Hey,
I happily used letsencrypt for several month now and all was working fine. However, since several days, the renewal process for my certificates now fails with the following error:
Domain: j4velin.de
Type: unauthorized
Detail: Invalid response from
http://j4velin.de/.well-known/acme-challenge/i2h7IdxI5zn6Z998lyBoCrbMKPZqYmoUyAsKdQx8JMc
[5.196.219.123]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
My domain is: hoffmann-thomas.de (but also j4velin.de and some others)
I ran this command: sudo certbot renew --dry-run
It produced this output: https://hoffmann-thomas.de/files/renew.txt (letsencrypt.log here: https://hoffmann-thomas.de/files/letsencrypt.log)
My web server is (include version): Apache/2.4.7
The operating system my web server runs on is (include version): Ubuntu 14.04.6
My hosting provider, if applicable, is: webhod.de
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
Any help would be greatly appreciated.
Hi @j4velin
you have a lot of old certificates ( https://check-your-website.server-daten.de/?q=j4velin.de#ct-logs ). Perhaps you have used tls-sni-01 - validation. That's deprecated and not longer supported.
Your config is not consistent, but I don't see if this is the problem.
The www version is redirected to https, the non-www version not.
If you use htt-01 validation, Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.
And your certificate has 8 domain names:
CN=hoffmann-thomas.de
20.01.2019
20.04.2019
expires in 27 days hoffmann-thomas.de, j4velin.de,
naturpur-uckermark.de, thomas-und-anna.de,
www.hoffmann-thomas.de, www.j4velin.de,
www.naturpur-uckermark.de, www.thomas-und-anna.de - 8 entries
Have all these domains the same vHost? Or different vHosts, but with the same DocumentRoot?
Checking your log
https://hoffmann-thomas.de/files/letsencrypt.log
some of your authentications are valid (www.thomas-und-anna.de), but j4velin.de is invalid.
Checking the valid domain ( https://check-your-website.server-daten.de/?q=thomas-und-anna.de ) there is the same inconsistency: non-www is redirected to https, www not.
So two different solutions:
- use the webroot authentication (or)
- double check your config to find the reason one domain works, another not - and fix that.
Hey Juergen,
thanks for your reply. I probably used the now deprectated method but according to How to stop using TLS-SNI-01 with Certbot it doesnt seem like I actively have to do anything to change that, do I?
I do use different vhosts and different documentRoot paths for all these domains. That wasn’t an issue with the old method, maybe it doesn’t work with the new one?
It's a long command, but that isn't really a problem.
certbot run -i apache -a webroot -w webroot-of-hoffmann-thomas -d hoffmann-thomas.de -d www.hoffmann-thomas.de -w webroot-of-j4velin -d j4velin.de -d www.j4velin.de ...
and the other two main domains.
But you can make it simpler if you create 4 certificates (if you have 4 vHosts).
certbot run -i apache -a webroot -w webroot-of-hoffmann-thomas -d hoffmann-thomas.de -d www.hoffmann-thomas.de
Then you can separate the problems if three domains are ok and the 4. doesn't work.
Thanks, now at least I have valid certs for all domains except j4velin.de …
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for j4velin.de
Using the webroot path /var/www/html/j4velin for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. j4velin.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://j4velin.de/.well-known/acme-challenge/ZCYfUhhtYXps-rH0KTmyfyW-AyTGqaWhSLqE-bAsErU [5.196.219.123]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
What does the line “Performing the following challenges: http-01 challenge for j4velin.de” mean exactly? That wasn’t printed on the other domains…
If that doesn't work, that's not your webroot.
Is there a default host? Perhaps this vHost is used. Typo in the ServerName or ServerAlias?
Create the two subdirectories
/var/www/html/j4velin/.well-known/acme-challenge
there a file (file name 1234), then try to load it with your browser:
http://j4velin.de/.well-known/acme-challenge/1234
Or use the too with the complete path j4velin.de/.well-known/acme-challenge/1234, same with the www-version.
No default vhost, no typos. Accessing http://j4velin.de/.well-known/acme-challenge/1234 redirects to the https:// version, but that then works. I currently exceeded the rate limit (again) so I’ll have to wait to test it with the complete path
But it's the wrong vHost.
Checking that url - https://check-your-website.server-daten.de/?q=j4velin.de%2F.well-known%2Facme-challenge%2F1234
shows the
CN=hoffmann-thomas.de
24.03.2019
22.06.2019
expires in 90 days hoffmann-thomas.de, www.hoffmann-thomas.de - 2 entries
So it's the wrong vHost with a different DocumentRoot.
No, it the corret host, I just had to use the certs from the hoffmann-thomas.de domain (because I cant get certs for j4velin.de)
I think creating the .well-known/acme-challenge directories seems to have fixed the issue - certbot was now able to finally renew the cert for the j4velin.de domain too. Thanks for your help!
Happy to read that it had worked.
Yep, there is your new certificate:
CN=j4velin.de
24.03.2019
22.06.2019
expires in 90 days j4velin.de, www.j4velin.de - 2 entries