Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: www.cuspu.edu.ua
I ran this command: ./update-certs.sh www.cuspu.edu.ua
It produced this output: Failed authorization procedure. www.cuspu.edu.ua (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.cuspu.edu.ua/.well-known/acme-challenge/3qoh74dS_fwLKuijgSxqTM_PKmgZBfOxuLH5NR6t3Ms: "
<html xmlns="http"
My web server is (include version): apache 2.4.18
The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes
case "$1" in
    --help)
        echo -e "
This script you may use for update your certificates by letsencrypt.
Usage: ./$(basename "$0") [ domain name ]
Possible domain names are:
…
\t5) www.cuspu.edu.ua
…
Attention! You must check to exist configuration file of your domain.
By default config files are placed on folder [ /etc/letsencrypt/domain.name.ini]
"
        ;;
    www.cuspu.edu.ua)
        # hand the chosen domain to the per-domain renewal script
        ${CERT_UPDATE_SCRIPTS} "$1"
        ;;
    …
esac
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
So that script lets you manually choose which domain name and/or certificate to renew. That's rather strange, because the idea behind Let's Encrypt and certbot is automation. Not manually renewing. It SHOULD be enough to just run certbot renew.
I think the actual "how does the script renew" information is contained in the above script. Could you post the content of that script too?
That's unusual. certbot doesn't use that kind of configuration file(s). It does use /etc/letsencrypt/cli.ini, but all the specifics for a certain certificate are contained in /etc/letsencrypt/renewal/certificatename.conf.
Nope, it does not. @mnordhoff is correct about the (erroneous?) redirection:
osiris@erazer ~ $ curl -Lvk http://www.cuspu.edu.ua/.well-known/acme-challenge/test
* Trying 195.62.15.242...
* TCP_NODELAY set
* Connected to www.cuspu.edu.ua (195.62.15.242) port 80 (#0)
> GET /.well-known/acme-challenge/test HTTP/1.1
> Host: www.cuspu.edu.ua
> User-Agent: curl/7.55.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Sun, 17 Jun 2018 10:05:50 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://www.cuspu.edu.ua/.well-known/acme-challenge/test
<
* Ignoring the response-body
* Connection #0 to host www.cuspu.edu.ua left intact
* Issue another request to this URL: 'https://www.cuspu.edu.ua/.well-known/acme-challenge/test'
* Trying 195.62.15.242...
* TCP_NODELAY set
* Connected to www.cuspu.edu.ua (195.62.15.242) port 443 (#1)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Unknown (67):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS change cipher, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=www.cuspu.edu.ua
* start date: Mar 22 05:25:45 2018 GMT
* expire date: Jun 20 05:25:45 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /.well-known/acme-challenge/test HTTP/1.1
> Host: www.cuspu.edu.ua
> User-Agent: curl/7.55.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Sun, 17 Jun 2018 10:05:50 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Set-Cookie: 5d950cea0505e54b04770f676ac75747=mchde6bmrns8douhbdepbscgk4; path=/; secure; HttpOnly
< P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
< Expires: Wed, 17 Aug 2005 00:00:00 GMT
< Last-Modified: Sun, 17 Jun 2018 10:05:50 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache, no-cache
< Location: https://www.cuspu.edu.ua/ua/.well-known/acme-challenge/test
<
* Connection #1 to host www.cuspu.edu.ua left intact
* Issue another request to this URL: 'https://www.cuspu.edu.ua/ua/.well-known/acme-challenge/test'
* Found bundle for host www.cuspu.edu.ua: 0x1531cc0 [can pipeline]
* Re-using existing connection! (#1) with host www.cuspu.edu.ua
* Connected to www.cuspu.edu.ua (195.62.15.242) port 443 (#1)
> GET /ua/.well-known/acme-challenge/test HTTP/1.1
> Host: www.cuspu.edu.ua
> User-Agent: curl/7.55.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: nginx
< Date: Sun, 17 Jun 2018 10:05:51 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 1770
< Connection: keep-alive
< Set-Cookie: 5d950cea0505e54b04770f676ac75747=cv87usfbeu5pjjdfrg0rfnkbs3; path=/; secure; HttpOnly
< P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
< Cache-Control: no-cache
< Pragma: no-cache
<
<!DOCTYPE html>
<html lang="uk-ua" dir="ltr">
<head>
<meta charset="utf-8" />
<title>404 - Категорію не знайдено</title>
<link href="/templates/system/css/error.css" rel="stylesheet" />
<!--[if lt IE 9]><script src="/media/jui/js/html5.js"></script><![endif]-->
</head>
<body>
<div class="error">
<div id="outline">
<div id="errorboxoutline">
<div id="errorboxheader">404 - Категорію не знайдено</div>
<div id="errorboxbody">
<p><strong>У Вас відсутні <strong>права</strong> для перегляду цієї сторінки, оскільки:</strong></p>
<ol>
<li><strong>застарілих закладок/вибраного</strong></li>
<li>пошукова система виявила <strong>застарілі записи на цьому сайті</strong></li>
<li><strong>невірно введена адреса</strong></li>
<li>у Вас відсутній <strong>доступ</strong> до цієї сторінки</li>
<li>Запитаний ресурс не знайдено.</li>
<li>Виникла помилка при обробці вашого запиту.</li>
</ol>
<p><strong>Будь ласка, спробуйте одну з вказаних сторінок:</strong></p>
<ul>
<li><a href="/index.php" title="Перейти на головну сторінку">Головна сторінка</a></li>
</ul>
<p>Якщо у Вас виникли труднощі, будь ласка, зв'яжіться з адміністратором сайту</p>
<div id="techinfo">
<p>
Категорію не знайдено </p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>
* Connection #1 to host www.cuspu.edu.ua left intact
osiris@erazer ~ $
Two things you should notice:
The three "Location: " headers redirecting the client to the 404 file not found error.
The fact your webserver isn't sending the intermediate certificate: "SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway."
The last one is verified by checking with OpenSSL:
CONNECTED(00000003)
depth=0 CN = www.cuspu.edu.ua
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.cuspu.edu.ua
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=www.cuspu.edu.ua
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
(...)
You should either use fullchain.pem instead of cert.pem, or use cert.pem AND chain.pem in your webserver configuration. (How, et cetera, depends on the webserver used.)
With regard to the redirections: your "main site" is also redirected to /ua/, which doesn't give a 404. So it's probably a correct redirect for the workings of your site, but perhaps certbot isn't configured correctly. Could you please post the contents of /etc/letsencrypt/renewal/www.cuspu.edu.ua.conf?
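As an added example (not code from this thread, from certbot or from the site in question), a small Python pre-flight check for the two symptoms pointed out above: it follows the challenge URL's redirects the way an http-01 validator would and flags the hop that leaves /.well-known/acme-challenge/, and it parses `openssl s_client` output to tell whether the intermediate certificate is being sent. The fetch function is injected; the response table and s_client text below are constructed to mirror the posted curl and OpenSSL traces.

```python
"""Pre-flight checks for this thread's http-01 failures: redirect away from the challenge path, missing intermediate."""
import re
from urllib.parse import urljoin, urlsplit
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10  # Let's Encrypt's validator gives up after 10 redirects

def trace_challenge(fetch, url, token):
    """Follow redirects like an ACME http-01 validator. fetch(url) -> (status, headers,
    body) and must NOT follow redirects itself; injected so this runs offline."""
    hops, rewritten = [url], None
    for _ in range(MAX_REDIRECTS):
        status, headers, body = fetch(hops[-1])
        if status not in (301, 302, 303, 307, 308):
            break
        target = urljoin(hops[-1], headers.get("Location", ""))
        # Remember the first hop that leaves the challenge path (the /ua/ rewrite here)
        if rewritten is None and not urlsplit(target).path.startswith(CHALLENGE_PREFIX):
            rewritten = target
        hops.append(target)
    else:
        return False, "too many redirects", hops
    if status == 200 and body.strip() == token:
        return True, "ok", hops
    reason = f"final response HTTP {status}" if status != 200 else "body is not the token"
    if rewritten:
        reason += f"; a redirect left the challenge path at {rewritten}"
    return False, reason, hops

def chain_is_complete(s_client_output):
    """Parse `openssl s_client -connect host:443` output: the server must send leaf plus
    intermediate and OpenSSL must not report error 21 (unable to verify the first cert)."""
    m = re.search(r"Certificate chain\n(.*?)\n---", s_client_output, re.S)
    entries = re.findall(r"^\s*\d+ s:", m.group(1), re.M) if m else []
    return len(entries) >= 2 and "verify error:num=21" not in s_client_output

# Constructed response table mirroring the curl trace posted in the thread.
HOST = "https://www.cuspu.edu.ua"
OBSERVED = {
    "http://www.cuspu.edu.ua/.well-known/acme-challenge/test":
        (301, {"Location": f"{HOST}/.well-known/acme-challenge/test"}, ""),
    f"{HOST}/.well-known/acme-challenge/test":
        (301, {"Location": f"{HOST}/ua/.well-known/acme-challenge/test"}, ""),
    f"{HOST}/ua/.well-known/acme-challenge/test": (404, {}, "<!DOCTYPE html>"),
}
# Same host once the challenge path is exempted from the site's /ua/ redirect (constructed).
FIXED = {**OBSERVED, f"{HOST}/.well-known/acme-challenge/test": (200, {}, "test\n")}
S_CLIENT_OBSERVED = ("depth=0 CN = www.cuspu.edu.ua\nverify error:num=21:unable to verify "
                     "the first certificate\n---\nCertificate chain\n 0 s:/CN=www.cuspu.edu.ua\n"
                     "   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3\n---\n")
```

To run it against your own host, supply a fetch function that does not auto-follow redirects (urllib's default opener does, so it needs a redirect handler that returns None) and place a test file under the challenge path first.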