Certbot renew openSUSE 15.4 failed to authenticate some domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
dna.engr.latech.edu
I ran this command:
certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/dna.engr.latech.edu.conf


ssl_module is statically linked but --apache-bin is missing; not disabling session tickets.
Simulating renewal of an existing certificate for dna.engr.latech.edu

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: dna.engr.latech.edu
Type: connection
Detail: 138.47.29.6: Fetching http://dna.engr.latech.edu/.well-known/acme-challenge/oqmja1hMrVv6xppDNLiswG7XUn63xd-VD2IUZ7vIoX0: Connection reset by peer

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate dna.engr.latech.edu with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/dna.engr.latech.edu/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
dna:/etc/apache2/vhosts.d #

My web server is (include version):
apache2-2.4.51-150400.6.3.1.x86_64

The operating system my web server runs on is (include version):
openSUSE
VERSION = 15.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.32.2

Hello @tcbishop, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using this online tool Let's Debug gives these results for the HTTP-01 Challenge https://letsdebug.net/dna.engr.latech.edu/1319601

Supplemental information:

$ curl -I http://dna.engr.latech.edu/.well-known/acme-challenge/oqmja1hMrVv6xppDNLiswG7XUn63xd-VD2IUZ7vIoX0
HTTP/1.1 301 Moved Permanently
Date: Mon, 02 Jan 2023 01:57:58 GMT
Server: Apache
Location: https://dna.engr.latech.edu/.well-known/acme-challenge/oqmja1hMrVv6xppDNLiswG7XUn63xd-VD2IUZ7vIoX0
Content-Type: text/html; charset=iso-8859-1

$ curl -I https://dna.engr.latech.edu/.well-known/acme-challenge/oqmja1hMrVv6xppDNLiswG7XUn63xd-VD2IUZ7vIoX0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

$ curl -k -I https://dna.engr.latech.edu/.well-known/acme-challenge/oqmja1hMrVv6xppDNLiswG7XUn63xd-VD2IUZ7vIoX0
HTTP/1.1 404 Not Found
Date: Mon, 02 Jan 2023 01:59:09 GMT
Server: Apache
Vary: accept-language,accept-charset
Accept-Ranges: bytes
Content-Type: text/html; charset=utf-8
Content-Language: en


1 Like

Hi @tcbishop, and welcome to the LE community forum :slight_smile:

There seems to be an HTTP connectivity issue.
But since I see "Apache", I would advise that you troubleshoot that first.
I'd start that with:
sudo apachectl -t -D DUMP_VHOSTS

4 Likes

Is this what you are looking for?

dna:/etc/apache2/vhosts.d # apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
138.47.29.6:443 dna.engr.latech.edu (/etc/apache2/vhosts.d/dna.engr.latech.edu-le-ssl.conf:2)
138.47.29.6:80 dna.engr.latech.edu (/etc/apache2/vhosts.d/dna.engr.latech.edu.conf:13)

FYI: my university had previously filtered out some http traffic but that does not seem to be the issue w/ this.

Yes.
If that is the entire output, then I have two things to say/ask:

  1. using the IP in the vhost config is not recommended.
  2. the next step in the troubleshooting process is to review the HTTP file:

If that is NOT the entire output, then we may need to see more of it [to be sure there isn't anything there that might be related to this problem].

4 Likes

Using this online tool SSL Server Test (Powered by Qualys SSL Labs) shows that the TLS Certificate has Expired; and note that http is being redirected to https. curl and web browsers do not like that. I am not sure about Let's Encrypt during a HTTP-01 Challenge for Domain Validation.
SSL Server Test: dna.engr.latech.edu (Powered by Qualys SSL Labs)

1 Like

You want me to dump the contents of
/etc/apache2/vhosts.d/dna.engr.latech.edu.conf
and
/etc/apache2/vhosts.d/dna.engr.latech.edu-le-ssl.conf

Just the HTTP vhost.
[the first file mentioned]

As we can see, the problem exists in HTTP:

3 Likes

cat /etc/apache2/vhosts.d/dna.engr.latech.edu.conf

#
# VirtualHost template
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf. 
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints 
# about virtual hosts.
#
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
<VirtualHost 138.47.29.6:80>
    ServerAdmin bishop@latech.edu
    ServerName dna.engr.latech.edu

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    ###DocumentRoot /autotmb/home/www/vhosts/dna.engr.latech.edu
    DocumentRoot /home/www/htdocs/

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/error_log
    CustomLog /var/log/apache2/access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    # configures the footer on server-generated documents
    ServerSignature On


    # Optionally, include *.conf files from /etc/apache2/conf.d/
    #
    # For example, to allow execution of PHP scripts:
    #
    # Include /etc/apache2/conf.d/php5.conf
    #
    # or, to include all configuration snippets added by packages:
    # Include /etc/apache2/conf.d/*.conf


    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/home/www/cgi-bin/"

    # "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have one, and where ScriptAlias points to.
    #
    <Directory "/home/www/cgi-bin">
        AllowOverride None
        Options +ExecCGI -Includes
        <IfModule !mod_access_compat.c>
            Require all granted
        </IfModule>
        <IfModule mod_access_compat.c>
            Order allow,deny
            Allow from all
        </IfModule>
    </Directory>


    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
    # in /etc/sysconfig/apache2.
    #
    <IfModule mod_userdir.c>
        # Note that the name of the user directory ("public_html") cannot simply be
        # changed here, since it is a compile time setting. The apache package
        # would have to be rebuilt. You could work around by deleting
        # /usr/sbin/suexec, but then all scripts from the directories would be
        # executed with the UID of the webserver.
        UserDir public_html
        # The actual configuration of the directory is in
        # /etc/apache2/mod_userdir.conf.
        Include /etc/apache2/mod_userdir.conf
        # You can, however, change the ~ if you find it awkward, by mapping e.g.
        # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
        #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
    </IfModule>


    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/home/www/htdocs">

        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs/2.4/mod/core.html#options
        # for more information.
        #
        Options Indexes FollowSymLinks

        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
        AllowOverride None

        #
        # Controls who can get stuff from this server.
        #
        <IfModule !mod_access_compat.c>
            Require all granted
        </IfModule>
        <IfModule mod_access_compat.c>
            Order allow,deny
            Allow from all
        </IfModule>

    </Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =dna.engr.latech.edu
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Not in the error message shown.

4 Likes

Before we continue, please confirm if this was the entire output [OR NOT]:

4 Likes

That was full output w/ options indicated.

OK, then we need to see the associated renewal.conf file.
Find it with:
ls -l /etc/letsencrypt/renewal/

4 Likes

-rw-r--r-- 1 root root 569 Sep 27 18:37 dna.engr.latech.edu.conf

OK, let's have a look at that file.
It should explain why the HTTP challenge requests are NOT being redirected to HTTPS.

4 Likes

more /etc/letsencrypt/renewal/dna.engr.latech.edu.conf

# renew_before_expiry = 30 days
version = 1.30.0
archive_dir = /etc/letsencrypt/archive/dna.engr.latech.edu
cert = /etc/letsencrypt/live/dna.engr.latech.edu/cert.pem
privkey = /etc/letsencrypt/live/dna.engr.latech.edu/privkey.pem
chain = /etc/letsencrypt/live/dna.engr.latech.edu/chain.pem
fullchain = /etc/letsencrypt/live/dna.engr.latech.edu/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ed858a9831c022a3258bb3ffc600512e
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa

OK, now we know.
certbot is using the Apache plug-in to [temporarily] alter the Apache configuration to serve the challenge request.
Something has gone wrong with that and it now fails.

I'd recommend moving away from such alterations.
You could use --webroot -w /home/www/htdocs/ in its place.
Something like:
certbot renew --webroot -w /home/www/htdocs/ -d dna.engr.latech.edu

4 Likes

I don't think there's anything wrong with your Certbot setup or Apache.

When I try to issue a certificate against your server from my laptop, I see the same "connection by reset" issue:

$ sudo -E certbot certonly -d dna.engr.latech.edu --webroot -w /tmp --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for dna.engr.latech.edu

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: dna.engr.latech.edu
  Type:   connection
  Detail: 138.47.29.6: Fetching http://dna.engr.latech.edu/.well-known/acme-challenge/WMmku-7I33UkiGuf9EcTTx_PgCqiKOK6KbnkgUMxHl4: Connection reset by peer

To me, it indicates that there is something happening at the networking level.

A firewall or block list might cause this issue to occur. Consider whether you have any hardware or software running that might be blocking the Let's Encrypt validation servers. Maybe mod_security in Apache?

5 Likes
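The curl checks above and the "Connection reset by peer" diagnosis can be reproduced with a small probe. This is an added example, not code from the thread or from Certbot: it sends a plain HTTP/1.1 GET for a random token under /.well-known/acme-challenge/ to port 80, the way the CA's validators start an HTTP-01 check, and separates a TCP-level failure (reset, refused, timeout: look at firewalls or block lists in front of Apache) from an HTTP-level answer (redirect, 404, 200: look at the vhost). The host name and token are whatever you pass in; `classify` is a helper name chosen here.

```python
import secrets
import socket
import sys

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def probe_http01(host, token, timeout=10.0):
    """Plain-HTTP GET of the challenge path on TCP port 80, no TLS.
    Returns ("response", raw_bytes) or ("error", exception_class_name)."""
    request = (f"GET {CHALLENGE_PREFIX}{token} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: http01-probe\r\nConnection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((host, 80), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return ("response", b"".join(chunks))
    except OSError as exc:  # ConnectionResetError, ConnectionRefusedError, timeout
        return ("error", type(exc).__name__)


def classify(outcome, path):
    """Map a probe outcome to a verdict: 'network' means the TCP connection
    died before Apache answered; anything else means Apache answered."""
    kind, payload = outcome
    if kind == "error":
        return "network"
    head = payload.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (line.split(":", 1) for line in lines[1:] if ":" in line)}
    if status in (301, 302, 307, 308):
        location = headers.get("location", "")
        # Let's Encrypt follows HTTP-01 redirects to https:// without checking the
        # certificate, so a redirect that keeps the challenge path is acceptable.
        return "redirect-preserved" if location.endswith(path) else "redirect-broken"
    if status == 404:
        return "not-served"   # Apache reached, but nothing serves the token
    if status == 200:
        return "served"
    return f"unexpected-{status}"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    token = secrets.token_urlsafe(32)  # random: a 404 is the expected "healthy" answer
    print(classify(probe_http01(host, token), CHALLENGE_PREFIX + token))
```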

I thought we had ruled that out...
But it might still be in play.

4 Likes

I can ask the university IT guys if they are blocking things... but not sure what they might be filtering. The website seemed to work fine before the certificate expired, and it still works if I set up a security exception in my browser.

I can also disable my firewall temporarily and try the renewal, but http, http2, apache2, apache2-ssl are allowed via openSUSE's firewalld.