Cert renewable fails with 404

Hey,

I happily used letsencrypt for several month now and all was working fine. However, since several days, the renewal process for my certificates now fails with the following error:

Domain: j4velin.de
   Type:   unauthorized
   Detail: Invalid response from
   http://j4velin.de/.well-known/acme-challenge/i2h7IdxI5zn6Z998lyBoCrbMKPZqYmoUyAsKdQx8JMc
   [5.196.219.123]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

My domain is: hoffmann-thomas.de (but also j4velin.de and some others)

I ran this command: sudo certbot renew --dry-run

It produced this output: https://hoffmann-thomas.de/files/renew.txt (letsencrypt.log here: https://hoffmann-thomas.de/files/letsencrypt.log)

My web server is (include version): Apache/2.4.7

The operating system my web server runs on is (include version): Ubuntu 14.04.6

My hosting provider, if applicable, is: webhod.de

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Any help would be greatly appreciated.

Hi @j4velin

you have a lot of old certificates ( https://check-your-website.server-daten.de/?q=j4velin.de#ct-logs ). Perhaps you have used tls-sni-01 - validation. That's deprecated and not longer supported.

Your config is not consistent, but I don't see if this is the problem.

Domainname Http-Status redirect Sec. G
• http://www.j4velin.de/
5.196.219.123 301 https://www.j4velin.de/ 0.050 A
• http://j4velin.de/
5.196.219.123 200 0.050 H
• https://j4velin.de/
5.196.219.123 200 0.350 B
• https://www.j4velin.de/
5.196.219.123 200 0.334 B
• http://www.j4velin.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
5.196.219.123 301 https://www.j4velin.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.053 A
Visible Content: Moved Permanently The document has moved here . Apache/2.4.7 (Ubuntu) Server at www.j4velin.de Port 80
• http://j4velin.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
5.196.219.123 404 0.053 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.7 (Ubuntu) Server at j4velin.de Port 80
• https://www.j4velin.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.264 A
Not Found
Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.7 (Ubuntu) Server at www.j4velin.de Port 443

The www version is redirected to https, the non-www version not.

If you use htt-01 validation, Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.

And your certificate has 8 domain names:

CN=hoffmann-thomas.de
	20.01.2019
	20.04.2019
expires in 27 days	hoffmann-thomas.de, j4velin.de, 
naturpur-uckermark.de, thomas-und-anna.de, 
www.hoffmann-thomas.de, www.j4velin.de, 
www.naturpur-uckermark.de, www.thomas-und-anna.de - 8 entries

Have all these domains the same vHost? Or different vHosts, but with the same DocumentRoot?

Checking your log

https://hoffmann-thomas.de/files/letsencrypt.log

some of your authentications are valid (www.thomas-und-anna.de), but j4velin.de is invalid.

Checking the valid domain ( https://check-your-website.server-daten.de/?q=thomas-und-anna.de ) there is the same inconsistency: non-www is redirected to https, www not.

So two different solutions:

  • use the webroot authentication (or)
  • double check your config to find the reason one domain works, another not - and fix that.

Hey Juergen,

thanks for your reply. I probably used the now deprectated method but according to How to stop using TLS-SNI-01 with Certbot it doesnt seem like I actively have to do anything to change that, do I?
I do use different vhosts and different documentRoot paths for all these domains. That wasn’t an issue with the old method, maybe it doesn’t work with the new one?

It's a long command, but that isn't really a problem.

certbot run -i apache -a webroot -w webroot-of-hoffmann-thomas -d hoffmann-thomas.de -d www.hoffmann-thomas.de -w webroot-of-j4velin -d j4velin.de -d www.j4velin.de ...

and the other two main domains.

But you can make it simpler if you create 4 certificates (if you have 4 vHosts).

certbot run -i apache -a webroot -w webroot-of-hoffmann-thomas -d hoffmann-thomas.de -d www.hoffmann-thomas.de

Then you can separate the problems if three domains are ok and the 4. doesn't work.

Thanks, now at least I have valid certs for all domains except j4velin.de …

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for j4velin.de
Using the webroot path /var/www/html/j4velin for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. j4velin.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://j4velin.de/.well-known/acme-challenge/ZCYfUhhtYXps-rH0KTmyfyW-AyTGqaWhSLqE-bAsErU [5.196.219.123]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

What does the line “Performing the following challenges: http-01 challenge for j4velin.de” mean exactly? That wasn’t printed on the other domains…

If that doesn't work, that's not your webroot.

Is there a default host? Perhaps this vHost is used. Typo in the ServerName or ServerAlias?

Create the two subdirectories

/var/www/html/j4velin/.well-known/acme-challenge

there a file (file name 1234), then try to load it with your browser:

http://j4velin.de/.well-known/acme-challenge/1234

Or use the too with the complete path j4velin.de/.well-known/acme-challenge/1234, same with the www-version.

No default vhost, no typos. Accessing http://j4velin.de/.well-known/acme-challenge/1234 redirects to the https:// version, but that then works. I currently exceeded the rate limit (again) so I’ll have to wait to test it with the complete path

But it's the wrong vHost.

Checking that url - https://check-your-website.server-daten.de/?q=j4velin.de%2F.well-known%2Facme-challenge%2F1234

shows the

CN=hoffmann-thomas.de
	24.03.2019
	22.06.2019
expires in 90 days	hoffmann-thomas.de, www.hoffmann-thomas.de - 2 entries

So it's the wrong vHost with a different DocumentRoot.

No, it the corret host, I just had to use the certs from the hoffmann-thomas.de domain (because I cant get certs for j4velin.de)

I think creating the .well-known/acme-challenge directories seems to have fixed the issue - certbot was now able to finally renew the cert for the j4velin.de domain too. Thanks for your help!

Happy to read that it had worked.

Yep, there is your new certificate:

CN=j4velin.de
	24.03.2019
	22.06.2019
expires in 90 days	j4velin.de, www.j4velin.de - 2 entries