Can't, twice again, renew certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
grendel.no

I ran this command:
certbot --apache certonly -w ~vds/www/blog.grendel.no -d grendel.no -d blog.grendel.no -d r.grendel.no -d www.grendel.no -d ptsd-boken.grendel.no

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for grendel.no
http-01 challenge for blog.grendel.no
http-01 challenge for r.grendel.no
http-01 challenge for www.grendel.no
http-01 challenge for ptsd-boken.grendel.no
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. blog.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.grendel.no/.well-known/acme-challenge/x9j-C_e9fRLKMuraGRnydZrzRH01xcpHOiBS9Xd1N8E: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", r.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://r.grendel.no/.well-known/acme-challenge/gFw6LAs6jcEpnaMaCabe5haHzLvrFoDE1Nmzuu4uG6U: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", ptsd-boken.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://ptsd-boken.grendel.no/.well-known/acme-challenge/MygHLXyd5dLIcKxA6YtbHgCS0M2jLN82ANtidZTTLoY: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://grendel.no/.well-known/acme-challenge/0AelLT-A9_AMMZ_RFtxQTSs6FKFNXF38vud--eBDPU8: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p", www.grendel.no (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.grendel.no/.well-known/acme-challenge/8fyCxRWjs0nSS2mTQ2qioSkY5okidL4U4OWl6i3gW4M: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: blog.grendel.no
   Type:   unauthorized
   Detail: Invalid response from
   http://blog.grendel.no/.well-known/acme-challenge/x9j-C_e9fRLKMuraGRnydZrzRH01xcpHOiBS9Xd1N8E:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   Domain: r.grendel.no
   Type:   unauthorized
   Detail: Invalid response from
   http://r.grendel.no/.well-known/acme-challenge/gFw6LAs6jcEpnaMaCabe5haHzLvrFoDE1Nmzuu4uG6U:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   Domain: ptsd-boken.grendel.no
   Type:   unauthorized
   Detail: Invalid response from
   http://ptsd-boken.grendel.no/.well-known/acme-challenge/MygHLXyd5dLIcKxA6YtbHgCS0M2jLN82ANtidZTTLoY:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   Domain: grendel.no
   Type:   unauthorized
   Detail: Invalid response from
   http://grendel.no/.well-known/acme-challenge/0AelLT-A9_AMMZ_RFtxQTSs6FKFNXF38vud--eBDPU8:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   Domain: www.grendel.no
   Type:   unauthorized
   Detail: Invalid response from
   http://www.grendel.no/.well-known/acme-challenge/8fyCxRWjs0nSS2mTQ2qioSkY5okidL4U4OWl6i3gW4M:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>403 Forbidden</title>
   </head><body>
   <h1>Forbidden</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version):
Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS

My hosting provider, if applicable, is:
www.webhuset.no

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

Additional info:

#apachectl -S
VirtualHost configuration:
46.226.13.198:80       is a NameVirtualHost
         default server grendel.no (/etc/apache2/sites-enabled/000-grendel.no.conf:1)
         port 80 namevhost grendel.no (/etc/apache2/sites-enabled/000-grendel.no.conf:1)
                 alias www.grendel.no
                 alias blog.grendel.no
                 alias r.grendel.no
                 alias ptsd-boken.grendel.no
                 alias test.grendel.no
                 alias beta.grendel.no
         port 80 namevhost api.grendel.no (/etc/apache2/sites-enabled/api.grendel.no.conf:1)
         port 80 namevhost omvendtpedagogikk.no (/etc/apache2/sites-enabled/omvendtpedagogikk.no.conf:1)
                 alias omvendtpedagogikk.no
                 alias www.omvendtpedagogikk.no
         port 80 namevhost omvendtpsykologi.no (/etc/apache2/sites-enabled/omvendtpsykologi.no.conf:1)
                 alias omvendtpsykologi.no
                 alias www.omvendtpsykologi.no
         port 80 namevhost personlighetstesting.no (/etc/apache2/sites-enabled/personlighetstesting.no.conf:1)
                 alias personlighetstesting.no
                 alias www.personlighetstesting.no
46.226.13.198:443      is a NameVirtualHost
         default server grendel.no (/etc/apache2/sites-enabled/000-grendel.no-le-ssl.conf:2)
         port 443 namevhost grendel.no (/etc/apache2/sites-enabled/000-grendel.no-le-ssl.conf:2)
                 alias www.grendel.no
                 alias blog.grendel.no
                 alias r.grendel.no
                 alias ptsd-boken.grendel.no
                 alias test.grendel.no
                 alias beta.grendel.no
         port 443 namevhost api.grendel.no (/etc/apache2/sites-enabled/api.grendel.no-le-ssl.conf:2)
         port 443 namevhost omvendtpedagogikk.no (/etc/apache2/sites-enabled/omvendtpedagogikk.no-le-ssl.conf:2)
                 alias omvendtpedagogikk.no
                 alias www.omvendtpedagogikk.no
         port 443 namevhost omvendtpsykologi.no (/etc/apache2/sites-enabled/omvendtpsykologi.no-le-ssl.conf:2)
                 alias omvendtpsykologi.no
                 alias www.omvendtpsykologi.no
         port 443 namevhost personlighetstesting.no (/etc/apache2/sites-enabled/personlighetstesting.no-le-ssl.conf:2)
                 alias personlighetstesting.no
                 alias www.personlighetstesting.no
         port 443 namevhost shiny.grendel.no (/etc/apache2/sites-enabled/shiny.grendel.no.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ldap-cache: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl 
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

Any and all hints and suggestions appreciated.

Thank you.


#2

Could you please check the access and/or error log of Apache? It should give you extra information on WHY your webserver refused access to the token file.


#3

Hi @rolfmblindgren

To test: create two subdirectories in the webroot of www.grendel.no, /.well-known/acme-challenge, and there create a file (named something like 123456789, without an extension).

So this file should be loaded by www.grendel.no/.well-known/acme-challenge/123456789 (with correct permissions).

Perhaps your option

-w ~vds/www/blog.grendel.no

and your setting

Main DocumentRoot: "/var/www/html"

aren't compatible, so Certbot creates the file in the wrong place or the permissions are wrong.


#4

Hi Juergen, thanks for helping.

The .conf-file for the actual site states that DocumentRoot is /home/vds/www/blog.grendel.no, so that probably can’t be it.

The output of

curl -I -L -k -X GET http://www.grendel.no/.well-known/acme-challenge/readme

is

HTTP/1.1 200 OK
Date: Sat, 07 Jul 2018 11:54:09 GMT
Server: Apache/2.4.29 (Ubuntu) mod_lisp2/1.3.1 mod_R/1.2.8 R/3.3.0 OpenSSL/1.1.0g mod_apreq2-20090110/2.8.0
Content-Security-Policy: upgrade-insecure-requests;
Last-Modified: Sat, 07 Jul 2018 11:50:13 GMT
ETag: "4-5706762173472"
Accept-Ranges: bytes
Content-Length: 4
Vary: Accept-Encoding,Cookie
Cache-Control: max-age=300, must-revalidate
Content-Type: text/plain

So it seems that permissions are OK.


#5

This is suspicious, because reproducing that request doesn’t actually have that response content.

I would check you don’t have any tricky .htaccess/mod_security/WordFence stuff going on that may be catching out “robot-like” requests.

Apart from that, using --apache with -w is redundant. With the Apache authenticator, you shouldn’t specify a webroot - Certbot will work out what to do for each domain on its own.


#6

I get a Forbidden:

Forbidden

You don’t have permission to access /.well-known/acme-challenge/readme on this server.

PS: If you check this with curl, you may have additional rights.


#7

Hi Osiris, thanks for helping!

Here’s something:

[Sat Jul 07 13:57:48.522869 2018] [core:error] [pid 1914] (13)Permission denied: [client 66.133.109.36:58916] AH00035: access to /.well-known/acme-challenge/7oy0KZ3dvv8Jb-A862X4_WnKlXt1iedMEEHKLPJ-m2o denied (filesystem path '/var/lib/letsencrypt/http_challenges') because search permissions are missing on a component of the path

I suppose that’s worth looking into. But is it apache that isn’t allowed to search? Or is it the filesystem?
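An added diagnostic, not from this thread and not part of Certbot: it parses the AH00035 line quoted above to recover the filesystem path Apache complained about, then walks that path checking, for the www-data user (uid/gid 33 in the apachectl -S output), whether every directory carries the search (x) bit and the final file the read bit. It also answers the test in #3 (a token file under .well-known/acme-challenge) when pointed at that file. The log line is embedded as sample input; the regex is written for that message format only.

```python
import os
import re
import stat

# The AH00035 line quoted in the thread, embedded here as sample input.
SAMPLE_LOG = ("[Sat Jul 07 13:57:48.522869 2018] [core:error] [pid 1914] (13)Permission denied: "
              "[client 66.133.109.36:58916] AH00035: access to /.well-known/acme-challenge/"
              "7oy0KZ3dvv8Jb-A862X4_WnKlXt1iedMEEHKLPJ-m2o denied (filesystem path "
              "'/var/lib/letsencrypt/http_challenges') because search permissions are "
              "missing on a component of the path")

# Pattern written for the message format above; it is not Apache's own parser.
AH00035_RE = re.compile(r"AH00035: access to (?P<uri>\S+) denied "
                        r"\(filesystem path '(?P<path>[^']+)'\) because (?P<reason>.+)$")

def parse_ah00035(line):
    """Return (uri, filesystem_path, reason) from an AH00035 error-log line, else None."""
    m = AH00035_RE.search(line)
    return (m.group("uri"), m.group("path"), m.group("reason")) if m else None

def untraversable_components(path, uid, gids):
    """List (component, problem) for each part of `path` that uid/gids cannot use.
    Dirs need the search (x) bit, a final regular file the read (r) bit, judged in
    the owner/group/other class the kernel would pick; os.stat bits, so root-safe."""
    problems, current = [], os.sep
    for part in os.path.abspath(path).split(os.sep):
        current = os.path.join(current, part) if part else current
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append((current, "does not exist"))
            break
        if st.st_uid == uid:
            cls, x_bit, r_bit = "owner", stat.S_IXUSR, stat.S_IRUSR
        elif st.st_gid in gids:
            cls, x_bit, r_bit = "group", stat.S_IXGRP, stat.S_IRGRP
        else:
            cls, x_bit, r_bit = "other", stat.S_IXOTH, stat.S_IROTH
        if stat.S_ISDIR(st.st_mode) and not st.st_mode & x_bit:
            problems.append((current, "no search (x) bit for %s" % cls))
        elif not stat.S_ISDIR(st.st_mode) and not st.st_mode & r_bit:
            problems.append((current, "no read (r) bit for %s" % cls))
    return problems

if __name__ == "__main__":
    # uid/gid 33 is www-data, per the apachectl -S output above.
    _, fs_path, reason = parse_ah00035(SAMPLE_LOG)
    print("Apache reported %s: %s" % (fs_path, reason))
    for component, problem in untraversable_components(fs_path, 33, {33}):
        print("  %s: %s" % (component, problem))
```

Run it on the server as any user; an empty list for the challenge directory (or the readme token) means the 403 is coming from something other than filesystem permissions, such as a Deny/Require rule or a rewrite.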


#8

PS: Now I can see the content:

http://www.grendel.no/.well-known/acme-challenge/readme

ACK


#9

OK, it seems there was a directory permission error. So now, the updates went through.

But the site still does not load.


#10

If you use certonly, you have to install your certificate manually.

PS: There is another, older certificate, which is valid:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.grendel.no&lu=cert_search

grendel.no from 28.05.2018 to 26.08.2018 with ten DNS names. But you didn't use it.


#11

This is embarrassing, but I restarted the web server, and now it works.

Thank you!


#12

Happy to read this.

Next time, renew a little bit earlier. Normally, after 60 - 70 days. If there are problems, you have more time to fix them.

