Can't renew certificate

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: circusofthings.com

I ran this command: sudo certbot certonly --force-renew -d circusofthings.com -d www.circusofthings.com
(option 3, path: /var/lib/tomcat7/webapps/ROOT/ where my .pfx currently working file is)

It produced this output:

Waiting for verification…
Cleaning up challenges
Failed authorization procedure. circusofthings.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://circusofthings.com.well-known/acme-challenge/IfCzZ2FQ36I51BkpgYZPyGJ_l7LI5lp0Sai9UYzJUNk: Invalid hostname in redirect target, must end in IANA registered TLD, www.circusofthings.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.circusofthings.com/.well-known/acme-challenge/WtDlKF5iZ3kJZSP6pzJWPhds5Ur42hG67bM6kFjDcyA [31.193.227.136]: “\n\n404 Not Found\n\n

Not Found

\n<p”

(Suspicious that is fetching to: https://circusofthings.com.well-known/acme-challenge… lost “/”?)

My web server is (include version):
Apache Tomcat/7.0.52 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 14.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.28.0

#2

Hi @jaimiris

that’s the “missing slash redirect problem” (output via https://check-your-website.server-daten.de/?q=circusofthings.com ):

Domainname Http-Status redirect Sec. G
http://circusofthings.com/
31.193.227.136 301 https://circusofthings.com 0.097 A
http://www.circusofthings.com/
31.193.227.136 200 0.467 H
https://circusofthings.com 200 0.503 N
Certificate error: RemoteCertificateChainErrors
https://circusofthings.com/
31.193.227.136 200 0.690 N
Certificate error: RemoteCertificateChainErrors
https://www.circusofthings.com/
31.193.227.136 200 0.580 N
Certificate error: RemoteCertificateChainErrors
http://circusofthings.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
31.193.227.136 301 https://circusofthings.com.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.097 A
Visible Content: Moved Permanently The document has moved here . Apache/2.4.7 (Ubuntu) Server at circusofthings.com Port 80
http://www.circusofthings.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
31.193.227.136 404 0.097 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.7 (Ubuntu) Server at www.circusofthings.com Port 80
https://circusofthings.com.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -1 0.030 R
NameResolutionFailure - The remote name could not be resolved: ‘circusofthings.com.well-known’
Visible Content:

Your http redirects to https, but without a slash at the end (first row).

If a subdirectory /.well-known/acme-challenge is redirected, the result is the non-existent domain

circusofthings.com.well-known

that can’t work.

So check your redirect rule to add a “/” after your %SERVER variable.

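An added example, not code from the thread or from Apache, that models the behaviour described above: mod_alias `Redirect URL-path URL` appends whatever follows the matched prefix to the target with no separator, so a rule like `Redirect / https://host` (no trailing slash) turns `/.well-known/acme-challenge/...` into `https://host.well-known/...`, while the same rule with a trailing slash keeps the path intact. The hostname, token and classification labels are constructed for the example.

```python
# Added example (not from the thread): models Apache's mod_alias
# "Redirect URL-path URL" behaviour and checks a redirect target the way
# an http-01 validator would. Hostname and token are constructed samples.
from urllib.parse import urlsplit

CHALLENGE = "/.well-known/acme-challenge/TOKEN-constructed"


def apache_redirect(rule_path, rule_target, request_path):
    """mod_alias Redirect: the request path beyond the matched prefix is
    appended verbatim to the target; no "/" is inserted in between."""
    if not request_path.startswith(rule_path):
        return None                      # rule does not match; no redirect
    return rule_target + request_path[len(rule_path):]


def check_acme_redirect(request_url, location):
    """Classify a Location header seen while fetching a challenge file."""
    req, loc = urlsplit(request_url), urlsplit(location)
    if loc.scheme not in ("http", "https"):
        return "bad-scheme"
    # The thread's symptom: ".well-known" got glued onto the host, so the
    # last label becomes "well-known", which no registered TLD looks like.
    if not loc.hostname or not loc.hostname.split(".")[-1].isalpha():
        return "invalid-tld"
    if loc.path != req.path:
        return "path-lost"               # challenge file would not be found
    return "ok"


def compare_rules(host):
    """Run one challenge request through a weak rule and the fixed rule."""
    request = f"http://{host}{CHALLENGE}"
    results = {}
    for label, target in (("weak", f"https://{host}"),      # no trailing slash
                          ("fixed", f"https://{host}/")):   # trailing slash
        location = apache_redirect("/", target, CHALLENGE)
        results[label] = (location, check_acme_redirect(request, location))
    return results


if __name__ == "__main__":
    for label, (loc, verdict) in compare_rules("example.com").items():
        print(f"{label:5} -> {loc}  [{verdict}]")
```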
#3

PS: Your www-version isn’t redirected.

So the http version is checked. But http has a

Server: Apache/2.4.7 (Ubuntu)

header,

https has a

Server: Apache-Coyote/1.1

If your webroot is the https version, you must add a www-redirect http -> https.

#4

Hi @JuergenAuer
Your response makes perfect sense… but something new happened:

Cleaning up challenges
An unexpected error occurred:
The server experienced an internal error :: Problem getting authorization
Please see the logfiles in /var/log/letsencrypt for more details.

… in the log we have:

2019-04-17 10:36:58,602:DEBUG:certbot.error_handler:Calling registered functions
2019-04-17 10:36:58,602:INFO:certbot.auth_handler:Cleaning up challenges
2019-04-17 10:36:58,602:DEBUG:certbot.plugins.webroot:Removing /var/lib/tomcat7/webapps/ROOT/.well-known/acme-challenge/9c0W5yrxnOzT2ii7D8p3_d$
2019-04-17 10:36:58,603:DEBUG:certbot.plugins.webroot:Removing /var/lib/tomcat7/webapps/ROOT/.well-known/acme-challenge/tISpbFpiZPRjvZrjXhl8Ag$
2019-04-17 10:36:58,603:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2019-04-17 10:36:58,604:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.28.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1340, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1225, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 305, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 335, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 371, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 161, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 212, in _poll_challenges
aauthzrs, index, chall_update[index])
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 244, in _handle_check
updated_authzr, _ = self.acme.poll(original_aauthzr.authzr)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 213, in poll
response = self.net.get(authzr.uri)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 1097, in get
self._send_request(‘GET’, url, **kwargs), content_type=content_type)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 999, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Problem getting authorization
2019-04-17 10:36:58,606:ERROR:certbot.log:An unexpected error occurred:
2019-04-17 10:36:58,606:ERROR:certbot.log:The server experienced an internal error :: Problem getting authorization

#5

Perfect!
After checking your “www…” suggestion everything worked
Thank you very much, Sir
