Entered the command: certbot-auto renew. Server DNS is correct.
Received the following:
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cnow9..com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (cnow9..com) from /etc/letsencrypt/renewal/cnow9..com.conf produced an unexpected error: Failed authorization procedure. cnow9..com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cnow9..com/.well-known/acme-challenge/KwJ3aDbhy0pcgBJV7bcO0Xue6KbVt19DM4kI8SLISSQ: "
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cnow9..com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: cnow9..com
Type: unauthorized
Detail: Invalid response from http://cnow9..com/.well-known/acme-challenge/KwJ3aDbhy0pcgBJV7bcO0Xue6KbVt19DM4kI8SLISSQ:
"
Oritor
<meta property="og:title" content="Or"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
You probably have some address rewrite rules that redirect all requests to your app, which makes it impossible for Let’s Encrypt validation servers to access the verification file. You have to make sure that all URLs beginning with /.well-known/acme-challenge/ are handled by the web server itself.
@rg305: I think the part of the domain between these two dots was removed, which is kinda pointless, as I was able to find the full domain name using Certificate Transparency logs…
certbot-auto certonly --webroot-path /var/www/html
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
How would you like to authenticate with the ACME CA?
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c’
to cancel): cnow9.oritor.com
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cnow9.oritor.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cnow9.oritor.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cnow9.oritor.com/.well-known/acme-challenge/gtzkkipdQUab_uKPSspyekeds01qU5hJQsZeoIbGh9U: "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
You need to be sure that a request to http://cnow9.oritor.com/.well-known/acme-challenge/whatever is going to read the files on your web root, in your case /var/www/html/.well-known/acme-challenge/whatever, so before trying to issue a cert, check it yourself.
1.- Create a test file
mkdir -p /var/www/html/.well-known/acme-challenge/
echo "this is a challenge test" > /var/www/html/.well-known/acme-challenge/test
2.- Check that you can view the file using your browser.
If you can’t view the text “this is a challenge test”, then either you are not specifying the right web root for your domain (keep in mind that you are redirecting http to https, and maybe you have different web roots: /var/www/html/ for requests to port 80 and another path for requests to port 443) or, as other mates said, maybe you have some rewrite rule doing something strange.
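The self-check those two steps describe, as an added Python example that is not from this thread: it drops a token file under the webroot, fetches it the way the ACME validator would (without following redirects), and reports whether the file, a redirect, a 404 or an application page came back. It runs against throwaway local servers, so the webroot paths and the Oritor-style app response are constructed.

```python
import os, secrets, tempfile, threading, urllib.error, urllib.request
from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_test_token(webroot):  # drop a random token file under the webroot, as certbot's webroot plugin does
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR), exist_ok=True)
    token = secrets.token_urlsafe(32)
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as fh:
        fh.write(token)
    return token

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # refuse to follow 3xx, so a rewrite to the app is reported instead of silently followed

def check_challenge(base_url, token, timeout=5):  # fetch the token like the ACME validator and classify the reply
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            return "redirect", err.headers.get("Location")  # a rewrite rule sent the request elsewhere
        return "http_error", err.code                        # e.g. 404: wrong webroot for this vhost
    except urllib.error.URLError as err:
        return "unreachable", str(err.reason)                # DNS or firewall: the host never answered
    if body.strip() == token:
        return "ok", url
    # HTML in the body means the application answered instead of the static file (the "Oritor" page above)
    return ("app_response" if "<" in body else "mismatch"), body[:60]

class _AppCatchAll(BaseHTTPRequestHandler):  # constructed stand-in for an app that swallows every URL
    def do_GET(self):
        self.send_response(200); self.send_header("Content-Type", "text/html"); self.end_headers()
        self.wfile.write(b'<html><meta property="og:title" content="Or"></html>')  # like the thread's response

def serve(handler):  # start a throwaway HTTP server on a free 127.0.0.1 port and return its base URL
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def demo():  # right webroot, wrong webroot and app-catches-all, side by side
    good, wrong = tempfile.mkdtemp(), tempfile.mkdtemp()
    token = write_test_token(good)
    files = lambda root: partial(SimpleHTTPRequestHandler, directory=root)
    return {"right_webroot": check_challenge(serve(files(good)), token)[0],
            "wrong_webroot": check_challenge(serve(files(wrong)), token)[0],
            "app_catches_all": check_challenge(serve(_AppCatchAll), token)[0]}
```

Against a real host, call write_test_token on the live webroot and check_challenge with the site's http:// URL; anything but "ok" is the same failure the ACME server will report.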