Certbot doesn't renew certificates


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.cuspu.edu.ua

I ran this command: ./update-certs.sh www.cuspu.edu.ua

It produced this output: Failed authorization procedure. www.cuspu.edu.ua (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.cuspu.edu.ua/.well-known/acme-challenge/3qoh74dS_fwLKuijgSxqTM_PKmgZBfOxuLH5NR6t3Ms: "

<html xmlns="http"

My web server is (include version): apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes


#2

Exactly what does update-certs.sh do?

What was the rest of Certbot’s output?

Note that:

  1. http://www.cuspu.edu.ua/.well-known/acme-challenge/test redirects to:
  2. https://www.cuspu.edu.ua/.well-known/acme-challenge/test which redirects to:
  3. https://www.cuspu.edu.ua/ua/.well-known/acme-challenge/test

which returns a “404 Not Found” page different from the HTML in Certbot’s error.

So, I don’t know what’s going on, but there might be a web server misconfiguration.


#3

update-certs.sh:
#!/bin/bash

# Wrapper around the per-domain renewal script kept in ./scripts
SCRIPTS_FOLDER="$(dirname "$0")/scripts"

CERT_UPDATE_SCRIPTS="${SCRIPTS_FOLDER}/certificate_update.sh"

case "$1" in
  --help)
    echo -e "
This script you may use to update your certificates with Let's Encrypt.
Usage: ./$(basename "$0") [ domain name ]
Possible domain names are:

\t5) www.cuspu.edu.ua

Attention! You must check that the configuration file for your domain exists.
By default config files are placed in the folder [ /etc/letsencrypt/domain.name.ini ]
"
    ;;
  www.cuspu.edu.ua)
    "${CERT_UPDATE_SCRIPTS}" "$1"
    ;;
  *)
    # Anything else (including no argument) is rejected rather than silently ignored
    echo "Unknown domain '$1'; run $(basename "$0") --help" >&2
    exit 1
    ;;
esac

Certbot’s output:
Failed authorization procedure. www.cuspu.edu.ua (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.cuspu.edu.ua/.well-known/acme-challenge/3qoh74dS_fwLKuijgSxqTM_PKmgZBfOxuLH5NR6t3Ms: "

<html xmlns="http"

IMPORTANT NOTES:

  1. http://www.cuspu.edu.ua/.well-known/acme-challenge/test redirects to:
  2. https://www.cuspu.edu.ua/.well-known/acme-challenge/test which redirects to:
  3. https://www.cuspu.edu.ua/


#4

You’ll need to post the contents of this, or better yet, ask the person who wrote the scripts!


#5

So that script lets you manually choose which domain name and/or certificate to renew. That’s rather strange, because the idea behind Let’s Encrypt and certbot is automation. Not manually renewing. It SHOULD be enough to just run certbot renew.

I think the actual “how does the script renew” information is contained in the above script. Could you post the content of that script too?

That’s unusual. certbot doesn’t use that kind of configuration file(s). It does use /etc/letsencrypt/cli.ini, but all the specifics for a certain certificate are contained in /etc/letsencrypt/renewal/certificatename.conf.

Nope, it does not. @mnordhoff is correct about the (erroneous?) redirection:

osiris@erazer ~ $ curl -Lvk http://www.cuspu.edu.ua/.well-known/acme-challenge/test
*   Trying 195.62.15.242...
* TCP_NODELAY set
* Connected to www.cuspu.edu.ua (195.62.15.242) port 80 (#0)
> GET /.well-known/acme-challenge/test HTTP/1.1
> Host: www.cuspu.edu.ua
> User-Agent: curl/7.55.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Sun, 17 Jun 2018 10:05:50 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://www.cuspu.edu.ua/.well-known/acme-challenge/test
< 
* Ignoring the response-body
* Connection #0 to host www.cuspu.edu.ua left intact
* Issue another request to this URL: 'https://www.cuspu.edu.ua/.well-known/acme-challenge/test'
*   Trying 195.62.15.242...
* TCP_NODELAY set
* Connected to www.cuspu.edu.ua (195.62.15.242) port 443 (#1)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server key exchange (12):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Unknown (67):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS change cipher, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / ECDHE-RSA-AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=www.cuspu.edu.ua
*  start date: Mar 22 05:25:45 2018 GMT
*  expire date: Jun 20 05:25:45 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /.well-known/acme-challenge/test HTTP/1.1
> Host: www.cuspu.edu.ua
> User-Agent: curl/7.55.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Sun, 17 Jun 2018 10:05:50 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 0
< Connection: keep-alive
< Set-Cookie: 5d950cea0505e54b04770f676ac75747=mchde6bmrns8douhbdepbscgk4; path=/; secure; HttpOnly
< P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
< Expires: Wed, 17 Aug 2005 00:00:00 GMT
< Last-Modified: Sun, 17 Jun 2018 10:05:50 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache, no-cache
< Location: https://www.cuspu.edu.ua/ua/.well-known/acme-challenge/test
< 
* Connection #1 to host www.cuspu.edu.ua left intact
* Issue another request to this URL: 'https://www.cuspu.edu.ua/ua/.well-known/acme-challenge/test'
* Found bundle for host www.cuspu.edu.ua: 0x1531cc0 [can pipeline]
* Re-using existing connection! (#1) with host www.cuspu.edu.ua
* Connected to www.cuspu.edu.ua (195.62.15.242) port 443 (#1)
> GET /ua/.well-known/acme-challenge/test HTTP/1.1
> Host: www.cuspu.edu.ua
> User-Agent: curl/7.55.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Server: nginx
< Date: Sun, 17 Jun 2018 10:05:51 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 1770
< Connection: keep-alive
< Set-Cookie: 5d950cea0505e54b04770f676ac75747=cv87usfbeu5pjjdfrg0rfnkbs3; path=/; secure; HttpOnly
< P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
< Cache-Control: no-cache
< Pragma: no-cache
< 
<!DOCTYPE html>
<html lang="uk-ua" dir="ltr">
<head>
	<meta charset="utf-8" />
	<title>404 - Category not found</title>
	<link href="/templates/system/css/error.css" rel="stylesheet" />
			<!--[if lt IE 9]><script src="/media/jui/js/html5.js"></script><![endif]-->
</head>
<body>
	<div class="error">
		<div id="outline">
		<div id="errorboxoutline">
			<div id="errorboxheader">404 - Category not found</div>
			<div id="errorboxbody">
			<p><strong>You do not have <strong>permission</strong> to view this page because of:</strong></p>
			<ol>
				<li><strong>an out-of-date bookmark/favourite</strong></li>
				<li>a search engine that has <strong>an out-of-date listing for this site</strong></li>
				<li>a <strong>mistyped address</strong></li>
				<li>you have <strong>no access</strong> to this page</li>
				<li>The requested resource was not found.</li>
				<li>An error has occurred while processing your request.</li>
			</ol>
			<p><strong>Please try one of the following pages:</strong></p>
			<ul>
				<li><a href="/index.php" title="Go to the home page">Home page</a></li>
			</ul>
			<p>If difficulties persist, please contact the site administrator</p>
			<div id="techinfo">
			<p>
				Category not found
			</p>
			</div>
			</div>
		</div>
		</div>
	</div>
</body>
</html>
* Connection #1 to host www.cuspu.edu.ua left intact
osiris@erazer ~ $ 

Two things you should notice:

  • The three "Location: " headers redirecting the client to the 404 file not found error.
  • The fact your webserver isn’t sending the intermediate certificate: “SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.”

The last one is verified by checking with OpenSSL:

CONNECTED(00000003)
depth=0 CN = www.cuspu.edu.ua
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.cuspu.edu.ua
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=www.cuspu.edu.ua
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
(...)

You should either use fullchain.pem instead of cert.pem, or use cert.pem AND chain.pem in your webserver configuration. (How et cetera depends on the webserver used…)

With regard to the redirections: your “main site” is also redirected to /ua/, which doesn’t give a 404. So it’s probably a correct redirect for the workings of your site, but perhaps certbot isn’t configured correctly. Could you please post the contents of /etc/letsencrypt/renewal/www.cuspu.edu.ua.conf?


#6

/etc/letsencrypt/renewal/www.cuspu.edu.ua.conf:
# renew_before_expiry = 30 days
version = 0.21.1
archive_dir = /etc/letsencrypt/archive/cuspu.edu.ua
cert = /etc/letsencrypt/live/cuspu.edu.ua/cert.pem
privkey = /etc/letsencrypt/live/cuspu.edu.ua/privkey.pem
chain = /etc/letsencrypt/live/cuspu.edu.ua/chain.pem
fullchain = /etc/letsencrypt/live/cuspu.edu.ua/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 953c06b3bced46d70134392d7b220e94
authenticator = webroot
rsa_key_size = 4096
installer = None
webroot_path = /var/www/html,
[[webroot_map]]
# cuspu.edu.ua = /var/www/html
www.cuspu.edu.ua = /var/www/sites/www.kspu.kr.ua/public_html/
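The pre-flight check that #2, #5 and #6 together call for (trace the redirect chain from the http-01 URL the way the validator does, and confirm that a file dropped into the webroot_map directory is actually what gets served), as an added Python example. It is not code from this thread and not certbot's own. SAMPLE_CONF is a constructed copy of the posted renewal conf with the account line omitted; broken_site_fetch is a constructed stand-in that reproduces the http → https → /ua/ → 404 chain shown in the curl transcript, and webroot_fetch is a test double that serves a local directory with no redirects. Only http_fetch talks to a real host; the other two run offline.

```python
"""Pre-flight check for a certbot webroot (http-01) renewal.

Added example, not from the thread or from certbot. It reads [[webroot_map]]
from a renewal conf, writes a probe token where the webroot plugin would write
its challenge file, and follows redirects from the http:// challenge URL,
flagging a redirect that leaves /.well-known/acme-challenge/ or ends in a 404.
"""
import os
import secrets
import tempfile
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed sample mirroring the renewal conf posted in the thread
# (account line omitted; '#' is certbot's comment character).
SAMPLE_CONF = """\
version = 0.21.1
[renewalparams]
authenticator = webroot
webroot_path = /var/www/html,
[[webroot_map]]
# cuspu.edu.ua = /var/www/html
www.cuspu.edu.ua = /var/www/sites/www.kspu.kr.ua/public_html/
"""

def parse_webroot_map(conf_text):
    """Return {domain: webroot} from the [[webroot_map]] subsection only."""
    webroots, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                  # [section] or [[subsection]]
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domain, path = (s.strip() for s in line.split("=", 1))
            webroots[domain] = path
    return webroots

def place_token(webroot, token):
    """Create <webroot>/.well-known/acme-challenge/<token> holding the token,
    exactly where the webroot plugin writes; returns the file path."""
    chal_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    return path

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so every hop is reported."""
    def redirect_request(self, *args, **kwargs):
        return None

def http_fetch(url):
    """Live single request, no redirect following: (status, headers, body).
    A TLS failure (e.g. server omits its intermediate) comes back as status 0."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
    except urllib.error.HTTPError as err:         # 3xx/4xx/5xx are raised
        resp = err
    except urllib.error.URLError as err:          # DNS, TCP or TLS failure
        return 0, {}, str(err.reason)
    headers = {k.lower(): v for k, v in resp.headers.items()}
    return resp.getcode(), headers, resp.read().decode(errors="replace")

def trace_challenge(domain, token, fetch=http_fetch, max_hops=10):
    """Follow up to max_hops redirects from the http:// challenge URL and
    report whether the final response would satisfy the validator."""
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    hops = []
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        hops.append((url, status))
        if status in (301, 302, 303, 307, 308) and "location" in headers:
            url = urljoin(url, headers["location"])   # relative Location is legal
            continue
        break
    # https:// on the same path is fine; a different path (here /ua/...) means
    # the file certbot wrote is no longer the resource being served.
    left_path = urlparse(url).path != f"/{CHALLENGE_DIR}/{token}"
    body_ok = status == 200 and body.strip() == token
    return {"hops": hops, "final_status": status, "body_ok": body_ok,
            "left_challenge_path": left_path, "ok": body_ok}

def broken_site_fetch(url):
    """Constructed stand-in reproducing the thread's chain:
    http -> https (same path) -> /ua/<path> -> HTML 404. No network."""
    u = urlparse(url)
    if u.scheme == "http":
        return 301, {"location": f"https://{u.netloc}{u.path}"}, ""
    if not u.path.startswith("/ua/"):
        return 301, {"location": f"/ua{u.path}"}, ""
    return 404, {"content-type": "text/html"}, "<!DOCTYPE html><title>404</title>"

def webroot_fetch(webroot):
    """Test double: serve files straight from a local webroot with no
    redirects, as a correctly configured vhost does for this path."""
    def fetch(url):
        path = os.path.join(webroot, urlparse(url).path.lstrip("/"))
        if os.path.isfile(path):
            with open(path) as fh:
                return 200, {"content-type": "text/plain"}, fh.read()
        return 404, {}, "not found"
    return fetch

def selfcheck(domain="www.cuspu.edu.ua"):
    """Happy path on a temporary webroot; returns the trace result."""
    token = secrets.token_urlsafe(32)             # same length as an ACME token
    with tempfile.TemporaryDirectory() as webroot:
        place_token(webroot, token)
        return trace_challenge(domain, token, fetch=webroot_fetch(webroot))
```

Against a live host you would run `trace_challenge(domain, token)` after `place_token(parse_webroot_map(open(conf).read())[domain], token)`; `left_challenge_path` is a warning (the validator only needs the final body to match), `ok` is the verdict. The happy-path double shows the contract the web server has to meet: the bytes in the file under the webroot_map directory must come back unchanged from the http:// challenge URL, with no hop that rewrites the path.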

