domain: cosd.com
server: Apache 2.4.52 (Ubuntu)
full shell & root access (no control panel)
client: acme.sh 3.07 & 3.0.8
I can't determine from our acme.sh
log file (here) what's going wrong with my certificate renewal this time around. I've been using a LetsEncrypt cert for about 2 years with no problems... originally set up through certbot
& then migrated to acme.sh
soon afterward, and switching web host with no problems.
Just under 3 months ago I attempted to switch to ZeroSSL but then restored everything (?) back to LE when I couldn't get ZeroSSL to work. Our cron
renewal failed at the next 60 day interval... whatever I do now, the logfile indicates it can't get the URL containing the created token:
[Sun Mar 31 18:24:20 UTC 2024] Invalid status, cosd.com:Verify error detail:129.213.164.46: Invalid response from https://cosd.com/.well-known/acme-challenge/hEG4yGOF2EZP4WiSsUUParYHiN2qwcl3RHHyc6Aigoo: 404
I've been using the usual syntax for Webroot mode (my site is in a /web
subdirectory; though it's a CMS, files & directories are also accessible from there):
acme.sh --log --issue --server letsencrypt -d cosd.com -d www.cosd.com -w /var/www/html/cosd.com/web
The "Third Party Tool" letsdebug.net
for cosd.com
confirms under HTTPCheck that my .well-known/acme-challenge/
directory is accessible through Apache. (I think the HTTP 404 Not Found response for the dummy filename is normal in this context)?
From what I can understand in the logfile, it's getting a "token" with a long random name from the LE server and then creating a file named by that token in /web/.well-known/acme-challenge/
... but by the time the LE server attempts to verify the presence of that file it isn't there (or not served by Apache; which works normally for files everywhere else).
Here's what I can't understand: our server directory .well-known/acme-challenge/
is modified when the acme.sh
script is run, but it doesn't leave the filename there. The logfile indicates that the token-named file is created, but not that it's deleted. If you follow the server response URLs you'll see that the file is indeed no longer there.
I don't know whether it's normal for that file to be deleted after use in the authentication (and I don't know how to prevent its deletion), but without the file persisting I don't know whether our own acme.sh
is deleting that file prematurely... or if we're failing another requirement of the LE server is expecting... without help.
Since our acme.sh
functioned fine with renewals for nearly 2 years, I also feel this is related to our attempt to get a cert 3 months ago from ZeroSSL, as also originally suggested here (Invalid Response from well-known/acme-challenge with .acme.sh/acme.sh).