Can't renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: demo.kdsquantum.com

I ran this command: sudo certbot renew --cert-name demo.kdsquantum.com --dry-run

It produced this output: Attempting to renew cert (demo.kdsquantum.com) from /etc/letsencrypt/renewal/demo.kdsquantum.com.conf produced an unexpected error: Failed authorization procedure. demo.kdsquantum.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 54.79.34.63: Invalid response from http://demo.kdsquantum.com/.well-known/acme-challenge/V512G-gH55t3AerJkzzebKOAETvzSs7G8MdsnCklYqw: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/demo.kdsquantum.com/fullchain.pem (failure)

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: NONE

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hi All

I have a domain set up with Let's Encrypt SSL certification and until recently it's worked - maybe a year or two, without fault. Recently, 3 days ago, it's failed to automatically update the certificate.

I see that there is an error message 'Invalid response from http://demo.kdsquantum.com/.well-known/acme-challenge/V512G-gH55t3AerJkzzebKOAETvzSs7G8MdsnCklYqw:'. Now I admit I never took much notice about the validation / update process until now, but certbot seems to fail to find a file '/.well-known/acme-challenge/V512...

So. I assume that this folder and file were created when the certificate was first created? But I never noticed, and now the update process is trying to find that file as validation of the domain.

Also, I am looking for that folder and file, but it does not seem to exist in my web root folder (ie /public, where web files are served from). I can recreate a dummy file (empty file) at that location and access it via http port 80, so I think there is no problem with the server firewall settings.

If this folder '.well-known/acme-challenge/V512...' and file ever existed, then I am quite sure that I have accidentally deleted them recently through a web update. I recently used an 'rsync --delete' option to update the website, which would delete any files and folders that were not found on the development source website. This would include the '.well-known/acme-challenge/V512...' file if it originally existed.

I have since tried to reinstall the certificate using 'sudo certbot --apache -d demo.kdsquantum.com' but it still fails with error message 'Invalid response from http://demo.kdsquantum.com/.well-known/acme-challenge/PfqFhAlFT8g8rPQAB94yyZSc_0bjgqx63qYEdQkrX9c: 404'.

I would greatly appreciate help to resolve this problem, and hopefully to also understand if / how the '/.well-known/acme-challenge/...' file gets put in place.

Thank you in advance for your help.

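The question above asks what the file under /.well-known/acme-challenge/ is and how it gets there. The example below is added here and is not certbot's or the thread's own code: it computes the value an ACME validator expects to read at that URL (RFC 8555 section 8.1: the challenge token, a dot, and the RFC 7638 thumbprint of the account key) and checks a fetched response against it. The account key is a constructed dummy JWK, not a real key, and the token is made up. Because the expected body is derived from the account key, an empty placeholder file at the same path would fetch fine over port 80 but still fail validation; certbot's --apache authenticator also serves this response from a temporary configuration that it removes after validation, which is why nothing stays behind in the web root for rsync to delete.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members only,
    serialised with keys in lexicographic order and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token '.' thumbprint(accountKey).
    This string is what must be served at
    http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def validate_http01_response(token: str, account_jwk: dict,
                             status: int, body: str) -> bool:
    """Mimic the validator's check on a fetched challenge URL: HTTP 200 and a
    body equal to the key authorization (trailing whitespace tolerated)."""
    if status != 200:
        return False
    return body.strip() == key_authorization(token, account_jwk)


# Constructed dummy account key (NOT a real RSA key; the modulus is filler).
# Only the JWK shape matters for the thumbprint computation.
DUMMY_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(b"constructed-dummy-modulus-for-illustration-only"),
    "kid": "ignored-by-thumbprint",  # non-required members are excluded
}

# Constructed token, same shape as the ones in the thread's error messages.
DUMMY_TOKEN = "V512G-gH55t3AerJkzzebKOAETvzSs7G8MdsnCklYqw"


if __name__ == "__main__":
    expected = key_authorization(DUMMY_TOKEN, DUMMY_ACCOUNT_JWK)
    print("expected challenge body:", expected)
    # A 404 (the thread's symptom) and an empty dummy file both fail.
    print("404 from wrong vhost:", validate_http01_response(DUMMY_TOKEN, DUMMY_ACCOUNT_JWK, 404, ""))
    print("empty placeholder file:", validate_http01_response(DUMMY_TOKEN, DUMMY_ACCOUNT_JWK, 200, ""))
    print("correct response:", validate_http01_response(DUMMY_TOKEN, DUMMY_ACCOUNT_JWK, 200, expected + "\n"))
```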

Hi @mike66, and welcome to the LE community forum :slight_smile:

Apache can be tricky.
It is likely something in that config that was changed weeks ago.
And you are now just feeling the effects of it.

Let's start by reviewing the config with:
sudo apachectl -t -D DUMP_VHOSTS

And this version is really old:


Hi @rg305
Thanks for your response, and please find the information requested below.

sudo apachectl -t -D DUMP_VHOSTS
[Mon Jun 19 20:57:26.055138 2023] [alias:warn] [pid 26101] AH00671: The Alias directive in /etc/phpmyadmin/apache.conf at line 3 will probably never match because it overlaps an earlier Alias.
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using demo.kdsquantum.com. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
default server agent.kdsquantum.com (/etc/apache2/sites-enabled/agent-le-ssl.conf:2)
port 443 namevhost agent.kdsquantum.com (/etc/apache2/sites-enabled/agent-le-ssl.conf:2)
alias www.agent.kdsquantum.com
port 443 namevhost demo.kdsquantum.com (/etc/apache2/sites-enabled/demo-le-ssl.conf:2)
alias www.demo.kdsquantum.com
*:80 is a NameVirtualHost
default server demo.kdsquantum.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost demo.kdsquantum.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost agent.kdsquantum.com (/etc/apache2/sites-enabled/agent.conf:1)
alias www.agent.kdsquantum.com
port 80 namevhost demo.kdsquantum.com (/etc/apache2/sites-enabled/demo.conf:1)
alias www.demo.kdsquantum.com

ALSO NOTE: You will see another vhost ' agent.kdsquantum.com' in the above dump. Running certbot renew --dry-run completes successfully on that vhost, but fails for demo.kdsquantum.com, as you can see below ...

sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/agent.kdsquantum.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for agent.kdsquantum.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/agent.kdsquantum.com/fullchain.pem



Processing /etc/letsencrypt/renewal/demo.kdsquantum.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for demo.kdsquantum.com
http-01 challenge for www.demo.kdsquantum.com
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (demo.kdsquantum.com) from /etc/letsencrypt/renewal/demo.kdsquantum.com.conf produced an unexpected error: Failed authorization procedure. demo.kdsquantum.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 54.79.34.63: Invalid response from http://demo.kdsquantum.com/.well-known/acme-challenge/bvjxjSC6kdIBDNA_t_oDI_SCEoq-qX2Rv4kHrWTd9kY: 404. Skipping.

These two files are using the same name:port combination:

That's an overlap and considered a misconfiguration.

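The diagnosis above comes from reading the DUMP_VHOSTS output by eye and spotting that two files claim demo.kdsquantum.com on port 80. The script below is an added example, not anything from the thread or from Apache: it parses `apachectl -t -D DUMP_VHOSTS` output (ServerName and ServerAlias entries alike) and reports every name:port combination claimed by more than one config location, which is exactly the overlap that sends an http-01 request to the wrong VirtualHost. The embedded sample is the dump posted earlier in this thread, re-indented the way apachectl prints it; pipe real output into the script to check a live server.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: the DUMP_VHOSTS output posted in this thread, with the
# indentation apachectl normally emits (the forum flattened it).
SAMPLE_DUMP = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server agent.kdsquantum.com (/etc/apache2/sites-enabled/agent-le-ssl.conf:2)
         port 443 namevhost agent.kdsquantum.com (/etc/apache2/sites-enabled/agent-le-ssl.conf:2)
                 alias www.agent.kdsquantum.com
         port 443 namevhost demo.kdsquantum.com (/etc/apache2/sites-enabled/demo-le-ssl.conf:2)
                 alias www.demo.kdsquantum.com
*:80                   is a NameVirtualHost
         default server demo.kdsquantum.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost demo.kdsquantum.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost agent.kdsquantum.com (/etc/apache2/sites-enabled/agent.conf:1)
                 alias www.agent.kdsquantum.com
         port 80 namevhost demo.kdsquantum.com (/etc/apache2/sites-enabled/demo.conf:1)
                 alias www.demo.kdsquantum.com
"""

# "port 80 namevhost demo.example (/etc/apache2/sites-enabled/demo.conf:1)"
NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):(\d+)\)")
# "        alias www.demo.example"  (belongs to the preceding namevhost line)
ALIAS_RE = re.compile(r"^\s*alias (\S+)\s*$")


def parse_vhosts(dump: str):
    """Return a list of (port, name, 'file:line') for every ServerName and
    ServerAlias in the dump. 'default server' lines are skipped because they
    repeat a namevhost entry rather than add a new claim."""
    entries = []
    current = None  # (port, location) of the most recent namevhost line
    for line in dump.splitlines():
        m = NAMEVHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            current = (port, f"{path}:{lineno}")
            entries.append((port, name, current[1]))
            continue
        m = ALIAS_RE.match(line)
        if m and current is not None:
            entries.append((current[0], m.group(1), current[1]))
    return entries


def find_overlaps(dump: str):
    """Map 'name:port' -> sorted distinct config locations, keeping only the
    combinations claimed by more than one location (the misconfiguration)."""
    claims = defaultdict(set)
    for port, name, loc in parse_vhosts(dump):
        claims[f"{name}:{port}"].add(loc)
    return {k: sorted(v) for k, v in claims.items() if len(v) > 1}


if __name__ == "__main__":
    # Usage: sudo apachectl -t -D DUMP_VHOSTS 2>/dev/null | python3 check_vhosts.py
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    overlaps = find_overlaps(dump)
    if not overlaps:
        print("no overlapping name:port combinations")
    for combo, locations in overlaps.items():
        print(f"OVERLAP {combo} is claimed by:")
        for loc in locations:
            print(f"    {loc}")
    sys.exit(1 if overlaps else 0)
```

Only the first VirtualHost that matches a name:port pair ever answers for it, so when the overlap involves a file such as 000-default.conf that has no challenge handling, the ACME validator's request for /.well-known/acme-challenge/ lands there and gets the 404 seen in the thread; removing or renaming the stray VirtualHost, as the reporter did, clears the report.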

Thank you @rg305, you nailed it!

The 000-default.conf was the default configuration on the server. It's not used now. It never caused a problem previously; however, until a few months ago the server hostname was different. I changed the server's hostname to demo.kdsquantum.com a few months back and I guess that the default virtual host is also using that hostname. After deleting the default virtual host, the demo.kdsquantum.com domain updated without fault.

Thank you once again for your prompt help.
