Certbot-auto renew failed when redirecting HTTP to HTTPS

I ran this command: sudo ./certbot-auto renew
This output:

Processing /etc/letsencrypt/renewal/bugzilla.game.xxx.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bugzilla.game.xxx.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (bugzilla.game.xxx.com) from /etc/letsencrypt/renewal/bugzilla.game.xxx.com.conf produced an unexpected error: Failed authorization procedure. bugzilla.game.xxx.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://bugzilla.game.xxx.com/.well-known/acme-challenge/QliKipQIn9Zdd6y3-CSa6GUGP__4I3SjcvSHmTib1h4: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.

But if I comment out “redirect / https://bugzilla.game.xxx.com” in the Apache config, then it works!
Please help me get certbot-auto renew to succeed from crontab, without manually commenting out “redirect / https:…”

Thanks.

Please post your vhost config here.

<VirtualHost *:80>
        ServerName bugzilla.game.xxx.com
        ServerAdmin root@xxx.com
	DocumentRoot /projects/bugzilla/web/docroot
	Redirect permanent / https://bugzilla.game.xxx.com
	<Directory  /projects/bugzilla/web/docroot/>
	    	Order allow,deny
		AddHandler cgi-script .cgi
  		Options +ExecCGI
  		DirectoryIndex index.cgi index.html
  		AllowOverride All     
        </Directory>


        <IfModule mpm_itk_module>
          AssignUserId bugzilla bugzilla
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/bugzilla/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/bugzilla/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerName bugzilla.game.xxx.com
		ServerAdmin root@xxx.com
		
		DocumentRoot /projects/bugzilla/web/docroot
        <Directory  /projects/bugzilla/web/docroot/>
		AddHandler cgi-script .cgi
  		Options +ExecCGI
  		DirectoryIndex index.cgi index.html
  		AllowOverride All     
        </Directory>

		<IfModule mpm_itk_module>
		  AssignUserId bugzilla bugzilla
		</IfModule>


		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
		# error, crit, alert, emerg.
		# It is also possible to configure the loglevel for particular
		# modules, e.g.
		#LogLevel info ssl:warn

		ErrorLog ${APACHE_LOG_DIR}/bugzilla/error.log
		CustomLog ${APACHE_LOG_DIR}/bugzilla/access.log combined

		# For most configuration files from conf-available/, which are
		# enabled or disabled at a global level, it is possible to
		# include a line for only one particular virtual host. For example the
		# following line enables the CGI configuration for this host only
		# after it has been globally disabled with "a2disconf".
		#Include conf-available/serve-cgi-bin.conf

		#   SSL Engine Switch:
		#   Enable/Disable SSL for this virtual host.
		SSLEngine on

		#   A self-signed (snakeoil) certificate can be created by installing
		#   the ssl-cert package. See
		#   /usr/share/doc/apache2/README.Debian.gz for more info.
		#   If both key and certificate are stored in the same file, only the
		#   SSLCertificateFile directive is needed.
		SSLCertificateFile	/etc/letsencrypt/live/bugzilla.game.xxx.com/cert.pem
		SSLCertificateKeyFile	/etc/letsencrypt/live/bugzilla.game.xxx.com/privkey.pem	
 
		#   Server Certificate Chain:
		#   Point SSLCertificateChainFile at a file containing the
		#   concatenation of PEM encoded CA certificates which form the
		#   certificate chain for the server certificate. Alternatively
		#   the referenced file can be the same as SSLCertificateFile
		#   when the CA certificates are directly appended to the server
		#   certificate for convenience.
		SSLCertificateChainFile	/etc/letsencrypt/live/bugzilla.game.xxx.com/chain.pem

I dropped Apache over a year ago so I’m a bit rusty. Something like this might help you.

RewriteEngine On
RewriteBase /

# Redirect all hits except for Let's Encrypt's ACME Challenge verification to example.com
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} !^.well-known/acme-challenge
RewriteRule ^(.*) http://example.com/$1 [R=301,L]

RewriteCond %{REQUEST_URI} !^.well-known/acme-challenge
RewriteRule ^(.*) https://example.com/$1 [R=301,L]

Your Redirect directive is not the right one, you need a trailing slash:

Before:

Redirect permanent / https://bugzilla.game.xxx.com

After:

Redirect permanent / https://bugzilla.game.xxx.com/

Restart/reload Apache and try again.

Cheers,
sahsanu
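
Why the trailing slash matters, as an added example (not code from this thread, Certbot or Apache): mod_alias appends whatever follows the matched URL-path to the target, so with `/` matched and no slash on the target, the challenge path is glued onto the hostname. `redirect_location` and `lint_redirects` are hypothetical helper names implementing a simplified model of that prefix matching, and `TOKEN` is a placeholder.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the "before" and "after" Redirect lines from the thread.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName bugzilla.game.xxx.com
    Redirect permanent / https://bugzilla.game.xxx.com
</VirtualHost>
<VirtualHost *:80>
    ServerName bugzilla.game.xxx.com
    Redirect permanent / https://bugzilla.game.xxx.com/
</VirtualHost>
"""

ACME_PATH = "/.well-known/acme-challenge/TOKEN"  # placeholder token

# Redirect [status] URL-path URL (RedirectMatch and commented lines are skipped)
REDIRECT_RE = re.compile(
    r"^[ \t]*Redirect[ \t]+(?:(?:permanent|temp|seeother|\d{3})[ \t]+)?"
    r"(\S+)[ \t]+(\S+)[ \t]*$", re.IGNORECASE | re.MULTILINE)

def redirect_location(url_path, target, request_path):
    """Simplified mod_alias model: the text after the matched URL-path is
    appended to the target unchanged. Returns None if the rule does not apply."""
    if not request_path.startswith(url_path):
        return None
    rest = request_path[len(url_path):]
    # A prefix without a trailing slash only matches on a path-segment boundary.
    if not url_path.endswith("/") and rest and not rest.startswith("/"):
        return None
    return target + rest

def lint_redirects(conf_text, request_path=ACME_PATH):
    """Return (directive, Location, ok) per applicable Redirect; ok is True
    when the redirect still points at the host named in the directive."""
    findings = []
    for m in REDIRECT_RE.finditer(conf_text):
        location = redirect_location(m.group(1), m.group(2), request_path)
        if location is None:
            continue
        ok = urlsplit(location).hostname == urlsplit(m.group(2)).hostname
        findings.append((m.group(0).strip(), location, ok))
    return findings

if __name__ == "__main__":
    for directive, location, ok in lint_redirects(SAMPLE_CONF):
        print("OK  " if ok else "BAD ", directive, "->", location)
```

The check compares hosts only, so run it over each port-80 vhost before relying on an unattended renewal from cron.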

<VirtualHost *:80>
        ServerName bugzilla.game.xxx.com
        ServerAdmin root@xxx.com
	DocumentRoot /projects/bugzilla/web/docroot
	Redirect permanent / https://bugzilla.game.xxx.com/
	<Directory  /projects/bugzilla/web/docroot/>
	    	Order allow,deny
		AddHandler cgi-script .cgi
  		Options +ExecCGI
  		DirectoryIndex index.cgi index.html
  		AllowOverride All     

		RewriteEngine On
		RewriteBase /

		# Redirect all hits except for Let's Encrypt's ACME Challenge verification to example.com
		RewriteCond %{SERVER_PORT} 80
		RewriteCond %{REQUEST_URI} !^.well-known/acme-challenge
		RewriteRule ^(.*) http://bugzilla.game.xxx.com/$1 [R=301,L]

		RewriteCond %{REQUEST_URI} !^.well-known/acme-challenge
		RewriteRule ^(.*) https://bugzilla.game.xxx.com/$1 [R=301,L]
	
	</Directory>

        <IfModule mpm_itk_module>
          AssignUserId bugzilla bugzilla
        </IfModule>

        ErrorLog ${APACHE_LOG_DIR}/bugzilla/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/bugzilla/access.log combined
</VirtualHost>

Still doesn't work, bro.

FYI, my server runs on EC2.

Processing /etc/letsencrypt/renewal/bugzilla.game.the-im.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Attempting to renew cert (bugzilla.game.the-im.com) from /etc/letsencrypt/renewal/bugzilla.game.the-im.com.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.. Skipping.

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. So, try again in 1 hour.

Try this order and let me know. As I said, my Apache is rather rusty.

   <VirtualHost *:80>
            ServerName bugzilla.game.xxx.com
            ServerAdmin root@xxx.com
    	DocumentRoot /projects/bugzilla/web/docroot

    		RewriteEngine On
    		RewriteBase /

    		# Redirect all hits except for Let's Encrypt's ACME Challenge verification to example.com
    		RewriteCond %{SERVER_PORT} 80
    		RewriteCond %{REQUEST_URI} !^.well-known/acme-challenge
    		RewriteRule ^(.*) http://bugzilla.game.xxx.com/$1 [R=301,L]

    		RewriteCond %{REQUEST_URI} !^.well-known/acme-challenge
    		RewriteRule ^(.*) https://bugzilla.game.xxx.com/$1 [R=301,L]


    	Redirect permanent / https://bugzilla.game.xxx.com/
    	<Directory  /projects/bugzilla/web/docroot/>
    	    	Order allow,deny
    		AddHandler cgi-script .cgi
      		Options +ExecCGI
      		DirectoryIndex index.cgi index.html
      		AllowOverride All     

    	
    	</Directory>

There is no need for those rewrite rules; both VirtualHosts (80 & 443) use the same DocumentRoot, so fixing the Redirect directive by adding a trailing slash would solve the issue.

Thanks @sahsanu my Apache has gotten soooooo rusty :smile:

Thanks 2 Brother :heart_eyes: trailing slash would solve the issue.
