Cert renewal fails with 404

Hey,

I have happily used letsencrypt for several months now and all was working fine. However, for several days now the renewal process for my certificates has been failing with the following error:

Domain: j4velin.de
   Type:   unauthorized
   Detail: Invalid response from
   http://j4velin.de/.well-known/acme-challenge/i2h7IdxI5zn6Z998lyBoCrbMKPZqYmoUyAsKdQx8JMc
   [5.196.219.123]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

My domain is: hoffmann-thomas.de (but also j4velin.de and some others)

I ran this command: sudo certbot renew --dry-run

It produced this output: https://hoffmann-thomas.de/files/renew.txt (letsencrypt.log here: https://hoffmann-thomas.de/files/letsencrypt.log)

My web server is (include version): Apache/2.4.7

The operating system my web server runs on is (include version): Ubuntu 14.04.6

My hosting provider, if applicable, is: webhod.de

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Any help would be greatly appreciated.

Hi @j4velin

you have a lot of old certificates ( https://check-your-website.server-daten.de/?q=j4velin.de#ct-logs ). Perhaps you have used tls-sni-01 validation. That's deprecated and no longer supported.

Your config is not consistent, but I don’t see if this is the problem.

Domainname | Http-Status | redirect | Sec. | G
http://www.j4velin.de/ (5.196.219.123) | 301 | https://www.j4velin.de/ | 0.050 | A
http://j4velin.de/ (5.196.219.123) | 200 | | 0.050 | H
https://j4velin.de/ (5.196.219.123) | 200 | | 0.350 | B
https://www.j4velin.de/ (5.196.219.123) | 200 | | 0.334 | B
http://www.j4velin.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (5.196.219.123) | 301 | https://www.j4velin.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.053 | A
    Visible Content: Moved Permanently The document has moved here . Apache/2.4.7 (Ubuntu) Server at www.j4velin.de Port 80
http://j4velin.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (5.196.219.123) | 404 | | 0.053 | A
    Not Found
    Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.7 (Ubuntu) Server at j4velin.de Port 80
https://www.j4velin.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 404 | | 0.264 | A
    Not Found
    Visible Content: Not Found The requested URL /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de was not found on this server. Apache/2.4.7 (Ubuntu) Server at www.j4velin.de Port 443

The www version is redirected to https, the non-www version is not.

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge, and Letsencrypt checks that file.

And your certificate has 8 domain names:

CN=hoffmann-thomas.de    20.01.2019    20.04.2019    expires in 27 days
hoffmann-thomas.de, j4velin.de, naturpur-uckermark.de, thomas-und-anna.de, www.hoffmann-thomas.de, www.j4velin.de, www.naturpur-uckermark.de, www.thomas-und-anna.de - 8 entries

Do all these domains have the same vHost? Or different vHosts, but with the same DocumentRoot?

Checking your log

https://hoffmann-thomas.de/files/letsencrypt.log

some of your authentications are valid (www.thomas-und-anna.de), but j4velin.de is invalid.

Checking the valid domain ( https://check-your-website.server-daten.de/?q=thomas-und-anna.de ) there is the same inconsistency: non-www is redirected to https, www not.

So two different solutions:

  • use the webroot authentication (or)
  • double check your config to find the reason why one domain works and another does not, and fix that.

Hey Juergen,

thanks for your reply. I probably used the now deprecated method, but according to How to stop using TLS-SNI-01 with Certbot it doesn't seem like I actively have to do anything to change that, do I?
I do use different vHosts and different DocumentRoot paths for all these domains. That wasn't an issue with the old method, maybe it doesn't work with the new one?

It’s a long command, but that isn’t really a problem.

certbot run -i apache -a webroot -w webroot-of-hoffmann-thomas -d hoffmann-thomas.de -d www.hoffmann-thomas.de -w webroot-of-j4velin -d j4velin.de -d www.j4velin.de ...

and the other two main domains.

But you can make it simpler if you create 4 certificates (if you have 4 vHosts).

certbot run -i apache -a webroot -w webroot-of-hoffmann-thomas -d hoffmann-thomas.de -d www.hoffmann-thomas.de

Then you can separate the problems if three domains are ok and the 4th doesn't work.

Thanks, now at least I have valid certs for all domains except j4velin.de

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for j4velin.de
Using the webroot path /var/www/html/j4velin for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. j4velin.de (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://j4velin.de/.well-known/acme-challenge/ZCYfUhhtYXps-rH0KTmyfyW-AyTGqaWhSLqE-bAsErU [5.196.219.123]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

What does the line “Performing the following challenges: http-01 challenge for j4velin.de” mean exactly? That wasn’t printed on the other domains…

If that doesn’t work, that’s not your webroot.

Is there a default host? Perhaps this vHost is used. Typo in the ServerName or ServerAlias?

Create the two subdirectories

/var/www/html/j4velin/.well-known/acme-challenge

and put a file there (file name 1234), then try to load it with your browser:

http://j4velin.de/.well-known/acme-challenge/1234

Or use the tool with the complete path j4velin.de/.well-known/acme-challenge/1234, same with the www version.
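The directory-and-test-file check above, as an added shell example that is not from the thread: it writes a token under the webroot and then fetches it the way the CA does (plain HTTP, following redirects), so a 404 means the vHost answering for that name serves a different DocumentRoot. The webroot path, domain names and token are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of an http-01 webroot.
# Writes a test token under <webroot>/.well-known/acme-challenge, then fetches
# it over plain HTTP following redirects, as Let's Encrypt does. A 404 here
# means the vHost that answers for the domain uses another DocumentRoot.
# WEBROOT, DOMAIN and the token value are constructed demo values.
set -eu

# Create .well-known/acme-challenge below WEBROOT and write TOKEN into a
# file of the same name (certbot's webroot plugin does the same). Prints path.
make_challenge_file() {
    webroot="$1"; token="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# Succeeds (exit 0) only when the final status is 200 and the body is
# exactly the token; a 404 HTML page, as in the thread, fails.
challenge_ok() {
    status="$1"; body="$2"; token="$3"
    [ "$status" = "200" ] && [ "$body" = "$token" ]
}

# Request http://DOMAIN/.well-known/acme-challenge/TOKEN with curl -L and
# report the final URL, so an http->https redirect stays visible.
probe() {
    domain="$1"; token="$2"; tmp=$(mktemp)
    url="http://$domain/.well-known/acme-challenge/$token"
    meta=$(curl -sSL -o "$tmp" -w '%{http_code} %{url_effective}' "$url")
    status=${meta%% *}; final=${meta#* }
    body=$(cat "$tmp"); rm -f "$tmp"
    if challenge_ok "$status" "$body" "$token"; then
        echo "OK   $domain -> $final"
    else
        echo "FAIL $domain -> $final (status $status)"
        echo "     compare against the parsed vHost list: apache2ctl -S"
        return 1
    fi
}

# Usage: sh acme-precheck.sh /var/www/html/j4velin j4velin.de www.j4velin.de
if [ "$#" -ge 2 ]; then
    webroot="$1"; shift
    token="precheck-$$"
    make_challenge_file "$webroot" "$token" >/dev/null
    for d in "$@"; do probe "$d" "$token" || true; done
    rm -f "$webroot/.well-known/acme-challenge/$token"
fi
```

Run it once per webroot with every name that certificate will carry; a name that reports FAIL is the one whose vHost or DocumentRoot needs fixing before certbot is retried (rate limits count failed authorizations too).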

No default vHost, no typos. Accessing http://j4velin.de/.well-known/acme-challenge/1234 redirects to the https:// version, but that then works. I currently exceeded the rate limit (again), so I'll have to wait to test it with the complete path.

But it’s the wrong vHost.

Checking that url - https://check-your-website.server-daten.de/?q=j4velin.de%2F.well-known%2Facme-challenge%2F1234

shows the

CN=hoffmann-thomas.de    24.03.2019    22.06.2019    expires in 90 days
hoffmann-thomas.de, www.hoffmann-thomas.de - 2 entries

So it’s the wrong vHost with a different DocumentRoot.

No, it's the correct host, I just had to use the certs from the hoffmann-thomas.de domain (because I can't get certs for j4velin.de).

I think creating the .well-known/acme-challenge directories seems to have fixed the issue: certbot was now finally able to renew the cert for the j4velin.de domain too. Thanks for your help!


Happy to read that it had worked.

Yep, there is your new certificate:

CN=j4velin.de    24.03.2019    22.06.2019    expires in 90 days
j4velin.de, www.j4velin.de - 2 entries
