Can't renew certificate (Certbot, Apache 2.2, Debian 7) for one vhost only

Hello,

As said in the title, I used LE to create two certificates for two virtual hosts on the same server. They are working fine.

Host: Debian 7
Web server: Apache 2.2

When I tried to test the dry-run renewal like this:

./certbot-auto renew --dry-run

I got this error:
(don't ask for the real domain name, I can't ! :slight_smile: )

(...)

Attempting to renew cert from /etc/letsencrypt/renewal/domain.com produced an unexpected error: Failed authorization procedure. domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from Website Domain Names, Online Stores & Hosting | Domain.com "

<html ". Skipping.

(...)

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: domain.com
Type: unauthorized
Detail: Invalid response from
Website Domain Names, Online Stores & Hosting | Domain.com
"

<html "

(...)

But for the second virtual host everything works just fine... They both have in their document root a .well-known folder with the same permissions:

drwxr-xr-x 2 root root 4096 juin 14 14:34 .well-known

And if I create a file with some text in it, I can reach it and read it without any problems on both virtual hosts.

I know this problem seems to be very popular but I don't find how to fix this...

I also tried this command, just to be sure:

./certbot-auto renew --dry-run --pre-hook "/etc/init.d/apache2 stop" --post-hook "/etc/init.d/apache2 start"

Same problem.

This is the part of the virtual host about the HTTPS: https://paste.debian.net/hidden/7677ddd8/

Do you have a clue, please ?

If you need more information, please ask.

EDIT: I tried to use the command:

./certbot-auto renew

And I didn't get an error, since they are not due for renewal. Is it normal to have this behaviour when the dry-run failed?

koshie

Here are two "clues":
Ensure that if your domain resolves to an IPv6 address it must be fully functional; as IPv6 is preferred over IPv4.
Understand that certbot will try port 80 (unless instructed otherwise).

I understand, but this can’t be the problem I have (I think) because, as I said, one of the vhosts on the same server doesn’t have this problem. If it were true, both would be unable to dry-run the renewal of the certificate. Right?

Not if the first was the default.
It would catch all and (appear to) work when looking for itself but fail for all others.
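To make the "default vhost catches everything" point concrete, here is an added example (not code from the thread or from Certbot) that parses a constructed Apache 2.2 config with hypothetical site names and replays name-based vhost selection for an HTTP-01 request on port 80. The third site only has a *:443 vhost, so its challenge request on port 80 falls through to the first *:80 vhost and is served from that site's DocumentRoot, which is exactly how a renewal can work for one host and fail with "Invalid response" plus someone else's HTML for the other.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of an Apache 2.2 name-based vhost setup (hypothetical names,
# not the poster's real configuration). The third site only has a *:443 vhost.
SAMPLE_CONFIG = """
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName first.example
    ServerAlias www.first.example
    DocumentRoot /var/www/first
</VirtualHost>
<VirtualHost *:80>
    ServerName second.example:80
    DocumentRoot /var/www/second
</VirtualHost>
<VirtualHost *:443>
    ServerName third.example
    DocumentRoot /var/www/third
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)


def _strip_port(name):
    # ServerName may carry an explicit :port; the name match ignores it.
    return name.lower().split(":")[0]


def parse_vhosts(config_text):
    """Return vhosts in file order as dicts: ports, names (incl. aliases), docroot."""
    vhosts = []
    for match in VHOST_RE.finditer(config_text):
        ports = set()
        for addr in match.group(1).split():
            host, _, port = addr.rpartition(":")
            ports.add(int(port) if host else 80)  # address without a port means 80
        names, docroot = [], None
        for line in match.group(2).splitlines():
            parts = line.split()
            if not parts:
                continue
            key = parts[0].lower()
            if key in ("servername", "serveralias"):
                names.extend(_strip_port(p) for p in parts[1:])
            elif key == "documentroot":
                docroot = parts[1].strip('"')
        vhosts.append({"ports": ports, "names": names, "docroot": docroot})
    return vhosts


def select_vhost(vhosts, port, requested_host):
    """Mimic name-based selection: the first vhost on the port whose ServerName
    or ServerAlias matches the Host header wins; otherwise the first vhost
    listed for that port is the default and answers for every other name."""
    candidates = [v for v in vhosts if port in v["ports"]]
    if not candidates:
        return None, False
    wanted = _strip_port(requested_host)
    for vhost in candidates:
        if any(fnmatchcase(wanted, pattern) for pattern in vhost["names"]):
            return vhost, True
    return candidates[0], False


def audit_http01(vhosts, cert_domains, port=80):
    """For each domain certbot validates over HTTP, report which vhost (and so
    which DocumentRoot) would answer /.well-known/acme-challenge/ requests."""
    report = {}
    for domain in cert_domains:
        vhost, explicit = select_vhost(vhosts, port, domain)
        report[domain] = {
            "served_by": vhost["names"][0] if vhost else None,
            "docroot": vhost["docroot"] if vhost else None,
            "explicit": explicit,
        }
    return report


if __name__ == "__main__":
    vhosts = parse_vhosts(SAMPLE_CONFIG)
    domains = ["first.example", "second.example", "third.example"]
    for domain, info in audit_http01(vhosts, domains).items():
        status = "ok" if info["explicit"] else "FALLS THROUGH TO DEFAULT VHOST"
        print(f"{domain:16} -> {info['served_by']} ({info['docroot']}): {status}")
```

On the real server, `apache2ctl -S` lists the loaded vhosts per port in the order Apache uses and names the default for each, which is the same check this script performs on a text file; a domain that appears only under *:443 will have its port-80 challenge served from whichever *:80 vhost is listed first.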

About port 80 I’m sure it’s open, because before I added the LE certificate it was working on port 80. So it can’t be that.

About the IPv6/IPv4, we are working with IPv4 for sure and in ports.conf I have this:

NameVirtualHost *:80
Listen 80

NameVirtualHost *:443
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
Listen 443

Which really makes me think Apache isn’t configured for IPv6. Also, after checking the server with ifconfig and lsmod, I don’t see anything about IPv6. So I’m 100% sure it’s not the problem.

In any case, thanks for your answer :slight_smile: .

Hello,

No clue about this problem? I’m still stuck and I can’t find a way to fix it.

I think I’ll re-create these certificates and see if I still have the problem.

koshie

It’s hard to help when you don’t give the domain nor show the vhost configs.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.