Can't renew the certifiacte

Hi

My domain is: team.mrashad.com

I ran this command: “certbot certonly --register-unsafely-without-email --agree-tos --webroot -w /root/vhosts/team.mrashad.com -d team.mrashad.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for team.mrashad.com
Using the webroot path /root/vhosts/team.mrashad.com for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. team.mrashad.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://team.mrashad.com.well-known/acme-challenge/TmTKRX4oFzoTnBNDlZHz0XI_yljuMdzJnN7ILiVNZQA: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: team.mrashad.com
    Type: connection
    Detail: Fetching
    https://team.mrashad.com.well-known/acme-challenge/TmTKRX4oFzoTnBNDlZHz0XI_yljuMdzJnN7ILiVNZQA:
    Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.


My web server is (include version): apache

The operating system my web server runs on is (include version): Linux Ubuntu 16.04.5 LTS

My hosting provider, if applicable, is: My own server

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I did create the certificate before with the same command but now I need to renew it, I do the “apache” changes by myself not by “certbot”, I did remove the “.well-known” directory after the certificate creation -I don’t know if I need it now or the bot will recreate it- but my concern it about the link that bot come back with, it checks “https://team.mrashad.com.well-known/acme-challenge/TmTKRX4oFzoTnBNDlZHz0XI_yljuMdzJnN7ILiVNZQA” instead of “https://team.mrashad.com/well-known/acme-challenge/TmTKRX4oFzoTnBNDlZHz0XI_yljuMdzJnN7ILiVNZQA” -“team.mrashad.com.well-known” instead of “team.mrashad.com/well-known”- I can’t tell why or how to fix this, I’m using “certbot 0.26.1”
I run the “certbot” as root but the “apache” runs as user “www-data” who is the owner of “/root/vhosts/team.mrashad.com” and “/root/vhosts/”

Thank you for your help

Hi @mrashad

you have a redirect http -> https. This is allowed. But in your redirect there is a missing

/

Look this:

download http://team.mrashad.com/.well-known/acme-challenge/1234 -h
SystemDefault
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 345
Content-Type: text/html; charset=iso-8859-1
Date: Sat, 22 Sep 2018 16:34:27 GMT
Location: https://team.mrashad.com.well-known/acme-challenge/1234
Server: Apache/2.4.18 (Ubuntu)

Status: 301 MovedPermanently

322,40 milliseconds
0,32 seconds

Your redirect sends

https://team.mrashad.com.well-known/acme-challenge/1234

back, but there is no domain team.mrashad.com.well-known. So you should add a / after the server name:

https://team.mrashad.com/.well-known/acme-challenge/1234

1 Like

Now your redirect is correct:

download http://team.mrashad.com/.well-known/acme-challenge/1234 -h
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 346
Content-Type: text/html; charset=iso-8859-1
Date: Sat, 22 Sep 2018 17:03:04 GMT
Location: https://team.mrashad.com/.well-known/acme-challenge/1234
Server: Apache/2.4.18 (Ubuntu)

Status: 301 MovedPermanently

310,60 milliseconds
0,31 seconds

And there

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:team.mrashad.com&lu=cert_search

is a new certificate, created today :wink:

Thank you very much, you saved my day

fixed the redirection then everything works like a charm, thank you

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.