Cert renew fails on some domains

My domain is: www.bartvanderleck.nl

I ran this command: sudo certbot

It produced this output:
blank to select all options shown (Enter ‘c’ to cancel): 4
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.bartvanderleck.nl
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.bartvanderleck.nl (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.bartvanderleck.nl.well-known/acme-challenge/LFVPAtu8DGQunJt9ztsLhYuhpJ2nH-tS1g6lw0oFC8c: dns :: DNS problem: NXDOMAIN looking up A for www.bartvanderleck.nl.well-known

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.bartvanderleck.nl
    Type: connection
    Detail: Fetching
    https://www.bartvanderleck.nl.well-known/acme-challenge/LFVPAtu8DGQunJt9ztsLhYuhpJ2nH-tS1g6lw0oFC8c:
    dns :: DNS problem: NXDOMAIN looking up A for
    www.bartvanderleck.nl.well-known

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: my own server in a rack with True.nl

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0

I have a letsencrypt certificate on www.bartvanderleck.nl. It needs to be renewed, but I get an error on doing so. Until now, it would automatically renew every month. I have made no changes in the DNS.
The same is true for www.lizzyansingh.nl.
I also run www.amsterdamsejoffers.nl, for which there are no issues; they renew OK. These domains are all running on the same server on the same Apache2 instance.
Did something change in letsencrypt? I used to get certs renewed, but it generates an error starting in 2019.

Hi @xtine

that’s the “missing slash problem”. Checked your domain (via https://check-your-website.server-daten.de/?q=bartvanderleck.nl )

| Domainname | IP | Http-Status | Redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://bartvanderleck.nl/ | 87.233.133.101 | 302 | https://www.bartvanderleck.nl | 0.036 | E | |
| http://www.bartvanderleck.nl/ | 87.233.133.101 | 302 | https://www.bartvanderleck.nl | 0.030 | A | |
| https://bartvanderleck.nl/ | 87.233.133.101 | 200 | | 1.554 | N | Certificate error: RemoteCertificateNameMismatch |
| https://www.bartvanderleck.nl | | 200 | | 5.187 | I | |
| https://www.bartvanderleck.nl/ | 87.233.133.101 | 200 | | 1.330 | I | |
| http://bartvanderleck.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 87.233.133.101 | 302 | https://www.bartvanderleck.nl.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.036 | E | Visible Content: Found The document has moved here. |
| http://www.bartvanderleck.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 87.233.133.101 | 302 | https://www.bartvanderleck.nl.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.033 | A | Visible Content: Found The document has moved here. |
| https://www.bartvanderleck.nl.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | -1 | | 0.034 | R | NameResolutionFailure - The remote name could not be resolved: ‘www.bartvanderleck.nl.well-known’ |

Most is good. But you have a redirect http -> https. Letsencrypt follows these redirects.

But your redirect rule doesn’t have a /, so /.well-known/acme-challenge/1234 is redirected to the non-existent domain

https://www.bartvanderleck.nl.well-known/

Check your redirect rule and add a / after your %SERVERNAME (or HOSTNAME etc.).

Same with your second domain:

https://www.lizzyansingh.nl.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

PS: Your certificate has only the www domain name, so your non-www version is insecure. Create one certificate with both domain names and use that.
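To see why the missing slash turns the challenge URL into a hostname that can never resolve, here is an added example (not code from this thread, from Certbot or from Apache) that emulates the prefix substitution Apache's Redirect directive performs and then checks whether the ACME http-01 URL survives the redirect. The hostnames and the challenge token are taken from the thread; the two redirect rules are constructed to mirror the broken and the corrected configuration.

```python
"""Emulate Apache `Redirect <url-path> <target>` and check the ACME path.

Added example for this thread; not Certbot's or Apache's own code.
"""
from urllib.parse import urlsplit

# Constructed sample rules: the broken one (target without trailing slash,
# as in the thread) and the corrected one.
BROKEN_RULE = ("/", "https://www.bartvanderleck.nl")
FIXED_RULE = ("/", "https://www.bartvanderleck.nl/")

# Challenge path as it appears in the thread's Certbot output.
ACME_PREFIX = "/.well-known/acme-challenge/"
ACME_PATH = ACME_PREFIX + "LFVPAtu8DGQunJt9ztsLhYuhpJ2nH-tS1g6lw0oFC8c"


def apache_redirect(rule, request_path):
    """Return the Location header Apache would send, or None if no match.

    Redirect matches `url_path` as a prefix of the request path and replaces
    exactly that prefix with `target`, appending the remainder unchanged.
    No slash is inserted between the two parts, which is the whole problem.
    """
    url_path, target = rule
    if not request_path.startswith(url_path):
        return None
    return target + request_path[len(url_path):]


def check_acme_redirect(location, expected_host):
    """List what would break http-01 validation if the CA followed `location`.

    The CA must land on the same host and under /.well-known/acme-challenge/.
    """
    parts = urlsplit(location)
    problems = []
    if parts.hostname != expected_host:
        problems.append(f"host changed to {parts.hostname!r}; it will not resolve")
    if not parts.path.startswith(ACME_PREFIX):
        problems.append(f"path {parts.path!r} is outside {ACME_PREFIX}")
    return problems


if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        target = apache_redirect(rule, ACME_PATH)
        print(name, "->", target)
        for problem in check_acme_redirect(target, "www.bartvanderleck.nl"):
            print("   ", problem)
```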

I added a trailing / to the domain; it makes no change. Also, there was no trailing slash before, and it did work until the last renew. Also, the www.amsterdamsejoffers.nl domain doesn’t have a / in the redirect either:
Redirect / https://www.amsterdamsejoffers.nl

I use certbot version 0.28, were changes made in certbot?

I do get a different error now:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bartvanderleck.nl
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. bartvanderleck.nl (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.bartvanderleck.nl/.well-known/acme-challenge/IHq5XHk3_NG1Xgw6YkVLGs0EmF6c8q4Uhe2VCz2dtI0 [87.233.133.101]: “\n\n404 Not Found\n\nNot Found\n<p”

IMPORTANT NOTES:

Now you have correct redirects; the “not existing domain” error is gone.

| Domainname | IP | Http-Status | Redirect | Sec. | G | Notes |
|---|---|---|---|---|---|---|
| http://bartvanderleck.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 87.233.133.101 | 302 | https://www.bartvanderleck.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.033 | E | Visible Content: Found The document has moved here. |
| http://www.bartvanderleck.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 87.233.133.101 | 302 | https://www.bartvanderleck.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.034 | A | Visible Content: Found The document has moved here. |
| https://www.bartvanderleck.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 404 | | 5.187 | A | Not Found. Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. |

To fix your other problem, find your DocumentRoot (in your https - vHost) and use it:

certbot run -a webroot -i apache -w yourDocumentRoot -d bartvanderleck.nl -d www.bartvanderleck.nl

Check your https vHost because you have a correct redirect http -> https, so Certbot must create the validation file in your https vHost.

This doesn’t explain why it worked until now. It also doesn’t explain how the other domains do get the right certificates.
Also, it seems Certbot will stop working on Ubuntu 16.04 a week from now. Rather than using the fix they made for that, I am considering upgrading to 18.04.

This did work. Thank you.


You may have used tls-sni-01 validation. That’s deprecated; an updated certbot doesn’t use that.

Happy to read that it had worked. Now you have a new certificate with both domain names:

CN=bartvanderleck.nl | 05.03.2019 | 03.06.2019 | expires in 90 days | bartvanderleck.nl, www.bartvanderleck.nl - 2 entries

So both connections are secure.

But you have mixed content that is blocked.

http://c11.statcounter.com/counter.php?sc_project=1181742&java=0&security=e93423f0&invisible=1
http://www.statcounter.com/counter/counter.js

Change these links to https or remove the links.

Your second domain is now ok. Both have a wrong redirect http -> https with another domain name.
