Certbot breaks site

Have three sites using certbot. Running certbot to reinstall works for the chosen site but breaks the other two sites. Sites are:

chessregister.com
smilerestored.com
7thrank.com

Also, running certbot renew --dry-run ends with errors and references sites that I’ve revoked (no longer using) …

Processing /etc/letsencrypt/renewal/7thrank.com.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kmbig.com
http-01 challenge for mikelucente.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (7thrank.com) from /etc/letsencrypt/renewal/7thrank.com.conf produced an unexpected error: Failed authorization procedure. kmbig.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kmbig.com/.well-known/acme-challenge/x8pMiXoFqcN6lZwnihSBt34qr9ODNUdRv4_bkZuHGvs [198.54.117.197]: "\r\n404 Not Found\r\n\r\n404 Not Found\r\nopenresty</cente", mikelucente.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://7thrank.com [45.55.33.90]: "\n<html lang="en-US">\n\n\t<meta charset="UTF-8" />\n<meta http-equiv="X-UA-Compatible" content="IE=edge">\n\t<lin". Skipping.

So I’m thoroughly confused about how to resolve all of this.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: smilerestored.com

I ran this command: certbot

It produced this output: normal output (success)

My web server is (include version): apache

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is: DO

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31

Hi @motoaddict

the errors are expected.

Checking your domain - https://check-your-website.server-daten.de/?q=7thrank.com#ct-logs

Issuer                     | not before | not after  | Domain names                                                                                                   | LE-Duplicate next LE
Let's Encrypt Authority X3 | 2019-10-17 | 2020-01-15 | www.7thrank.com - 1 entries                                                                                    | duplicate nr. 1
Let's Encrypt Authority X3 | 2019-08-24 | 2019-11-22 | 7thrank.com, home.chessregister.com, kmbig.com, mikelucente.com, smilerestored.com, www.7thrank.com - 6 entries |

Dry-run tries to renew existing certificates. That can't work if the certificate has expired domain names, so you don't have a working vHost -> you can't use --dry-run.

Instead, create new certificates.

But first: Check / share your vHost configuration:

apachectl -S

VirtualHost configuration:
*:80 wordpress.7thrank.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server 7thrank.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost 7thrank.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias www.7thrank.com
alias smilerestored.com
alias home.chessregister.com
port 443 namevhost wordpress.7thrank.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

There is a port 443 vHost with four domain names.

But there is no port 80 vHost with the same list of domain names.

So create one, then share apachectl -S again.

If that's correct, create a new certificate:

certbot -d 7thrank.com -d www.7thrank.com -d smilerestored.com -d home.chessregister.com --apache

Revocation doesn't stop Certbot from trying to renew a certificate (we assume that you may have revoked it for a reason other than not wanting it anymore, such as accidentally disclosing the private key). In order to get Certbot to stop trying to renew for names that you're no longer using, you need to replace their certificates with certificates that no longer list the old names (e.g. certbot certonly with a -d list not including those names), or delete the old certificates (e.g. certbot delete). In the latter case, you should make sure that no web server virtual hosts are still referencing the unused certificate, in order to avoid invalidating your web server configuration.

How do I modify the following to do what you are suggesting?

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    <Directory /var/www/html/>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Redirect to HTTPS for the listed names (the block Certbot adds with --redirect)
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =7thrank.com [OR]
    RewriteCond %{SERVER_NAME} =smilerestored.com [OR]
    RewriteCond %{SERVER_NAME} =www.7thrank.com [OR]
    RewriteCond %{SERVER_NAME} =www.smilerestored.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Add one ServerName and three ServerAlias.

Same as your port 443 vHost.
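
To show the check behind that advice (the missing port 80 names found from apachectl -S above, and the ServerName/ServerAlias lines to add), here is an added Python example that is not from this thread, Certbot or Apache: it parses an apachectl -S dump, lists the names served only on port 443, and generates the directives that mirror the 443 vHost onto port 80. The embedded dump is a constructed copy of the first one posted above, VirtualHost section only.

```python
import re
# Constructed sample: the first `apachectl -S` dump in this thread, VirtualHost section only.
APACHECTL_DUMP = """\
VirtualHost configuration:
*:80 wordpress.7thrank.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server 7thrank.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost 7thrank.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias www.7thrank.com
alias smilerestored.com
alias home.chessregister.com
port 443 namevhost wordpress.7thrank.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
"""

def parse_vhosts(dump):
    """Return {port: {ServerName: [ServerAlias, ...]}} from `apachectl -S` text."""
    vhosts, port, current = {}, None, None
    for raw in dump.splitlines():
        line = raw.strip()
        m = re.match(r"\*:(\d+) is a NameVirtualHost", line)
        if m:                                 # several name-based vhosts follow
            port, current = int(m.group(1)), None
            vhosts.setdefault(port, {})
            continue
        m = (re.match(r"\*:(\d+)\s+(\S+)\s+\(", line)          # single vhost on a port
             or re.match(r"port (\d+) namevhost (\S+)", line))  # one name-based vhost
        if m:
            port, current = int(m.group(1)), m.group(2)
            vhosts.setdefault(port, {})[current] = []
            continue
        m = re.match(r"alias (\S+)", line)
        if m and current is not None:         # ServerAlias of the current vhost
            vhosts[port][current].append(m.group(1))
        # "default server ...", ServerRoot, Mutex lines etc. match nothing and are skipped
    return vhosts

def names_on_port(vhosts, port):
    """Every hostname (ServerName or alias) Apache answers for on `port`."""
    return {n for sn, al in vhosts.get(port, {}).items() for n in [sn, *al]}

def missing_on_port80(vhosts):
    """Names served on :443 but on no :80 vhost; the apache authenticator has
    nowhere to place their http-01 challenge, so validation of those names fails."""
    return sorted(names_on_port(vhosts, 443) - names_on_port(vhosts, 80))

def port80_directives(vhosts, servername):
    """ServerName/ServerAlias lines mirroring the :443 vhost `servername` onto :80."""
    aliases = vhosts[443][servername]         # KeyError if no such :443 vhost
    return [f"ServerName {servername}"] + [f"ServerAlias {a}" for a in aliases]
```

Run against a live dump with `apachectl -S | python3 -c 'import sys, thisfile; ...'` or paste the output into APACHECTL_DUMP; after the port 80 vHost is fixed, missing_on_port80 should return an empty list.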

Did that but only see one domain listed:

VirtualHost configuration:
*:80 7thrank.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443 is a NameVirtualHost
default server 7thrank.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost 7thrank.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
alias www.7thrank.com
alias smilerestored.com
alias home.chessregister.com
port 443 namevhost wordpress.7thrank.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Then share both config files.
