Can't renew certificate - probably error at initial certificate creation

I assume the problem is that I didn’t know what I did when I set up the certificates. I’m mainly running WordPress on my server. When I installed the certificate, I assumed I had to enter subdomains. Apparently this causes confusion upon renewal.

Assuming there’s some clash between certificates, I removed the grendel.no certificate, using

certbot delete grendel.no

grendel.no was deleted, but I can’t create a new certificate. I enclose what happened just before I messed things up.

My domain is:
grendel.no

I ran this command:
certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/grendel.no.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for grendel.no
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (grendel.no) from /etc/letsencrypt/renewal/grendel.no.conf produced an unexpected error: Failed authorization procedure. grendel.no (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 08252ab848ea986bceda578e98f0b6ae.cf4bda6dc8f0b2dec74b68258fdfbbce.acme.invalid from 46.226.13.198:443. Received 2 certificate(s), first certificate had names “blog.grendel.no, grendel.no, ptsd-boken.grendel.no, quaintworld.grendel.no, r.grendel.no, www.grendel.no”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/grendel.no/fullchain.pem (failure)

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is:
www.webhuset.no

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Certbot tried to modify your apache configuration to create a temporary VirtualHost with a special certificate to respond to the TLS-SNI challenge from Let’s Encrypt, but for some reason it didn’t work and your existing VirtualHost with your normal certificate was returned instead.

Could you please post the output of the following command?

sudo apachectl -S

Thanks for helping! I’m a total newbie here, unfortunately.

~ 2014>sudo apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release    /etc/apache2/ports.conf:4
AH00112: Warning: DocumentRoot [/home/vds/www/personlighetstesting.grendel.no] does not exist
VirtualHost configuration:
46.226.13.198:443      is a NameVirtualHost
         default server grendel.no (/etc/apache2/sites-enabled/grendel.no.conf:39)
         port 443 namevhost grendel.no (/etc/apache2/sites-enabled/grendel.no.conf:39)
         port 443 namevhost personlighetstesing.grendel.no (/etc/apache2/sites-enabled/personlighetstesting.grendel.no.conf:29)
         port 443 namevhost piwik.grendel.no (/etc/apache2/sites-enabled/piwik.grendel.no-le-ssl.conf:2)
         port 443 namevhost shiny.grendel.no (/etc/apache2/sites-enabled/shiny.grendel.no-le-ssl.conf:2)
46.226.13.198:80       is a NameVirtualHost
         default server beta.grendel.no (/etc/apache2/sites-enabled/beta.grendel.no.conf:1)
         port 80 namevhost deprecated.grendel.no (/etc/apache2/sites-enabled/deprecated.grendel.no.conf:1)
         port 80 namevhost grendel.no (/etc/apache2/sites-enabled/grendel.no.conf:3)
         port 80 namevhost laravel.grendel.no (/etc/apache2/sites-enabled/laravel.grendel.no.conf:1)
         port 80 namevhost leander.grendel.no (/etc/apache2/sites-enabled/leander.grendel.no.conf:1)
         port 80 namevhost ojs.grendel.no (/etc/apache2/sites-enabled/ojs.grendel.no.conf:1)
         port 80 namevhost personlighetstesting.grendel.no (/etc/apache2/sites-enabled/personlighetstesting.grendel.no.conf:1)
         port 80 namevhost www.grendel.no (/etc/apache2/sites-enabled/www.grendel.no.conf:1)
*:443                  grendel.no (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:*                    ptsd-boken.grendelno (/etc/apache2/sites-enabled/ptsd-boken.grendel.no.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ldap-cache: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl 
Mutex mpm-accept: using_defaults
Mutex cache-socache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

I suspect that the <VirtualHost *:443> in /etc/apache2/sites-enabled/default-ssl.conf may be the problem. The other VirtualHosts that have an explicit IP address listed take precedence over it; however it may be confusing certbot into trying to use it as a basis for its temporary configuration, over which they would also then take precedence. (I don’t think that should happen in this case… but I don’t have a better explanation)

If you’re not actively using that virtual host, it might be worth a try to disable it (sudo a2dissite default-ssl) and run certbot again.

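The two replies above rest on one Apache rule: a `<VirtualHost>` bound to the explicit IP wins over a `<VirtualHost *:443>` for the same port, and within the winning address:port group an unmatched SNI name falls through to that group's default (first-defined) vhost. The following is an added example, not code from this thread, from Certbot or from Apache: it parses a constructed, abridged `apachectl -S` dump modelled on the one posted above and simulates which vhost would answer a tls-sni-01 SNI name such as `...acme.invalid`, first with Certbot's temporary challenge vhost placed under `*:443` (shadowed, so the normal grendel.no certificate is returned, which is exactly the error the OP saw) and then under the explicit IP (answered correctly). Let's Encrypt has since retired tls-sni-01, but the same precedence rule still decides which certificate Apache serves for any SNI name, so the check remains useful. The hostname `0825.cf4b.acme.invalid` and the `<certbot temporary vhost>` config label are placeholders.

```python
"""Simulate Apache's VirtualHost selection from an `apachectl -S` dump.

Added example for this thread; not Certbot's or Apache's own logic.
Assumption (from the Apache docs): the listening address is matched first,
exact IP before '*', then exact port before '*'; name matching happens only
inside the chosen group, and an unmatched name gets the group's first vhost.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: abridged from the `apachectl -S` output posted in the thread.
SAMPLE_DUMP = """\
VirtualHost configuration:
46.226.13.198:443      is a NameVirtualHost
         default server grendel.no (/etc/apache2/sites-enabled/grendel.no.conf:39)
         port 443 namevhost grendel.no (/etc/apache2/sites-enabled/grendel.no.conf:39)
         port 443 namevhost piwik.grendel.no (/etc/apache2/sites-enabled/piwik.grendel.no-le-ssl.conf:2)
46.226.13.198:80       is a NameVirtualHost
         default server beta.grendel.no (/etc/apache2/sites-enabled/beta.grendel.no.conf:1)
         port 80 namevhost grendel.no (/etc/apache2/sites-enabled/grendel.no.conf:3)
*:443                  grendel.no (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
"""

Key = Tuple[str, str]  # (address, port) as printed, e.g. ("46.226.13.198", "443") or ("*", "443")

GROUP_RE = re.compile(r"^(\S+):(\d+|\*)\s+(?:is a NameVirtualHost|(\S+) \((.+)\))$")
MEMBER_RE = re.compile(r"^\s+(?:default server|port \S+ namevhost) (\S+) \((.+)\)$")
ALIAS_RE = re.compile(r"^\s+alias (\S+)$")


@dataclass
class VHost:
    name: str
    config: str
    aliases: List[str] = field(default_factory=list)

    def serves(self, host: str) -> bool:
        return host == self.name or host in self.aliases


def parse_vhost_dump(text: str) -> Dict[Key, List[VHost]]:
    """Group vhosts by address:port in file order; the first member of a group is its default."""
    groups: Dict[Key, List[VHost]] = {}
    current: Optional[Key] = None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            groups.setdefault(current, [])
            if m.group(3):  # single (non-NameVirtualHost) entry names its vhost on the same line
                groups[current].append(VHost(m.group(3), m.group(4)))
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            # "default server" repeats the first namevhost line; keep one record per vhost
            if not any(v.name == m.group(1) and v.config == m.group(2) for v in groups[current]):
                groups[current].append(VHost(m.group(1), m.group(2)))
            continue
        m = ALIAS_RE.match(line)
        if m and current is not None and groups[current]:
            groups[current][-1].aliases.append(m.group(1))
    return groups


def select_group(groups: Dict[Key, List[VHost]], ip: str, port: int) -> Optional[Key]:
    """Most specific listening address wins: exact IP beats '*', exact port beats '*'."""
    for key in ((ip, str(port)), (ip, "*"), ("*", str(port)), ("*", "*")):
        if key in groups:
            return key
    return None


def select_vhost(groups: Dict[Key, List[VHost]], ip: str, port: int, sni: str) -> Optional[VHost]:
    """The vhost Apache would hand a request for `sni` arriving on ip:port."""
    key = select_group(groups, ip, port)
    if key is None or not groups[key]:
        return None
    for v in groups[key]:
        if v.serves(sni):
            return v
    return groups[key][0]  # no ServerName/alias matched: the group's default answers


def shadowed_groups(groups: Dict[Key, List[VHost]]) -> List[Tuple[Key, Key]]:
    """Wildcard-address groups that can never answer on an IP an explicit group already binds."""
    return [(k, o) for k in groups if k[0] == "*"
            for o in groups if o[0] != "*" and o[1] == k[1]]


def with_challenge_vhost(groups: Dict[Key, List[VHost]], key: Key, challenge_host: str,
                         config: str = "<certbot temporary vhost>") -> Dict[Key, List[VHost]]:
    """Copy of `groups` with a Certbot-style temporary challenge vhost appended under `key`."""
    new = {k: list(v) for k, v in groups.items()}
    new.setdefault(key, []).append(VHost(challenge_host, config))
    return new


def challenge_would_succeed(groups: Dict[Key, List[VHost]], ip: str, challenge_host: str) -> bool:
    """True if the challenge vhost (and so its special certificate) answers for its SNI name."""
    v = select_vhost(groups, ip, 443, challenge_host)
    return v is not None and v.serves(challenge_host)


if __name__ == "__main__":
    groups = parse_vhost_dump(SAMPLE_DUMP)
    acme_name = "0825.cf4b.acme.invalid"  # placeholder in the shape of a tls-sni-01 SNI name
    for key, other in shadowed_groups(groups):
        print(f"{key[0]}:{key[1]} is shadowed by {other[0]}:{other[1]}")
    for where in (("*", "443"), ("46.226.13.198", "443")):
        sim = with_challenge_vhost(groups, where, acme_name)
        hit = select_vhost(sim, "46.226.13.198", 443, acme_name)
        print(f"challenge vhost under {where[0]}:{where[1]} -> {hit.name} "
              f"({'ok' if hit.serves(acme_name) else 'wrong certificate'})")
```

Run it against your own `sudo apachectl -S` output by replacing `SAMPLE_DUMP`: any pair printed by `shadowed_groups` is a vhost that Apache will never select for that IP, which is what `a2dissite default-ssl` removed here. The simulator only knows ServerName and `alias` lines as `apachectl -S` prints them; it does not model `_default_` vhosts or per-listener `SSLStrictSNIVHostCheck` settings.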

Thanks! This time Certbot did its stuff.

Everything seems to work now.

Thank you so much :)

