/shiny.grendel.no.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/grendel.no.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.grendel.no
http-01 challenge for blog.grendel.no
http-01 challenge for grendel.no
http-01 challenge for ptsd-boken.grendel.no
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (grendel.no) from /etc/letsencrypt/renewal/grendel.no.conf produced an unexpected error: Failed authorization procedure. www.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.grendel.no/.well-known/acme-challenge/xrOcQmAmgzAEE5SbGGj4xO2G19PI3ZXQNn1JcwffLe4: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://grendel.no/.well-known/acme-challenge/WEEdN_3pdLCUjF6jVJfLHfO5FfZu_FNhvrcsqsSA8sY: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", ptsd-boken.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ptsd-boken.grendel.no/.well-known/acme-challenge/1gaGWuxzPfjOZElqZdplGLmjmENSlEVRbex5Y6VFYX4: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", blog.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.grendel.no/.well-known/acme-challenge/5dwlenRYrT4qNSwGA7zKPzslqviXDtekINXhbu15gkQ: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p". Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/grendel.no-0001.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for grendel.no
http-01 challenge for blog.grendel.no
http-01 challenge for ptsd-boken.grendel.no
http-01 challenge for r.grendel.no
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (grendel.no-0001) from /etc/letsencrypt/renewal/grendel.no-0001.conf produced an unexpected error: Failed authorization procedure. grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://grendel.no/.well-known/acme-challenge/ZoaJY_ivHZtDFCShj13KCnhQz1zYIHOC1-9rByamd0w: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", r.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://r.grendel.no/.well-known/acme-challenge/MVrmYM9ok3K-TsI69G2GVhjNeXGsMPom073_z0EEsSA: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", blog.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.grendel.no/.well-known/acme-challenge/TbzMIYWlbtjEt9CFqC65vYu_UJhxsS40rXiiwCWHqZ4: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", ptsd-boken.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ptsd-boken.grendel.no/.well-known/acme-challenge/ha6FeKvhL5C3FFTs0HZ5uk4ryqiZnCrwIpTNYBi1AMU: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p". Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/omvendtpedagogikk.no.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/grendel.no/fullchain.pem (failure)
 /etc/letsencrypt/live/grendel.no-0001/fullchain.pem (failure)

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
 /etc/letsencrypt/live/api.grendel.no/fullchain.pem (skipped)
 /etc/letsencrypt/live/personlighetstesting.no/fullchain.pem (skipped)
 /etc/letsencrypt/live/piwik.grendel.no/fullchain.pem (skipped)
 /etc/letsencrypt/live/omvendtpsykologi.no/fullchain.pem (skipped)
 /etc/letsencrypt/live/shiny.grendel.no/fullchain.pem (skipped)
 /etc/letsencrypt/live/omvendtpedagogikk.no/fullchain.pem (skipped)
All renewal attempts failed. The following certs could not be renewed:
 /etc/letsencrypt/live/grendel.no/fullchain.pem (failure)
 /etc/letsencrypt/live/grendel.no-0001/fullchain.pem (failure)
-------------------------------------------------------------------------------
2 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: grendel.no
  Type:   unauthorized
  Detail: Invalid response from
  http://grendel.no/.well-known/acme-challenge/ZoaJY_ivHZtDFCShj13KCnhQz1zYIHOC1-9rByamd0w:
  "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p"

  Domain: r.grendel.no
  Type:   unauthorized
  Detail: Invalid response from
  http://r.grendel.no/.well-known/acme-challenge/MVrmYM9ok3K-TsI69G2GVhjNeXGsMPom073_z0EEsSA:
  "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p"

  Domain: blog.grendel.no
  Type:   unauthorized
  Detail: Invalid response from
  http://blog.grendel.no/.well-known/acme-challenge/TbzMIYWlbtjEt9CFqC65vYu_UJhxsS40rXiiwCWHqZ4:
  "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p"

  Domain: ptsd-boken.grendel.no
  Type:   unauthorized
  Detail: Invalid response from
  http://ptsd-boken.grendel.no/.well-known/acme-challenge/ha6FeKvhL5C3FFTs0HZ5uk4ryqiZnCrwIpTNYBi1AMU:
  "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.
- The following errors were reported by the server:

  Domain: www.grendel.no
  Type:   unauthorized
  Detail: Invalid response from
  http://www.grendel.no/.well-known/acme-challenge/xrOcQmAmgzAEE5SbGGj4xO2G19PI3ZXQNn1JcwffLe4:
  "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p"

  Domain: grendel.no
  Type:   unauthorized
  Detail: Invalid response from
  http://grendel.no/.well-known/acme-challenge/WEEdN_3pdLCUjF6jVJfLHfO5FfZu_FNhvrcsqsSA8sY:
  "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p"

  Domain: ptsd-boken.grendel.no
  Type:   unauthorized
  Detail: Invalid response from
  http://ptsd-boken.grendel.no/.well-known/acme-challenge/1gaGWuxzPfjOZElqZdplGLmjmENSlEVRbex5Y6VFYX4:
  "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p"

  Domain: blog.grendel.no
  Type:   unauthorized
  Detail: Invalid response from
  http://blog.grendel.no/.well-known/acme-challenge/5dwlenRYrT4qNSwGA7zKPzslqviXDtekINXhbu15gkQ:
  "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <html><head>
  <title>403 Forbidden</title>
  </head><body>
  <h1>Forbidden</h1>
  <p"

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address.

My web server is (include version):
Apache/2.4.18 (Ubuntu) mod_R/1.2.8 R/3.2.3 OpenSSL/1.0.2g mod_apreq2-20090110/2.8.0

The operating system my web server runs on is (include version):

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.4 LTS
Release:	16.04
Codename:	xenial

My hosting provider, if applicable, is:
www.webhuset.no

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Most definitely not.

Additional info:

apachectl -S

AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/ports.conf:4
VirtualHost configuration:
46.226.13.198:80       is a NameVirtualHost
         default server api.grendel.no (/etc/apache2/sites-enabled/api.grendel.no.conf:1)
         port 80 namevhost api.grendel.no (/etc/apache2/sites-enabled/api.grendel.no.conf:1)
         port 80 namevhost blog.grendel.no (/etc/apache2/sites-enabled/blog.grendel.no.conf:1)
         port 80 namevhost omvendtpedagogikk.no (/etc/apache2/sites-enabled/omvendtpedagogikk.no.conf:1)
                 alias omvendtpedagogikk.no
                 alias www.omvendtpedagogikk.no
         port 80 namevhost omvendtpsykologi.no (/etc/apache2/sites-enabled/omvendtpsykologi.no.conf:1)
                 alias omvendtpsykologi.no
                 alias www.omvendtpsykologi.no
         port 80 namevhost personlighetstesting.no (/etc/apache2/sites-enabled/personlighetstesting.no.conf:1)
                 alias personlighetstesting.no
                 alias www.personlighetstesting.no
         port 80 namevhost ptsd-boken.grendel.no (/etc/apache2/sites-enabled/ptsd-boken.grendel.no.conf:1)
         port 80 namevhost R.grendel.no (/etc/apache2/sites-enabled/r.grendel.no.conf:1)
46.226.13.198:443      is a NameVirtualHost
         default server api.grendel.no (/etc/apache2/sites-enabled/api.grendel.no-le-ssl.conf:2)
         port 443 namevhost api.grendel.no (/etc/apache2/sites-enabled/api.grendel.no-le-ssl.conf:2)
         port 443 namevhost blog.grendel.no (/etc/apache2/sites-enabled/blog.grendel.no-le-ssl.conf:2)
         port 443 namevhost omvendtpedagogikk.no (/etc/apache2/sites-enabled/omvendtpedagogikk.no-le-ssl.conf:2)
                 alias omvendtpedagogikk.no
                 alias www.omvendtpedagogikk.no
         port 443 namevhost omvendtpsykologi.no (/etc/apache2/sites-enabled/omvendtpsykologi.no-le-ssl.conf:2)
                 alias omvendtpsykologi.no
                 alias www.omvendtpsykologi.no
         port 443 namevhost personlighetstesting.no (/etc/apache2/sites-enabled/personlighetstesting.no-le-ssl.conf:2)
                 alias personlighetstesting.no
                 alias www.personlighetstesting.no
         port 443 namevhost piwik.grendel.no (/etc/apache2/sites-enabled/piwik.grendel.no-le-ssl.conf:2)
         port 443 namevhost ptsd-boken.grendel.no (/etc/apache2/sites-enabled/ptsd-boken.grendel.no-le-ssl.conf:2)
         port 443 namevhost R.grendel.no (/etc/apache2/sites-enabled/r.grendel.no-le-ssl.conf:2)
                 alias r.grendel.no
         port 443 namevhost shiny.grendel.no (/etc/apache2/sites-enabled/shiny.grendel.no-le-ssl.conf:2)
         port 443 namevhost www.grendel.no (/etc/apache2/sites-enabled/www.grendel.no-le-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults

I have checked that .well-known/acme-challenge exists, and that files put in that directory can be accessed:

root@localhost:~# curl -I -L -k -X GET http://api.grendel.no/.well-known/acme-challenge/readme
HTTP/1.1 200 OK
Date: Tue, 13 Mar 2018 14:22:25 GMT
Server: Apache/2.4.18 (Ubuntu) mod_R/1.2.8 R/3.2.3 OpenSSL/1.0.2g mod_apreq2-20090110/2.8.0
Last-Modified: Tue, 13 Mar 2018 14:21:30 GMT
ETag: "8-5674bf98d15a3"
Accept-Ranges: bytes
Content-Length: 8
Content-Type: text/plain

Any and all hints and suggestions appreciated. Thank you.
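A check that can be run on the two outputs posted above, as an added example that is not part of the original thread: it lists which hostnames from the failed http-01 challenges are claimed by a port-80 name-based virtual host in `apachectl -S`, and which would instead be answered by the default server. The sample input is condensed from the post's output, and the function names are hypothetical.

```python
import re

# Sample input condensed from the certbot and `apachectl -S` output in the post above.
CERTBOT_OUTPUT = """\
Failed authorization procedure. www.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization
<p", grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization
<p", ptsd-boken.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization
<p", blog.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization
<p", r.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization
"""
APACHECTL_S = """\
46.226.13.198:80       is a NameVirtualHost
         default server api.grendel.no (/etc/apache2/sites-enabled/api.grendel.no.conf:1)
         port 80 namevhost api.grendel.no (/etc/apache2/sites-enabled/api.grendel.no.conf:1)
         port 80 namevhost blog.grendel.no (/etc/apache2/sites-enabled/blog.grendel.no.conf:1)
         port 80 namevhost personlighetstesting.no (/etc/apache2/sites-enabled/personlighetstesting.no.conf:1)
                 alias www.personlighetstesting.no
         port 80 namevhost ptsd-boken.grendel.no (/etc/apache2/sites-enabled/ptsd-boken.grendel.no.conf:1)
         port 80 namevhost R.grendel.no (/etc/apache2/sites-enabled/r.grendel.no.conf:1)
46.226.13.198:443      is a NameVirtualHost
         port 443 namevhost www.grendel.no (/etc/apache2/sites-enabled/www.grendel.no-le-ssl.conf:2)
"""

def failed_challenges(certbot_output):
    """Return the set of hostnames whose http-01 challenge the CA rejected."""
    pat = r"([\w.-]+) \(http-01\): urn:acme:error:\w+"
    return {name.lower() for name in re.findall(pat, certbot_output)}

def port_vhosts(apachectl_s, port=80):
    """Return (default_server, names) for one port section of `apachectl -S`."""
    default, names, current = None, set(), None
    for line in apachectl_s.splitlines():
        header = re.match(r"\S+:(\d+)\s+is a NameVirtualHost", line)
        if header:
            current = int(header.group(1))  # entering a new address:port section
        elif current == port:
            m = re.match(r"\s+(default server|port \d+ namevhost|alias) (\S+)", line)
            if m and m.group(1) == "default server":
                default = m.group(2).lower()
            elif m:
                names.add(m.group(2).lower())  # Apache compares hostnames case-insensitively
    return default, names

def classify(certbot_output, apachectl_s):
    """Split the failed names by whether a port-80 vhost claims them."""
    default, names = port_vhosts(apachectl_s, 80)
    failed = failed_challenges(certbot_output)
    return {"default_server": default, "no_port80_vhost": sorted(failed - names),
            "has_port80_vhost": sorted(failed & names)}
```

Names reported under `has_port80_vhost` reached a vhost of their own and were still refused, so this check does not account for every 403 in the output.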


#2

A weird thing is that when I tried to access it, I got a 404, but then when I tried to access it again, it succeeded immediately. Any idea why that could be?


#3

I’ve googled a bit, and tried

certbot certonly -w ~vds/www/blog.grendel.no -d grendel.no -d r.grendel.no -d blog.grendel.no -d www.grendel.no

because that seemed like a good idea. This, apparently, succeeded, and certbot now insists that it’s a long time until renewal.

However, I still can’t, well, open the web site proper. I hope it’s just a matter of updating caches or spreading DNS or something.


#4

What problem do you see when trying to use the web site?

I connected in HTTPS and got

11.49:-16.16:6.12:-2.81:-13.68:ISTP:Resourse Investigator:Shaper

with an HTTP 200.


#5

That’s the default web site. Which is silly. So I changed it to grendel.no. Which would be less silly.

Sorry about the confusion. I know I shouldn’t change things around while people are obviously trying to help, but that would cause confusion anyway.


#6

Please ignore this thread. I screwed up.

