Cert renewal partial auth failure


#1

Renewal is failing on two of our three domains in our single cert… I was told we ran this command to renew last time, but now it is failing. I can browse to the files in the acme-challenge directory. One note is that our www.acttheatre.org in our DNS A records does not have an IP… acttheatre.org does; www.acttheatre.org is redirected to acttheatre using the CNAME entry: www.acttheatre.org 3600 acttheatre.org
Perhaps this is the problem? More info below, thanks!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: acttheatre.org dev.acttheatre.org www.acttheatre.org

I ran this command: sudo ./certbot-auto certonly --dry-run --webroot -w /opt/bitnami/apps/wordpress/htdocs -d dev.acttheatre.org -d acttheatre.org -d www.acttheatre.org

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dev.acttheatre.org
http-01 challenge for acttheatre.org
http-01 challenge for www.acttheatre.org
Using the webroot path /opt/bitnami/apps/wordpress/htdocs for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. acttheatre.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://acttheatre.org/.well-known/acme-challenge/PijNC9AVhIEGr-GQKJ5KHV57oO58CAGVxmcoAmW_pRA: "\n<html class="avada-html-layout-wide avada-html-has-sticky-footer" lang="en-US" prefix="og: http://ogp.me/ns# fb:", www.acttheatre.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.acttheatre.org/.well-known/acme-challenge/k7biAFOH9uOCiuUwMy8ER4-vH37TE1oh9NVKfNy-mec: "\n<html class="avada-html-layout-wide avada-html-has-sticky-footer" lang="en-US" prefix="og: http://ogp.me/ns# fb:"

IMPORTANT NOTES:

My web server is (include version): bitnami apache

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): I think so

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi @rwolken

Is your webroot correct? Please create the two required subdirectories

/opt/bitnami/apps/wordpress/htdocs/.well-known/acme-challenge

and put a file there (file name 1234, without extension).

Then try to load this file via

http://acttheatre.org/.well-known/acme-challenge/1234
http://www.acttheatre.org/.well-known/acme-challenge/1234
http://dev.acttheatre.org/.well-known/acme-challenge/1234

No, a CNAME isn’t a problem.


#3

So dev.acttheatre.org worked? It resolves to a different IP address from the other two - are they on different servers? Are you running certbot on the dev server? If so you need to get the dev cert on the dev server and the live cert on the live server. Or if you need all three domains on one cert, you can configure one server to redirect /.well-known/acme-challenge/* to the other server.


#4

Yes, dev worked and all three domains are on the same cert. We have two servers, a Dev and a Live one. How would I configure/set up a redirect of the .well-known/acme-challenge to that other server? THANKS


#5

I’d recommend getting two separate certs, one for dev and one for live, as that should be much simpler to renew…

If you really want to keep the single cert with all three domains, you can set up a redirect in your Apache configuration. Something along the lines of (on the dev server):

Redirect "/.well-known/acme-challenge/" "https://acttheatre.org/.well-known/acme-challenge/"

and then run certbot on the live server. That way, the challenge request will be redirected to the server where certbot is actually running and able to respond to it. Or you could do it the other way round, set up the redirect from live to dev and run certbot on dev. Remember you also need to copy the renewed cert (and private key, unless you use --reuse-key) to the other server.
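A probe script, added here and not from any post in this thread, that does the check posts #2 and #3 describe (drop a token file in the webroot, fetch it through each domain while following redirects as the http-01 validator does, and show which IP each name resolves to) and labels a WordPress page returned in place of the token as the wrong-server/rewrite case seen in post #1. It assumes a Linux host with curl and getent; the webroot and domains are the thread's, and the probe file name is constructed.

```shell
#!/bin/sh
# Added diagnostic for the thread's setup, not certbot's or Bitnami's own code.
# Assumes: POSIX sh, curl, getent (glibc). Run as: sh probe.sh run
set -u

WEBROOT="/opt/bitnami/apps/wordpress/htdocs"
DOMAINS="dev.acttheatre.org acttheatre.org www.acttheatre.org"
TOKEN="probe-$(date +%s)"   # constructed probe file name, like the "1234" file in post #2

# classify_response BODY EXPECTED
# prints: ok | empty | wrong-server-or-rewrite | mismatch
classify_response() {
  body="$1"; expected="$2"
  if [ -z "$body" ]; then echo "empty"; return; fi
  if [ "$body" = "$expected" ]; then echo "ok"; return; fi
  case "$body" in
    *"<html"*|*"<!DOCTYPE"*|*"<!doctype"*)
      # A full web page instead of the token means the request reached a host
      # that ran its application front controller: either a different server
      # than the one certbot wrote the file on, or a rewrite rule swallowing
      # /.well-known/ (this is what the error in post #1 shows).
      echo "wrong-server-or-rewrite"; return;;
  esac
  echo "mismatch"
}

# resolve_ip DOMAIN -> first IPv4 the resolver returns (CNAMEs are followed)
resolve_ip() { getent ahostsv4 "$1" | awk 'NR==1{print $1}'; }

# probe_domain DOMAIN -> one report line: name, resolved IP, classification
probe_domain() {
  url="http://$1/.well-known/acme-challenge/$TOKEN"
  # -L follows redirects, as the Let's Encrypt validator does for http-01
  body=$(curl -fsSL --max-time 10 "$url" 2>/dev/null || true)
  printf '%-24s %-16s %s\n' "$1" "$(resolve_ip "$1")" "$(classify_response "$body" "$TOKEN")"
}

main() {
  dir="$WEBROOT/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s' "$TOKEN" > "$dir/$TOKEN"
  for d in $DOMAINS; do probe_domain "$d"; done
  rm -f "$dir/$TOKEN"
}

case "${1:-}" in run) main;; esac
```

A line that resolves to the other server's IP and reports wrong-server-or-rewrite is the case post #5's redirect is meant to fix; re-run the probe after adding the Redirect and it should report ok for every name.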


#6

Thanks!
I did put a file, yep.html, in http://acttheatre.org/.well-known/acme-challenge
and can open that file.

I can try the redirect and let you know. thanks


#7

The redirect does not work. A bit frustrated that this procedure worked last time and I have two days left.

I believe the --reuse-key is set up as it seemed to auto copy the cert over to the other server. If I am to replace both certs with one for dev and one for the other, how do I turn this off?

AND would I just rerun the command I have been using and leave out the -d for domains on the other server?
sudo ./certbot-auto certonly --webroot -w /opt/bitnami/apps/wordpress/htdocs -d acttheatre.org -d www.acttheatre.org
thank you!


#8

Check for post_hook/renew_hook lines in /etc/letsencrypt/renewal/[your cert name].conf and scripts in /etc/letsencrypt/renewal-hooks/{post,deploy} - that’s where anything that runs automatically on renewal would be configured. Or check your own custom cron jobs, if any.

Yes, that command will get you a new cert for just the one or two domains. However, note that since you already have one for the three domains, the new cert will have a new name (e.g. something like acttheatre.org-0001) which you would then need to update your Apache configuration to point at since the cert name is also the name of the directory where the cert is stored.

If you prefer instead to replace and overwrite the existing cert, keeping its current name and location, you can add the --cert-name option to the command, to specify which cert you want to replace. Use sudo ./certbot-auto certificates to find out the name if you’re not sure.


#9

Thanks so very much for the help!